Merge branch 'master' into rule-devel

Makefile

@@ -57,13 +57,15 @@ test-sigmac:
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t carbonblack -c tools/config/carbon-black.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
+	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness-epl -c netwitness-epl rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t humio -O rulecomment -c tools/config/humio.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t crowdstrike -O rulecomment -c tools/config/crowdstrike.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sqlite -c sysmon rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t csharp -c sysmon rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logiq -c sysmon rules/ > /dev/null
+	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sysmon -c sysmon -rvd rules/windows/driver_load rules/windows/file_event rules/windows/image_load rules/windows/network_connection rules/windows/process_access rules/windows/process_creation rules/windows/registry_event rules/windows/sysmon > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null

README.md

@@ -24,11 +24,11 @@ This repository contains:
 
 [![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")
 
-## SANS Webcast on MITRE ATT&CK and Sigma
+## SANS Webcast on MITRE ATT&CK® and Sigma
 
 The SANS webcast on Sigma contains a very good 20 min introduction to the project by John Hubbart from minute 39 onward. (SANS account required; registration is free)
 
-[MITRE ATT&CK and Sigma Alerting Webcast Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 "MITRE ATT&CK and Sigma Alerting")
+[MITRE ATT&CK® and Sigma Alerting Webcast Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 "MITRE ATT&CK® and Sigma Alerting")
 
 # Use Cases
 
@@ -269,7 +269,7 @@ sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
 
 ## Sigma2attack
 
-Generates a [MITRE ATT&CK Navigator](https://github.com/mitre/attack-navigator/) heatmap from a directory containing sigma rules.
+Generates a [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) heatmap from a directory containing sigma rules.
 
 Requirements:
 - Sigma rules tagged with a `attack.tXXXX` tag (e.g.: `attack.t1086`)
@@ -284,7 +284,7 @@ Usage samples:
 ./tools/sigma2attack --rules-directory ~/hunting/rules
 ```
 
-Result once imported in the MITRE ATT&CK Navigator ([online version](https://mitre-attack.github.io/attack-navigator/enterprise/)):
+Result once imported in the MITRE ATT&CK® Navigator ([online version](https://mitre-attack.github.io/attack-navigator/enterprise/)):
 
 ![Sigma2attack result](./images/sigma2attack.png)
 
@@ -299,7 +299,7 @@ These tools are not part of the main toolchain and maintained separately by thei
 
 # Next Steps
 
-* Integration of MITRE ATT&CK framework identifier to the rule set
+* Integration of MITRE ATT&CK® framework identifier to the rule set
 * Integration into Threat Intel Exchanges
 * Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms
 

rules/application/app_python_sql_exceptions.yml

@@ -1,8 +1,10 @@
 title: Python SQL Exceptions
 id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
+status: stable
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
 date: 2017/08/12
+modified: 2020/09/01
 references:
     - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
@@ -19,3 +21,6 @@ falsepositives:
     - Application bugs
     - Penetration testing
 level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/application/app_sqlinjection_errors.yml

@@ -4,6 +4,7 @@ status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
 date: 2017/11/27
+modified: 2020/09/01
 references:
     - http://www.sqlinjection.net/errors
 logsource:
@@ -24,3 +25,6 @@ detection:
 falsepositives:
     - Application bugs
 level: high
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/application/appframework_django_exceptions.yml

@@ -1,8 +1,10 @@
 title: Django Framework Exceptions
 id: fd435618-981e-4a7c-81f8-f78ce480d616
+status: stable
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/05
+modified: 2020/09/01
 references:
     - https://docs.djangoproject.com/en/1.11/ref/exceptions/
     - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
@@ -30,3 +32,6 @@ falsepositives:
     - Application bugs
     - Penetration testing
 level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/application/appframework_ruby_on_rails_exceptions.yml

@@ -1,8 +1,10 @@
 title: Ruby on Rails Framework Exceptions
 id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
+status: stable
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/06
+modified: 2020/09/01
 references:
     - http://edgeguides.rubyonrails.org/security.html
     - http://guides.rubyonrails.org/action_controller_overview.html
@@ -23,3 +25,6 @@ falsepositives:
     - Application bugs
     - Penetration testing
 level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/application/appframework_spring_exceptions.yml

@@ -1,8 +1,10 @@
 title: Spring Framework Exceptions
 id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
+status: stable
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/06
+modified: 2020/09/01
 references:
     - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
@@ -22,3 +24,6 @@ falsepositives:
     - Application bugs
     - Penetration testing
 level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/apt/apt_silence_downloader_v3.yml

@@ -4,10 +4,7 @@ status: experimental
 description: Detects Silence downloader. These commands are hardcoded into the binary.
 author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
 date: 2019/11/01
-modified: 2019/11/22
-tags:
-    - attack.persistence
-    - attack.g0091
+modified: 2020/09/01
 logsource:
     category: process_creation
     product: windows
@@ -31,3 +28,13 @@ fields:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.persistence
+    - attack.t1547.001
+    - attack.t1060  # an old one
+    - attack.discovery
+    - attack.t1057
+    - attack.t1082
+    - attack.t1016
+    - attack.t1033
+    - attack.g0091

rules/apt/apt_silence_eda.yml

@@ -4,10 +4,7 @@ status: experimental
 description: Detects Silence empireDNSagent
 author: Alina Stepchenkova, Group-IB, oscd.community
 date: 2019/11/01
-modified: 2019/11/20
-tags:
-    - attack.g0091
-    - attack.s0363
+modified: 2020/09/01
 logsource:
     product: windows
     service: powershell
@@ -32,3 +29,15 @@ detection:
 falsepositives:
     - Unknown
 level: critical
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  # an old one
+    - attack.command_and_control
+    - attack.t1071.004
+    - attack.t1071  # an old one
+    - attack.t1572
+    - attack.impact
+    - attack.t1529
+    - attack.g0091
+    - attack.s0363

rules/cloud/aws_cloudtrail_disable_logging.yml

@@ -1,9 +1,9 @@
 title: AWS CloudTrail Important Change
 id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
 status: experimental
+description: Detects disabling, deleting and updating of a Trail
 author: vitaliy0x1
 date: 2020/01/21
-description: Detects disabling, deleting and updating of a Trail
 references:
     - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
 logsource:
@@ -17,10 +17,10 @@ detection:
             - UpdateTrail
             - DeleteTrail
     condition: selection_source AND events
-level: medium
 falsepositives:
     - Valid change in a Trail
+level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1089
     - attack.t1562.001
+    - attack.t1089  # an old one

rules/cloud/aws_config_disable_recording.yml

@@ -1,9 +1,9 @@
 title: AWS Config Disabling Channel/Recorder
 id: 07330162-dba1-4746-8121-a9647d49d297
 status: experimental
+description: Detects AWS Config Service disabling
 author: vitaliy0x1
 date: 2020/01/21
-description: Detects AWS Config Service disabling
 logsource:
     service: cloudtrail
 detection:
@@ -14,10 +14,10 @@ detection:
             - DeleteDeliveryChannel
             - StopConfigurationRecorder
     condition: selection_source AND events
-level: high
 falsepositives:
     - Valid change in AWS Config Service
+level: high
 tags:
     - attack.defense_evasion
-    - attack.t1089
     - attack.t1562.001
+    - attack.t1089  # an old one

rules/cloud/aws_ec2_download_userdata.yml

@@ -1,9 +1,10 @@
 title: AWS EC2 Download Userdata
 id: 26ff4080-194e-47e7-9889-ef7602efed0c
 status: experimental
+description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
 author: faloker
 date: 2020/02/11
-description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
+modified: 2020/09/01
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
 logsource:
@@ -17,8 +18,9 @@ detection:
         - eventName: DescribeInstanceAttribute
     timeframe: 30m
     condition: all of them | count() > 10
-level: medium
 falsepositives:
     - Assets management software like device42
+level: medium
 tags:
+    - attack.exfiltration 
     - attack.t1020

rules/cloud/aws_ec2_startup_script_change.yml

@@ -1,9 +1,10 @@
 title: AWS EC2 Startup Shell Script Change
 id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
 status: experimental
+description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.
 author: faloker
 date: 2020/02/12
-description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.
+modified: 2020/09/01
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
 logsource:
@@ -16,9 +17,14 @@ detection:
     selection_eventname:
         - eventName: ModifyInstanceAttribute
     condition: all of them
-level: high
 falsepositives:
     - Valid changes to the startup script
+level: high
 tags:
-    - attack.t1064
-    - attack.t1059
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  # an old one
+    - attack.t1059.003
+    - attack.t1059.004
+    - attack.t1059  # an old one
+    - attack.t1064  # an old one

rules/cloud/aws_ec2_vm_export_failure.yml

@@ -1,17 +1,11 @@
 title: AWS EC2 VM Export Failure
 id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
 status: experimental
-description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
-references:
-  - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance     
+description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.     
 author: Diogo Braz
 date: 2020/04/16
-tags:
-  - attack.collection    
-  - attack.t1005      
-  - attack.exfiltration
-  - attack.t1537
-level: low
+references: 
+  - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
 logsource:
   service: cloudtrail
 detection:
@@ -26,3 +20,10 @@ detection:
     eventName: 'ConsoleLogin'
     responseElements: '*Failure*'
   condition: selection and (filter1 or filter2 or filter3)
+level: low
+tags:
+- attack.collection    
+- attack.t1005      
+- attack.exfiltration
+- attack.t1537
+

rules/cloud/aws_guardduty_disruption.yml

@@ -1,9 +1,9 @@
 title: AWS GuardDuty Important Change
 id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
 status: experimental
+description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
 author: faloker
 date: 2020/02/11
-description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9
 logsource:
@@ -14,10 +14,10 @@ detection:
     selection_eventName:
         - eventName: CreateIPSet
     condition: all of them
-level: high
 falsepositives:
     - Valid change in the GuardDuty (e.g. to ignore internal scanners)
+level: high
 tags:
     - attack.defense_evasion
-    - attack.t1089
     - attack.t1562.001
+    - attack.t1089  # an old one

rules/cloud/aws_iam_backdoor_users_keys.yml

@@ -1,9 +1,10 @@
 title: AWS IAM Backdoor Users Keys
 id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
 status: experimental
+description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
 author: faloker
 date: 2020/02/12
-description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
+modified: 2020/09/01
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
 logsource:
@@ -21,9 +22,10 @@ fields:
     - responseElements.accessKey.userName
     - errorCode
     - errorMessage
-level: medium
 falsepositives:
     - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
     - AWS API keys legitimate exchange workflows
+level: medium
 tags:
+    - attack.persistence
     - attack.t1098