Merge pull request SigmaHQ#1018 from savvyspoon/wcry-dns

WannaCry Killswitch domain DNS query

rules/application/app_python_sql_exceptions.yml

@@ -1,12 +1,10 @@
 title: Python SQL Exceptions
 id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
+status: stable
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
 date: 2017/08/12
 modified: 2020/09/01
-tags:
-    - attack.initial_access
-    - attack.t1190
 references:
     - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
@@ -23,3 +21,6 @@ falsepositives:
     - Application bugs
     - Penetration testing
 level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/application/app_sqlinjection_errors.yml

@@ -5,9 +5,6 @@ description: Detects SQL error messages that indicate probing for an injection a
 author: Bjoern Kimminich
 date: 2017/11/27
 modified: 2020/09/01
-tags:
-    - attack.initial_access
-    - attack.t1190
 references:
     - http://www.sqlinjection.net/errors
 logsource:
@@ -28,3 +25,6 @@ detection:
 falsepositives:
     - Application bugs
 level: high
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/application/appframework_django_exceptions.yml

@@ -1,12 +1,10 @@
 title: Django Framework Exceptions
 id: fd435618-981e-4a7c-81f8-f78ce480d616
+status: stable
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/05
 modified: 2020/09/01
-tags:
-    - attack.initial_access
-    - attack.t1190
 references:
     - https://docs.djangoproject.com/en/1.11/ref/exceptions/
     - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
@@ -34,3 +32,6 @@ falsepositives:
     - Application bugs
     - Penetration testing
 level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/application/appframework_ruby_on_rails_exceptions.yml

@@ -1,12 +1,10 @@
 title: Ruby on Rails Framework Exceptions
 id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
+status: stable
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/06
 modified: 2020/09/01
-tags:
-    - attack.initial_access
-    - attack.t1190
 references:
     - http://edgeguides.rubyonrails.org/security.html
     - http://guides.rubyonrails.org/action_controller_overview.html
@@ -27,3 +25,6 @@ falsepositives:
     - Application bugs
     - Penetration testing
 level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/application/appframework_spring_exceptions.yml

@@ -1,12 +1,10 @@
 title: Spring Framework Exceptions
 id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
+status: stable
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/06
 modified: 2020/09/01
-tags:
-    - attack.initial_access
-    - attack.t1190
 references:
     - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
@@ -26,3 +24,6 @@ falsepositives:
     - Application bugs
     - Penetration testing
 level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/apt/apt_silence_downloader_v3.yml

@@ -5,16 +5,6 @@ description: Detects Silence downloader. These commands are hardcoded into the b
 author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
 date: 2019/11/01
 modified: 2020/09/01
-tags:
-    - attack.persistence
-    - attack.t1547.001
-    - attack.t1060  # an old one
-    - attack.discovery
-    - attack.t1057
-    - attack.t1082
-    - attack.t1016
-    - attack.t1033
-    - attack.g0091
 logsource:
     category: process_creation
     product: windows
@@ -38,3 +28,13 @@ fields:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.persistence
+    - attack.t1547.001
+    - attack.t1060  # an old one
+    - attack.discovery
+    - attack.t1057
+    - attack.t1082
+    - attack.t1016
+    - attack.t1033
+    - attack.g0091

rules/apt/apt_silence_eda.yml

@@ -5,18 +5,6 @@ description: Detects Silence empireDNSagent
 author: Alina Stepchenkova, Group-IB, oscd.community
 date: 2019/11/01
 modified: 2020/09/01
-tags:
-    - attack.execution
-    - attack.t1059.001
-    - attack.t1086  # an old one
-    - attack.command_and_control
-    - attack.t1071.004
-    - attack.t1071  # an old one
-    - attack.t1572
-    - attack.impact
-    - attack.t1529
-    - attack.g0091
-    - attack.s0363
 logsource:
     product: windows
     service: powershell
@@ -41,3 +29,15 @@ detection:
 falsepositives:
     - Unknown
 level: critical
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  # an old one
+    - attack.command_and_control
+    - attack.t1071.004
+    - attack.t1071  # an old one
+    - attack.t1572
+    - attack.impact
+    - attack.t1529
+    - attack.g0091
+    - attack.s0363

rules/cloud/aws_cloudtrail_disable_logging.yml

@@ -1,9 +1,9 @@
 title: AWS CloudTrail Important Change
 id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
 status: experimental
+description: Detects disabling, deleting and updating of a Trail
 author: vitaliy0x1
 date: 2020/01/21
-description: Detects disabling, deleting and updating of a Trail
 references:
     - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
 logsource:
@@ -17,9 +17,9 @@ detection:
             - UpdateTrail
             - DeleteTrail
     condition: selection_source AND events
-level: medium
 falsepositives:
     - Valid change in a Trail
+level: medium
 tags:
     - attack.defense_evasion
     - attack.t1562.001

rules/cloud/aws_config_disable_recording.yml

@@ -1,9 +1,9 @@
 title: AWS Config Disabling Channel/Recorder
 id: 07330162-dba1-4746-8121-a9647d49d297
 status: experimental
+description: Detects AWS Config Service disabling
 author: vitaliy0x1
 date: 2020/01/21
-description: Detects AWS Config Service disabling
 logsource:
     service: cloudtrail
 detection:
@@ -14,9 +14,9 @@ detection:
             - DeleteDeliveryChannel
             - StopConfigurationRecorder
     condition: selection_source AND events
-level: high
 falsepositives:
     - Valid change in AWS Config Service
+level: high
 tags:
     - attack.defense_evasion
     - attack.t1562.001

rules/cloud/aws_ec2_download_userdata.yml

@@ -1,10 +1,10 @@
 title: AWS EC2 Download Userdata
 id: 26ff4080-194e-47e7-9889-ef7602efed0c
 status: experimental
+description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
 author: faloker
 date: 2020/02/11
 modified: 2020/09/01
-description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
 logsource:
@@ -18,9 +18,9 @@ detection:
         - eventName: DescribeInstanceAttribute
     timeframe: 30m
     condition: all of them | count() > 10
-level: medium
 falsepositives:
     - Assets management software like device42
+level: medium
 tags:
     - attack.exfiltration 
     - attack.t1020

rules/cloud/aws_ec2_startup_script_change.yml

@@ -1,10 +1,10 @@
 title: AWS EC2 Startup Shell Script Change
 id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
 status: experimental
+description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.
 author: faloker
 date: 2020/02/12
 modified: 2020/09/01
-description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
 logsource:
@@ -17,9 +17,9 @@ detection:
     selection_eventname:
         - eventName: ModifyInstanceAttribute
     condition: all of them
-level: high
 falsepositives:
     - Valid changes to the startup script
+level: high
 tags:
     - attack.execution
     - attack.t1059.001

rules/cloud/aws_ec2_vm_export_failure.yml

@@ -1,17 +1,11 @@
 title: AWS EC2 VM Export Failure
 id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
 status: experimental
-description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
-references:
-  - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance     
+description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.     
 author: Diogo Braz
 date: 2020/04/16
-tags:
-  - attack.collection    
-  - attack.t1005      
-  - attack.exfiltration
-  - attack.t1537
-level: low
+references: 
+  - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
 logsource:
   service: cloudtrail
 detection:
@@ -26,3 +20,10 @@ detection:
     eventName: 'ConsoleLogin'
     responseElements: '*Failure*'
   condition: selection and (filter1 or filter2 or filter3)
+level: low
+tags:
+- attack.collection    
+- attack.t1005      
+- attack.exfiltration
+- attack.t1537
+

rules/cloud/aws_guardduty_disruption.yml

@@ -1,9 +1,9 @@
 title: AWS GuardDuty Important Change
 id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
 status: experimental
+description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
 author: faloker
 date: 2020/02/11
-description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9
 logsource:
@@ -14,9 +14,9 @@ detection:
     selection_eventName:
         - eventName: CreateIPSet
     condition: all of them
-level: high
 falsepositives:
     - Valid change in the GuardDuty (e.g. to ignore internal scanners)
+level: high
 tags:
     - attack.defense_evasion
     - attack.t1562.001

rules/cloud/aws_iam_backdoor_users_keys.yml

@@ -1,10 +1,10 @@
 title: AWS IAM Backdoor Users Keys
 id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
 status: experimental
+description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
 author: faloker
 date: 2020/02/12
 modified: 2020/09/01
-description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
 logsource:
@@ -22,10 +22,10 @@ fields:
     - responseElements.accessKey.userName
     - errorCode
     - errorMessage
-level: medium
 falsepositives:
     - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
     - AWS API keys legitimate exchange workflows
+level: medium
 tags:
     - attack.persistence
     - attack.t1098

rules/cloud/aws_rds_change_master_password.yml

@@ -1,10 +1,10 @@
 title: AWS RDS Master Password Change
 id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
 status: experimental
+description: Detects the change of database master password. It may be a part of data exfiltration.
 author: faloker
 date: 2020/02/12
 modified: 2020/09/01
-description: Detects the change of database master password. It may be a part of data exfiltration.
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
 logsource:
@@ -17,9 +17,9 @@ detection:
     selection_eventname:
         - eventName: ModifyDBInstance
     condition: all of them
-level: medium
 falsepositives:
     - Benign changes to a db instance
+level: medium
 tags:
     - attack.exfiltration
     - attack.t1020

rules/cloud/aws_rds_public_db_restore.yml

@@ -1,10 +1,10 @@
 title: Restore Public AWS RDS Instance
 id: c3f265c7-ff03-4056-8ab2-d486227b4599
 status: experimental
+description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
 author: faloker
 date: 2020/02/12
 modified: 2020/09/01
-description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
 logsource:
@@ -17,9 +17,9 @@ detection:
     selection_eventname:
         - eventName: RestoreDBInstanceFromDBSnapshot
     condition: all of them
-level: high
 falsepositives:
     - unknown
+level: high
 tags:
     - attack.exfiltration
     - attack.t1020