Merge branch 'master' into oscd

Makefile

@@ -1,7 +1,7 @@
-.PHONY: test test-rules test-sigmac
+.PHONY: test test-rules test-sigmac test-sigma2attack
 TMPOUT = $(shell tempfile||mktemp)
-COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma
-test: clearcov test-rules test-sigmac test-merge build finish
+COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma,tools/sigma2attack
+test: clearcov test-rules test-sigmac test-merge test-sigma2attack build finish
 
 clearcov:
 	rm -f .coverage
@@ -92,6 +92,9 @@ test-merge:
 test-backend-es-qs:
 	tests/test-backend-es-qs.py
 
+test-sigma2attack:
+	coverage run -a --include=$(COVSCOPE) tools/sigma2attack
+
 build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg
 	cd tools && python3 setup.py bdist_wheel sdist
 

README.md

@@ -33,7 +33,7 @@ The SANS webcast on Sigma contains a very good 20 min introduction to the projec
 # Use Cases
 
 * Describe your detection method in Sigma to make it sharable
-* Write and your SIEM searches in Sigma to avoid a vendor lock-in
+* Write your SIEM searches in Sigma to avoid a vendor lock-in
 * Share the signature in the appendix of your analysis along with IOCs and YARA rules
 * Share the signature in threat intel communities - e.g. via MISP
 * Provide Sigma signatures for malicious behaviour in your own application
@@ -254,6 +254,27 @@ sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
 
 [Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. 
 
+## Sigma2attack
+
+Generates a [MITRE ATT&CK Navigator](https://github.com/mitre/attack-navigator/) heatmap from a directory containing sigma rules.
+
+Requirements:
+- Sigma rules tagged with a `attack.tXXXX` tag (e.g.: `attack.t1086`)
+
+Usage samples:
+
+```
+# Use the default "rules" folder
+./tools/sigma2attack
+
+# ... or specify your own
+./tools/sigma2attack --rules-directory ~/hunting/rules
+```
+
+Result once imported in the MITRE ATT&CK Navigator ([online version](https://mitre-attack.github.io/attack-navigator/enterprise/)):
+
+![Sigma2attack result](./images/sigma2attack.png)
+
 ## Contributed Scripts
 
 The directory `contrib` contains scripts that were contributed by the community:

rules/apt/apt_wocao.yml

@@ -0,0 +1,41 @@
+action: global
+title: Operation Wocao Activity
+id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
+author: Florian Roth
+status: experimental
+description: Detects activity mentioned in Operation Wocao report
+references:
+    - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
+    - https://twitter.com/SBousseaden/status/1207671369963646976
+date: 2019/12/20
+falsepositives:
+    - Administrators that use checkadmin.exe tool to enumerate local administrators
+level: high
+---
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4799
+        GroupName: 'Administrators'
+        ProcessName: '*\checkadmin.exe'
+    condition: selection
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains: 
+            - 'checkadmin.exe 127.0.0.1 -all'
+            - 'netsh advfirewall firewall add rule name=powershell dir=in'
+            - 'cmd /c powershell.exe -ep bypass -file c:\s.ps1'
+            - '/tn win32times /f'
+            - 'create win32times binPath='
+            - '\c$\windows\system32\devmgr.dll'
+            - ' -exec bypass -enc JgAg'
+            - 'type *keepass\KeePass.config.xml'
+            - 'iie.exe iie.txt'
+            - 'reg query HKEY_CURRENT_USER\Software\*\PuTTY\Sessions\'
+    condition: selection

rules/web/web_citrix_cve_2019_19781_exploit.yml

@@ -0,0 +1,29 @@
+title: Citrix Netscaler Attack CVE-2019-19781
+description: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack
+id: ac5a6409-8c89-44c2-8d64-668c29a2d756
+references:
+    - https://support.citrix.com/article/CTX267679
+    - https://support.citrix.com/article/CTX267027
+    - https://isc.sans.edu/diary/25686
+author: Arnim Rupp, Florian Roth
+status: experimental
+date: 2020/01/02
+modified: 2020/01/07
+logsource:
+    category: webserver
+    description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt)'
+detection:
+    selection:
+        c-uri-path: 
+            - '*/../vpns/*'
+            - '*/vpns/cfg/smb.conf'
+    condition: selection
+fields:
+    - client_ip
+    - vhost
+    - url
+    - response
+falsepositives:
+    - Unknown
+level: critical
+

rules/windows/powershell/powershell_malicious_commandlets.yml

@@ -110,6 +110,7 @@ detection:
             - "*Invoke-ReverseDNSLookup*"
             - "*Invoke-SMBScanner*"
             - "*Invoke-Mimikittenz*"
+            - "*Invoke-AllChecks*"
     false_positives:
         - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
     condition: keywords and not false_positives

rules/windows/process_creation/win_hack_bloodhound.yml

@@ -0,0 +1,39 @@
+title: Bloodhound and Sharphound Hack Tool
+id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
+description: Detects command line parameters used by Bloodhound and Sharphound hack tools
+author: Florian Roth
+references:
+    - https://github.com/BloodHoundAD/BloodHound
+    - https://github.com/BloodHoundAD/SharpHound
+date: 2019/12/20
+modified: 2019/12/21
+tags:
+    - attack.discovery
+    - attack.t1087
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1: 
+        Image|contains: 
+            - '\Bloodhound.exe'
+            - '\SharpHound.exe'
+    selection2:
+        CommandLine|contains: 
+            - ' -CollectionMethod All '
+            - '.exe -c All -d '
+            - 'Invoke-Bloodhound'
+            - 'Get-BloodHoundData'
+    selection3:
+        CommandLine|contains|all: 
+            - ' -JsonFolder '
+            - ' -ZipFileName '
+    selection4:
+        CommandLine|contains|all: 
+            - ' DCOnly '
+            - ' --NoSaveCache '
+    condition: 1 of them
+falsepositives:
+    - Other programs that use these command line option and accepts an 'All' parameter
+level: high
+

rules/windows/process_creation/win_hack_secutyxploded.yml

@@ -0,0 +1,26 @@
+title: SecurityXploded Tool
+id: 7679d464-4f74-45e2-9e01-ac66c5eb041a
+description: Detects the execution of SecurityXploded Tools
+author: Florian Roth
+references:
+    - https://securityxploded.com/
+    - https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
+date: 2018/12/19
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.s0005
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Company: SecurityXploded
+    selection2:
+        Image|endswith: 'PasswordDump.exe'
+    selection3:
+        OriginalFilename|endswith: 'PasswordDump.exe'
+    condition: 1 of them
+falsepositives:
+    - unlikely
+level: critical

rules/windows/process_creation/win_hktl_createminidump.yml

@@ -0,0 +1,33 @@
+action: global
+title: CreateMiniDump Hacktool
+id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
+description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
+author: Florian Roth
+references:
+    - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
+date: 2019/12/22
+tags:
+    - attack.credential_access
+    - attack.t1003
+falsepositives:
+    - Unknown
+level: high
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1: 
+        Image|contains: '\CreateMiniDump.exe'
+    selection2:
+        Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
+    condition: 1 of them
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 11
+        TargetFileName|contains: '*\lsass.dmp'
+    condition: 1 of them

rules/windows/process_creation/win_install_reg_debugger_backdoor.yml

@@ -22,6 +22,7 @@ detection:
             - '*\CurrentVersion\Image File Execution Options\magnify.exe*'
             - '*\CurrentVersion\Image File Execution Options\narrator.exe*'
             - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'
+            - '*\CurrentVersion\Image File Execution Options\atbroker.exe*'
     condition: selection
 falsepositives:
     - Penetration Tests

rules/windows/process_creation/win_malware_trickbot_recon_activity.yml

@@ -0,0 +1,27 @@
+title: Trickbot Malware Recon Activity
+id: 410ad193-a728-4107-bc79-4419789fcbf8
+status: experimental
+description: Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.
+references:
+    - https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
+author: David Burkett
+date: 12/28/2019
+tags:
+    - attack.t1482
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image:
+            - '*\nltest.exe'
+        CommandLine:
+            - '/domain_trusts /all_trusts'
+            - '/domain_trusts'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Rare System Admin Activity
+level: critical

rules/windows/process_creation/win_susp_copy_lateral_movement.yml

@@ -0,0 +1,27 @@
+title: Copy from Admin Share
+id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
+status: experimental
+description: Detects a suspicious copy command from a remote C$ or ADMIN$ share
+references: 
+  - https://twitter.com/SBousseaden/status/1211636381086339073
+author: Florian Roth
+date: 2019/12/30
+tags:
+    - attack.lateral_movement
+    - attack.t1077
+    - attack.t1105
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains: 
+          - 'copy *\c$'
+          - 'copy *\ADMIN$'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Administrative scripts
+level: high

rules/windows/process_creation/win_susp_powershell_enc_cmd.yml

@@ -1,6 +1,6 @@
 title: Suspicious Encoded PowerShell Command Line
 id: ca2092a1-c273-4878-9b4b-0d60115bf5ea
-description: Detects suspicious powershell process starts with base64 encoded commands
+description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
 status: experimental
 references:
     - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e

rules/windows/process_creation/win_susp_svchost_no_cli.yml

@@ -0,0 +1,29 @@
+title: Suspect svchost Activity
+id: 16c37b52-b141-42a5-a3ea-bbe098444397
+status: experimental
+description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
+references:
+    - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
+author: David Burkett
+date: 12/28/2019
+tags:
+    - attack.t1055
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine: null
+    selection2:
+        Image: '*\svchost.exe'
+    filter:
+        ParentImage:
+            - '*\rpcnet.exe'
+            - '*\rpcnetp.exe'
+    condition: (selection1 and selection2) and not filter
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf
+level: critical

rules/windows/process_creation/win_susp_whoami_localsystem.yml

@@ -0,0 +1,22 @@
+title: Whoami as LOCAL_SYSTEM
+id: 1453b1a4-261b-4daf-afe1-2a400a838b5c
+status: experimental
+description: Detects the execution of whoami as LOCAL_SYSTEM, often used after privilege escalation by attackers who want to evaluate the new user context
+author: Florian Roth
+date: 2019/12/22
+tags:
+    - attack.discovery
+    - attack.t1033
+    - car.2016-03-001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|contains: '\whoami.exe'
+        User: 'NT AUTHORITY\SYSTEM' 
+    condition: selection
+falsepositives:
+    - Admin activity
+    - Scripts and administrative tools used in the monitored environment
+level: critical

rules/windows/process_creation/win_system_exe_anomaly.yml

@@ -38,6 +38,7 @@ detection:
             - 'C:\Windows\explorer.exe'
             - 'C:\Windows\winsxs\\*'
             - 'C:\Windows\WinSxS\\*'
+            - '\SystemRoot\System32\\*'
     condition: selection and not filter
 fields:
     - ComputerName