[OSCD Sprint #1] Final Pull Request / Summary

[yugoslavskiy]

The last set of Sigma rules developed during the first OSCD sprint.

Summary

• 144 new rules added
• 19 existing rules improved
• two existing rules deprecated

Tom Kern (NIL SOC) 🇸🇮

added 1 rule:

• sysmon_in_memory_powershell.yml

James Pemberton, @4A616D6573 (Hydro Tasmania) 🇦🇺

improved 2 rules:

• win_renamed_binary.yml
• win_susp_net_execution.yml

Ian Davis (Tieto SOC) 🇨🇿

added 2 new rules:

• win_tap_installer_execution.yml
• win_tap_driver_installation.yml

Daniel Bohannon, @danielhbohannon (FireEye) 🇺🇸

added 3 rules:

• win_invoke_obfuscation_obfuscated_iex_services.yml
• powershell_invoke_obfuscation_obfuscated_iex.yml
• win_invoke_obfuscation_obfuscated_iex_commandline.yml

Diego Perez, @darkquassar (Independent Researcher) 🇦🇷

added 3 new rules:

• sysmon_suspicious_remote_thread.yml
• sysmon_in_memory_assembly_execution.yml
• sysmon_minidumwritedump_lsass.yml

improved 1 rule:

• powershell_suspicious_keywords.yml

Victor Sergeev, @stvetro (Help AG) 🇦🇪

added 4 new rules:

• win_susp_direct_run_key_modification.yml
• win_susp_netsh_dll_persistence.yml
• win_susp_service_path_modification.yml
• sysmon_asep_reg_keys_modification.yml

Teymur Kheirkhabarov, @HeirhabarovT (BI.ZONE SOC) 🇷🇺

added 6 new rules:

• win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
• win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
• win_possible_privilege_escalation_using_rotten_potato.yml
• win_using_sc_to_change_sevice_image_path_by_non_admin.yml
• win_whoami_as_system.yml
• sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml

Jakob Weinzettl, @mrblacyk (Tieto SOC) 🇵🇱

added 7 new rules:

• lnx_dd_delete_file.yml
• lnx_pers_systemd_reload.yml
• lnx_file_or_folder_permissions.yml
• lnx_chattr_immutable_removal.yml
• win_service_stop.yml
• win_file_permission_modifications.yml
• win_dsquery_domain_trust_discovery.yml

Rules shared by (Tieto SOC) 🇨🇿

added 9 new rules:

• net_high_dns_bytes_out.yml
• net_high_dns_requests_rate.yml
• net_high_null_records_requests_rate.yml
• net_high_txt_records_requests_rate.yml
• powershell_dnscat_execution.yml
• win_dns_exfiltration_tools_execution.yml
• win_exfiltration_and_tunneling_tools_execution.yml
• net_dns_high_subdomain_rate.yml
• net_dns_large_domain_name.yml

improved 1 rule:

• net_dns_c2_detection.yml

Denis Beyu, (Independent Researcher) 🇷🇺

added 11 new rules:

• lnx_auditd_web_rce.yml
• win_susp_bginfo.yml
• win_susp_cdb.yml
• win_susp_devtoolslauncher.yml
• win_susp_dnx.yml
• win_susp_dxcap.yml
• win_susp_msoffice.yml
• win_susp_odbcconf.yml
• win_susp_openwith.yml
• win_susp_psr_capture_screenshots.yml
• sysmon_webshell_creation_detect.yml

Ilyas Ochkov, @CatSchrodinger (Independent Researcher) 🇷🇺

added 13 new rules:

• net_possible_dns_rebinding.yml
• proxy_suspicious_reverse_connect_via_http_proxy.yml
• win_new_or_renamed_user_account_with_dollar_sign.yml
• win_possible_dc_sync.yml
• win_register_new_logon_process_by_rubeus.yml
• win_suspicious_outbound_kerberos_connection.yml
• win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
• powershell_clear_powershell_history.yml
• sysmon_disable_security_events_logging_adding_reg_key_minint.yml
• sysmon_new_dll_added_to_appcertdlls_registry_key.yml
• sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
• sysmon_possible_dns_rebinding.yml
• sysmon_suspicious_outbound_kerberos_connection.yml

BSI 🇩🇪

• Jan Hasenbusch
• Eva Maria Anhaus

added 17 new rules:

• lnx_auditd_ld_so_preload_mod.yml
• win_bootconf_mod.yml
• win_hh_chm.yml
• win_indirect_cmd.yml
• win_interactive_at.yml
• win_lsass_dump.yml
• win_mshta_javascript.yml
• win_net_enum.yml
• win_net_user_add.yml
• win_powershell_audio_capture.yml
• win_powershell_bitsjob.yaml
• win_remote_time_discovery.yml
• win_soundrec_audio_capture.yml
• win_trust_discovery.yml
• win_uac_cmstp.yml
• win_uac_fodhelper.yml
• win_uac_wsreset.yml

improved 4 rules:

• win_susp_eventlog_clear.yml
• win_data_compressed_with_rar.yml
• win_susp_fsutil_usage.yml
• win_grabbing_sensitive_hives_via_reg.yml

Daniil Yugoslavskiy, @yugoslavskiy (Atomic Threat Coverage) 🏳️

added 43 new rules:

• win_quarkspwdump_clearing_hive_access_history.yml
• win_remote_registry_management_using_reg_utility.yml
• win_susp_lsass_dump_generic.yml
• win_transferring_files_with_credential_data_via_network_shares.yml
• win_copying_sensitive_files_with_credential_data.yml
• win_grabbing_sensitive_hives_via_reg.yml
• win_mimikatz_command_line.yml
• win_shadow_copies_access_symlink.yml
• win_shadow_copies_creation.yml
• win_shadow_copies_deletion.yml
• sysmon_cred_dump_lsass_access.yml
• sysmon_cred_dump_tools_dropped_files.yml
• sysmon_cred_dump_tools_named_pipes.yml
• sysmon_lsass_memory_dump_file_creation.yml
• sysmon_raw_disk_access_using_illegitimate_tools.yml
• sysmon_unsigned_image_loaded_into_lsass.yml
• win_dumping_ntdsdit_via_dcsync.yml
• win_dumping_ntdsdit_via_netsync.yml
• win_ad_replication_non_machine_account.yml
• win_dpapi_domain_backupkey_extraction.yml
• win_protected_storage_service_access.yml
• win_dpapi_domain_masterkey_backup_attempt.yml
• win_sam_registry_hive_handle_request.yml
• win_sam_registry_hive_dump_via_reg_utility.yml
• win_lsass_access_non_system_account.yml
• win_ad_object_writedac_access.yml
• powershell_alternate_powershell_hosts.yml
• sysmon_remote_powershell_session_network.yml
• win_remote_powershell_session.yml
• win_scm_database_handle_failure.yml
• win_scm_database_privileged_operation.yml
• sysmon_wmi_module_load.yml
• sysmon_remote_powershell_session_process.yml
• sysmon_rdp_registry_modification.yml
• sysmon_powershell_execution_pipe.yml
• sysmon_alternate_powershell_hosts_pipe.yml
• sysmon_powershell_execution_moduleload.yml
• sysmon_createremotethread_loadlibrary.yml
• sysmon_alternate_powershell_hosts_moduleload.yml
• powershell_remote_powershell_session.yml
• win_non_interactive_powershell.yml
• win_syskey_registry_access.yml
• win_wmiprvse_spawning_process.yml

improved 9 rules:

• win_renamed_binary.yml
• win_susp_eventlog_clear.yml
• win_mal_creddumper.yml
• win_mal_service_installs.yml
• win_susp_raccess_sensitive_fext.yml
• win_susp_process_creations.yml
• win_susp_process_creations.yml
• sysmon_powershell_exploit_scripts.yml
• win_account_backdoor_dcsync_rights.yml

deprecated 2 rules:

• win_susp_vssadmin_ntds_activity.yml
• sysmon_mimikatz_detection_lsass.yml

[yugoslavskiy]

Hello @thomaspatzke !

I see you've deleted rules/windows/process_creation/win_whoami_as_system.yml, developed by Teymur Kheirkhabarov, due to deduplication reasons.

He presented this detection logic back in November 2018, and pushed the Sigma rule 2 month before it was added by @Neo23x0 .
I believe that he deserves to have his name and reference to his research in the rule added by Florian:

https://github.com/Neo23x0/sigma/blob/815c562a17ebb716ef78eede2761ed2587c7e7ba/rules/windows/process_creation/win_susp_whoami_localsystem.yml#L5

Would you mind if I will add this information to this rule? Please don't get me wrong, I am talking about adding the info, not replacing.

[thomaspatzke]

I see you've deleted rules/windows/process_creation/win_whoami_as_system.yml, developed by Teymur Kheirkhabarov, due to deduplication reasons.

Definitely deleted the wrong one by accident, I readd it.

[thomaspatzke]

@yugoslavskiy thanks for your comments! I will incorporate the changes at the weekend and also give an answer on your comment regarding unsupported rules.

[thomaspatzke]

1. It's not the sigmac case. They would never be supported by Sigma.

Initially, we've put some rules to "unsupported" section because they could be implemented by some SIEMs, but not supported by sigmac.

This way we've tried to provide you with additional community opinion on that case to support the development of complex correlation logic in sigmac, that would push Sigma forward.

There is no SIEM system that would be able to do Enrichments from the rules have been moved to "unsupported" section, as it requires extra data processing with 3rd party systems (i.e. Logstash).

This way, rules with "Enrichments" most probably would never become "supported" by Sigma.

I understand your point there. Generally the idea of the Sigma rule repository was that the rules are directly actionable. On the other side generating queries for an environment anyways requires some work (configuration, mapping, enabling log source, configuring security settings etc.) so why not. @Neo23x0 what do you think about it?

2. There are many rules, that actually require Enrichment, but there is no info about it in the rule.

A good example of such rule is rules/windows/process_creation/win_renamed_paexec.yml. Here is the detection section from it:

detection:
    selection1:
        Product:
            - '*PAExec*'
    selection2:
        Imphash:
            - 11D40A7B7876288F919AB819CC2D9802
            - 6444f8a34e99b8f7d9647de66aabe516
            - dfd6aa3f7b2b1035b76b718f1ddc689f
            - 1a6cca4d5460b1710a12dea39e4a592c
    filter1:
        Image: '*paexec*'
    condition: (selection1 and selection2) and not filter1

As you can see, it uses Imphash field from Sysmon Event ID 1.
As you know, Sysmon Event ID 1 doesn't provide such field, it provides Hashes field in String format, and inside this field we see the next string:

SHA1=E82AC9345FBEFC100FF16D66536877502AB2C017,MD5=C8F7FA1A3A3B23DF12A2BCF4B500DEE1,SHA256=E666AC2934A9BA6C65531E4E258C9BEBD7C311C6A378A6ACCEFFDF7F9741B4A8,IMPHASH=E799C2BD8BC66603D6DDC95F2DB31A18

If somebody want's to implement rules/windows/process_creation/win_renamed_paexec.yml he will need the Imphash field. Which means, he will need to parse this Hashes field, and this is... Enrichment. In this specific case, Enrichment is not mentioned in the Sigma rule, even though it is required. But at the same time, it doesn't make this rule "unsupported".

This can be accomplished by mapping the Imphash field to Hashes (already possible) and put wildcards around it (planned, very easy to implement). Therefore we decided shortly to keep the specific hash field to prevent that this important information about the hash type is lost in the rule.

[thomaspatzke]

Suggested changes implemented. Now need to make CI tests added meanwhile to master passing again.

[thomaspatzke]

Finally...it's merged! 😃

To all contributors: thanks a lot for this great contribution and sorry for the long qa delay!