add test rule files

rules/sigma/builtin/win_hidden_user_creation.yml

@@ -1,4 +1,3 @@
-
 title: Hidden Local User Creation
 author: Christian Burkard
 date: 2021/05/03

rules/sigma/builtin/win_user_added_to_local_administrators.yml

@@ -1,4 +1,3 @@
-
 title: User Added to Local Administrators
 author: Florian Roth
 date: 2017/03/14

rules/sigma/builtin/win_user_creation.yml

@@ -1,4 +1,3 @@
-
 title: Local User Creation
 author: Patrick Bareiss
 date: 2019/04/18

rules/sigma/other/win_exchange_cve_2021_42321.yml

@@ -1,4 +1,3 @@
-
 title: Possible Exploitation of Exchange RCE CVE-2021-42321
 author: Florian Roth, @testanull
 date: 2021/11/18

src/yaml.rs

@@ -264,9 +264,9 @@ mod tests {
     #[test]
     fn test_exclude_rules_file() {
         let mut yaml = yaml::ParseYaml::new();
-        let path = Path::new("test_files/rules/yaml");
+        let path = Path::new("test_files/rules/");
         yaml.read_dir(path.to_path_buf(), &"", &fillter::exclude_ids())
             .unwrap();
-        assert_eq!(yaml.ignorerule_count, 1);
+        assert_eq!(yaml.ignorerule_count, 10);
     }
 }

test_files/rules/yaml/1.yml

@@ -1,5 +1,4 @@
 title: Sysmon Check command lines
-id : 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
 description: hogehoge
 enabled: true
 author: Yea
@@ -17,4 +16,3 @@ level: medium
 output: 'CommandLine=%CommandLine%¥nParentImage=%ParentImage%'
 creation_date: 2020/11/8
 updated_date: 2020/11/8
-

test_files/rules/yaml/exclude1.yml

@@ -0,0 +1,19 @@
+title: Sysmon Check command lines
+id : 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
+description: hogehoge
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        EventLog: Sysmon
+        EventID: 1
+        CommandLine: '*'
+    condition: selection
+falsepositives:
+    - unknown
+level: medium
+output: 'CommandLine=%CommandLine%¥nParentImage=%ParentImage%'
+creation_date: 2020/11/8
+updated_date: 2020/11/8

test_files/rules/yaml/exclude2.yml

@@ -0,0 +1,21 @@
+title: Possible Exploitation of Exchange RCE CVE-2021-42321
+author: Florian Roth, @testanull
+date: 2021/11/18
+description: Detects log entries that appear in exploitation attempts against MS Exchange
+  RCE CVE-2021-42321
+detection:
+  condition: 'Cmdlet failed. Cmdlet Get-App, '
+falsepositives:
+- Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
+id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb
+level: critical
+logsource:
+  product: windows
+  service: msexchange-management
+references:
+- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1210
+ruletype: SIGMA

test_files/rules/yaml/exclude3.yml

@@ -0,0 +1,28 @@
+title: Hidden Local User Creation
+author: Christian Burkard
+date: 2021/05/03
+description: Detects the creation of a local hidden user account which should not
+  happen for event ID 4720.
+detection:
+  SELECTION_1:
+    EventID: 4720
+  SELECTION_2:
+    TargetUserName: '*$'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- EventCode
+- AccountName
+id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
+level: high
+logsource:
+  product: windows
+  service: security
+references:
+- https://twitter.com/SBousseaden/status/1387743867663958021
+status: experimental
+tags:
+- attack.persistence
+- attack.t1136.001
+ruletype: SIGMA

test_files/rules/yaml/exclude4.yml

@@ -0,0 +1,30 @@
+title: User Added to Local Administrators
+author: Florian Roth
+date: 2017/03/14
+description: This rule triggers on user accounts that are added to the local Administrators
+  group, which could be legitimate activity or a sign of privilege escalation activity
+detection:
+  SELECTION_1:
+    EventID: 4732
+  SELECTION_2:
+    TargetUserName: Administr*
+  SELECTION_3:
+    TargetSid: S-1-5-32-544
+  SELECTION_4:
+    SubjectUserName: '*$'
+  condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and  not (SELECTION_4))
+falsepositives:
+- Legitimate administrative activity
+id: c265cf08-3f99-46c1-8d59-328247057d57
+level: medium
+logsource:
+  product: windows
+  service: security
+modified: 2021/07/07
+status: stable
+tags:
+- attack.privilege_escalation
+- attack.t1078
+- attack.persistence
+- attack.t1098
+ruletype: SIGMA

test_files/rules/yaml/exclude5.yml

@@ -0,0 +1,31 @@
+title: Local User Creation
+author: Patrick Bareiss
+date: 2019/04/18
+description: Detects local user creation on windows servers, which shouldn't happen
+  in an Active Directory environment. Apply this Sigma Use Case on your windows server
+  logs and not on your DC logs.
+detection:
+  SELECTION_1:
+    EventID: 4720
+  condition: SELECTION_1
+falsepositives:
+- Domain Controller Logs
+- Local accounts managed by privileged account management tools
+fields:
+- EventCode
+- AccountName
+- AccountDomain
+id: 66b6be3d-55d0-4f47-9855-d69df21740ea
+level: low
+logsource:
+  product: windows
+  service: security
+modified: 2020/08/23
+references:
+- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
+status: experimental
+tags:
+- attack.persistence
+- attack.t1136
+- attack.t1136.001
+ruletype: SIGMA

test_files/rules/yaml/noisy1.yml

@@ -0,0 +1,25 @@
+title: WMI Event Subscription
+author: Tom Ueltschi (@c_APT_ure)
+date: 2019/01/12
+description: Detects creation of WMI event subscription persistence method
+detection:
+  SELECTION_1:
+    EventID: 19
+  SELECTION_2:
+    EventID: 20
+  SELECTION_3:
+    EventID: 21
+  condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
+falsepositives:
+- exclude legitimate (vetted) use of WMI event subscription in your network
+id: 0f06a3a5-6a09-413f-8743-e6cf35561297
+level: high
+logsource:
+  category: wmi_event
+  product: windows
+status: experimental
+tags:
+- attack.t1084
+- attack.persistence
+- attack.t1546.003
+ruletype: SIGMA

test_files/rules/yaml/noisy2.yml

@@ -0,0 +1,31 @@
+title: Rare Schtasks Creations
+author: Florian Roth
+date: 2017/03/23
+description: Detects rare scheduled tasks creations that only appear a few times per
+  time frame and could reveal password dumpers, backdoor installs or other types of
+  malicious code
+detection:
+  SELECTION_1:
+    EventID: 4698
+  condition: SELECTION_1 | count() by TaskName < 5
+falsepositives:
+- Software installation
+- Software updates
+id: b0d77106-7bb0-41fe-bd94-d1752164d066
+level: low
+logsource:
+  definition: The Advanced Audit Policy setting Object Access > Audit Other Object
+    Access Events has to be configured to allow this detection (not in the baseline
+    recommendations by Microsoft). We also recommend extracting the Command field
+    from the embedded XML in the event data.
+  product: windows
+  service: security
+status: experimental
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.persistence
+- attack.t1053
+- car.2013-08-001
+- attack.t1053.005
+ruletype: SIGMA

test_files/rules/yaml/noisy3.yml

@@ -0,0 +1,26 @@
+title: Rare Service Installs
+author: Florian Roth
+date: 2017/03/08
+description: Detects rare service installs that only appear a few times per time frame
+  and could reveal password dumpers, backdoor installs or other types of malicious
+  services
+detection:
+  SELECTION_1:
+    EventID: 7045
+  condition: SELECTION_1 | count() by ServiceFileName < 5
+falsepositives:
+- Software installation
+- Software updates
+id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
+level: low
+logsource:
+  product: windows
+  service: system
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1050
+- car.2013-09-005
+- attack.t1543.003
+ruletype: SIGMA

test_files/rules/yaml/noisy4.yml

@@ -0,0 +1,33 @@
+title: Failed Logins with Different Accounts from Single Source System
+author: Florian Roth
+date: 2017/01/10
+description: Detects suspicious failed logins with different user accounts from a
+  single source system
+detection:
+  SELECTION_1:
+    EventID: 529
+  SELECTION_2:
+    EventID: 4625
+  SELECTION_3:
+    TargetUserName: '*'
+  SELECTION_4:
+    WorkstationName: '*'
+  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) | count(TargetUserName)
+    by WorkstationName > 3
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: e98374a6-e2d9-4076-9b5c-11bdb2569995
+level: medium
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/21
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1078
+ruletype: SIGMA

test_files/rules/yaml/noisy5.yml

@@ -0,0 +1,34 @@
+title: Failed Logins with Different Accounts from Single Source System
+author: Florian Roth
+date: 2017/01/10
+description: Detects suspicious failed logins with different user accounts from a
+  single source system
+detection:
+  SELECTION_1:
+    EventID: 4776
+  SELECTION_2:
+    TargetUserName: '*'
+  SELECTION_3:
+    Workstation: '*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) | count(TargetUserName)
+    by Workstation > 3
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
+level: medium
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/21
+related:
+- id: e98374a6-e2d9-4076-9b5c-11bdb2569995
+  type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1078
+ruletype: SIGMA