
17089 detect icedid attacks #19528

Merged
merged 4 commits into from Oct 9, 2023

Conversation


@ooniagbi ooniagbi commented Oct 9, 2023

Related issue
Closes #17089

Description

These rules were made using public threat intelligence info related to IcedID software. These rules mostly cover execution, discovery, and persistence techniques.

Configuration options

These rules consume Sysmon logs.

Logs/Alerts example

{"win":{"eventdata":{"originalFileName":"CALC.EXE","image":"C:\\\\Users\\\\AtomicRed\\\\AppData\\\\Local\\\\Temp\\\\calc.exe","product":"Microsoft® Windows® Operating System","parentProcessGuid":"{4dc16835-bf43-645e-1a00-000000002000}","description":"Windows Calculator","logonGuid":"{4dc16835-bf8c-645e-625d-0c0000000000}","parentCommandLine":"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p","processGuid":"{4dc16835-c01a-645e-af00-000000002000}","logonId":"0xc5d62","parentProcessId":"1280","processId":"5240","currentDirectory":"C:\\\\Windows\\\\system32\\\\","utcTime":"2023-05-12 22:39:22.022","hashes":"SHA1=ED13AF4A0A754B8DAEE4929134D2FF15EBE053CD,MD5=5DA8C98136D98DFEC4716EDD79C7145F,SHA256=58189CBD4E6DC0C7D8E66B6A6F75652FC9F4AFC7CE0EBA7D67D8C3FEB0D5381F,IMPHASH=8EEAA9499666119D13B3F44ECD77A729","parentImage":"C:\\\\Windows\\\\System32\\\\svchost.exe","ruleName":"technique_id=T1036,technique_name=Masquerading","company":"Microsoft Corporation","commandLine":"C:\\\\Users\\\\AtomicRed\\\\AppData\\\\Local\\\\Temp\\\\calc.exe","integrityLevel":"Medium","fileVersion":"10.0.19041.1 (WinBuild.160101.0800)","user":"EXCHANGETEST\\\\AtomicRed","terminalSessionId":"1","parentUser":"NT AUTHORITY\\\\SYSTEM"},"system":{"eventID":"1","keywords":"0x8000000000000000","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","level":"4","channel":"Microsoft-Windows-Sysmon/Operational","opcode":"0","message":"\"Process Create:\r\nRuleName: technique_id=T1036,technique_name=Masquerading\r\nUtcTime: 2023-05-12 22:39:22.022\r\nProcessGuid: {4dc16835-c01a-645e-af00-000000002000}\r\nProcessId: 5240\r\nImage: C:\\Users\\AtomicRed\\AppData\\Local\\Temp\\calc.exe\r\nFileVersion: 10.0.19041.1 (WinBuild.160101.0800)\r\nDescription: Windows Calculator\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: CALC.EXE\r\nCommandLine: C:\\Users\\AtomicRed\\AppData\\Local\\Temp\\calc.exe\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: EXCHANGETEST\\AtomicRed\r\nLogonGuid: {4dc16835-bf8c-645e-625d-0c0000000000}\r\nLogonId: 0xC5D62\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: SHA1=ED13AF4A0A754B8DAEE4929134D2FF15EBE053CD,MD5=5DA8C98136D98DFEC4716EDD79C7145F,SHA256=58189CBD4E6DC0C7D8E66B6A6F75652FC9F4AFC7CE0EBA7D67D8C3FEB0D5381F,IMPHASH=8EEAA9499666119D13B3F44ECD77A729\r\nParentProcessGuid: {4dc16835-bf43-645e-1a00-000000002000}\r\nParentProcessId: 1280\r\nParentImage: C:\\Windows\\System32\\svchost.exe\r\nParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p\r\nParentUser: NT AUTHORITY\\SYSTEM\"","version":"5","systemTime":"2023-05-12T22:39:22.0393502Z","eventRecordID":"231761","threadID":"3064","computer":"cfo.ExchangeTest.com","task":"1","processID":"2156","severityValue":"INFORMATION","providerName":"Microsoft-Windows-Sysmon"}}}

Tests

Component Tested Total Coverage
Rules 1381 4292 32.18%
Decoders 125 170 73.53%
File Passed Failed Status
./tests/proftpd.ini 7 0
./tests/exim.ini 7 0
./tests/squid_rules.ini 2 0
./tests/sysmon_eid_3.ini 10 0
./tests/amazon_sec_lake.ini 20 0
./tests/checkpoint_smart1.ini 18 0
./tests/iptables.ini 9 0
./tests/sysmon_eid_10.ini 4 0
./tests/SonicWall.ini 11 0
./tests/panda_paps.ini 8 0
./tests/fortiauth.ini 4 0
./tests/openldap.ini 9 0
./tests/f5_big_ip.ini 48 0
./tests/sophos.ini 8 0
./tests/opensmtpd.ini 7 0
./tests/netscreen.ini 4 0
./tests/rsh.ini 2 0
./tests/arbor.ini 2 0
./tests/web_rules.ini 10 0
./tests/exchange.ini 2 0
./tests/vuln_detector.ini 2 0
./tests/sysmon_eid_7.ini 6 0
./tests/macos.ini 11 0
./tests/samba.ini 4 0
./tests/apparmor.ini 5 0
./tests/test_osmatch_regex.ini 6 0
./tests/test_features.ini 7 0
./tests/pam.ini 5 0
./tests/apache.ini 12 0
./tests/fireeye.ini 3 0
./tests/sysmon.ini 25 0
./tests/dovecot.ini 15 0
./tests/web_appsec.ini 31 0
./tests/nextcloud.ini 8 0
./tests/kernel_usb.ini 6 0
./tests/paloalto.ini 16 0
./tests/sysmon_eid_13.ini 9 0
./tests/ossec.ini 5 0
./tests/test_osregex_regex.ini 28 0
./tests/cisco_ftd.ini 42 0
./tests/sysmon_eid_1.ini 63 0
./tests/github.ini 324 0
./tests/gitlab.ini 27 0
./tests/named.ini 5 0
./tests/powershell.ini 32 0
./tests/openvpn_ldap.ini 2 0
./tests/sysmon_eid_8.ini 4 0
./tests/cloudflare-waf.ini 13 0
./tests/huawei_usg.ini 3 0
./tests/eset.ini 8 0
./tests/test_expr_negation.ini 56 0
./tests/gcp.ini 31 0
./tests/cpanel.ini 7 0
./tests/pfsense.ini 2 0
./tests/cisco_asa.ini 88 0
./tests/systemd.ini 2 0
./tests/nginx.ini 12 0
./tests/sysmon_eid_11.ini 28 0
./tests/cisco_ios.ini 17 0
./tests/pix.ini 22 0
./tests/php.ini 2 0
./tests/office365.ini 128 0
./tests/fortigate.ini 45 0
./tests/fortimail.ini 6 0
./tests/audit_scp.ini 8 0
./tests/win_application.ini 0 0
./tests/fortiddos.ini 3 0
./tests/cimserver.ini 2 0
./tests/freepbx.ini 6 0
./tests/overwrite.ini 10 0
./tests/sshd.ini 49 0
./tests/win_event_channel.ini 8 0
./tests/test_pcre2_regex.ini 33 0
./tests/glpi.ini 3 0
./tests/api.ini 21 0
./tests/dropbear.ini 3 0
./tests/firewalld.ini 2 0
./tests/mailscanner.ini 1 0
./tests/owlh.ini 4 0
./tests/sysmon_eid_20.ini 2 0
./tests/auditd.ini 31 0
./tests/mcafee_epo.ini 1 0
./tests/doas.ini 4 0
./tests/junos.ini 3 0
./tests/sudo.ini 8 0
./tests/syslog.ini 6 0
./tests/sophos_fw.ini 10 0
./tests/vsftpd.ini 4 0
./tests/postfix.ini 2 0
./tests/modsecurity.ini 6 0
./tests/su.ini 5 0
./tests/unbound.ini 0 0
./tests/aws_s3_access.ini 10 0
./tests/test_static_filters.ini 28 0
./tests/oscap.ini 32 0
  • Decoder/Rule tests
    • Added unit testing files ".ini"
    • runtests.py executed without errors
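The PR does not show the rule bodies, only the Wazuh-decoded Sysmon Event ID 1 record they are meant to fire on. The following is an added example, not code from this PR or from the Wazuh ruleset, that shows how the fields in that record (win.eventdata.image, parentImage, originalFileName, ruleName) are the ones a process-creation rule would test. The three checks it applies (binary launched from a user Temp directory, svchost.exe as the parent of such a binary, OriginalFileName not matching the on-disk name) are illustrative assumptions about what such rules look for, not the conditions merged here; the sample alert is a trimmed subset of the event shown above, and `make_eid1` builds constructed test records.

```python
"""Illustrative triage of a Wazuh-decoded Sysmon Event ID 1 alert.

Added example; not code from the PR or the Wazuh ruleset. The checks are
assumptions about what a Temp-directory execution rule might test.
"""
import json
import re

# Subset of the Sysmon EID 1 event from the PR's "Logs/Alerts example",
# kept in the win.eventdata / win.system layout that Wazuh produces.
SAMPLE_ALERT = json.dumps({
    "win": {
        "eventdata": {
            "originalFileName": "CALC.EXE",
            "image": "C:\\Users\\AtomicRed\\AppData\\Local\\Temp\\calc.exe",
            "commandLine": "C:\\Users\\AtomicRed\\AppData\\Local\\Temp\\calc.exe",
            "parentImage": "C:\\Windows\\System32\\svchost.exe",
            "parentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
            "parentUser": "NT AUTHORITY\\SYSTEM",
            "user": "EXCHANGETEST\\AtomicRed",
            "integrityLevel": "Medium",
            "ruleName": "technique_id=T1036,technique_name=Masquerading",
        },
        "system": {"eventID": "1", "channel": "Microsoft-Windows-Sysmon/Operational"},
    }
})

# Per-user Temp directory: <drive>:\Users\<name>\AppData\Local\Temp\ (assumed check).
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def _basename(path):
    """Last path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_technique(rule_name):
    """Split Sysmon's 'technique_id=...,technique_name=...' RuleName into (id, name)."""
    fields = dict(kv.split("=", 1) for kv in rule_name.split(",") if "=" in kv)
    return fields.get("technique_id"), fields.get("technique_name")


def make_eid1(image, parent_image, original_file_name="", rule_name=""):
    """Build a minimal Wazuh-style Sysmon EID 1 alert (constructed test input)."""
    return json.dumps({"win": {
        "eventdata": {"image": image, "parentImage": parent_image,
                      "originalFileName": original_file_name, "ruleName": rule_name},
        "system": {"eventID": "1", "channel": "Microsoft-Windows-Sysmon/Operational"}}})


def triage_eid1(raw_alert):
    """Return a list of findings for one raw JSON alert; empty list if nothing matched."""
    win = json.loads(raw_alert).get("win", {})
    if win.get("system", {}).get("eventID") != "1":      # only process-creation events
        return []
    ed = win.get("eventdata", {})
    image = ed.get("image", "")
    parent = ed.get("parentImage", "")
    findings = []
    if USER_TEMP.match(image):
        findings.append("image executed from user Temp directory")
        # A service host spawning a binary from a user-writable path is worth a look.
        if _basename(parent).lower() == "svchost.exe":
            findings.append("parent is svchost.exe (service host launching a user-writable binary)")
    # PE metadata says one name, the file on disk carries another.
    ofn = ed.get("originalFileName", "")
    if ofn and ofn.lower() != _basename(image).lower():
        findings.append(f"OriginalFileName {ofn} does not match image name {_basename(image)}")
    # Surface the ATT&CK tag the Sysmon config already attached to the event.
    tid, tname = parse_technique(ed.get("ruleName", ""))
    if tid:
        findings.append(f"Sysmon config tagged {tid} ({tname})")
    return findings


if __name__ == "__main__":
    for finding in triage_eid1(SAMPLE_ALERT):
        print(finding)
```

In the PR's sample, OriginalFileName (CALC.EXE) does match the file name, so the name-mismatch check stays quiet; what makes the event interesting is the location (a user Temp directory) and the parent (svchost.exe running as SYSTEM), which is why the Sysmon config tagged it T1036 rather than a rule keyed on the file name alone.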

@ooniagbi ooniagbi linked an issue Oct 9, 2023 that may be closed by this pull request
@ooniagbi ooniagbi requested a review from IsExec October 9, 2023 13:03
@ooniagbi ooniagbi self-assigned this Oct 9, 2023

@IsExec IsExec left a comment


LGTM!

@ooniagbi ooniagbi merged commit 21850c5 into master Oct 9, 2023
@ooniagbi ooniagbi deleted the 17089-detect-icedid-attacks branch October 9, 2023 13:19
Linked issue: #17089 Add rules to detect IcedID attacks