
[OSCD Sprint #1] Final Pull Request / Summary #554

Open · wants to merge 173 commits into base: master
Conversation

@yugoslavskiy (Collaborator)
yugoslavskiy commented Dec 7, 2019

The last set of Sigma rules developed during the first OSCD sprint.

Summary

  • 144 new rules added
  • 19 existing rules improved
  • two existing rules deprecated

Sergey Soldatov, @SVSoldatov (Kaspersky MDR) 🇷🇺

added 1 rule:

  • win_run_powershell_script_from_ads.yml

Tom Kern (NIL SOC) 🇸🇮

added 1 rule:

  • sysmon_in_memory_powershell.yml

James Pemberton, @4A616D6573 (Hydro Tasmania) 🇦🇺

improved 2 rules:

  • win_renamed_binary.yml
  • win_susp_net_execution.yml

Ian Davis (Tieto SOC) 🇨🇿

added 2 new rules:

  • win_tap_installer_execution.yml
  • win_tap_driver_installation.yml

CERT-GIB 🇷🇺

  • Alina Stepchenkova
  • Roman Rezvukhin

added 2 rules:

  • apt_silence_eda.yml
  • apt_silence_downloader_v3.yml

Daniel Bohannon, @danielhbohannon (FireEye) 🇺🇸

added 3 rules:

  • win_invoke_obfuscation_obfuscated_iex_services.yml
  • powershell_invoke_obfuscation_obfuscated_iex.yml
  • win_invoke_obfuscation_obfuscated_iex_commandline.yml

Diego Perez, @darkquassar (Independent Researcher) 🇦🇷

added 3 new rules:

  • sysmon_suspicious_remote_thread.yml
  • sysmon_in_memory_assembly_execution.yml
  • sysmon_minidumwritedump_lsass.yml

improved 1 rule:

  • powershell_suspicious_keywords.yml

Victor Sergeev, @stvetro (Help AG) 🇦🇪

added 4 new rules:

  • win_susp_direct_run_key_modification.yml
  • win_susp_netsh_dll_persistence.yml
  • win_susp_service_path_modification.yml
  • sysmon_asep_reg_keys_modification.yml

Jet CSIRT 🇷🇺

  • Mikhail Larin
  • Alexander Akhremchik
  • Dmitriy Lifanov

added 5 new rules:

  • generic_brute_force.yml
  • lnx_auditd_auditing_config_change.yml
  • lnx_auditd_logging_config_change.yml
  • sysmon_narrator_feedback_persistance.yml
  • sysmon_regsvr32_network_activity.yml

Teymur Kheirkhabarov, @HeirhabarovT (BI.ZONE SOC) 🇷🇺

added 6 new rules:

  • win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
  • win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
  • win_possible_privilege_escalation_using_rotten_potato.yml
  • win_using_sc_to_change_sevice_image_path_by_non_admin.yml
  • win_whoami_as_system.yml
  • sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml

PT ESC 🇷🇺

  • Alexey Potapov
  • Kirill Kiryanov
  • Egor Podmokov
  • Anton Kutepov
  • Alexey Lednyov
  • Anton Tyurin

added 4 new rules:

  • silenttrinity_stage_use.yml
  • win_netsh_packet_capture.yml
  • win_sysmon_driver_unload.yml
  • sysmon_registry_persistence_key_linking.yml

improved 3 rules:

  • win_odbcconf_execution.yml
  • sysmon_cobaltstrike_process_injection.yml
  • sysmon_cred_dump_lsass_access.yml

Jakob Weinzettl, @mrblacyk (Tieto SOC) 🇵🇱

added 7 new rules:

  • lnx_dd_delete_file.yml
  • lnx_pers_systemd_reload.yml
  • lnx_file_or_folder_permissions.yml
  • lnx_chattr_immutable_removal.yml
  • win_service_stop.yml
  • win_file_permission_modifications.yml
  • win_dsquery_domain_trust_discovery.yml

Rules shared by (Tieto SOC) 🇨🇿

added 9 new rules:

  • net_high_dns_bytes_out.yml
  • net_high_dns_requests_rate.yml
  • net_high_null_records_requests_rate.yml
  • net_high_txt_records_requests_rate.yml
  • powershell_dnscat_execution.yml
  • win_dns_exfiltration_tools_execution.yml
  • win_exfiltration_and_tunneling_tools_execution.yml
  • net_dns_high_subdomain_rate.yml
  • net_dns_large_domain_name.yml

improved 1 rule:

  • net_dns_c2_detection.yml

Denis Beyu (GKU TO CITTO) 🇷🇺

added 11 new rules:

  • lnx_auditd_web_rce.yml
  • win_susp_bginfo.yml
  • win_susp_cdb.yml
  • win_susp_devtoolslauncher.yml
  • win_susp_dnx.yml
  • win_susp_dxcap.yml
  • win_susp_msoffice.yml
  • win_susp_odbcconf.yml
  • win_susp_openwith.yml
  • win_susp_psr_capture_screenshots.yml
  • sysmon_webshell_creation_detect.yml

Ilyas Ochkov, @CatSchrodinger (Independent Researcher) 🇷🇺

added 13 new rules:

  • net_possible_dns_rebinding.yml
  • proxy_suspicious_reverse_connect_via_http_proxy.yml
  • win_new_or_renamed_user_account_with_dollar_sign.yml
  • win_possible_dc_sync.yml
  • win_register_new_logon_process_by_rubeus.yml
  • win_suspicious_outbound_kerberos_connection.yml
  • win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
  • powershell_clear_powershell_history.yml
  • sysmon_disable_security_events_logging_adding_reg_key_minint.yml
  • sysmon_new_dll_added_to_appcertdlls_registry_key.yml
  • sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
  • sysmon_possible_dns_rebinding.yml
  • sysmon_suspicious_outbound_kerberos_connection.yml

Timur Zinniatullin (Angara technologies group) 🇷🇺

added 13 new rules:

  • lnx_auditd_masquerading_crond.yml
  • lnx_auditd_user_discovery.yml
  • lnx_data_compressed.yml
  • lnx_network_sniffing.yml
  • powershell_data_compressed.yml
  • powershell_winlogon_helper_dll.yml
  • win_change_default_file_association.yml
  • win_data_compressed_with_rar.yml
  • win_local_system_owner_account_discovery.yml
  • win_network_sniffing.yml
  • win_query_registry.yml
  • win_service_execution.yml
  • win_xsl_script_processing.yml

improved 1 rule:

  • win_possible_applocker_bypass.yml

BSI 🇩🇪

  • Jan Hasenbusch
  • Eva Maria Anhaus

added 17 new rules:

  • lnx_auditd_ld_so_preload_mod.yml
  • win_bootconf_mod.yml
  • win_hh_chm.yml
  • win_indirect_cmd.yml
  • win_interactive_at.yml
  • win_lsass_dump.yml
  • win_mshta_javascript.yml
  • win_net_enum.yml
  • win_net_user_add.yml
  • win_powershell_audio_capture.yml
  • win_powershell_bitsjob.yaml
  • win_remote_time_discovery.yml
  • win_soundrec_audio_capture.yml
  • win_trust_discovery.yml
  • win_uac_cmstp.yml
  • win_uac_fodhelper.yml
  • win_uac_wsreset.yml

improved 4 rules:

  • win_susp_eventlog_clear.yml
  • win_data_compressed_with_rar.yml
  • win_susp_fsutil_usage.yml
  • win_grabbing_sensitive_hives_via_reg.yml

Daniil Yugoslavskiy, @yugoslavskiy (Cindicator SOC) 🇷🇺

added 43 new rules:

  • win_quarkspwdump_clearing_hive_access_history.yml
  • win_remote_registry_management_using_reg_utility.yml
  • win_susp_lsass_dump_generic.yml
  • win_transferring_files_with_credential_data_via_network_shares.yml
  • win_copying_sensitive_files_with_credential_data.yml
  • win_grabbing_sensitive_hives_via_reg.yml
  • win_mimikatz_command_line.yml
  • win_shadow_copies_access_symlink.yml
  • win_shadow_copies_creation.yml
  • win_shadow_copies_deletion.yml
  • sysmon_cred_dump_lsass_access.yml
  • sysmon_cred_dump_tools_dropped_files.yml
  • sysmon_cred_dump_tools_named_pipes.yml
  • sysmon_lsass_memory_dump_file_creation.yml
  • sysmon_raw_disk_access_using_illegitimate_tools.yml
  • sysmon_unsigned_image_loaded_into_lsass.yml
  • win_dumping_ntdsdit_via_dcsync.yml
  • win_dumping_ntdsdit_via_netsync.yml
  • win_ad_replication_non_machine_account.yml
  • win_dpapi_domain_backupkey_extraction.yml
  • win_protected_storage_service_access.yml
  • win_dpapi_domain_masterkey_backup_attempt.yml
  • win_sam_registry_hive_handle_request.yml
  • win_sam_registry_hive_dump_via_reg_utility.yml
  • win_lsass_access_non_system_account.yml
  • win_ad_object_writedac_access.yml
  • powershell_alternate_powershell_hosts.yml
  • sysmon_remote_powershell_session_network.yml
  • win_remote_powershell_session.yml
  • win_scm_database_handle_failure.yml
  • win_scm_database_privileged_operation.yml
  • sysmon_wmi_module_load.yml
  • sysmon_remote_powershell_session_process.yml
  • sysmon_rdp_registry_modification.yml
  • sysmon_powershell_execution_pipe.yml
  • sysmon_alternate_powershell_hosts_pipe.yml
  • sysmon_powershell_execution_moduleload.yml
  • sysmon_createremotethread_loadlibrary.yml
  • sysmon_alternate_powershell_hosts_moduleload.yml
  • powershell_remote_powershell_session.yml
  • win_non_interactive_powershell.yml
  • win_syskey_registry_access.yml
  • win_wmiprvse_spawning_process.yml

improved 9 rules:

  • win_renamed_binary.yml
  • win_susp_eventlog_clear.yml
  • win_mal_creddumper.yml
  • win_mal_service_installs.yml
  • win_susp_raccess_sensitive_fext.yml
  • win_susp_process_creations.yml
  • win_susp_process_creations.yml
  • sysmon_powershell_exploit_scripts.yml
  • win_account_backdoor_dcsync_rights.yml

deprecated 2 rules:

  • win_susp_vssadmin_ntds_activity.yml
  • sysmon_mimikatz_detection_lsass.yml
mrblacyk and others added 30 commits Oct 23, 2019
鈥peration.yml, win_syskey_registry_access.yml
鈥ibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml
added:
  win_non_interactive_powershell.yml
  win_remote_powershell_session.yml
  win_wmiprvse_spawning_process.yml
  powershell_alternate_powershell_hosts.yml
  powershell_remote_powershell_session.yml
  sysmon_alternate_powershell_hosts_moduleload.yml
  sysmon_alternate_powershell_hosts_pipe.yml
  sysmon_non_interactive_powershell_execution.yml
  sysmon_powershell_execution_moduleload.yml
  sysmon_powershell_execution_pipe.yml
  sysmon_remote_powershell_session_network.yml
  sysmon_remote_powershell_session_process.yml
  sysmon_wmi_module_load.yml
  sysmon_wmiprvse_spawning_process.yml
Added:

1. Additional tags for techniques as defined by Atomic Blue.
2. Detection for OriginalFileName as net.exe can easily be renamed.

Part of oscd.community effort.
Updated tags to pass Travis CI checks.
鈥issions_weakness
fix some typos and remove redundant references
found in multiple internally analyzed malicious scripts (in the wild and as result of engagements)
- new rules:

  + rules/windows/builtin/win_susp_lsass_dump_generic.yml
  + rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
  + rules/windows/builtin/win_remote_registry_management_using_reg_utility.yml
  + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
  + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
  + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml
  + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
  + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
  + rules/windows/process_creation/process_creation_shadow_copies_creation.yml
  + rules/windows/process_creation/process_creation_shadow_copies_deletion.yml
  + rules/windows/process_creation/process_creation_copying_sensitive_files_with_credential_data.yml
  + rules/windows/process_creation/process_creation_shadow_copies_access_symlink.yml
  + rules/windows/process_creation/process_creation_grabbing_sensitive_hives_via_reg.yml
  + rules/windows/process_creation/process_creation_mimikatz_command_line.yml
  + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml
  + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml

- updated rules:

  + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
  + rules/windows/builtin/win_mal_creddumper.yml
  + rules/windows/builtin/win_mal_service_installs.yml
  + rules/windows/process_creation/win_susp_process_creations.yml
  + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
  + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml

- deprecated rules:

  + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
@yugoslavskiy (Collaborator, Author)

yugoslavskiy commented Feb 2, 2020

Hello @thomaspatzke !

You've done a great job reviewing and modifying this PR. Well done!

I am texting you regarding ba83b88 ("Moved rules with enrichments into unsupported").

I think rules with "Enrichments" should not be in "unsupported" section.

Let me provide you with some of my points:

1. It's not the sigmac case. They would never be supported by Sigma.

Initially, we've put some rules to "unsupported" section because they could be implemented by some SIEMs, but not supported by sigmac.

This way we've tried to provide you with additional community opinion on that case to support the development of complex correlation logic in sigmac, that would push Sigma forward.

There is no SIEM system that would be able to do Enrichments from the rules that have been moved to the "unsupported" section, as it requires extra data processing with 3rd party systems (i.e. Logstash).

This way, rules with "Enrichments" most probably would never become "supported" by Sigma.

2. There are many rules, that actually require Enrichment, but there is no info about it in the rule.

A good example of such a rule is rules/windows/process_creation/win_renamed_paexec.yml. Here is the detection section from it:

detection:
    selection1:
        Product:
            - '*PAExec*'
    selection2:
        Imphash:
            - 11D40A7B7876288F919AB819CC2D9802
            - 6444f8a34e99b8f7d9647de66aabe516
            - dfd6aa3f7b2b1035b76b718f1ddc689f
            - 1a6cca4d5460b1710a12dea39e4a592c
    filter1:
        Image: '*paexec*'
    condition: (selection1 and selection2) and not filter1

As you can see, it uses the Imphash field from Sysmon Event ID 1.
As you know, Sysmon Event ID 1 doesn't provide such a field; it provides a Hashes field in string format, and inside this field we see the following string:

SHA1=E82AC9345FBEFC100FF16D66536877502AB2C017,MD5=C8F7FA1A3A3B23DF12A2BCF4B500DEE1,SHA256=E666AC2934A9BA6C65531E4E258C9BEBD7C311C6A378A6ACCEFFDF7F9741B4A8,IMPHASH=E799C2BD8BC66603D6DDC95F2DB31A18

If somebody wants to implement rules/windows/process_creation/win_renamed_paexec.yml, he will need the Imphash field, which means he will need to parse this Hashes field, and this is... Enrichment. In this specific case, Enrichment is not mentioned in the Sigma rule, even though it is required. But at the same time, it doesn't make this rule "unsupported".

I don't see how this specific rule differs from any of the rules with an Enrichment section that have been moved to "unsupported", other than that they are actually more transparent, because the Enrichment is clearly defined.

My proposals

  • Move rules with "Enrichment" back. We will develop Enrichments examples in ATC for the rest of the rules in Sigma repo that require it and will update them with links to Enrichment, the same way we've done it for existing rules with Enrichment section

or

  • Create another directory, something like "enrichment_required", and put all relevant rules in it. I am ready to help with it by developing a list of such rules (analyzing all existing Sigma rules)

Thank you for your work.
Looking forward to the answer!

@neu5ron (Contributor)

neu5ron commented Feb 3, 2020

To throw in my two cents, this imphash situation is similar to how PowerShell 4104 is, and to the many Windows Security event logs that require certain GPOs that are not on by default.
The Windows Security event logs (some of them, at a minimum) have a definition of the required GPO.
see

definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'

I like the idea of having an "unsupported" section, I just don't think that imphash fits this scenario if we add a definition.

thomaspatzke added 2 commits Feb 3, 2020
@yugoslavskiy (Collaborator, Author)

yugoslavskiy commented Feb 4, 2020

Hello @thomaspatzke !

I see you've deleted rules/windows/process_creation/win_whoami_as_system.yml, developed by Teymur Kheirkhabarov, due to deduplication reasons.

He presented this detection logic back in November 2018, and pushed the Sigma rule 2 months before it was added by @Neo23x0 .
I believe that he deserves to have his name and reference to his research in the rule added by Florian:

Would you mind if I add this information to this rule? Please don't get me wrong, I am talking about adding the info, not replacing it.

@thomaspatzke (Collaborator)

thomaspatzke commented Feb 6, 2020

I see you've deleted rules/windows/process_creation/win_whoami_as_system.yml, developed by Teymur Kheirkhabarov, due to deduplication reasons.

Definitely deleted the wrong one by accident; I'll re-add it.

@thomaspatzke (Collaborator)

thomaspatzke commented Feb 6, 2020

@yugoslavskiy thanks for your comments! I will incorporate the changes at the weekend and also give an answer on your comment regarding unsupported rules.

@thomaspatzke (Collaborator)

thomaspatzke commented Feb 9, 2020

1. It's not the sigmac case. They would never be supported by Sigma.

Initially, we've put some rules to "unsupported" section because they could be implemented by some SIEMs, but not supported by sigmac.

This way we've tried to provide you with additional community opinion on that case to support the development of complex correlation logic in sigmac, that would push Sigma forward.

There is no SIEM system that would be able to do Enrichments from the rules that have been moved to the "unsupported" section, as it requires extra data processing with 3rd party systems (i.e. Logstash).

This way, rules with "Enrichments" most probably would never become "supported" by Sigma.

I understand your point there. Generally the idea of the Sigma rule repository was that the rules are directly actionable. On the other hand, generating queries for an environment requires some work anyway (configuration, mapping, enabling log sources, configuring security settings etc.), so why not. @Neo23x0 what do you think about it?

2. There are many rules, that actually require Enrichment, but there is no info about it in the rule.

A good example of such a rule is rules/windows/process_creation/win_renamed_paexec.yml. Here is the detection section from it:

detection:
    selection1:
        Product:
            - '*PAExec*'
    selection2:
        Imphash:
            - 11D40A7B7876288F919AB819CC2D9802
            - 6444f8a34e99b8f7d9647de66aabe516
            - dfd6aa3f7b2b1035b76b718f1ddc689f
            - 1a6cca4d5460b1710a12dea39e4a592c
    filter1:
        Image: '*paexec*'
    condition: (selection1 and selection2) and not filter1

As you can see, it uses the Imphash field from Sysmon Event ID 1.
As you know, Sysmon Event ID 1 doesn't provide such a field; it provides a Hashes field in string format, and inside this field we see the following string:

SHA1=E82AC9345FBEFC100FF16D66536877502AB2C017,MD5=C8F7FA1A3A3B23DF12A2BCF4B500DEE1,SHA256=E666AC2934A9BA6C65531E4E258C9BEBD7C311C6A378A6ACCEFFDF7F9741B4A8,IMPHASH=E799C2BD8BC66603D6DDC95F2DB31A18

If somebody wants to implement rules/windows/process_creation/win_renamed_paexec.yml, he will need the Imphash field, which means he will need to parse this Hashes field, and this is... Enrichment. In this specific case, Enrichment is not mentioned in the Sigma rule, even though it is required. But at the same time, it doesn't make this rule "unsupported".

This can be accomplished by mapping the Imphash field to Hashes (already possible) and putting wildcards around it (planned, very easy to implement). Therefore we decided shortly to keep the specific hash field, to prevent this important information about the hash type from being lost in the rule.
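The two ways of handling the Imphash field that this thread discusses, as an added illustration that is not code from this PR, from the Sigma project or from sigmac: an explicit enrichment step that splits Sysmon's Hashes string into per-algorithm fields (the Logstash-style processing described in the Feb 2 comment), and the mapping approach described in the reply above, where Imphash is mapped onto the raw Hashes field and matched with wildcards around the value. Both are run against the quoted win_renamed_paexec.yml logic over constructed Sysmon Event ID 1 records. The event records, the field names Imphash/md5/sha1/sha256 and the "strict" anchoring on `IMPHASH=` are assumptions made for this example; the Hashes string on the first record is the one quoted in the comment, and the imphash list is copied from the quoted rule.

```python
import re

# Imphash values copied from the win_renamed_paexec.yml detection section quoted above.
PAEXEC_IMPHASHES = {
    "11d40a7b7876288f919ab819cc2d9802",
    "6444f8a34e99b8f7d9647de66aabe516",
    "dfd6aa3f7b2b1035b76b718f1ddc689f",
    "1a6cca4d5460b1710a12dea39e4a592c",
}

# Sysmon writes Hashes as "ALGO=hex,ALGO=hex,..."; this pattern splits it into pairs.
HASH_PAIR = re.compile(r"(?P<algo>[A-Za-z0-9]+)=(?P<value>[0-9A-Fa-f]+)")

# Names the enriched event gets per algorithm (assumed; "Imphash" matches the rule's field).
FIELD_NAMES = {"IMPHASH": "Imphash", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def enrich_hashes(event):
    """Enrichment step: copy the event and add one field per hash algorithm found in Hashes."""
    enriched = dict(event)
    for match in HASH_PAIR.finditer(event.get("Hashes") or ""):
        algo = match.group("algo").upper()
        enriched[FIELD_NAMES.get(algo, algo)] = match.group("value").lower()
    return enriched


def renamed_paexec_enriched(event):
    """Quoted rule logic over an enriched event: (selection1 and selection2) and not filter1."""
    selection1 = "paexec" in (event.get("Product") or "").lower()           # Product: '*PAExec*'
    selection2 = (event.get("Imphash") or "").lower() in PAEXEC_IMPHASHES   # Imphash in list
    filter1 = "paexec" in (event.get("Image") or "").lower()                # Image: '*paexec*'
    return (selection1 and selection2) and not filter1


def renamed_paexec_wildcard(event, strict=True):
    """Same rule without enrichment: Imphash mapped onto the raw Hashes string and each value
    matched as '*<hash>*'. strict=True additionally anchors the value to 'IMPHASH=': MD5 and
    imphash are both 32 hex characters, so a bare substring match cannot tell them apart."""
    hashes = (event.get("Hashes") or "").lower()
    needles = [("imphash=" if strict else "") + h for h in PAEXEC_IMPHASHES]
    selection1 = "paexec" in (event.get("Product") or "").lower()
    selection2 = any(needle in hashes for needle in needles)
    filter1 = "paexec" in (event.get("Image") or "").lower()
    return (selection1 and selection2) and not filter1


# Constructed sample Sysmon Event ID 1 records (not real telemetry). The Hashes value of the
# first record is the string quoted in the comment; the "md5-collision" record is contrived
# to show where the loose wildcard mapping differs from real enrichment.
SAMPLE_EVENTS = [
    {
        "Id": "quoted-hashes",
        "Product": "Microsoft Windows Operating System",
        "Image": r"C:\Windows\System32\notepad.exe",
        "Hashes": "SHA1=E82AC9345FBEFC100FF16D66536877502AB2C017,MD5=C8F7FA1A3A3B23DF12A2BCF4B500DEE1,"
                  "SHA256=E666AC2934A9BA6C65531E4E258C9BEBD7C311C6A378A6ACCEFFDF7F9741B4A8,"
                  "IMPHASH=E799C2BD8BC66603D6DDC95F2DB31A18",
    },
    {   # PAExec metadata and imphash, binary renamed: the rule should fire
        "Id": "renamed",
        "Product": "PAExec Application",
        "Image": r"C:\Windows\Temp\svchost.exe",
        "Hashes": "MD5=0F4B6F1A8C7E9D2B3A5C6E7F8A9B0C1D,IMPHASH=11D40A7B7876288F919AB819CC2D9802",
    },
    {   # same binary under its real name: excluded by filter1
        "Id": "original-name",
        "Product": "PAExec Application",
        "Image": r"C:\Tools\paexec.exe",
        "Hashes": "MD5=0F4B6F1A8C7E9D2B3A5C6E7F8A9B0C1D,IMPHASH=11D40A7B7876288F919AB819CC2D9802",
    },
    {   # the rule's imphash appears as the MD5 value while the real imphash is different
        "Id": "md5-collision",
        "Product": "PAExec Application",
        "Image": r"C:\Windows\Temp\svchost.exe",
        "Hashes": "MD5=11D40A7B7876288F919AB819CC2D9802,IMPHASH=E799C2BD8BC66603D6DDC95F2DB31A18",
    },
]


def run_rule(events, detect):
    """Return the Ids of the events the given detection function fires on."""
    return [event["Id"] for event in events if detect(event)]


def compare(events=SAMPLE_EVENTS):
    """Run all three variants over the same records so the differences are visible."""
    return {
        "enriched": run_rule([enrich_hashes(e) for e in events], renamed_paexec_enriched),
        "wildcard_strict": run_rule(events, renamed_paexec_wildcard),
        "wildcard_loose": run_rule(events, lambda e: renamed_paexec_wildcard(e, strict=False)),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name}: {hits}")
```

Enrichment and the strict wildcard variant agree on these records; the loose `*<hash>*` mapping also fires on the contrived record whose MD5 happens to equal one of the listed imphashes, which is the information the reply above says the rule should not lose.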

This reverts commit ba83b88.
From suggestions of @yugoslavskiy in issue #554.
@thomaspatzke (Collaborator)

thomaspatzke commented Feb 16, 2020

Suggested changes implemented. Now I need to make the CI tests that were added to master in the meantime pass again.

yugoslavskiy changed the title from "[OSCD] Final Pull Request / Summary" to "[OSCD Sprint #1] Final Pull Request / Summary" on Feb 16, 2020
thomaspatzke and others added 2 commits Feb 16, 2020