Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[OSCD Sprint #1] Final Pull Request / Summary #554

Merged
merged 174 commits into from Feb 20, 2020
Merged

[OSCD Sprint #1] Final Pull Request / Summary #554

merged 174 commits into from Feb 20, 2020

Conversation

yugoslavskiy
Copy link
Collaborator

@yugoslavskiy yugoslavskiy commented Dec 7, 2019

The last set of Sigma rules developed during the first OSCD sprint.

Summary

  • 144 new rules added
  • 19 existing rules improved
  • two existing rules deprecated

Tom Kern (NIL SOC) 🇸🇮

added 1 rule:

  • sysmon_in_memory_powershell.yml

James Pemberton, @4A616D6573 (Hydro Tasmania) 🇦🇺

improved 2 rules:

  • win_renamed_binary.yml
  • win_susp_net_execution.yml

Ian Davis (Tieto SOC) 🇨🇿

added 2 new rules:

  • win_tap_installer_execution.yml
  • win_tap_driver_installation.yml

Daniel Bohannon, @danielhbohannon (FireEye) 🇺🇸

added 3 rules:

  • win_invoke_obfuscation_obfuscated_iex_services.yml
  • powershell_invoke_obfuscation_obfuscated_iex.yml
  • win_invoke_obfuscation_obfuscated_iex_commandline.yml

Diego Perez, @darkquassar (Independent Researcher) 🇦🇷

added 3 new rules:

  • sysmon_suspicious_remote_thread.yml
  • sysmon_in_memory_assembly_execution.yml
  • sysmon_minidumwritedump_lsass.yml

improved 1 rule:

  • powershell_suspicious_keywords.yml

Victor Sergeev, @stvetro (Help AG) 🇦🇪

added 4 new rules:

  • win_susp_direct_run_key_modification.yml
  • win_susp_netsh_dll_persistence.yml
  • win_susp_service_path_modification.yml
  • sysmon_asep_reg_keys_modification.yml

Teymur Kheirkhabarov, @HeirhabarovT (BI.ZONE SOC) 🇷🇺

added 6 new rules:

  • win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
  • win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
  • win_possible_privilege_escalation_using_rotten_potato.yml
  • win_using_sc_to_change_sevice_image_path_by_non_admin.yml
  • win_whoami_as_system.yml
  • sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml

Jakob Weinzettl, @mrblacyk (Tieto SOC) 🇵🇱

added 7 new rules:

  • lnx_dd_delete_file.yml
  • lnx_pers_systemd_reload.yml
  • lnx_file_or_folder_permissions.yml
  • lnx_chattr_immutable_removal.yml
  • win_service_stop.yml
  • win_file_permission_modifications.yml
  • win_dsquery_domain_trust_discovery.yml

Rules shared by (Tieto SOC) 🇨🇿

added 9 new rules:

  • net_high_dns_bytes_out.yml
  • net_high_dns_requests_rate.yml
  • net_high_null_records_requests_rate.yml
  • net_high_txt_records_requests_rate.yml
  • powershell_dnscat_execution.yml
  • win_dns_exfiltration_tools_execution.yml
  • win_exfiltration_and_tunneling_tools_execution.yml
  • net_dns_high_subdomain_rate.yml
  • net_dns_large_domain_name.yml

improved 1 rule:

  • net_dns_c2_detection.yml

Denis Beyu, (Independent Researcher) 🇷🇺

added 11 new rules:

  • lnx_auditd_web_rce.yml
  • win_susp_bginfo.yml
  • win_susp_cdb.yml
  • win_susp_devtoolslauncher.yml
  • win_susp_dnx.yml
  • win_susp_dxcap.yml
  • win_susp_msoffice.yml
  • win_susp_odbcconf.yml
  • win_susp_openwith.yml
  • win_susp_psr_capture_screenshots.yml
  • sysmon_webshell_creation_detect.yml

Ilyas Ochkov, @CatSchrodinger (Independent Researcher) 🇷🇺

added 13 new rules:

  • net_possible_dns_rebinding.yml
  • proxy_suspicious_reverse_connect_via_http_proxy.yml
  • win_new_or_renamed_user_account_with_dollar_sign.yml
  • win_possible_dc_sync.yml
  • win_register_new_logon_process_by_rubeus.yml
  • win_suspicious_outbound_kerberos_connection.yml
  • win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
  • powershell_clear_powershell_history.yml
  • sysmon_disable_security_events_logging_adding_reg_key_minint.yml
  • sysmon_new_dll_added_to_appcertdlls_registry_key.yml
  • sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
  • sysmon_possible_dns_rebinding.yml
  • sysmon_suspicious_outbound_kerberos_connection.yml

BSI 🇩🇪

  • Jan Hasenbusch
  • Eva Maria Anhaus

added 17 new rules:

  • lnx_auditd_ld_so_preload_mod.yml
  • win_bootconf_mod.yml
  • win_hh_chm.yml
  • win_indirect_cmd.yml
  • win_interactive_at.yml
  • win_lsass_dump.yml
  • win_mshta_javascript.yml
  • win_net_enum.yml
  • win_net_user_add.yml
  • win_powershell_audio_capture.yml
  • win_powershell_bitsjob.yaml
  • win_remote_time_discovery.yml
  • win_soundrec_audio_capture.yml
  • win_trust_discovery.yml
  • win_uac_cmstp.yml
  • win_uac_fodhelper.yml
  • win_uac_wsreset.yml

improved 4 rules:

  • win_susp_eventlog_clear.yml
  • win_data_compressed_with_rar.yml
  • win_susp_fsutil_usage.yml
  • win_grabbing_sensitive_hives_via_reg.yml

Daniil Yugoslavskiy, @yugoslavskiy (Atomic Threat Coverage) 🏳️

added 43 new rules:

  • win_quarkspwdump_clearing_hive_access_history.yml
  • win_remote_registry_management_using_reg_utility.yml
  • win_susp_lsass_dump_generic.yml
  • win_transferring_files_with_credential_data_via_network_shares.yml
  • win_copying_sensitive_files_with_credential_data.yml
  • win_grabbing_sensitive_hives_via_reg.yml
  • win_mimikatz_command_line.yml
  • win_shadow_copies_access_symlink.yml
  • win_shadow_copies_creation.yml
  • win_shadow_copies_deletion.yml
  • sysmon_cred_dump_lsass_access.yml
  • sysmon_cred_dump_tools_dropped_files.yml
  • sysmon_cred_dump_tools_named_pipes.yml
  • sysmon_lsass_memory_dump_file_creation.yml
  • sysmon_raw_disk_access_using_illegitimate_tools.yml
  • sysmon_unsigned_image_loaded_into_lsass.yml
  • win_dumping_ntdsdit_via_dcsync.yml
  • win_dumping_ntdsdit_via_netsync.yml
  • win_ad_replication_non_machine_account.yml
  • win_dpapi_domain_backupkey_extraction.yml
  • win_protected_storage_service_access.yml
  • win_dpapi_domain_masterkey_backup_attempt.yml
  • win_sam_registry_hive_handle_request.yml
  • win_sam_registry_hive_dump_via_reg_utility.yml
  • win_lsass_access_non_system_account.yml
  • win_ad_object_writedac_access.yml
  • powershell_alternate_powershell_hosts.yml
  • sysmon_remote_powershell_session_network.yml
  • win_remote_powershell_session.yml
  • win_scm_database_handle_failure.yml
  • win_scm_database_privileged_operation.yml
  • sysmon_wmi_module_load.yml
  • sysmon_remote_powershell_session_process.yml
  • sysmon_rdp_registry_modification.yml
  • sysmon_powershell_execution_pipe.yml
  • sysmon_alternate_powershell_hosts_pipe.yml
  • sysmon_powershell_execution_moduleload.yml
  • sysmon_createremotethread_loadlibrary.yml
  • sysmon_alternate_powershell_hosts_moduleload.yml
  • powershell_remote_powershell_session.yml
  • win_non_interactive_powershell.yml
  • win_syskey_registry_access.yml
  • win_wmiprvse_spawning_process.yml

improved 9 rules:

  • win_renamed_binary.yml
  • win_susp_eventlog_clear.yml
  • win_mal_creddumper.yml
  • win_mal_service_installs.yml
  • win_susp_raccess_sensitive_fext.yml
  • win_susp_process_creations.yml
  • win_susp_process_creations.yml
  • sysmon_powershell_exploit_scripts.yml
  • win_account_backdoor_dcsync_rights.yml

deprecated 2 rules:

  • win_susp_vssadmin_ntds_activity.yml
  • sysmon_mimikatz_detection_lsass.yml

mrblacyk and others added 30 commits Oct 23, 2019
…operation.yml, win_syskey_registry_access.yml
…library.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml
  win_non_interactive_powershell.yml
	win_remote_powershell_session.yml
	win_wmiprvse_spawning_process.yml
	powershell_alternate_powershell_hosts.yml
	powershell_remote_powershell_session.yml
	sysmon_alternate_powershell_hosts_moduleload.yml
	sysmon_alternate_powershell_hosts_pipe.yml
	sysmon_non_interactive_powershell_execution.yml
	sysmon_powershell_execution_moduleload.yml
	sysmon_powershell_execution_pipe.yml
	sysmon_remote_powershell_session_network.yml
	sysmon_remote_powershell_session_process.yml
	sysmon_wmi_module_load.yml
	sysmon_wmiprvse_spawning_process.yml
Added:

1. Additional tags for techniques as defined by Atomic Blue.
2. Detection for OriginalFileName as net.exe can easily be renamed.

Part of oscd.community effort.
Updated tags to pass Travis CI checks.
fix some typos and remove redundant references
found in multiple internally analyzed malicious scripts (in the wild and as result of engagements)
- new rules:

	+ rules/windows/builtin/win_susp_lsass_dump_generic.yml
	+
rules/windows/builtin/win_transferring_files_with_credential_data_via_ne
twork_shares.yml
	+
rules/windows/builtin/win_remote_registry_management_using_reg_utility.y
ml
	+ rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
	+ rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
	+
rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml
	+ rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
	+ rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
	+
rules/windows/process_creation/process_creation_shadow_copies_creation.y
ml
	+
rules/windows/process_creation/process_creation_shadow_copies_deletion.y
ml
	+
rules/windows/process_creation/process_creation_copying_sensitive_files_
with_credential_data.yml
	+
rules/windows/process_creation/process_creation_shadow_copies_access_sym
link.yml
	+
rules/windows/process_creation/process_creation_grabbing_sensitive_hives
_via_reg.yml
	+
rules/windows/process_creation/process_creation_mimikatz_command_line.ym
l
	+
rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml
	+
rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml
.yml

- updated rules:

	+ rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
	+ rules/windows/builtin/win_mal_creddumper.yml
	+ rules/windows/builtin/win_mal_service_installs.yml
	+ rules/windows/process_creation/win_susp_process_creations.yml
	+ rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
	+ rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml

- deprecated rules:

	+ rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
@yugoslavskiy
Copy link
Collaborator Author

@yugoslavskiy yugoslavskiy commented Feb 4, 2020

Hello @thomaspatzke !

I see you've deleted rules/windows/process_creation/win_whoami_as_system.yml, developed by Teymur Kheirkhabarov, due to deduplication reasons.

He presented this detection logic back in November 2018, and pushed the Sigma rule 2 month before it was added by @Neo23x0 .
I believe that he deserves to have his name and reference to his research in the rule added by Florian:

https://github.com/Neo23x0/sigma/blob/815c562a17ebb716ef78eede2761ed2587c7e7ba/rules/windows/process_creation/win_susp_whoami_localsystem.yml#L5

Would you mind if I will add this information to this rule? Please don't get me wrong, I am talking about adding the info, not replacing.

@thomaspatzke
Copy link
Member

@thomaspatzke thomaspatzke commented Feb 6, 2020

I see you've deleted rules/windows/process_creation/win_whoami_as_system.yml, developed by Teymur Kheirkhabarov, due to deduplication reasons.

Definitely deleted the wrong one by accident, I readd it.

@thomaspatzke
Copy link
Member

@thomaspatzke thomaspatzke commented Feb 6, 2020

@yugoslavskiy thanks for your comments! I will incorporate the changes at the weekend and also give an answer on your comment regarding unsupported rules.

@thomaspatzke
Copy link
Member

@thomaspatzke thomaspatzke commented Feb 9, 2020

1. It's not the sigmac case. They would never be supported by Sigma.

Initially, we've put some rules to "unsupported" section because they could be implemented by some SIEMs, but not supported by sigmac.

This way we've tried to provide you with additional community opinion on that case to support the development of complex correlation logic in sigmac, that would push Sigma forward.

There is no SIEM system that would be able to do Enrichments from the rules have been moved to "unsupported" section, as it requires extra data processing with 3rd party systems (i.e. Logstash).

This way, rules with "Enrichments" most probably would never become "supported" by Sigma.

I understand your point there. Generally the idea of the Sigma rule repository was that the rules are directly actionable. On the other side generating queries for an environment anyways requires some work (configuration, mapping, enabling log source, configuring security settings etc.) so why not. @Neo23x0 what do you think about it?

2. There are many rules, that actually require Enrichment, but there is no info about it in the rule.

A good example of such rule is rules/windows/process_creation/win_renamed_paexec.yml. Here is the detection section from it:

detection:
    selection1:
        Product:
            - '*PAExec*'
    selection2:
        Imphash:
            - 11D40A7B7876288F919AB819CC2D9802
            - 6444f8a34e99b8f7d9647de66aabe516
            - dfd6aa3f7b2b1035b76b718f1ddc689f
            - 1a6cca4d5460b1710a12dea39e4a592c
    filter1:
        Image: '*paexec*'
    condition: (selection1 and selection2) and not filter1

As you can see, it uses Imphash field from Sysmon Event ID 1.
As you know, Sysmon Event ID 1 doesn't provide such field, it provides Hashes field in String format, and inside this field we see the next string:

SHA1=E82AC9345FBEFC100FF16D66536877502AB2C017,MD5=C8F7FA1A3A3B23DF12A2BCF4B500DEE1,SHA256=E666AC2934A9BA6C65531E4E258C9BEBD7C311C6A378A6ACCEFFDF7F9741B4A8,IMPHASH=E799C2BD8BC66603D6DDC95F2DB31A18

If somebody want's to implement rules/windows/process_creation/win_renamed_paexec.yml he will need the Imphash field. Which means, he will need to parse this Hashes field, and this is... Enrichment. In this specific case, Enrichment is not mentioned in the Sigma rule, even though it is required. But at the same time, it doesn't make this rule "unsupported".

This can be accomplished by mapping the Imphash field to Hashes (already possible) and put wildcards around it (planned, very easy to implement). Therefore we decided shortly to keep the specific hash field to prevent that this important information about the hash type is lost in the rule.

@thomaspatzke
Copy link
Member

@thomaspatzke thomaspatzke commented Feb 16, 2020

Suggested changes implemented. Now need to make CI tests added meanwhile to master passing again.

@yugoslavskiy yugoslavskiy changed the title [OSCD] Final Pull Request / Summary [OSCD Sprint #1] Final Pull Request / Summary Feb 16, 2020
thomaspatzke and others added 3 commits Feb 16, 2020
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
@thomaspatzke thomaspatzke merged commit 48d95f0 into master Feb 20, 2020
2 checks passed
@thomaspatzke thomaspatzke deleted the oscd branch Feb 20, 2020
@thomaspatzke
Copy link
Member

@thomaspatzke thomaspatzke commented Feb 20, 2020

Finally...it's merged! 😃

To all contributors: thanks a lot for this great contribution and sorry for the long qa delay!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

9 participants