
[OSCD Sprint #1] Final Pull Request / Summary #554

merged 174 commits into from Feb 20, 2020


@yugoslavskiy yugoslavskiy commented Dec 7, 2019

The last set of Sigma rules developed during the first OSCD sprint.


  • 144 new rules added
  • 19 existing rules improved
  • two existing rules deprecated

Tom Kern (NIL SOC) 🇸🇮

added 1 rule:

  • sysmon_in_memory_powershell.yml

James Pemberton, @4A616D6573 (Hydro Tasmania) 🇦🇺

improved 2 rules:

  • win_renamed_binary.yml
  • win_susp_net_execution.yml

Ian Davis (Tieto SOC) 🇨🇿

added 2 new rules:

  • win_tap_installer_execution.yml
  • win_tap_driver_installation.yml

Daniel Bohannon, @danielhbohannon (FireEye) 🇺🇸

added 3 rules:

  • win_invoke_obfuscation_obfuscated_iex_services.yml
  • powershell_invoke_obfuscation_obfuscated_iex.yml
  • win_invoke_obfuscation_obfuscated_iex_commandline.yml

Diego Perez, @darkquassar (Independent Researcher) 🇦🇷

added 3 new rules:

  • sysmon_suspicious_remote_thread.yml
  • sysmon_in_memory_assembly_execution.yml
  • sysmon_minidumwritedump_lsass.yml

improved 1 rule:

  • powershell_suspicious_keywords.yml

Victor Sergeev, @stvetro (Help AG) 🇦🇪

added 4 new rules:

  • win_susp_direct_run_key_modification.yml
  • win_susp_netsh_dll_persistence.yml
  • win_susp_service_path_modification.yml
  • sysmon_asep_reg_keys_modification.yml

Teymur Kheirkhabarov, @HeirhabarovT (BI.ZONE SOC) 🇷🇺

added 6 new rules:

  • win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
  • win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
  • win_possible_privilege_escalation_using_rotten_potato.yml
  • win_using_sc_to_change_sevice_image_path_by_non_admin.yml
  • win_whoami_as_system.yml
  • sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml

Jakob Weinzettl, @mrblacyk (Tieto SOC) 🇵🇱

added 7 new rules:

  • lnx_dd_delete_file.yml
  • lnx_pers_systemd_reload.yml
  • lnx_file_or_folder_permissions.yml
  • lnx_chattr_immutable_removal.yml
  • win_service_stop.yml
  • win_file_permission_modifications.yml
  • win_dsquery_domain_trust_discovery.yml

Rules shared by (Tieto SOC) 🇨🇿

added 9 new rules:

  • net_high_dns_bytes_out.yml
  • net_high_dns_requests_rate.yml
  • net_high_null_records_requests_rate.yml
  • net_high_txt_records_requests_rate.yml
  • powershell_dnscat_execution.yml
  • win_dns_exfiltration_tools_execution.yml
  • win_exfiltration_and_tunneling_tools_execution.yml
  • net_dns_high_subdomain_rate.yml
  • net_dns_large_domain_name.yml

improved 1 rule:

  • net_dns_c2_detection.yml

Denis Beyu, (Independent Researcher) 🇷🇺

added 11 new rules:

  • lnx_auditd_web_rce.yml
  • win_susp_bginfo.yml
  • win_susp_cdb.yml
  • win_susp_devtoolslauncher.yml
  • win_susp_dnx.yml
  • win_susp_dxcap.yml
  • win_susp_msoffice.yml
  • win_susp_odbcconf.yml
  • win_susp_openwith.yml
  • win_susp_psr_capture_screenshots.yml
  • sysmon_webshell_creation_detect.yml

Ilyas Ochkov, @CatSchrodinger (Independent Researcher) 🇷🇺

added 13 new rules:

  • net_possible_dns_rebinding.yml
  • proxy_suspicious_reverse_connect_via_http_proxy.yml
  • win_new_or_renamed_user_account_with_dollar_sign.yml
  • win_possible_dc_sync.yml
  • win_register_new_logon_process_by_rubeus.yml
  • win_suspicious_outbound_kerberos_connection.yml
  • win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
  • powershell_clear_powershell_history.yml
  • sysmon_disable_security_events_logging_adding_reg_key_minint.yml
  • sysmon_new_dll_added_to_appcertdlls_registry_key.yml
  • sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
  • sysmon_possible_dns_rebinding.yml
  • sysmon_suspicious_outbound_kerberos_connection.yml

BSI 🇩🇪

  • Jan Hasenbusch
  • Eva Maria Anhaus

added 17 new rules:

  • lnx_auditd_ld_so_preload_mod.yml
  • win_bootconf_mod.yml
  • win_hh_chm.yml
  • win_indirect_cmd.yml
  • win_interactive_at.yml
  • win_lsass_dump.yml
  • win_mshta_javascript.yml
  • win_net_enum.yml
  • win_net_user_add.yml
  • win_powershell_audio_capture.yml
  • win_powershell_bitsjob.yaml
  • win_remote_time_discovery.yml
  • win_soundrec_audio_capture.yml
  • win_trust_discovery.yml
  • win_uac_cmstp.yml
  • win_uac_fodhelper.yml
  • win_uac_wsreset.yml

improved 4 rules:

  • win_susp_eventlog_clear.yml
  • win_data_compressed_with_rar.yml
  • win_susp_fsutil_usage.yml
  • win_grabbing_sensitive_hives_via_reg.yml

Daniil Yugoslavskiy, @yugoslavskiy (Atomic Threat Coverage) 🏳️

added 43 new rules:

  • win_quarkspwdump_clearing_hive_access_history.yml
  • win_remote_registry_management_using_reg_utility.yml
  • win_susp_lsass_dump_generic.yml
  • win_transferring_files_with_credential_data_via_network_shares.yml
  • win_copying_sensitive_files_with_credential_data.yml
  • win_grabbing_sensitive_hives_via_reg.yml
  • win_mimikatz_command_line.yml
  • win_shadow_copies_access_symlink.yml
  • win_shadow_copies_creation.yml
  • win_shadow_copies_deletion.yml
  • sysmon_cred_dump_lsass_access.yml
  • sysmon_cred_dump_tools_dropped_files.yml
  • sysmon_cred_dump_tools_named_pipes.yml
  • sysmon_lsass_memory_dump_file_creation.yml
  • sysmon_raw_disk_access_using_illegitimate_tools.yml
  • sysmon_unsigned_image_loaded_into_lsass.yml
  • win_dumping_ntdsdit_via_dcsync.yml
  • win_dumping_ntdsdit_via_netsync.yml
  • win_ad_replication_non_machine_account.yml
  • win_dpapi_domain_backupkey_extraction.yml
  • win_protected_storage_service_access.yml
  • win_dpapi_domain_masterkey_backup_attempt.yml
  • win_sam_registry_hive_handle_request.yml
  • win_sam_registry_hive_dump_via_reg_utility.yml
  • win_lsass_access_non_system_account.yml
  • win_ad_object_writedac_access.yml
  • powershell_alternate_powershell_hosts.yml
  • sysmon_remote_powershell_session_network.yml
  • win_remote_powershell_session.yml
  • win_scm_database_handle_failure.yml
  • win_scm_database_privileged_operation.yml
  • sysmon_wmi_module_load.yml
  • sysmon_remote_powershell_session_process.yml
  • sysmon_rdp_registry_modification.yml
  • sysmon_powershell_execution_pipe.yml
  • sysmon_alternate_powershell_hosts_pipe.yml
  • sysmon_powershell_execution_moduleload.yml
  • sysmon_createremotethread_loadlibrary.yml
  • sysmon_alternate_powershell_hosts_moduleload.yml
  • powershell_remote_powershell_session.yml
  • win_non_interactive_powershell.yml
  • win_syskey_registry_access.yml
  • win_wmiprvse_spawning_process.yml

improved 9 rules:

  • win_renamed_binary.yml
  • win_susp_eventlog_clear.yml
  • win_mal_creddumper.yml
  • win_mal_service_installs.yml
  • win_susp_raccess_sensitive_fext.yml
  • win_susp_process_creations.yml
  • win_susp_process_creations.yml
  • sysmon_powershell_exploit_scripts.yml
  • win_account_backdoor_dcsync_rights.yml

deprecated 2 rules:

  • win_susp_vssadmin_ntds_activity.yml
  • sysmon_mimikatz_detection_lsass.yml

mrblacyk and others added 30 commits Oct 23, 2019
…operation.yml, win_syskey_registry_access.yml
…library.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml

1. Additional tags for techniques as defined by Atomic Blue.
2. Detection for OriginalFileName as net.exe can easily be renamed.

Part of effort.
Updated tags to pass Travis CI checks.
fix some typos and remove redundant references
found in multiple internally analyzed malicious scripts (in the wild and as result of engagements)
- new rules:

	+ rules/windows/builtin/win_susp_lsass_dump_generic.yml
	+ rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
	+ rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
	+ rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
	+ rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml

- updated rules:

	+ rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
	+ rules/windows/builtin/win_mal_creddumper.yml
	+ rules/windows/builtin/win_mal_service_installs.yml
	+ rules/windows/process_creation/win_susp_process_creations.yml
	+ rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
	+ rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml

- deprecated rules:

	+ rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml

@yugoslavskiy yugoslavskiy commented Feb 4, 2020

Hello @thomaspatzke !

I see you've deleted rules/windows/process_creation/win_whoami_as_system.yml, developed by Teymur Kheirkhabarov, due to deduplication reasons.

He presented this detection logic back in November 2018, and pushed the Sigma rule 2 months before it was added by @Neo23x0 .
I believe that he deserves to have his name and a reference to his research in the rule added by Florian:

Would you mind if I add this information to this rule? Please don't get me wrong, I am talking about adding the info, not replacing it.


@thomaspatzke thomaspatzke commented Feb 6, 2020

I see you've deleted rules/windows/process_creation/win_whoami_as_system.yml, developed by Teymur Kheirkhabarov, due to deduplication reasons.

Definitely deleted the wrong one by accident, I re-add it.


@thomaspatzke thomaspatzke commented Feb 6, 2020

@yugoslavskiy thanks for your comments! I will incorporate the changes at the weekend and also give an answer on your comment regarding unsupported rules.


@thomaspatzke thomaspatzke commented Feb 9, 2020

1. It's not the sigmac case. They would never be supported by Sigma.

Initially, we've put some rules into the "unsupported" section because they could be implemented by some SIEMs, but are not supported by sigmac.

This way we've tried to provide you with additional community opinion on that case to support the development of complex correlation logic in sigmac, which would push Sigma forward.

There is no SIEM system that would be able to do the Enrichments from the rules that have been moved to the "unsupported" section, as it requires extra data processing with 3rd-party systems (i.e. Logstash).

This way, rules with "Enrichments" most probably would never become "supported" by Sigma.

I understand your point there. Generally the idea of the Sigma rule repository was that the rules are directly actionable. On the other hand, generating queries for an environment requires some work anyway (configuration, mapping, enabling log sources, configuring security settings etc.), so why not. @Neo23x0 what do you think about it?

2. There are many rules that actually require Enrichment, but there is no info about it in the rule.

A good example of such a rule is rules/windows/process_creation/win_renamed_paexec.yml. Here is the detection section from it:

            - '*PAExec*'
            - 11D40A7B7876288F919AB819CC2D9802
            - 6444f8a34e99b8f7d9647de66aabe516
            - dfd6aa3f7b2b1035b76b718f1ddc689f
            - 1a6cca4d5460b1710a12dea39e4a592c
        Image: '*paexec*'
    condition: (selection1 and selection2) and not filter1

As you can see, it uses the Imphash field from Sysmon Event ID 1.
As you know, Sysmon Event ID 1 doesn't provide such a field; it provides the Hashes field as a string, and inside this field we see the following string:


If somebody wants to implement rules/windows/process_creation/win_renamed_paexec.yml he will need the Imphash field, which means he will need to parse this Hashes field, and this is... Enrichment. In this specific case, Enrichment is not mentioned in the Sigma rule, even though it is required. But at the same time, it doesn't make this rule "unsupported".

This can be accomplished by mapping the Imphash field to Hashes (already possible) and putting wildcards around it (planned, very easy to implement). Therefore we recently decided to keep the specific hash field, so that this important information about the hash type is not lost in the rule.
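The enrichment question discussed in the two comments above, an Imphash-keyed rule run against raw Sysmon Event ID 1 records that only carry the combined Hashes string, worked through as an added example; this is not code from the PR or from the Sigma project. It shows both routes the thread mentions: parsing Hashes into a separate Imphash field before matching (enrichment), and mapping Imphash onto the raw Hashes field with wildcards around the value. The four Imphash values are the ones quoted from win_renamed_paexec.yml above; everything else is assumed, in particular the selection1/filter1 structure (Description matched against '*PAExec*', Image against '*paexec*') since the thread only quotes a fragment of the rule, and the sample events, which are constructed with placeholder SHA1/MD5/SHA256 values.

```python
from fnmatch import fnmatchcase

# Imphash values exactly as quoted from win_renamed_paexec.yml in the thread.
PAEXEC_IMPHASHES = (
    "11D40A7B7876288F919AB819CC2D9802",
    "6444f8a34e99b8f7d9647de66aabe516",
    "dfd6aa3f7b2b1035b76b718f1ddc689f",
    "1a6cca4d5460b1710a12dea39e4a592c",
)

# Constructed Sysmon Event ID 1 records (assumption: this is what the SIEM hands
# over). SHA1/MD5/SHA256 values are placeholders; only the IMPHASH slot matters.
_OTHER = "SHA1=" + "0" * 40 + ",MD5=" + "0" * 32 + ",SHA256=" + "0" * 64
SAMPLE_EVENTS = [
    {   # renamed PAExec: metadata and import hash say PAExec, file name does not
        "Image": r"C:\Users\Public\svchost32.exe",
        "Description": "PAExec Application",
        "Hashes": _OTHER + ",IMPHASH=11D40A7B7876288F919AB819CC2D9802",
    },
    {   # PAExec under its own name: excluded by filter1
        "Image": r"C:\Tools\PAExec.exe",
        "Description": "PAExec Application",
        "Hashes": _OTHER + ",IMPHASH=6444f8a34e99b8f7d9647de66aabe516",
    },
    {   # unrelated process
        "Image": r"C:\Windows\System32\notepad.exe",
        "Description": "Notepad",
        "Hashes": _OTHER + ",IMPHASH=" + "f" * 32,
    },
]


def wildcard(value: str, pattern: str) -> bool:
    """Sigma-style case-insensitive match with '*' wildcards."""
    return fnmatchcase(value.lower(), pattern.lower())


def parse_sysmon_hashes(hashes: str) -> dict:
    """Split 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' into one entry per algorithm."""
    parsed = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            parsed[algo.strip().upper()] = value.strip()
    return parsed


def enrich_event(event: dict) -> dict:
    """Enrichment route: derive an 'Imphash' field from the raw 'Hashes' string.
    This is the pre-processing step (Logstash and the like) that the thread says
    the rule needs without stating it."""
    enriched = dict(event)
    imphash = parse_sysmon_hashes(event.get("Hashes", "")).get("IMPHASH")
    if imphash is not None:
        enriched["Imphash"] = imphash
    return enriched


def rule_matches_enriched(event: dict) -> bool:
    """Condition '(selection1 and selection2) and not filter1' on enriched data.
    The selection1/filter1 field choices are assumptions (see lead-in)."""
    event = enrich_event(event)
    selection1 = wildcard(event.get("Description", ""), "*PAExec*")
    selection2 = event.get("Imphash", "").lower() in {h.lower() for h in PAEXEC_IMPHASHES}
    filter1 = wildcard(event.get("Image", ""), "*paexec*")
    return (selection1 and selection2) and not filter1


def rule_matches_raw(event: dict) -> bool:
    """Mapping route: Imphash mapped onto the raw Hashes field with wildcards
    around the value, keeping the 'IMPHASH=' key so the hash type is preserved."""
    selection1 = wildcard(event.get("Description", ""), "*PAExec*")
    selection2 = any(
        wildcard(event.get("Hashes", ""), f"*IMPHASH={h}*") for h in PAEXEC_IMPHASHES
    )
    filter1 = wildcard(event.get("Image", ""), "*paexec*")
    return (selection1 and selection2) and not filter1


def run_rule(events, matcher) -> list:
    """Return the Image of every event the matcher flags."""
    return [e["Image"] for e in events if matcher(e)]


if __name__ == "__main__":
    for name, matcher in (("enriched", rule_matches_enriched), ("raw", rule_matches_raw)):
        print(name, run_rule(SAMPLE_EVENTS, matcher))
```

Both routes flag only the renamed binary. The detail worth keeping when the Imphash-to-Hashes mapping is done with wildcards: anchoring the pattern on the `IMPHASH=` key, as `rule_matches_raw` does, stops a value from matching the MD5 slot (both are 32 hex characters), which is exactly the hash-type information the reply above wants to preserve; a bare `*<hash>*` mapping would lose it.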


@thomaspatzke thomaspatzke commented Feb 16, 2020

Suggested changes implemented. Now need to make CI tests added meanwhile to master passing again.

@yugoslavskiy yugoslavskiy changed the title [OSCD] Final Pull Request / Summary [OSCD Sprint #1] Final Pull Request / Summary Feb 16, 2020
thomaspatzke and others added 3 commits Feb 16, 2020
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
@thomaspatzke thomaspatzke merged commit 48d95f0 into master Feb 20, 2020
2 checks passed
@thomaspatzke thomaspatzke deleted the oscd branch Feb 20, 2020

@thomaspatzke thomaspatzke commented Feb 20, 2020

It's merged! 😃

To all contributors: thanks a lot for this great contribution and sorry for the long QA delay!
