Merge pull request #3642 from nasbench/add-openssh-operational

Add OpenSSH Operational

rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml

@@ -0,0 +1,27 @@
+title: OpenSSH Server Listening On Socket
+id: 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781
+status: experimental
+description: Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
+references:
+    - https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH
+    - https://winaero.com/enable-openssh-server-windows-10/
+    - https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
+    - https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: mdecrevoisier
+date: 2022/10/25
+tags:
+    - attack.lateral_movement
+    - attack.t1021.004
+logsource:
+    product: windows
+    service: openssh
+detection:
+    selection:
+        EventID: 4
+        process: sshd
+        payload|startswith: 'Server listening on '
+    condition: selection
+falsepositives:
+    - Legitimate administrator activity
+level: medium

tools/config/elk-windows.yml

@@ -99,4 +99,9 @@ logsources:
     service: shell-core
     conditions:
       EventLog: 'Microsoft-Windows-Shell-Core/Operational'
+  windows-openssh:
+    product: windows
+    service: openssh
+    conditions:
+      EventLog: 'OpenSSH/Operational'
 defaultindex: logstash-*

tools/config/elk-winlogbeat-sp.yml

@@ -99,6 +99,11 @@ logsources:
     service: shell-core
     conditions:
       log_name: 'Microsoft-Windows-Shell-Core/Operational'
+  windows-openssh:
+    product: windows
+    service: openssh
+    conditions:
+      log_name: 'OpenSSH/Operational'
 defaultindex: <winlogbeat-{now/d}>
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'

tools/config/elk-winlogbeat.yml

@@ -99,6 +99,11 @@ logsources:
     service: shell-core
     conditions:
       logname: 'Microsoft-Windows-Shell-Core/Operational'
+  windows-openssh:
+    product: windows
+    service: openssh
+    conditions:
+      logname: 'OpenSSH/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'

tools/config/fireeye-helix.yml

@@ -127,6 +127,11 @@ logsources:
         service: shell-core
         conditions:
             channel: 'Microsoft-Windows-Shell-Core/Operational'
+    windows-openssh:
+        product: windows
+        service: openssh
+        conditions:
+            channel: 'OpenSSH/Operational'
     linux:
         product: linux
         index: posix

tools/config/generic/windows-services.yml

@@ -17,7 +17,7 @@ logsources:
         rewrite:
             product: windows
             service: powershell
-    # for the "classic" channel   
+    # for the "classic" channel
     ps_classic_start:
         category: ps_classic_start
         product: windows
@@ -178,8 +178,13 @@ logsources:
         service: shell-core
         conditions:
             Channel: 'Microsoft-Windows-Shell-Core/Operational'
-    security-mitigations:
+    windows-security-mitigations:
         product: windows
         service: security-mitigations
         conditions:
-            Provider_Name: 'Microsoft-Windows-Security-Mitigations'
+            Provider_Name: 'Microsoft-Windows-Security-Mitigations'
+    windows-openssh:
+        product: windows
+        service: openssh
+        conditions:
+            Provider_Name: 'OpenSSH/Operational'

tools/config/logpoint-windows.yml

@@ -99,6 +99,11 @@ logsources:
     service: shell-core
     conditions:
       event_source: 'Microsoft-Windows-Shell-Core/Operational'
+  windows-openssh:
+    product: windows
+    service: openssh
+    conditions:
+      event_source: 'OpenSSH/Operational'
 fieldmappings:
     EventID: event_id
     FailureCode: result_code

tools/config/logstash-windows.yml

@@ -120,4 +120,9 @@ logsources:
     service: shell-core
     conditions:
       Channel: 'Microsoft-Windows-Shell-Core/Operational'
+  windows-openssh:
+    product: windows
+    service: openssh
+    conditions:
+      Channel: 'OpenSSH/Operational'
 defaultindex: logstash-*

tools/config/powershell.yml

@@ -140,4 +140,9 @@ logsources:
     product: windows
     service: shell-core
     conditions:
-      LogName: 'Microsoft-Windows-Shell-Core/Operational'
+      LogName: 'Microsoft-Windows-Shell-Core/Operational'
+  windows-openssh:
+    product: windows
+    service: openssh
+    conditions:
+      LogName: 'OpenSSH/Operational'

tools/config/splunk-windows.yml

@@ -156,6 +156,11 @@ logsources:
     service: shell-core
     conditions:
       source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
+  windows-openssh:
+    product: windows
+    service: openssh
+    conditions:
+      source: 'WinEventLog:OpenSSH/Operational'
   windows-defender:
     product: windows
     service: windefend

tools/config/sumologic.yml

@@ -130,6 +130,11 @@ logsources:
     service: shell-core
     conditions:
       EventChannel: 'Microsoft-Windows-Shell-Core/Operational'
+  windows-openssh:
+    product: windows
+    service: openssh
+    conditions:
+      EventChannel: 'OpenSSH/Operational'
   apache:
     service: apache
     index: WEBSERVER

tools/config/thor.yml

@@ -404,6 +404,11 @@ logsources:
     service: shell-core
     sources:
       - 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
+  windows-openssh:
+    product: windows
+    service: openssh
+    sources:
+      - 'WinEventLog:OpenSSH/Operational'
   apache:
     category: webserver
     sources:

tools/config/winlogbeat-modules-enabled.yml

@@ -144,6 +144,11 @@ logsources:
     service: shell-core
     conditions:
       winlog.channel: 'Microsoft-Windows-Shell-Core/Operational'
+  windows-openssh:
+    product: windows
+    service: openssh
+    conditions:
+      winlog.channel: 'OpenSSH/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'

tools/config/winlogbeat-old.yml

@@ -107,6 +107,11 @@ logsources:
     service: shell-core
     conditions:
       log_name: 'Microsoft-Windows-Shell-Core/Operational'
+  windows-openssh:
+    product: windows
+    service: openssh
+    conditions:
+      log_name: 'OpenSSH/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'

tools/config/winlogbeat.yml

@@ -133,6 +133,11 @@ logsources:
     service: shell-core
     conditions:
       winlog.channel: 'Microsoft-Windows-Shell-Core/Operational'
+  windows-openssh:
+    product: windows
+    service: openssh
+    conditions:
+      winlog.channel: 'OpenSSH/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'