Merge pull request SigmaHQ#3002 from phantinuss/master

Various new Rule Tests
gholdzhang · May 11, 2022 · 2b0db86 · 2b0db86
2 parents 4b829c4 + 6f92a11
commit 2b0db86
Show file tree

Hide file tree

Showing 175 changed files with 533 additions and 610 deletions.
diff --git a/rules/cloud/azure/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/azure_kubernetes_admission_controller.yml
@@ -12,14 +12,12 @@ logsource:
   service: activitylogs
 detection:
     selection1:
-          properties.message|startswith:
-            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
+          properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
           properties.message|endswith:
             - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
             - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE
     selection2:
-          properties.message|startswith:
-            - MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
+          properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
           properties.message|endswith:
             - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
             - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE

diff --git a/rules/cloud/azure/azure_kubernetes_cronjob.yml b/rules/cloud/azure/azure_kubernetes_cronjob.yml
@@ -14,14 +14,12 @@ logsource:
     service: activitylogs
 detection:
     selection1:
-          properties.message|startswith:
-            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH
+          properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH
           properties.message|endswith:
             - /CRONJOBS/WRITE
             - /JOBS/WRITE
     selection2:
-          properties.message|startswith:
-            - MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH
+          properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH
           properties.message|endswith:
             - /CRONJOBS/WRITE
             - /JOBS/WRITE
@@ -32,5 +30,5 @@ tags:
     - attack.privilege_escalation
     - attack.execution
 falsepositives:
-    - Azure Kubernetes CronJob/Job may be done by a system administrator. 
+    - Azure Kubernetes CronJob/Job may be done by a system administrator.
     - If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml
@@ -11,8 +11,7 @@ logsource:
   service: activitylogs
 detection:
     selection1:
-        properties.message: 
-            - MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
+        properties.message: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
     condition: selection1
 level: high
 falsepositives:

diff --git a/rules/cloud/azure/azure_suppression_rule_created.yml b/rules/cloud/azure/azure_suppression_rule_created.yml
@@ -11,13 +11,12 @@ logsource:
   service: activitylogs
 detection:
     selection:
-        properties.message: 
-            - MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE
+        properties.message: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE
     condition: selection
 level: medium
 tags:
     - attack.impact
 falsepositives:
- - Suppression Rule being created may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Suppression Rule being created may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml
@@ -12,16 +12,14 @@ logsource:
   service: gcp.audit
 detection:
     selection1:
-        gcp.audit.method_name|startswith: 
-            - admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.
-        gcp.audit.method_name|endswith: 
+        gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.
+        gcp.audit.method_name|endswith:
             - create
             - patch
             - replace
     selection2:
-        gcp.audit.method_name|startswith: 
-            - admissionregistration.k8s.io.v*.validatingwebhookconfigurations.
-        gcp.audit.method_name|endswith: 
+        gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.validatingwebhookconfigurations.
+        gcp.audit.method_name|endswith:
             - create
             - patch
             - replace

diff --git a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
@@ -18,7 +18,7 @@ detection:
     status: success
   condition: selection
 falsepositives:
-  -
+  - Unknown
 level: medium
 tags:
   - attack.initial_access

diff --git a/rules/cloud/okta/okta_unauthorized_access_to_app.yml b/rules/cloud/okta/okta_unauthorized_access_to_app.yml
@@ -13,8 +13,7 @@ logsource:
   service: okta
 detection:
     selection:
-        displaymessage:
-            - User attempted unauthorized access to app
+        displaymessage: User attempted unauthorized access to app
     condition: selection
 level: medium
 tags:

diff --git a/rules/compliance/workstation_was_locked.yml b/rules/compliance/workstation_was_locked.yml
@@ -15,8 +15,7 @@ logsource:
     service: security
 detection:
     selection:
-        EventID:
-            - 4800
+        EventID: 4800
     condition: selection
 falsepositives:
     - Unknown

diff --git a/rules/linux/auditd/lnx_auditd_audio_capture.yml b/rules/linux/auditd/lnx_auditd_audio_capture.yml
@@ -15,12 +15,9 @@ logsource:
 detection:
    selection:
        type: EXECVE
-       a0:
-           - arecord
-       a1:
-           - '-vv'
-       a2:
-           - '-fdat'
+       a0: arecord
+       a1: '-vv'
+       a2: '-fdat'
    condition: selection
 tags:
    - attack.collection

diff --git a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
@@ -12,8 +12,7 @@ logsource:
   service: auditd
 detection:
   selection:
-    key:
-      - 'susp_activity'
+    key: 'susp_activity'
   condition: selection
 falsepositives:
   - Admin or User activity

diff --git a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
@@ -29,7 +29,7 @@ fields:
   - key
 falsepositives:
   - Legitimate administrative activity
-  - Ligitimate software, cleaning hist file
+  - Legitimate software, cleaning hist file
 level: medium
 tags:
   - attack.credential_access

diff --git a/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml b/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml
@@ -16,12 +16,11 @@ detection:
     type: 'PATH'
     nametype: 'CREATE'
   name_1:
-    name|startswith: 
+    name|startswith:
          - '/usr/lib/systemd/system/'
          - '/etc/systemd/system/'
   name_2:
-    name|contains:
-         - '/.config/systemd/user/'
+    name|contains: '/.config/systemd/user/'
   condition: path and 1 of name_*
 falsepositives:
   - Admin work like legit service installs.

diff --git a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml
@@ -19,8 +19,7 @@ logsource:
 detection:
    commands:
        type: EXECVE
-       a0:
-           - unzip
+       a0: unzip
    a1:
        a1|endswith:
            - '.jpg'

diff --git a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml
@@ -3,7 +3,7 @@ id: f8341cb2-ee25-43fa-a975-d8a5a9714b39
 status: experimental
 description: Detects the usage of the unsafe bpftrace option
 author: Andreas Hunkeler (@Karneades)
-tags: 
+tags:
   - attack.execution
   - attack.t1059.004
 references:
@@ -15,10 +15,8 @@ logsource:
   product: linux
 detection:
   selection1:
-    Image|endswith:
-      - 'bpftrace'
-    CommandLine|contains:
-      - '--unsafe'
+    Image|endswith: 'bpftrace'
+    CommandLine|contains: '--unsafe'
   condition: selection1
 falsepositives:
   - Legitimate usage of the unsafe option

diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml
@@ -12,25 +12,19 @@ logsource:
   product: linux
 detection:
   selection_1:
-    Image|endswith:
-      - '/lastlog'
+    Image|endswith: '/lastlog'
   selection_2:
-    CommandLine|contains:
-      - '''x:0:'''
+    CommandLine|contains: '''x:0:'''
   selection_3:
-    Image|endswith:
-      - '/cat'
+    Image|endswith: '/cat'
     CommandLine|contains:
       - '/etc/passwd'
       - '/etc/sudoers'
   selection_4:
-    Image|endswith:
-      - '/id'
+    Image|endswith: '/id'
   selection_5:
-    Image|endswith:
-      - '/lsof'
-    CommandLine|contains:
-      - '-u'
+    Image|endswith: '/lsof'
+    CommandLine|contains: '-u'
   condition: 1 of selection*
 falsepositives:
   - Legitimate administration activities

diff --git a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml
@@ -12,13 +12,10 @@ logsource:
   product: linux
 detection:
   selection_1:
-    Image|endswith:
-      - '/groups'
+    Image|endswith: '/groups'
   selection_2:
-    Image|endswith:
-      - '/cat'
-    CommandLine|contains:
-      - '/etc/group'
+    Image|endswith: '/cat'
+    CommandLine|contains: '/etc/group'
   condition: 1 of selection*
 falsepositives:
   - Legitimate administration activities

diff --git a/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml b/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml
@@ -12,10 +12,8 @@ logsource:
   product: linux
 detection:
   selection:
-    Image|endswith:
-      - 'crontab'
-    CommandLine|contains:
-      - '/tmp/'
+    Image|endswith: 'crontab'
+    CommandLine|contains: '/tmp/'
   condition: selection
 falsepositives:
   - Legitimate administration activities

diff --git a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
@@ -5,7 +5,7 @@ description: Detects suspicious sub processes of web server processes
 references:
    - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
 date: 2021/10/15
-modified: 2022/03/14
+modified: 2022/05/09
 author: Florian Roth
 tags:
     - attack.persistence
@@ -26,18 +26,18 @@ detection:
       ParentCommandLine|contains|all:
          - '/bin/java'
          - 'tomcat'
-   selection_websphere:  # ? just guessing 
+   selection_websphere:  # ? just guessing
       ParentCommandLine|contains|all:
          - '/bin/java'
          - 'websphere'
    selection_sub_processes:
-      Image|endswith: 
+      Image|endswith:
          - '/whoami'
          - '/ifconfig'
          - '/usr/bin/ip'
          - '/bin/uname'
-   condition: selection_sub_processes and ( selection_general or selection_tomcat )
+   condition: selection_sub_processes and ( selection_general or selection_tomcat or selection_websphere)
 falsepositives:
-   - Web applications that invoke Linux command line tools 
+   - Web applications that invoke Linux command line tools
 level: critical
 
diff --git a/rules/macos/process_creation/proc_creation_macos_applescript.yml b/rules/macos/process_creation/proc_creation_macos_applescript.yml
@@ -12,10 +12,8 @@ logsource:
   product: macos
 detection:
   selection:
-    Image|endswith:
-      - '/osascript'
-    CommandLine|contains|all:
-      - '-e'
+    Image|endswith: '/osascript'
+    CommandLine|contains: '-e'
   condition: selection
 falsepositives:
   - Application installers might contain scripts as part of the installation process.

diff --git a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml
@@ -12,15 +12,11 @@ logsource:
   category: process_creation
 detection:
   selection1:
-    Image|endswith:
-      - '/truncate'
-    CommandLine|contains:
-      - '-s'
+    Image|endswith: '/truncate'
+    CommandLine|contains: '-s'
   selection2:
-    Image|endswith:
-      - '/dd'
-    CommandLine|contains:
-      - 'if='
+    Image|endswith: '/dd'
+    CommandLine|contains: 'if='
   filter:
     CommandLine|contains: 'of='
   condition: selection1 or (selection2 and not filter)

diff --git a/rules/macos/process_creation/proc_creation_macos_create_account.yml b/rules/macos/process_creation/proc_creation_macos_create_account.yml
@@ -12,10 +12,8 @@ logsource:
   product: macos
 detection:
   selection:
-    Image|endswith:
-      - '/dscl'
-    CommandLine|contains:
-      - 'create'
+    Image|endswith: '/dscl'
+    CommandLine|contains: 'create'
   condition: selection
 falsepositives:
   - Legitimate administration activities

diff --git a/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml b/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml
@@ -12,10 +12,8 @@ logsource:
   category: process_creation
 detection:
   selection1:
-    Image|endswith:
-      - '/grep'
-    CommandLine|contains:
-      - 'password'
+    Image|endswith: '/grep'
+    CommandLine|contains: 'password'
   selection2:
     CommandLine|contains: 'laZagne'
   condition: selection1 or selection2

diff --git a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml
@@ -13,8 +13,7 @@ logsource:
     category: process_creation
 detection:
     selection1:
-        Image:
-            - '/usr/sbin/osascript'
+        Image: '/usr/sbin/osascript'
     selection2:
         CommandLine|contains|all:
             - '-e'