Regex filename change (#291)

* update rule config files and art * regexサンプルファイルの名前変更 * fixed test error due to filename change #291 Co-authored-by: DustInDark <nextsasasa@gmail.com>
2021-12-17 12:25:55 +00:00
parent 9be8b3d33f
commit d668fc9241
11 changed files with 39 additions and 13 deletions
--- a/art/christmas.txt
+++ b/art/christmas.txt
@@ -54,4 +54,4 @@
                                                %%%%%%%%%%%%%%%%%%%%%%%%%%%                                             
                                                #%%%%%%%%%%%%%%%#%%%%%%%%%%                                             
                                                %%%%%%%%%%%%%%%%%%%%%%%%%%%                                            
-                                                                                                                                                                                                                               
+                                                                                                                                                                                                                               
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -12,6 +12,7 @@ AuthenticationPackageName,Event.EventData.AuthenticationPackageName
 CallTrace,Event.EventData.CallTrace
 Caller_Process_Name,Event.EventData.Caller_Process_Name
 CallingProcessName,Event.EventData.CallingProcessName
+CategoryName,Event.EventData.Category Name
 Channel,Event.System.Channel
 Client_Address,Event.EventData.Client_Address
 CommandLine,Event.EventData.CommandLine
@@ -30,6 +31,7 @@ DestinationIsIpv6,Event.EventData.DestinationIsIpv6
 DestinationPort,Event.EventData.DestinationPort
 Details,Event.EventData.Details
 DetectionSource,Event.EventData.DetectionSource
+DetectionUser,Event.EventData.Detection User
 Device,Event.EventData.Device
 DeviceClassName,Event.EventData.DeviceClassName
 DeviceDescription,Event.EventData.DeviceDescription
@@ -107,6 +109,7 @@ Service,Event.EventData.Service
 ServiceFileName,Event.EventData.ServiceFileName
 ServiceName,Event.EventData.ServiceName
 ServicePrincipalNames,Event.EventData.ServicePrincipalNames
+SeverityName,Event.EventData.Severity Name
 ShareName,Event.EventData.ShareName
 SidHistory,Event.EventData.SidHistory
 Signature,Event.EventData.Signature
@@ -136,6 +139,7 @@ TargetProcessAddress,Event.EventData.TargetProcessAddress
 TargetSid,Event.EventData.TargetSid
 TargetUserName,Event.EventData.TargetUserName
 TaskName,Event.EventData.TaskName
+ThreatName,Event.EventData.Threat Name
 TicketEncryptionType,Event.EventData.TicketEncryptionType
 TicketOptions,Event.EventData.TicketOptions
 Url,Event.EventData.url
--- a/config/exclude-rules-full.txt
+++ b/config/exclude-rules-full.txt
@@ -0,0 +1,8 @@
+4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 # ./rules/sigma/other/msexchange/win_exchange_transportagent.yml
+c92f1896-d1d2-43c3-92d5-7a5b35c217bb # ./rules/sigma/other/msexchange/win_exchange_cve_2021_42321.yml
+9f7aa113-9da6-4a8d-907c-5f1a4b908299 # ./rules/sigma/deprecated/powershell_syncappvpublishingserver_exe.yml
+
+# Replaced by hayabusa rules
+c265cf08-3f99-46c1-8d59-328247057d57 # ./rules/sigma/builtin/security/win_user_added_to_local_administrators.yml
+66b6be3d-55d0-4f47-9855-d69df21740ea # ./rules/sigma/builtin/security/win_user_creation.yml
+7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # ./rules/sigma/builtin/security/win_hidden_user_creation.yml
--- a/config/exclude-rules.txt
+++ b/config/exclude-rules.txt
@@ -2,4 +2,5 @@
 c92f1896-d1d2-43c3-92d5-7a5b35c217bb
 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
 c265cf08-3f99-46c1-8d59-328247057d57
-66b6be3d-55d0-4f47-9855-d69df21740ea
+66b6be3d-55d0-4f47-9855-d69df21740ea
+9f7aa113-9da6-4a8d-907c-5f1a4b908299
--- a/config/noisy-rules-full.txt
+++ b/config/noisy-rules-full.txt
@@ -0,0 +1,9 @@
+0f06a3a5-6a09-413f-8743-e6cf35561297 # ./rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml
+b0d77106-7bb0-41fe-bd94-d1752164d066 # ./rules/sigma/builtin/security/win_rare_schtasks_creations.yml
+66bfef30-22a5-4fcd-ad44-8d81e60922ae # ./rules/sigma/builtin/system/win_rare_service_installs.yml
+e98374a6-e2d9-4076-9b5c-11bdb2569995 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source.yml
+6309ffc4-8fa2-47cf-96b8-a2f72e58e538 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source2.yml
+61ab5496-748e-4818-a92f-de78e20fe7f1 # ./rules/sigma/process_creation/win_multiple_suspicious_cli.yml
+add2ef8d-dc91-4002-9e7e-f2702369f53a # ./rules/sigma/builtin/security/win_susp_failed_remote_logons_single_source.yml
+196a29c2-e378-48d8-ba07-8a9e61f7fab9 # ./rules/sigma/builtin/security/win_susp_failed_logons_explicit_credentials.yml
+72124974-a68b-4366-b990-d30e0b2a190d # ./rules/sigma/builtin/security/win_metasploit_authentication.yml
--- a/config/noisy-rules.txt
+++ b/config/noisy-rules.txt
@@ -3,4 +3,8 @@ b0d77106-7bb0-41fe-bd94-d1752164d066
 66bfef30-22a5-4fcd-ad44-8d81e60922ae
 e98374a6-e2d9-4076-9b5c-11bdb2569995
 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
+61ab5496-748e-4818-a92f-de78e20fe7f1
+add2ef8d-dc91-4002-9e7e-f2702369f53a
+196a29c2-e378-48d8-ba07-8a9e61f7fab9
+72124974-a68b-4366-b990-d30e0b2a190d
 b20f6158-9438-41be-83da-a5a16ac90c2b
--- a/config/regex/allowlist_legimate_serviceimage.txt
+++ b/config/regex/allowlist_legimate_serviceimage.txt
--- a/config/regex/detectlist_suspicous_services.txt
+++ b/config/regex/detectlist_suspicous_services.txt
--- a/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml
+++ b/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml
@@ -6,8 +6,8 @@ title: Malicious service installed
 title_jp: 悪意のあるサービスがインストールされた
 output: 'Service: %ServiceName%  :  Image path: %ImagePath'
 output_jp: 'サービス名: %ServiceName%  :  Imageパス: %ImagePath'
-description: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
-description_jp: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
+description: Malicious service was installed based on suspicious entries in ./config/regex/detectlist_suspicous_services.txt
+description_jp: Malicious service was installed based on suspicious entries in ./config/regex/detectlist_suspicous_services.txt

 id: dbbfd9f3-9508-478b-887e-03ddb9236909
 level: high
@@ -17,10 +17,10 @@ detection:
        Channel: System
        EventID: 7045
        ServiceName:
-            regexes: ./config/regex/regexes_suspicous_service.txt
+            regexes: ./config/regex/detectlist_suspicous_services.txt
        ImagePath:
            min_length: 1000
-            allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+            allowlist: .allowlist_legitimate_services.txt
    condition: selection
 falsepositives:
    - normal system usage
--- a/src/detections/rule/matchers.rs
+++ b/src/detections/rule/matchers.rs
@@ -538,8 +538,8 @@ mod tests {
                    - ホスト アプリケーション
                ImagePath:
                    min_length: 1234321
-                    regexes: ./config/regex/regexes_suspicous_service.txt
-                    allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+                    regexes: ./config/regex/detectlist_suspicous_services.txt
+                    allowlist: ./config/regex/allowlist_legitimate_services.txt
        falsepositives:
            - unknown
        level: medium
@@ -1165,7 +1165,7 @@ mod tests {
            selection:
                EventID: 4103
                Channel:
-                    - allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+                    - allowlist: ./config/regex/allowlist_legitimate_services.txt
        output: 'command=%CommandLine%'
        "#;

@@ -1202,7 +1202,7 @@ mod tests {
            selection:
                EventID: 4103
                Channel:
-                    - allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+                    - allowlist: ./config/regex/allowlist_legitimate_services.txt
        output: 'command=%CommandLine%'
        "#;

@@ -1239,7 +1239,7 @@ mod tests {
            selection:
                EventID: 4103
                Channel:
-                    - allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
+                    - allowlist: ./config/regex/allowlist_legitimate_services.txt
        output: 'command=%CommandLine%'
        "#;

--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -192,7 +192,7 @@ mod tests {

    #[test]
    fn test_check_regex() {
-        let regexes = utils::read_txt("./config/regex/regexes_suspicous_service.txt")
+        let regexes = utils::read_txt("./config/regex/detectlist_suspicous_services.txt")
            .unwrap()
            .into_iter()
            .map(|regex_str| Regex::new(&regex_str).unwrap())
@@ -207,7 +207,7 @@ mod tests {
    #[test]
    fn test_check_allowlist() {
        let commandline = "\"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe\"";
-        let allowlist = utils::read_txt("./config/regex/allowlist_legimate_serviceimage.txt")
+        let allowlist = utils::read_txt("./config/regex/allowlist_legitimate_services.txt")
            .unwrap()
            .into_iter()
            .map(|allow_str| Regex::new(&allow_str).unwrap())