Regex filename change (#291)

* update rule config files and art

* regexサンプルファイルの名前変更

* fixed test error due to filename change #291

Co-authored-by: DustInDark <nextsasasa@gmail.com>

config/eventkey_alias.txt

@@ -12,6 +12,7 @@ AuthenticationPackageName,Event.EventData.AuthenticationPackageName
 CallTrace,Event.EventData.CallTrace
 Caller_Process_Name,Event.EventData.Caller_Process_Name
 CallingProcessName,Event.EventData.CallingProcessName
+CategoryName,Event.EventData.Category Name
 Channel,Event.System.Channel
 Client_Address,Event.EventData.Client_Address
 CommandLine,Event.EventData.CommandLine
@@ -30,6 +31,7 @@ DestinationIsIpv6,Event.EventData.DestinationIsIpv6
 DestinationPort,Event.EventData.DestinationPort
 Details,Event.EventData.Details
 DetectionSource,Event.EventData.DetectionSource
+DetectionUser,Event.EventData.Detection User
 Device,Event.EventData.Device
 DeviceClassName,Event.EventData.DeviceClassName
 DeviceDescription,Event.EventData.DeviceDescription
@@ -107,6 +109,7 @@ Service,Event.EventData.Service
 ServiceFileName,Event.EventData.ServiceFileName
 ServiceName,Event.EventData.ServiceName
 ServicePrincipalNames,Event.EventData.ServicePrincipalNames
+SeverityName,Event.EventData.Severity Name
 ShareName,Event.EventData.ShareName
 SidHistory,Event.EventData.SidHistory
 Signature,Event.EventData.Signature
@@ -136,6 +139,7 @@ TargetProcessAddress,Event.EventData.TargetProcessAddress
 TargetSid,Event.EventData.TargetSid
 TargetUserName,Event.EventData.TargetUserName
 TaskName,Event.EventData.TaskName
+ThreatName,Event.EventData.Threat Name
 TicketEncryptionType,Event.EventData.TicketEncryptionType
 TicketOptions,Event.EventData.TicketOptions
 Url,Event.EventData.url

config/exclude-rules-full.txt

@@ -0,0 +1,8 @@
+4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 # ./rules/sigma/other/msexchange/win_exchange_transportagent.yml
+c92f1896-d1d2-43c3-92d5-7a5b35c217bb # ./rules/sigma/other/msexchange/win_exchange_cve_2021_42321.yml
+9f7aa113-9da6-4a8d-907c-5f1a4b908299 # ./rules/sigma/deprecated/powershell_syncappvpublishingserver_exe.yml
+
+# Replaced by hayabusa rules
+c265cf08-3f99-46c1-8d59-328247057d57 # ./rules/sigma/builtin/security/win_user_added_to_local_administrators.yml
+66b6be3d-55d0-4f47-9855-d69df21740ea # ./rules/sigma/builtin/security/win_user_creation.yml
+7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # ./rules/sigma/builtin/security/win_hidden_user_creation.yml

config/exclude-rules.txt

@@ -3,3 +3,4 @@ c92f1896-d1d2-43c3-92d5-7a5b35c217bb
 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
 c265cf08-3f99-46c1-8d59-328247057d57
 66b6be3d-55d0-4f47-9855-d69df21740ea
+9f7aa113-9da6-4a8d-907c-5f1a4b908299

config/noisy-rules-full.txt

@@ -0,0 +1,9 @@
+0f06a3a5-6a09-413f-8743-e6cf35561297 # ./rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml
+b0d77106-7bb0-41fe-bd94-d1752164d066 # ./rules/sigma/builtin/security/win_rare_schtasks_creations.yml
+66bfef30-22a5-4fcd-ad44-8d81e60922ae # ./rules/sigma/builtin/system/win_rare_service_installs.yml
+e98374a6-e2d9-4076-9b5c-11bdb2569995 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source.yml
+6309ffc4-8fa2-47cf-96b8-a2f72e58e538 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source2.yml
+61ab5496-748e-4818-a92f-de78e20fe7f1 # ./rules/sigma/process_creation/win_multiple_suspicious_cli.yml
+add2ef8d-dc91-4002-9e7e-f2702369f53a # ./rules/sigma/builtin/security/win_susp_failed_remote_logons_single_source.yml
+196a29c2-e378-48d8-ba07-8a9e61f7fab9 # ./rules/sigma/builtin/security/win_susp_failed_logons_explicit_credentials.yml
+72124974-a68b-4366-b990-d30e0b2a190d # ./rules/sigma/builtin/security/win_metasploit_authentication.yml

config/noisy-rules.txt

@@ -3,4 +3,8 @@ b0d77106-7bb0-41fe-bd94-d1752164d066
 66bfef30-22a5-4fcd-ad44-8d81e60922ae
 e98374a6-e2d9-4076-9b5c-11bdb2569995
 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
+61ab5496-748e-4818-a92f-de78e20fe7f1
+add2ef8d-dc91-4002-9e7e-f2702369f53a
+196a29c2-e378-48d8-ba07-8a9e61f7fab9
+72124974-a68b-4366-b990-d30e0b2a190d
 b20f6158-9438-41be-83da-a5a16ac90c2b

rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml

@@ -6,8 +6,8 @@ title: Malicious service installed
 title_jp: 悪意のあるサービスがインストールされた
 output: 'Service: %ServiceName%  :  Image path: %ImagePath'
 output_jp: 'サービス名: %ServiceName%  :  Imageパス: %ImagePath'
-description: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
+description: Malicious service was installed based on suspicious entries in ./config/regex/detectlist_suspicous_services.txt
-description_jp: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
+description_jp: Malicious service was installed based on suspicious entries in ./config/regex/detectlist_suspicous_services.txt
 
 id: dbbfd9f3-9508-478b-887e-03ddb9236909
 level: high
@@ -17,10 +17,10 @@ detection:
         Channel: System
         EventID: 7045
         ServiceName:
-            regexes: ./config/regex/regexes_suspicous_service.txt
+            regexes: ./config/regex/detectlist_suspicous_services.txt
         ImagePath:
             min_length: 1000
-            allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+            allowlist: .allowlist_legitimate_services.txt
     condition: selection
 falsepositives:
     - normal system usage

src/detections/rule/matchers.rs

@@ -538,8 +538,8 @@ mod tests {
                     - ホスト アプリケーション
                 ImagePath:
                     min_length: 1234321
-                    regexes: ./config/regex/regexes_suspicous_service.txt
+                    regexes: ./config/regex/detectlist_suspicous_services.txt
-                    allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+                    allowlist: ./config/regex/allowlist_legitimate_services.txt
         falsepositives:
             - unknown
         level: medium
@@ -1165,7 +1165,7 @@ mod tests {
             selection:
                 EventID: 4103
                 Channel:
-                    - allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+                    - allowlist: ./config/regex/allowlist_legitimate_services.txt
         output: 'command=%CommandLine%'
         "#;
 
@@ -1202,7 +1202,7 @@ mod tests {
             selection:
                 EventID: 4103
                 Channel:
-                    - allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+                    - allowlist: ./config/regex/allowlist_legitimate_services.txt
         output: 'command=%CommandLine%'
         "#;
 
@@ -1239,7 +1239,7 @@ mod tests {
             selection:
                 EventID: 4103
                 Channel:
-                    - allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+                    - allowlist: ./config/regex/allowlist_legitimate_services.txt
         output: 'command=%CommandLine%'
         "#;
 

src/detections/utils.rs

@@ -192,7 +192,7 @@ mod tests {
 
     #[test]
     fn test_check_regex() {
-        let regexes = utils::read_txt("./config/regex/regexes_suspicous_service.txt")
+        let regexes = utils::read_txt("./config/regex/detectlist_suspicous_services.txt")
             .unwrap()
             .into_iter()
             .map(|regex_str| Regex::new(&regex_str).unwrap())
@@ -207,7 +207,7 @@ mod tests {
     #[test]
     fn test_check_allowlist() {
         let commandline = "\"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe\"";
-        let allowlist = utils::read_txt("./config/regex/allowlist_legimate_serviceimage.txt")
+        let allowlist = utils::read_txt("./config/regex/allowlist_legitimate_services.txt")
             .unwrap()
             .into_iter()
             .map(|allow_str| Regex::new(&allow_str).unwrap())