diff --git a/rules/sigma/builtin/win_hidden_user_creation.yml b/rules/sigma/builtin/win_hidden_user_creation.yml index 526c96dd..45f43c4a 100644 --- a/rules/sigma/builtin/win_hidden_user_creation.yml +++ b/rules/sigma/builtin/win_hidden_user_creation.yml @@ -1,4 +1,3 @@ - title: Hidden Local User Creation author: Christian Burkard date: 2021/05/03 diff --git a/rules/sigma/builtin/win_user_added_to_local_administrators.yml b/rules/sigma/builtin/win_user_added_to_local_administrators.yml index 4fe138b6..06b76c48 100644 --- a/rules/sigma/builtin/win_user_added_to_local_administrators.yml +++ b/rules/sigma/builtin/win_user_added_to_local_administrators.yml @@ -1,4 +1,3 @@ - title: User Added to Local Administrators author: Florian Roth date: 2017/03/14 diff --git a/rules/sigma/builtin/win_user_creation.yml b/rules/sigma/builtin/win_user_creation.yml index aaa45500..27ec53cc 100644 --- a/rules/sigma/builtin/win_user_creation.yml +++ b/rules/sigma/builtin/win_user_creation.yml @@ -1,4 +1,3 @@ - title: Local User Creation author: Patrick Bareiss date: 2019/04/18 diff --git a/rules/sigma/other/win_exchange_cve_2021_42321.yml b/rules/sigma/other/win_exchange_cve_2021_42321.yml index 77e2a949..e17e37cf 100644 --- a/rules/sigma/other/win_exchange_cve_2021_42321.yml +++ b/rules/sigma/other/win_exchange_cve_2021_42321.yml @@ -1,4 +1,3 @@ - title: Possible Exploitation of Exchange RCE CVE-2021-42321 author: Florian Roth, @testanull date: 2021/11/18 diff --git a/src/yaml.rs b/src/yaml.rs index e724fb6c..7420410c 100644 --- a/src/yaml.rs +++ b/src/yaml.rs @@ -264,9 +264,9 @@ mod tests { #[test] fn test_exclude_rules_file() { let mut yaml = yaml::ParseYaml::new(); - let path = Path::new("test_files/rules/yaml"); + let path = Path::new("test_files/rules/"); yaml.read_dir(path.to_path_buf(), &"", &fillter::exclude_ids()) .unwrap(); - assert_eq!(yaml.ignorerule_count, 1); + assert_eq!(yaml.ignorerule_count, 10); } } 
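Review bot: `assert_eq!(yaml.ignorerule_count, 10);` pins the test to the number of fixtures currently under `test_files/rules/` rather than to which rules were excluded, so it cannot tell the intended exclusions apart from, say, one excluded fixture failing to parse while an unrelated rule gets dropped, and it must be edited every time a fixture is added. If `ParseYaml` records the excluded ids (not visible here), asserting on those ids would be the stronger check for a detection tool, since a rule silently excluded is lost coverage; otherwise document the expectation inline, e.g. `// 10 = exclude1-5.yml and noisy1-5.yml under test_files/rules/yaml/, whose ids are in the exclusion list` — the noisy half of that is inferred from the fixture names, so confirm it against `fillter::exclude_ids()`. Widening the path from `test_files/rules/yaml` to `test_files/rules/` also means any subdirectory added there later changes the count. `mod tests` starts outside the hunk; `test_exclude_rules_file` itself is fully inside it.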
diff --git a/test_files/rules/yaml/1.yml b/test_files/rules/yaml/1.yml index c34d0bc2..23a32d6a 100644 --- a/test_files/rules/yaml/1.yml +++ b/test_files/rules/yaml/1.yml @@ -1,5 +1,4 @@ title: Sysmon Check command lines -id : 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 description: hogehoge enabled: true author: Yea @@ -16,5 +15,4 @@ falsepositives: level: medium output: 'CommandLine=%CommandLine%¥nParentImage=%ParentImage%' creation_date: 2020/11/8 -updated_date: 2020/11/8 - +updated_date: 2020/11/8 \ No newline at end of file diff --git a/test_files/rules/yaml/exclude1.yml b/test_files/rules/yaml/exclude1.yml new file mode 100644 index 00000000..76e3e73d --- /dev/null +++ b/test_files/rules/yaml/exclude1.yml @@ -0,0 +1,19 @@ +title: Sysmon Check command lines +id : 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 +description: hogehoge +enabled: true +author: Yea +logsource: + product: windows +detection: + selection: + EventLog: Sysmon + EventID: 1 + CommandLine: '*' + condition: selection +falsepositives: + - unknown +level: medium +output: 'CommandLine=%CommandLine%¥nParentImage=%ParentImage%' +creation_date: 2020/11/8 +updated_date: 2020/11/8 \ No newline at end of file diff --git a/test_files/rules/yaml/exclude2.yml b/test_files/rules/yaml/exclude2.yml new file mode 100644 index 00000000..e17e37cf --- /dev/null +++ b/test_files/rules/yaml/exclude2.yml 
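Review bot: Dropping `id : 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6` leaves 1.yml with no `id` key at all, while the new exclude1.yml is an otherwise identical copy that keeps that id; presumably the intent is that 1.yml stays loaded while the id is excluded, but the fixture now also exercises whatever the parser does with a missing id, which may not be the coverage wanted. If the goal is simply a non-excluded rule, giving 1.yml its own fixture-only id, e.g. `id: <fixture-only uuid not in the exclusion list>`, keeps the two fixtures distinguishable without relying on missing-id tolerance. The second hunk on this file only changes the trailing newline.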
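Review bot: `output: 'CommandLine=%CommandLine%¥nParentImage=%ParentImage%'` in the new exclude1.yml carries a yen sign where a `\n` escape was almost certainly intended (a common Japanese-keyboard substitution); it is copied verbatim from 1.yml, so the same applies there, and if output templates are ever rendered the result will contain a literal `¥n`. The `id : ...` spelling with a space before the colon still parses as key `id`, but it differs from every other fixture in this diff and is worth normalising to `id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6` while the file is being created.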
@@ -0,0 +1,21 @@ +title: Possible Exploitation of Exchange RCE CVE-2021-42321 +author: Florian Roth, @testanull +date: 2021/11/18 +description: Detects log entries that appear in exploitation attempts against MS Exchange + RCE CVE-2021-42321 +detection: + condition: 'Cmdlet failed. Cmdlet Get-App, ' +falsepositives: +- Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues +id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb +level: critical +logsource: + product: windows + service: msexchange-management +references: +- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321 +status: experimental +tags: +- attack.lateral_movement +- attack.t1210 +ruletype: SIGMA diff --git a/test_files/rules/yaml/exclude3.yml b/test_files/rules/yaml/exclude3.yml new file mode 100644 index 00000000..45f43c4a --- /dev/null +++ b/test_files/rules/yaml/exclude3.yml @@ -0,0 +1,28 @@ +title: Hidden Local User Creation +author: Christian Burkard +date: 2021/05/03 +description: Detects the creation of a local hidden user account which should not + happen for event ID 4720. +detection: + SELECTION_1: + EventID: 4720 + SELECTION_2: + TargetUserName: '*$' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- unknown +fields: +- EventCode +- AccountName +id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538 +level: high +logsource: + product: windows + service: security +references: +- https://twitter.com/SBousseaden/status/1387743867663958021 +status: experimental +tags: +- attack.persistence +- attack.t1136.001 +ruletype: SIGMA diff --git a/test_files/rules/yaml/exclude4.yml b/test_files/rules/yaml/exclude4.yml new file mode 100644 index 00000000..06b76c48 --- /dev/null +++ b/test_files/rules/yaml/exclude4.yml 
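Review bot: exclude2.yml is a byte-for-byte copy of rules/sigma/other/win_exchange_cve_2021_42321.yml (both resolve to blob `e17e37cf`), and exclude3.yml, exclude4.yml and exclude5.yml (blobs `45f43c4a`, `06b76c48`, `27ec53cc`) copy the three builtin rules edited at the top of this diff, so the fixtures share rule ids with live rules and will silently drift from them as the upstream rules change. Since the exclusion test only needs a rule whose id is on the exclusion list, a minimal fixture per file (`title`, `id`, `logsource`, `detection`) would make that dependency explicit and avoid the duplicated ids; if full copies are deliberate, a comment at the top of each, e.g. `# fixture copy of rules/sigma/other/win_exchange_cve_2021_42321.yml; its id must remain in the exclusion config`, records why. noisy1.yml through noisy5.yml look like upstream rule copies as well, though their source is not in this diff.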
@@ -0,0 +1,30 @@ +title: User Added to Local Administrators +author: Florian Roth +date: 2017/03/14 +description: This rule triggers on user accounts that are added to the local Administrators + group, which could be legitimate activity or a sign of privilege escalation activity +detection: + SELECTION_1: + EventID: 4732 + SELECTION_2: + TargetUserName: Administr* + SELECTION_3: + TargetSid: S-1-5-32-544 + SELECTION_4: + SubjectUserName: '*$' + condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and not (SELECTION_4)) +falsepositives: +- Legitimate administrative activity +id: c265cf08-3f99-46c1-8d59-328247057d57 +level: medium +logsource: + product: windows + service: security +modified: 2021/07/07 +status: stable +tags: +- attack.privilege_escalation +- attack.t1078 +- attack.persistence +- attack.t1098 +ruletype: SIGMA diff --git a/test_files/rules/yaml/exclude5.yml b/test_files/rules/yaml/exclude5.yml new file mode 100644 index 00000000..27ec53cc --- /dev/null +++ b/test_files/rules/yaml/exclude5.yml @@ -0,0 +1,31 @@ +title: Local User Creation +author: Patrick Bareiss +date: 2019/04/18 +description: Detects local user creation on windows servers, which shouldn't happen + in an Active Directory environment. Apply this Sigma Use Case on your windows server + logs and not on your DC logs. +detection: + SELECTION_1: + EventID: 4720 + condition: SELECTION_1 +falsepositives: +- Domain Controller Logs +- Local accounts managed by privileged account management tools +fields: +- EventCode +- AccountName +- AccountDomain +id: 66b6be3d-55d0-4f47-9855-d69df21740ea +level: low +logsource: + product: windows + service: security +modified: 2020/08/23 +references: +- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/ +status: experimental +tags: +- attack.persistence +- attack.t1136 +- attack.t1136.001 +ruletype: SIGMA diff --git a/test_files/rules/yaml/noisy1.yml b/test_files/rules/yaml/noisy1.yml new file mode 100644 index 00000000..6ea217b6 
--- /dev/null +++ b/test_files/rules/yaml/noisy1.yml @@ -0,0 +1,25 @@ +title: WMI Event Subscription +author: Tom Ueltschi (@c_APT_ure) +date: 2019/01/12 +description: Detects creation of WMI event subscription persistence method +detection: + SELECTION_1: + EventID: 19 + SELECTION_2: + EventID: 20 + SELECTION_3: + EventID: 21 + condition: (SELECTION_1 or SELECTION_2 or SELECTION_3) +falsepositives: +- exclude legitimate (vetted) use of WMI event subscription in your network +id: 0f06a3a5-6a09-413f-8743-e6cf35561297 +level: high +logsource: + category: wmi_event + product: windows +status: experimental +tags: +- attack.t1084 +- attack.persistence +- attack.t1546.003 +ruletype: SIGMA \ No newline at end of file diff --git a/test_files/rules/yaml/noisy2.yml b/test_files/rules/yaml/noisy2.yml new file mode 100644 index 00000000..2296fba4 --- /dev/null +++ b/test_files/rules/yaml/noisy2.yml @@ -0,0 +1,31 @@ +title: Rare Schtasks Creations +author: Florian Roth +date: 2017/03/23 +description: Detects rare scheduled tasks creations that only appear a few times per + time frame and could reveal password dumpers, backdoor installs or other types of + malicious code +detection: + SELECTION_1: + EventID: 4698 + condition: SELECTION_1 | count() by TaskName < 5 +falsepositives: +- Software installation +- Software updates +id: b0d77106-7bb0-41fe-bd94-d1752164d066 +level: low +logsource: + definition: The Advanced Audit Policy setting Object Access > Audit Other Object + Access Events has to be configured to allow this detection (not in the baseline + recommendations by Microsoft). We also recommend extracting the Command field + from the embedded XML in the event data. + product: windows + service: security +status: experimental +tags: +- attack.execution +- attack.privilege_escalation +- attack.persistence +- attack.t1053 +- car.2013-08-001 +- attack.t1053.005 +ruletype: SIGMA 
diff --git a/test_files/rules/yaml/noisy3.yml b/test_files/rules/yaml/noisy3.yml new file mode 100644 index 00000000..7e2071a0 --- /dev/null +++ b/test_files/rules/yaml/noisy3.yml @@ -0,0 +1,26 @@ +title: Rare Service Installs +author: Florian Roth +date: 2017/03/08 +description: Detects rare service installs that only appear a few times per time frame + and could reveal password dumpers, backdoor installs or other types of malicious + services +detection: + SELECTION_1: + EventID: 7045 + condition: SELECTION_1 | count() by ServiceFileName < 5 +falsepositives: +- Software installation +- Software updates +id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae +level: low +logsource: + product: windows + service: system +status: experimental +tags: +- attack.persistence +- attack.privilege_escalation +- attack.t1050 +- car.2013-09-005 +- attack.t1543.003 +ruletype: SIGMA diff --git a/test_files/rules/yaml/noisy4.yml b/test_files/rules/yaml/noisy4.yml new file mode 100644 index 00000000..39bbd1a3 --- /dev/null +++ b/test_files/rules/yaml/noisy4.yml @@ -0,0 +1,33 @@ +title: Failed Logins with Different Accounts from Single Source System +author: Florian Roth +date: 2017/01/10 +description: Detects suspicious failed logins with different user accounts from a + single source system +detection: + SELECTION_1: + EventID: 529 + SELECTION_2: + EventID: 4625 + SELECTION_3: + TargetUserName: '*' + SELECTION_4: + WorkstationName: '*' + condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) | count(TargetUserName) + by WorkstationName > 3 +falsepositives: +- Terminal servers +- Jump servers +- Other multiuser systems like Citrix server farms +- Workstations with frequently changing users +id: e98374a6-e2d9-4076-9b5c-11bdb2569995 +level: medium +logsource: + product: windows + service: security +modified: 2021/09/21 +status: experimental +tags: +- attack.persistence +- attack.privilege_escalation +- attack.t1078 +ruletype: SIGMA 
diff --git a/test_files/rules/yaml/noisy5.yml b/test_files/rules/yaml/noisy5.yml new file mode 100644 index 00000000..ddfc134a --- /dev/null +++ b/test_files/rules/yaml/noisy5.yml @@ -0,0 +1,34 @@ +title: Failed Logins with Different Accounts from Single Source System +author: Florian Roth +date: 2017/01/10 +description: Detects suspicious failed logins with different user accounts from a + single source system +detection: + SELECTION_1: + EventID: 4776 + SELECTION_2: + TargetUserName: '*' + SELECTION_3: + Workstation: '*' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) | count(TargetUserName) + by Workstation > 3 +falsepositives: +- Terminal servers +- Jump servers +- Other multiuser systems like Citrix server farms +- Workstations with frequently changing users +id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538 +level: medium +logsource: + product: windows + service: security +modified: 2021/09/21 +related: +- id: e98374a6-e2d9-4076-9b5c-11bdb2569995 + type: derived +status: experimental +tags: +- attack.persistence +- attack.privilege_escalation +- attack.t1078 +ruletype: SIGMA