diff --git a/rules/web/proxy_generic/proxy_cobalt_amazon.yml b/deprecated/web/proxy_cobalt_amazon.yml
similarity index 96%
rename from rules/web/proxy_generic/proxy_cobalt_amazon.yml
rename to deprecated/web/proxy_cobalt_amazon.yml
index 419dc177f43..d1c32ad8a7b 100644
--- a/rules/web/proxy_generic/proxy_cobalt_amazon.yml
+++ b/deprecated/web/proxy_cobalt_amazon.yml
@@ -1,13 +1,13 @@
 title: CobaltStrike Malleable Amazon Browsing Traffic Profile
 id: 953b895e-5cc9-454b-b183-7f3db555452e
-status: test
+status: deprecated
 description: Detects Malleable Amazon Profile
 references:
     - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile
     - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
 author: Markus Neis
 date: 2019/11/12
-modified: 2022/07/07
+modified: 2024/02/15
 tags:
     - attack.defense_evasion
     - attack.command_and_control
diff --git a/rules/web/proxy_generic/proxy_cobalt_malformed_uas.yml b/deprecated/web/proxy_cobalt_malformed_uas.yml
similarity index 95%
rename from rules/web/proxy_generic/proxy_cobalt_malformed_uas.yml
rename to deprecated/web/proxy_cobalt_malformed_uas.yml
index 809a3fccb5e..3ed5fb48bcd 100644
--- a/rules/web/proxy_generic/proxy_cobalt_malformed_uas.yml
+++ b/deprecated/web/proxy_cobalt_malformed_uas.yml
@@ -1,12 +1,12 @@
 title: CobaltStrike Malformed UAs in Malleable Profiles
 id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
-status: test
+status: deprecated
 description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
 references:
     - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
 author: Florian Roth (Nextron Systems)
 date: 2021/05/06
-modified: 2022/12/25
+modified: 2024/02/15
 tags:
     - attack.defense_evasion
     - attack.command_and_control
diff --git a/rules/web/proxy_generic/proxy_cobalt_ocsp.yml b/deprecated/web/proxy_cobalt_ocsp.yml
similarity index 93%
rename from rules/web/proxy_generic/proxy_cobalt_ocsp.yml
rename to deprecated/web/proxy_cobalt_ocsp.yml
index 4941ea79256..54e56d2b7bf 100644
--- a/rules/web/proxy_generic/proxy_cobalt_ocsp.yml
+++ b/deprecated/web/proxy_cobalt_ocsp.yml
@@ -1,12 +1,12 @@
 title: CobaltStrike Malleable (OCSP) Profile
 id: 37325383-740a-403d-b1a2-b2b4ab7992e7
-status: test
+status: deprecated
 description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
 references:
     - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile
 author: Markus Neis
 date: 2019/11/12
-modified: 2021/11/27
+modified: 2024/02/15
 tags:
     - attack.defense_evasion
     - attack.command_and_control
diff --git a/rules/web/proxy_generic/proxy_cobalt_onedrive.yml b/deprecated/web/proxy_cobalt_onedrive.yml
similarity index 95%
rename from rules/web/proxy_generic/proxy_cobalt_onedrive.yml
rename to deprecated/web/proxy_cobalt_onedrive.yml
index 5eca35956af..452843447df 100644
--- a/rules/web/proxy_generic/proxy_cobalt_onedrive.yml
+++ b/deprecated/web/proxy_cobalt_onedrive.yml
@@ -1,12 +1,12 @@
 title: CobaltStrike Malleable OneDrive Browsing Traffic Profile
 id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
-status: test
+status: deprecated
 description: Detects Malleable OneDrive Profile
 references:
     - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
 author: Markus Neis
 date: 2019/11/12
-modified: 2022/08/15
+modified: 2024/02/15
 tags:
     - attack.defense_evasion
     - attack.command_and_control
diff --git a/rules/web/proxy_generic/proxy_ios_implant.yml b/deprecated/web/proxy_ios_implant.yml
similarity index 86%
rename from rules/web/proxy_generic/proxy_ios_implant.yml
rename to deprecated/web/proxy_ios_implant.yml
index fdfca9b93a2..74ee36db710 100644
--- a/rules/web/proxy_generic/proxy_ios_implant.yml
+++ b/deprecated/web/proxy_ios_implant.yml
@@ -1,13 +1,13 @@
 title: iOS Implant URL Pattern
 id: e06ac91d-b9e6-443d-8e5b-af749e7aa6b6
-status: test
+status: deprecated # Deprecated to being related to Ios so logging will vary and its old
 description: Detects URL pattern used by iOS Implant
 references:
     - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
     - https://twitter.com/craiu/status/1167358457344925696
 author: Florian Roth (Nextron Systems)
 date: 2019/08/30
-modified: 2022/08/15
+modified: 2024/02/26
 tags:
     - attack.execution
     - attack.t1203
diff --git a/rules/web/proxy_generic/proxy_chafer_malware.yml b/rules-emerging-threats/2019/Malware/Chafer/proxy_malware_chafer_url_pattern.yml
similarity index 74%
rename from rules/web/proxy_generic/proxy_chafer_malware.yml
rename to rules-emerging-threats/2019/Malware/Chafer/proxy_malware_chafer_url_pattern.yml
index 4ad291c006e..4c73c0f57fe 100644
--- a/rules/web/proxy_generic/proxy_chafer_malware.yml
+++ b/rules-emerging-threats/2019/Malware/Chafer/proxy_malware_chafer_url_pattern.yml
@@ -1,12 +1,12 @@
 title: Chafer Malware URL Pattern
 id: fb502828-2db0-438e-93e6-801c7548686d
 status: test
-description: Detects HTTP requests used by Chafer malware
+description: Detects HTTP request used by Chafer malware to receive data from its C2.
 references:
     - https://securelist.com/chafer-used-remexi-malware/89538/
 author: Florian Roth (Nextron Systems)
 date: 2019/01/31
-modified: 2022/08/15
+modified: 2024/02/15
 tags:
     - attack.command_and_control
     - attack.t1071.001
@@ -16,10 +16,6 @@ detection:
     selection:
         c-uri|contains: '/asp.asp\?ui='
     condition: selection
-fields:
-    - ClientIP
-    - c-uri
-    - c-useragent
 falsepositives:
     - Unknown
-level: critical
+level: high
diff --git a/rules/web/proxy_generic/proxy_ursnif_malware_c2_url.yml b/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_c2_url.yml
similarity index 93%
rename from rules/web/proxy_generic/proxy_ursnif_malware_c2_url.yml
rename to rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_c2_url.yml
index 3cd0231e75d..4e3ae946ae1 100644
--- a/rules/web/proxy_generic/proxy_ursnif_malware_c2_url.yml
+++ b/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_c2_url.yml
@@ -26,11 +26,6 @@ detection:
             - '.avi'
             - '/images/'
     condition: b64encoding and urlpatterns
-fields:
-    - c-ip
-    - c-uri
-    - sc-bytes
-    - c-ua
 falsepositives:
     - Unknown
 level: critical
diff --git a/rules/web/proxy_generic/proxy_ursnif_malware_download_url.yml b/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_download_url.yml
similarity index 100%
rename from rules/web/proxy_generic/proxy_ursnif_malware_download_url.yml
rename to rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_download_url.yml
diff --git a/rules/web/proxy_generic/proxy_apt40.yml b/rules-emerging-threats/2019/TA/APT40/proxy_apt_apt40_dropbox_tool_ua.yml
similarity index 95%
rename from rules/web/proxy_generic/proxy_apt40.yml
rename to rules-emerging-threats/2019/TA/APT40/proxy_apt_apt40_dropbox_tool_ua.yml
index b4771d9db53..66143182d98 100644
--- a/rules/web/proxy_generic/proxy_apt40.yml
+++ b/rules-emerging-threats/2019/TA/APT40/proxy_apt_apt40_dropbox_tool_ua.yml
@@ -19,9 +19,6 @@ detection:
         c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
         cs-host: 'api.dropbox.com'
     condition: selection
-fields:
-    - c-ip
-    - c-uri
 falsepositives:
     - Old browsers
 level: high
diff --git a/rules/web/proxy_generic/proxy_turla_comrat.yml b/rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml
similarity index 81%
rename from rules/web/proxy_generic/proxy_turla_comrat.yml
rename to rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml
index def96ce8925..f346161c7c8 100644
--- a/rules/web/proxy_generic/proxy_turla_comrat.yml
+++ b/rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml
@@ -1,12 +1,12 @@
-title: Turla ComRAT
+title: ComRAT Network Communication
 id: 7857f021-007f-4928-8b2c-7aedbe64bb82
 status: test
-description: Detects Turla ComRAT patterns
+description: Detects Turla ComRAT network communication.
 references:
     - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 author: Florian Roth (Nextron Systems)
 date: 2020/05/26
-modified: 2022/08/15
+modified: 2024/02/26
 tags:
     - attack.defense_evasion
     - attack.command_and_control
diff --git a/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_exploitation.yml
similarity index 100%
rename from rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml
rename to rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_exploitation.yml
diff --git a/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
similarity index 100%
rename from rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml
rename to rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
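Review bot: The OWASSRF rule renames here (and the two `web_` siblings in the next file sections) move the files into a `CVE-2022-41082` directory but name them `proxy_cve_2022_36804_exchange_owassrf_…` / `web_cve_2022_36804_exchange_owassrf_…`, so the directory and the file names disagree about which CVE the rules cover. As far as I know CVE-2022-36804 is an Atlassian Bitbucket issue, while OWASSRF is the Exchange chain tracked as CVE-2022-41080/CVE-2022-41082, so the `36804` token looks like a copy-paste slip rather than an intentional identifier. Unless there is a reason for it, name the files to match the directory, e.g. `proxy_cve_2022_41082_exchange_owassrf_exploitation.yml`, before the rename lands, since downstream consumers key on the path.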
diff --git a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_exploitation.yml
similarity index 100%
rename from rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml
rename to rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_exploitation.yml
diff --git a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
similarity index 100%
rename from rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml
rename to rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
diff --git a/rules/web/proxy_generic/proxy_java_class_download.yml b/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml
similarity index 50%
rename from rules/web/proxy_generic/proxy_java_class_download.yml
rename to rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml
index 51bca642fe6..c94fe2c053b 100644
--- a/rules/web/proxy_generic/proxy_java_class_download.yml
+++ b/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml
@@ -1,14 +1,17 @@
-title: Java Class Proxy Download
+title: .Class Extension URI Ending Request
 id: 53c15703-b04c-42bb-9055-1937ddfb3392
 status: test
-description: Detects Java class download in proxy logs, e.g. used in Log4shell exploitation attacks against Log4j.
+description: |
+    Detects requests to URI ending with the ".class" extension in proxy logs.
+    This could rules can be used to hunt for potential downloads of Java classes as seen for example in Log4shell exploitation attacks against Log4j.
 references:
     - https://www.lunasec.io/docs/blog/log4j-zero-day/
 author: Andreas Hunkeler (@Karneades)
 date: 2021/12/21
-modified: 2022/12/25
+modified: 2024/02/26
 tags:
     - attack.initial_access
+    - detection.threat_hunting
 logsource:
     category: proxy
 detection:
@@ -17,4 +20,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
+level: medium
diff --git a/rules/cloud/github/github_delete_action_invoked.yml b/rules/cloud/github/github_delete_action_invoked.yml
index e0d8f584782..15a7e5e9f3b 100644
--- a/rules/cloud/github/github_delete_action_invoked.yml
+++ b/rules/cloud/github/github_delete_action_invoked.yml
@@ -2,7 +2,7 @@ title: Github Delete Action Invoked
 id: 16a71777-0b2e-4db7-9888-9d59cb75200b
 status: test
 description: Detects delete action in the Github audit logs for codespaces, environment, project and repo.
-author: Muhammad Faisal
+author: Muhammad Faisal (@faisalusuf)
 date: 2023/01/19
 references:
     - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
@@ -22,11 +22,6 @@ detection:
             - 'project.delete'
             - 'repo.destroy'
     condition: selection
-fields:
-    - 'action'
-    - 'actor'
-    - 'org'
-    - 'actor_location.country_code'
 falsepositives:
     - Validate the deletion activity is permitted. The "actor" field need to be validated.
 level: medium
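Review bot: The new multi-line description carries a garbled sentence, `This could rules can be used to hunt…`; I would replace it with `This rule can be used to hunt for potential downloads of Java classes, as seen for example in Log4shell exploitation attacks against Log4j.` Since the rule is being demoted to a threat-hunting rule at level medium while `falsepositives` still says `Unknown`, it would help to state the expected benign source in that list, presumably legitimate Java web applications serving `.class` files, so the reader understands why the level dropped. The `selection` block sits between the two hunks and is not visible here, so I have not reviewed the URI match itself.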
diff --git a/rules/cloud/github/github_disable_high_risk_configuration.yml b/rules/cloud/github/github_disable_high_risk_configuration.yml
index fbe4fa23b3b..63dde5985f5 100644
--- a/rules/cloud/github/github_disable_high_risk_configuration.yml
+++ b/rules/cloud/github/github_disable_high_risk_configuration.yml
@@ -2,7 +2,7 @@ title: Github High Risk Configuration Disabled
 id: 8622c92d-c00e-463c-b09d-fd06166f6794
 status: test
 description: Detects when a user disables a critical security feature for an organization.
-author: Muhammad Faisal
+author: Muhammad Faisal (@faisalusuf)
 date: 2023/01/29
 references:
     - https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization
@@ -20,21 +20,11 @@ logsource:
 detection:
     selection:
         action:
+            - 'org.advanced_security_policy_selected_member_disabled'
             - 'org.disable_oauth_app_restrictions'
             - 'org.disable_two_factor_requirement'
             - 'repo.advanced_security_disabled'
-            - 'org.advanced_security_policy_selected_member_disabled'
     condition: selection
-fields:
-    - 'action'
-    - 'actor'
-    - 'org'
-    - 'actor_location.country_code'
-    - 'transport_protocol_name'
-    - 'repository'
-    - 'repo'
-    - 'repository_public'
-    - '@timestamp'
 falsepositives:
     - Approved administrator/owner activities.
 level: high
diff --git a/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml b/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml
index 5ad33bcf317..a6ab69436e5 100644
--- a/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml
+++ b/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml
@@ -4,7 +4,7 @@ status: test
 description: |
     Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
     This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
-author: Muhammad Faisal
+author: Muhammad Faisal (@faisalusuf)
 date: 2023/01/27
 references:
     - https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
@@ -19,22 +19,12 @@ logsource:
 detection:
     selection:
         action:
-            - 'dependabot_alerts.disable'
             - 'dependabot_alerts_new_repos.disable'
-            - 'dependabot_security_updates.disable'
+            - 'dependabot_alerts.disable'
             - 'dependabot_security_updates_new_repos.disable'
+            - 'dependabot_security_updates.disable'
             - 'repository_vulnerability_alerts.disable'
     condition: selection
-fields:
-    - 'action'
-    - 'actor'
-    - 'org'
-    - 'actor_location.country_code'
-    - 'transport_protocol_name'
-    - 'repository'
-    - 'repo'
-    - 'repository_public'
-    - '@timestamp'
 falsepositives:
     - Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes.
 level: high
diff --git a/rules/cloud/github/github_new_org_member.yml b/rules/cloud/github/github_new_org_member.yml
index 505626f1d8c..ac17b72bd35 100644
--- a/rules/cloud/github/github_new_org_member.yml
+++ b/rules/cloud/github/github_new_org_member.yml
@@ -2,7 +2,7 @@ title: New Github Organization Member Added
 id: 3908d64a-3c06-4091-b503-b3a94424533b
 status: test
 description: Detects when a new member is added or invited to a github organization.
-author: Muhammad Faisal
+author: Muhammad Faisal (@faisalusuf)
 date: 2023/01/29
 references:
     - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions
@@ -19,16 +19,6 @@ detection:
             - 'org.add_member'
             - 'org.invite_member'
     condition: selection
-fields:
-    - 'action'
-    - 'actor'
-    - 'org'
-    - 'actor_location.country_code'
-    - 'transport_protocol_name'
-    - 'repository'
-    - 'repo'
-    - 'repository_public'
-    - '@timestamp'
 falsepositives:
     - Organization approved new members
 level: informational
diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/cloud/github/github_new_secret_created.yml
index 7daa5cc37be..f5741c62025 100644
--- a/rules/cloud/github/github_new_secret_created.yml
+++ b/rules/cloud/github/github_new_secret_created.yml
@@ -2,7 +2,7 @@ title: Github New Secret Created
 id: f9405037-bc97-4eb7-baba-167dad399b83
 status: test
 description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
-author: Muhammad Faisal
+author: Muhammad Faisal (@faisalusuf)
 date: 2023/01/20
 references:
     - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
@@ -19,16 +19,11 @@ logsource:
 detection:
     selection:
         action:
-            - 'org.create_actions_secret'
-            - 'environment.create_actions_secret'
             - 'codespaces.create_an_org_secret'
+            - 'environment.create_actions_secret'
+            - 'org.create_actions_secret'
             - 'repo.create_actions_secret'
     condition: selection
-fields:
-    - 'action'
-    - 'actor'
-    - 'org'
-    - 'actor_location.country_code'
 falsepositives:
     - This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor".
 level: low
diff --git a/rules/cloud/github/github_outside_collaborator_detected.yml b/rules/cloud/github/github_outside_collaborator_detected.yml
index 6127829674f..3fa79ec55b5 100644
--- a/rules/cloud/github/github_outside_collaborator_detected.yml
+++ b/rules/cloud/github/github_outside_collaborator_detected.yml
@@ -3,7 +3,7 @@ id: eaa9ac35-1730-441f-9587-25767bde99d7
 status: test
 description: |
     Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
-author: Muhammad Faisal
+author: Muhammad Faisal (@faisalusuf)
 date: 2023/01/20
 references:
     - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
@@ -21,14 +21,9 @@ logsource:
 detection:
     selection:
         action:
-            - 'project.update_user_permission'
             - 'org.remove_outside_collaborator'
+            - 'project.update_user_permission'
     condition: selection
-fields:
-    - 'action'
-    - 'actor'
-    - 'org'
-    - 'actor_location.country_code'
 falsepositives:
     - Validate the actor if permitted to access the repo.
     - Validate the Multifactor Authentication changes.
diff --git a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
index 23f9b0cb41b..1c5088f655a 100644
--- a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
+++ b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
@@ -5,7 +5,7 @@ description: |
     A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.
     This rule detects changes to self-hosted runners configurations in the environment.
     The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.
-author: Muhammad Faisal
+author: Muhammad Faisal (@faisalusuf)
 date: 2023/01/27
 references:
     - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
@@ -31,23 +31,13 @@ detection:
             - 'org.remove_self_hosted_runner'
             - 'org.runner_group_created'
             - 'org.runner_group_removed'
-            - 'org.runner_group_updated'
-            - 'org.runner_group_runners_added'
             - 'org.runner_group_runner_removed'
+            - 'org.runner_group_runners_added'
             - 'org.runner_group_runners_updated'
+            - 'org.runner_group_updated'
             - 'repo.register_self_hosted_runner'
             - 'repo.remove_self_hosted_runner'
     condition: selection
-fields:
-    - 'action'
-    - 'actor'
-    - 'org'
-    - 'actor_location.country_code'
-    - 'transport_protocol_name'
-    - 'repository'
-    - 'repo'
-    - 'repository_public'
-    - '@timestamp'
 falsepositives:
     - Allowed self-hosted runners changes in the environment.
     - A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.
diff --git a/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml b/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml
index a299ca3ed2d..11340a82f18 100644
--- a/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml
+++ b/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml
@@ -17,11 +17,6 @@ detection:
         c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
         cs-method: 'GET'
     condition: selection
-fields:
-    - ClientIP
-    - c-uri
-    - c-useragent
-    - cs-method
 falsepositives:
     - Administrative scripts that download files from the Internet
     - Administrative scripts that retrieve certain website contents
diff --git a/rules/web/proxy_generic/proxy_baby_shark.yml b/rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml
similarity index 72%
rename from rules/web/proxy_generic/proxy_baby_shark.yml
rename to rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml
index e167e138986..517e51994ff 100644
--- a/rules/web/proxy_generic/proxy_baby_shark.yml
+++ b/rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml
@@ -1,12 +1,12 @@
-title: BabyShark Agent Pattern
+title: HackTool - BabyShark Agent Default URL Pattern
 id: 304810ed-8853-437f-9e36-c4975c3dfd7e
 status: test
-description: Detects Baby Shark C2 Framework communication patterns
+description: Detects Baby Shark C2 Framework default communication patterns
 references:
     - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
 author: Florian Roth (Nextron Systems)
 date: 2021/06/09
-modified: 2022/08/15
+modified: 2024/02/15
 tags:
     - attack.command_and_control
     - attack.t1071.001
@@ -17,5 +17,5 @@ detection:
         c-uri|contains: 'momyshark\?key='
     condition: selection
 falsepositives:
-    - Unknown
+    - Unlikely
 level: critical
diff --git a/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml b/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml
new file mode 100644
index 00000000000..6eaa03271f2
--- /dev/null
+++ b/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml
@@ -0,0 +1,60 @@
+title: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
+id: f3f21ce1-cdef-4bfc-8328-ed2e826f5fac
+related:
+    - id: 953b895e-5cc9-454b-b183-7f3db555452e
+      type: obsoletes
+    - id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
+      type: obsoletes
+    - id: 37325383-740a-403d-b1a2-b2b4ab7992e7
+      type: obsoletes
+    - id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
+      type: obsoletes
+status: test
+description: Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile
+    - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile
+    - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
+author: Markus Neis, Florian Roth (Nextron Systems)
+date: 2024/02/15
+tags:
+    - attack.defense_evasion
+    - attack.command_and_control
+    - attack.t1071.001
+logsource:
+    category: proxy
+detection:
+    selection_amazon_1:
+        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
+        cs-method: 'GET'
+        c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
+        cs-host: 'www.amazon.com'
+        cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
+    selection_amazon_2:
+        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
+        cs-method: 'POST'
+        c-uri: '/N4215/adj/amzn.us.sr.aps'
+        cs-host: 'www.amazon.com'
+    selection_generic_1:
+        c-useragent:
+            - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
+            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
+            - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
+    selection_generic_2:
+        c-useragent|endswith: '; MANM; MANM)'
+    selection_oscp:
+        c-uri|contains: '/oscp/'
+        cs-host: 'ocsp.verisign.com'
+    selection_onedrive:
+        cs-method: 'GET'
+        c-uri|endswith: '\?manifest=wac'
+        cs-host: 'onedrive.live.com'
+    filter_main_onedrive:
+        c-uri|startswith: 'http'
+        c-uri|contains: '://onedrive.live.com/'
+    condition: 1 of selection_* and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/web/proxy_generic/proxy_empire_ua_uri_combos.yml b/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml
similarity index 91%
rename from rules/web/proxy_generic/proxy_empire_ua_uri_combos.yml
rename to rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml
index 0bdd09f1a79..f7236717142 100644
--- a/rules/web/proxy_generic/proxy_empire_ua_uri_combos.yml
+++ b/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml
@@ -1,4 +1,4 @@
-title: Empire UserAgent URI Combo
+title: HackTool - Empire UserAgent URI Combo
 id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
 status: test
 description: Detects user agent and URI paths used by empire agents
@@ -6,7 +6,7 @@ references:
     - https://github.com/BC-SECURITY/Empire
 author: Florian Roth (Nextron Systems)
 date: 2020/07/13
-modified: 2022/08/05
+modified: 2024/02/26
 tags:
     - attack.defense_evasion
     - attack.command_and_control
diff --git a/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml b/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml
similarity index 76%
rename from rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml
rename to rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml
index aa520cb3c2b..b89fcf8d719 100644
--- a/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml
+++ b/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml
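Review bot: The condition `1 of selection_* and not 1 of filter_main_*` applies `filter_main_onedrive` to every selection, not only to `selection_onedrive`, so a hit on `selection_generic_1`/`selection_generic_2` or `selection_oscp` whose logged URI is an absolute `http…://onedrive.live.com/` URL is silently suppressed, a wider exclusion than the filter's name suggests. If the filter is only meant to drop legitimate OneDrive browsing, scope it explicitly: `condition: (selection_onedrive and not filter_main_onedrive) or 1 of selection_amazon_* or 1 of selection_generic_* or selection_oscp`. `selection_amazon_1` also depends on `cs-cookie`, which presumably is not populated by every proxy log source; a one-line comment above it such as `# only matches on sources that log the Cookie header (cs-cookie)` would spare the next reader a debugging round. Finally the description would read better as `Detects Cobalt Strike Malleable C2 profile patterns (URI, User-Agent, Method).`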
@@ -1,12 +1,13 @@
-title: Advanced IP/Port Scanner Update Check
+title: PUA - Advanced IP/Port Scanner Update Check
 id: 1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d
 status: test
-description: Detect update check performed by Advanced IP Scanner and Advanced Port Scanner
+description: Detect the update check performed by Advanced IP/Port Scanner utilities.
 references:
     - https://www.advanced-ip-scanner.com/
     - https://www.advanced-port-scanner.com/
 author: Axel Olsson
 date: 2022/08/14
+modified: 2024/02/15
 tags:
     - attack.discovery
     - attack.t1590
@@ -25,8 +26,6 @@ detection:
             - 'rmode='
             - 'product='
     condition: selection
-fields:
-    - c-ip
 falsepositives:
-    - Legitimate use by administrators
+    - Expected if you legitimately use the Advanced IP or Port Scanner utilities in your environement.
 level: medium
diff --git a/rules/web/proxy_generic/proxy_raw_paste_service_access.yml b/rules/web/proxy_generic/proxy_raw_paste_service_access.yml
index d484d133527..5a3d53fc412 100644
--- a/rules/web/proxy_generic/proxy_raw_paste_service_access.yml
+++ b/rules/web/proxy_generic/proxy_raw_paste_service_access.yml
@@ -26,10 +26,6 @@ detection:
             - 'pastebin.pl/'
             - 'paste.ee/'
     condition: selection
-fields:
-    - ClientIP
-    - c-uri
-    - c-useragent
 falsepositives:
     - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
 level: high
diff --git a/rules/web/proxy_generic/proxy_empty_ua.yml b/rules/web/proxy_generic/proxy_ua_empty.yml
similarity index 73%
rename from rules/web/proxy_generic/proxy_empty_ua.yml
rename to rules/web/proxy_generic/proxy_ua_empty.yml
index 031ec69691a..d588f58c533 100644
--- a/rules/web/proxy_generic/proxy_empty_ua.yml
+++ b/rules/web/proxy_generic/proxy_ua_empty.yml
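Review bot: The new falsepositives entry misspells "environment"; it should read `- Expected if you legitimately use the Advanced IP or Port Scanner utilities in your environment.` The rewritten description `Detect the update check…` should also become `Detects the update check performed by Advanced IP/Port Scanner utilities.` to match the third-person form used by the other rules in this change. The `selection` list is cut at the top of the second hunk, so the URI parameters themselves are not reviewed here.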
@@ -1,7 +1,9 @@
-title: Empty User Agent
+title: HTTP Request With Empty User Agent
 id: 21e44d78-95e7-421b-a464-ffd8395659c4
 status: test
-description: Detects suspicious empty user agent strings in proxy logs
+description: |
+    Detects a potentially suspicious empty user agent strings in proxy log.
+    Could potentially indicate an uncommon request method.
 references:
     - https://twitter.com/Carlos_Perez/status/883455096645931008
 author: Florian Roth (Nextron Systems)
@@ -18,10 +20,6 @@ detection:
         # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
         c-useragent: ''
     condition: selection
-fields:
-    - ClientIP
-    - c-uri
-    - c-useragent
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/web/proxy_generic/proxy_powershell_ua.yml b/rules/web/proxy_generic/proxy_ua_powershell.yml
similarity index 93%
rename from rules/web/proxy_generic/proxy_powershell_ua.yml
rename to rules/web/proxy_generic/proxy_ua_powershell.yml
index 07dbe1963cf..16357dd5fc2 100644
--- a/rules/web/proxy_generic/proxy_powershell_ua.yml
+++ b/rules/web/proxy_generic/proxy_ua_powershell.yml
@@ -17,10 +17,6 @@ detection:
     selection:
         c-useragent|contains: ' WindowsPowerShell/'
     condition: selection
-fields:
-    - ClientIP
-    - c-uri
-    - c-useragent
 falsepositives:
     - Administrative scripts that download files from the Internet
     - Administrative scripts that retrieve certain website contents
diff --git a/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml b/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml
index 51f4f303cfc..adadace58ad 100644
--- a/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml
@@ -8,7 +8,7 @@ references:
     - https://blog.harmj0y.net/redteaming/another-word-on-delegation/
 author: '@neu5ron'
 date: 2017/04/13
-modified: 2021/11/27
+modified: 2024/02/26
 tags:
     - attack.t1098
     - attack.persistence
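Review bot: The new description is grammatically off (`a potentially suspicious empty user agent strings in proxy log`) and its second sentence says an empty UA may indicate an uncommon request *method*, which is not what the rule tests; the selection in the second hunk matches `c-useragent: ''` irrespective of method. I would rewrite the two lines as `Detects a potentially suspicious empty user agent string in proxy logs.` followed by `An empty User-Agent is unusual for browsers and can point to a script or download cradle, e.g. PowerShell's Net.WebClient noted in the detection comment.` The rest of this file's change only drops the `fields` list, consistent with the other rules in the commit.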
@@ -19,9 +19,12 @@ logsource:
 detection:
     selection1:
         EventID: 4738
+    filter_empty:
+        AllowedToDelegateTo:
+            - ''
+            - '-'
     filter_null:
-        - AllowedToDelegateTo: '-'
-        - AllowedToDelegateTo:
+        AllowedToDelegateTo: null
     selection_5136_1:
         EventID: 5136
         AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
@@ -32,7 +35,7 @@ detection:
     selection_5136_3:
         EventID: 5136
         AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
-    condition: (selection1 and not filter_null) or 1 of selection_5136_*
+    condition: (selection1 and not 1 of filter_*) or 1 of selection_5136_*
 falsepositives:
     - Unknown
 level: high
diff --git a/tests/sigma_cli_conf.yml b/tests/sigma_cli_conf.yml
index fc640d883dd..03ebc620c84 100644
--- a/tests/sigma_cli_conf.yml
+++ b/tests/sigma_cli_conf.yml
@@ -59,7 +59,7 @@ exclusions:
     c37510b8-2107-4b78-aa32-72f251e7a844: escaped_wildcard
     c462f537-a1e3-41a6-b5fc-b2c2cef9bf82: escaped_wildcard
     c73124a7-3e89-44a3-bdc1-25fe4df754b1: escaped_wildcard
-    c9b33401-cc6a-4cf6-83bb-57ddcb2407fc: escaped_wildcard
+    f3f21ce1-cdef-4bfc-8328-ed2e826f5fac: escaped_wildcard
     d84c0ded-edd7-4123-80ed-348bb3ccc4d5: escaped_wildcard
     db885529-903f-4c5d-9864-28fe199e6370: escaped_wildcard
     dd218fb6-4d02-42dc-85f0-a0a376072efd: escaped_wildcard
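Review bot: The rewritten filters hard-code three "nothing set" representations of `AllowedToDelegateTo` (`''`, `'-'` and an absent field via `null`) without saying why, and a reader who does not know that 4738 reports `-` for attributes that were not changed (if I read the event semantics correctly) will not understand what is being excluded; I would put `# 4738 reports '-' or an empty value when AllowedToDelegateTo was not touched; only a real value means constrained delegation was set` above `filter_empty`. Keeping the absent-field case in its own `filter_null` looks deliberate, so a short comment there would also stop someone from merging the two. As a style point, `selection1` now sits beside `selection_5136_*`, `filter_empty` and `filter_null`; renaming it `selection_4738` makes the condition `(selection_4738 and not 1 of filter_*) or 1 of selection_5136_*` self-explanatory.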
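Review bot: The replacement exclusion `f3f21ce1-…` is written into the slot that `c9b33401-…` occupied, between `c73124a7-…` and `d84c0ded-…`, which breaks the sorted order the surrounding `escaped_wildcard` entries follow; move the new line down to its alphabetical position so the list stays sorted. The swap itself correctly tracks the ID migration from the deprecated OneDrive rule to the consolidated Cobalt Strike rule.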