diff --git a/art/christmas.txt b/art/christmas.txt
index 144c9b8c..72c9807a 100644
--- a/art/christmas.txt
+++ b/art/christmas.txt
@@ -54,4 +54,4 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%
 #%%%%%%%%%%%%%%%#%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%
-
\ No newline at end of file
+
diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt
index 3188c4b9..7c4bbcc4 100644
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -12,6 +12,7 @@ AuthenticationPackageName,Event.EventData.AuthenticationPackageName
 CallTrace,Event.EventData.CallTrace
 Caller_Process_Name,Event.EventData.Caller_Process_Name
 CallingProcessName,Event.EventData.CallingProcessName
+CategoryName,Event.EventData.Category Name
 Channel,Event.System.Channel
 Client_Address,Event.EventData.Client_Address
 CommandLine,Event.EventData.CommandLine
@@ -30,6 +31,7 @@ DestinationIsIpv6,Event.EventData.DestinationIsIpv6
 DestinationPort,Event.EventData.DestinationPort
 Details,Event.EventData.Details
 DetectionSource,Event.EventData.DetectionSource
+DetectionUser,Event.EventData.Detection User
 Device,Event.EventData.Device
 DeviceClassName,Event.EventData.DeviceClassName
 DeviceDescription,Event.EventData.DeviceDescription
@@ -107,6 +109,7 @@ Service,Event.EventData.Service
 ServiceFileName,Event.EventData.ServiceFileName
 ServiceName,Event.EventData.ServiceName
 ServicePrincipalNames,Event.EventData.ServicePrincipalNames
+SeverityName,Event.EventData.Severity Name
 ShareName,Event.EventData.ShareName
 SidHistory,Event.EventData.SidHistory
 Signature,Event.EventData.Signature
@@ -136,6 +139,7 @@ TargetProcessAddress,Event.EventData.TargetProcessAddress
 TargetSid,Event.EventData.TargetSid
 TargetUserName,Event.EventData.TargetUserName
 TaskName,Event.EventData.TaskName
+ThreatName,Event.EventData.Threat Name
 TicketEncryptionType,Event.EventData.TicketEncryptionType
 TicketOptions,Event.EventData.TicketOptions
 Url,Event.EventData.url
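Review bot: The four aliases added to eventkey_alias.txt (`CategoryName`, `DetectionUser`, `SeverityName`, `ThreatName`) resolve to EventData keys that contain a space, e.g. `Event.EventData.Threat Name`, which reads like a typo next to the CamelCase keys around them. Presumably these are the literal field names emitted by the log source being onboarded (Windows Defender events do use such names), in which case the rows only work if the alias loader splits each row on the first comma and neither trims nor splits the right-hand side on whitespace; that is worth confirming against the loader, which is not on this page. The file shows no comment syntax, so if it has one, a remark such as `# keys containing a space are the exact EventData names the source emits` above the first of them would keep the next reader from "fixing" them.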
diff --git a/config/exclude-rules-full.txt b/config/exclude-rules-full.txt
new file mode 100644
index 00000000..f03fce3c
--- /dev/null
+++ b/config/exclude-rules-full.txt
@@ -0,0 +1,8 @@
+4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 # ./rules/sigma/other/msexchange/win_exchange_transportagent.yml
+c92f1896-d1d2-43c3-92d5-7a5b35c217bb # ./rules/sigma/other/msexchange/win_exchange_cve_2021_42321.yml
+9f7aa113-9da6-4a8d-907c-5f1a4b908299 # ./rules/sigma/deprecated/powershell_syncappvpublishingserver_exe.yml
+
+# Replaced by hayabusa rules
+c265cf08-3f99-46c1-8d59-328247057d57 # ./rules/sigma/builtin/security/win_user_added_to_local_administrators.yml
+66b6be3d-55d0-4f47-9855-d69df21740ea # ./rules/sigma/builtin/security/win_user_creation.yml
+7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # ./rules/sigma/builtin/security/win_hidden_user_creation.yml
\ No newline at end of file
diff --git a/config/exclude-rules.txt b/config/exclude-rules.txt
index 201932cc..22e7479f 100644
--- a/config/exclude-rules.txt
+++ b/config/exclude-rules.txt
@@ -2,4 +2,5 @@
 c92f1896-d1d2-43c3-92d5-7a5b35c217bb
 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
 c265cf08-3f99-46c1-8d59-328247057d57
-66b6be3d-55d0-4f47-9855-d69df21740ea
\ No newline at end of file
+66b6be3d-55d0-4f47-9855-d69df21740ea
+9f7aa113-9da6-4a8d-907c-5f1a4b908299
\ No newline at end of file
diff --git a/config/noisy-rules-full.txt b/config/noisy-rules-full.txt
new file mode 100644
index 00000000..abadf989
--- /dev/null
+++ b/config/noisy-rules-full.txt
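Review bot: exclude-rules-full.txt is created without a trailing newline (`\ No newline at end of file`) and exclude-rules.txt keeps that state after its edit, so every later append will show up as a change to the previous last line, exactly as this hunk does for `66b6be3d-55d0-4f47-9855-d69df21740ea`. Terminating both files (and noisy-rules-full.txt / noisy-rules.txt further down) with a newline keeps future edits to pure one-line additions. The new -full file also repeats the IDs of exclude-rules.txt with `# path` annotations, and nothing on this page keeps the two lists in sync; a first line in the -full file saying which of the two the tool actually reads, if that is how they are used, would make the intent of the duplicate clear.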
@@ -0,0 +1,9 @@
+0f06a3a5-6a09-413f-8743-e6cf35561297 # ./rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml
+b0d77106-7bb0-41fe-bd94-d1752164d066 # ./rules/sigma/builtin/security/win_rare_schtasks_creations.yml
+66bfef30-22a5-4fcd-ad44-8d81e60922ae # ./rules/sigma/builtin/system/win_rare_service_installs.yml
+e98374a6-e2d9-4076-9b5c-11bdb2569995 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source.yml
+6309ffc4-8fa2-47cf-96b8-a2f72e58e538 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source2.yml
+61ab5496-748e-4818-a92f-de78e20fe7f1 # ./rules/sigma/process_creation/win_multiple_suspicious_cli.yml
+add2ef8d-dc91-4002-9e7e-f2702369f53a # ./rules/sigma/builtin/security/win_susp_failed_remote_logons_single_source.yml
+196a29c2-e378-48d8-ba07-8a9e61f7fab9 # ./rules/sigma/builtin/security/win_susp_failed_logons_explicit_credentials.yml
+72124974-a68b-4366-b990-d30e0b2a190d # ./rules/sigma/builtin/security/win_metasploit_authentication.yml
\ No newline at end of file
diff --git a/config/noisy-rules.txt b/config/noisy-rules.txt
index 1fa83b45..fce2d332 100644
--- a/config/noisy-rules.txt
+++ b/config/noisy-rules.txt
@@ -3,4 +3,8 @@ b0d77106-7bb0-41fe-bd94-d1752164d066
 66bfef30-22a5-4fcd-ad44-8d81e60922ae
 e98374a6-e2d9-4076-9b5c-11bdb2569995
 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
+61ab5496-748e-4818-a92f-de78e20fe7f1
+add2ef8d-dc91-4002-9e7e-f2702369f53a
+196a29c2-e378-48d8-ba07-8a9e61f7fab9
+72124974-a68b-4366-b990-d30e0b2a190d
 b20f6158-9438-41be-83da-a5a16ac90c2b
\ No newline at end of file
diff --git a/config/regex/allowlist_legimate_serviceimage.txt b/config/regex/allowlist_legitimate_services.txt
similarity index 100%
rename from config/regex/allowlist_legimate_serviceimage.txt
rename to config/regex/allowlist_legitimate_services.txt
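Review bot: noisy-rules-full.txt lists nine IDs, but noisy-rules.txt in the next hunk still ends with `b20f6158-9438-41be-83da-a5a16ac90c2b` as a context line, and that entry is missing from the new -full file. If the -full file is meant to be the annotated mirror of the active noisy list, it is already out of sync in the commit that creates it; add the missing line with its rule path (not visible on this page) so the annotated list can be trusted when someone decides which noisy rules to re-enable. If the tool ever reads the -full variants directly, the loader must strip everything from `#` onward, which is worth confirming since the plain files carry bare IDs only.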
diff --git a/config/regex/regexes_suspicous_service.txt b/config/regex/detectlist_suspicous_services.txt
similarity index 100%
rename from config/regex/regexes_suspicous_service.txt
rename to config/regex/detectlist_suspicous_services.txt
diff --git a/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml b/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml
index 78b13842..a249f246 100644
--- a/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml
+++ b/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml
@@ -6,8 +6,8 @@ title: Malicious service installed
 title_jp: 悪意のあるサービスがインストールされた
 output: 'Service: %ServiceName% : Image path: %ImagePath'
 output_jp: 'サービス名: %ServiceName% : Imageパス: %ImagePath'
-description: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
-description_jp: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
+description: Malicious service was installed based on suspicious entries in ./config/regex/detectlist_suspicous_services.txt
+description_jp: Malicious service was installed based on suspicious entries in ./config/regex/detectlist_suspicous_services.txt
 id: dbbfd9f3-9508-478b-887e-03ddb9236909
 level: high
 
@@ -17,10 +17,10 @@ detection:
 Channel: System
 EventID: 7045
 ServiceName:
- regexes: ./config/regex/regexes_suspicous_service.txt
+ regexes: ./config/regex/detectlist_suspicous_services.txt
 ImagePath:
 min_length: 1000
- allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+ allowlist: .allowlist_legitimate_services.txt
 condition: selection
 falsepositives:
 - normal system usage
diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs
index 42c69614..7fc45fd7 100644
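Review bot: The new `allowlist:` value in the second hunk of the 7045 rule, `allowlist: .allowlist_legitimate_services.txt`, does not point at the renamed file: the rename in this commit is to `config/regex/allowlist_legitimate_services.txt`, and every other updated reference on this page (the `regexes:` line just above it, matchers.rs, utils.rs) uses the `./config/regex/` prefix. As written the rule's allowlist file cannot be found; depending on how the loader treats a missing allowlist this either fails to load the rule, losing coverage for Event ID 7045 malicious-service installs, or silently applies no allowlist and reports every long legitimate `ImagePath` as a hit. The line should read `allowlist: ./config/regex/allowlist_legitimate_services.txt`. Separately, the rename carries the misspelling `suspicous` into the new name `detectlist_suspicous_services.txt`; since every reference is being touched anyway, `detectlist_suspicious_services.txt` would avoid a second rename later.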
--- a/src/detections/rule/matchers.rs
+++ b/src/detections/rule/matchers.rs
@@ -538,8 +538,8 @@ mod tests {
 - ホスト アプリケーション
 ImagePath:
 min_length: 1234321
- regexes: ./config/regex/regexes_suspicous_service.txt
- allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+ regexes: ./config/regex/detectlist_suspicous_services.txt
+ allowlist: ./config/regex/allowlist_legitimate_services.txt
 falsepositives:
 - unknown
 level: medium
@@ -1165,7 +1165,7 @@ mod tests {
 selection:
 EventID: 4103
 Channel:
- - allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+ - allowlist: ./config/regex/allowlist_legitimate_services.txt
 output: 'command=%CommandLine%'
 "#;
 
@@ -1202,7 +1202,7 @@ mod tests {
 selection:
 EventID: 4103
 Channel:
- - allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+ - allowlist: ./config/regex/allowlist_legitimate_services.txt
 output: 'command=%CommandLine%'
 "#;
 
@@ -1239,7 +1239,7 @@ mod tests {
 selection:
 EventID: 4103
 Channel:
- - allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+ - allowlist: ./config/regex/allowlist_legitimate_services.txt
 output: 'command=%CommandLine%'
 "#;
 
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index 72d6448c..c7e4c57b 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -192,7 +192,7 @@ mod tests {
 
 #[test]
 fn test_check_regex() {
- let regexes = utils::read_txt("./config/regex/regexes_suspicous_service.txt")
+ let regexes = utils::read_txt("./config/regex/detectlist_suspicous_services.txt")
 .unwrap()
 .into_iter()
 .map(|regex_str| Regex::new(®ex_str).unwrap())
@@ -207,7 +207,7 @@ mod tests {
 #[test]
 fn test_check_allowlist() {
 let commandline = "\"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe\"";
- let allowlist = utils::read_txt("./config/regex/allowlist_legimate_serviceimage.txt")
+ let allowlist = utils::read_txt("./config/regex/allowlist_legitimate_services.txt")
 .unwrap()
 .into_iter()
 .map(|allow_str| Regex::new(&allow_str).unwrap())
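Review bot: The updated tests in matchers.rs and utils.rs only reference the renamed regex and allowlist files through their own inline YAML fixtures and `utils::read_txt` calls, so nothing on this page exercises the shipped rule files under `rules/hayabusa/`, and the mistyped allowlist path in the 7045 rule earlier in this diff would pass this test suite unnoticed. A test that loads every rule under `rules/hayabusa/` and asserts that each `regexes:` / `allowlist:` path it names exists on disk would turn this class of rename slip into a build failure instead of a silent detection gap; `test_check_regex` and `test_check_allowlist` already show the read-side helper to build it on. The enclosing `mod tests` of both files starts and ends outside these hunks.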