Merge remote-tracking branch 'SigmaHQ/master' into quantum

.github/workflows/sigma-test.yml

@@ -24,7 +24,7 @@ jobs:
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install pipenv
+        pip install pipenv==2021.5.29
         pipenv lock
         pipenv install --dev --deploy
     - name: Test Sigma Tools and Rules

Makefile

@@ -52,6 +52,7 @@ test-sigmac:
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t lacework rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t mdatp rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t uberagent rules/ > /dev/null
+	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t athena -c tools/config/athena.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
@@ -99,6 +100,7 @@ test-sigmac:
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/filebeat-defaultindex.yml -t xpack-watcher rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
+	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/hawk.yml -t hawk rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null

rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml

@@ -4,7 +4,7 @@ related:
     - id: f7385ee2-0e0c-11eb-adc1-0242ac120002
       type: derived
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
-status: experimental
+status: unsupported
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
 modified: 2021/09/16

rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
       type: derived
 description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
-status: experimental
+status: unsupported
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
 modified: 2021/09/16

rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 72862bf2-0eb1-11eb-adc1-0242ac120002
       type: derived
 description: Detects Obfuscated use of stdin to execute PowerShell
-status: experimental
+status: unsupported
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2021/09/17

rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
       type: derived
 description: Detects Obfuscated use of Environment Variables to execute PowerShell
-status: experimental
+status: unsupported
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2021/09/17

rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 175997c5-803c-4b08-8bb0-70b099f47595
       type: derived  
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
-status: experimental
+status: unsupported
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2021/09/18

rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
       type: derived
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
-status: experimental
+status: unsupported
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2021/09/18

rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 487c7524-f892-4054-b263-8a0ace63fc25
       type: derived
 description: Detects Obfuscated Powershell via Stdin in Scripts
-status: experimental
+status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
 modified: 2021/09/18

rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 63e3365d-4824-42d8-8b82-e56810fefa0c
       type: derived
 description: Detects Obfuscated Powershell via use Clip.exe in Scripts
-status: experimental
+status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2021/09/18

rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
       type: derived
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
-status: experimental
+status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2021/09/18

rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
       type: derived
 description: Detects Obfuscated Powershell via use Rundll32 in Scripts
-status: experimental
+status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2021/09/18

rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
       type: derived
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
-status: experimental
+status: unsupported
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
 modified: 2021/09/18

rules-unsupported/driver_load_tap_driver_installation.yml

@@ -4,7 +4,7 @@ related:
     - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
       type: derived
 description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
-status: experimental
+status: unsupported
 author: Daniil Yugoslavskiy, Ian Davis, oscd.community
 date: 2019/10/24
 modified: 2021/09/21

rules/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml → rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml

@@ -14,7 +14,7 @@ tags:
 status: experimental
 date: 2021/08/23
 logsource:
-  product: Windows
+  product: windows
   category: file_event
 detection:
   #useful_information: Please add more file extensions and magic bytes to the logic of your choice. 
@@ -23,22 +23,23 @@ detection:
       - 'winword.exe'
       - 'excel.exe'
       - 'powerpnt.exe'
+      - 'outlook.exe'
   selection2:
     FileName|endswith:
-    - ".exe"
-    - ".dll"
-    - ".ocx"
-    - ".com"
-    - ".ps1"
-    - ".vbs"
-    - ".sys"
-    - ".bat"
-    - ".scr"
-    - ".proj"
+      - ".exe"
+      - ".dll"
+      - ".ocx"
+      - ".com"
+      - ".ps1"
+      - ".vbs"
+      - ".sys"
+      - ".bat"
+      - ".scr"
+      - ".proj"
   selection3:
     FileMagicBytes|startswith:
-    - "4D5A"
+      - "4D5A"
   condition: selection1 and (selection2 or selection3)
 falsepositives:
-- Unknown
+  - Unknown
 level: high

rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml → rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml

@@ -3,6 +3,7 @@ id: 865c10a6-9541-4d11-9f45-9a3484e23b0a
 description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
 status: experimental
 date: 2021/09/18
+modified: 2021/11/11
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.privilege_escalation
@@ -21,7 +22,7 @@ logsource:
 detection:
     selection:
         type: 'SYSCALL'
-        SYSCALL: 'execve'
+        syscall: 'execve'
         uid: '0'
         cwd: '/var/opt/microsoft/scx/tmp'
         cmdline|contains: /etc/opt/microsoft/scx/conf/tmpdir/scx

rules-unsupported/net_dns_high_subdomain_rate.yml

@@ -39,4 +39,4 @@ detection:
 falsepositives:
     - Legitimate domain name requested, which should be added to whitelist
 level: high
-status: experimental
+status: unsupported

rules-unsupported/net_dns_large_domain_name.yml

@@ -34,4 +34,4 @@ detection:
 falsepositives:
     - Legitimate domain name requested, which should be added to whitelist
 level: high
-status: experimental
+status: unsupported

rules-unsupported/net_possible_dns_rebinding.yml

@@ -1,6 +1,6 @@
 title: Possible DNS Rebinding
 id: ec5b8711-b550-4879-9660-568aaae2c3ea
-status: experimental
+status: unsupported
 description: 'Detects DNS-answer with TTL <10.'
 date: 2019/10/25
 author: Ilyas Ochkov, oscd.community

rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml

@@ -1,7 +1,7 @@
 title: MSI Spawned Cmd and Powershell Spawned Processes
 id: 38cf8340-461b-4857-bf99-23a41f772b18
 description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell that spawned other processes
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
 references:

rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml

@@ -3,7 +3,7 @@ id: 078235c5-6ec5-48e7-94b2-f8b5474379ea
 description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege 
 #look for MSI start by low privilege user, write the process guid to the suspicious_guid variable
 #look for child process from the suspicious_guid, alert if it's Windows Installer trying to install package with SYSTEM privilege
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
 references: 

rules-unsupported/sysmon_process_reimaging.yml

@@ -11,7 +11,7 @@ description: Detects process reimaging defense evasion technique
 # Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
 # Rule logic is currently not supported by SIGMA.
 # Sysmon v.10.0 or newer is required for proper detection.
-status: experimental
+status: unsupported
 author: Alexey Balandin, oscd.community
 references:
     - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/

rules-unsupported/win_access_fake_files_with_stored_credentials.yml

@@ -1,7 +1,7 @@
 title: Stored Credentials in Fake Files
 id: 692b979c-f747-41dc-ad72-1f11c01b110e
 description: Search for accessing of fake files with stored credentials
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
 date: 2020/10/05
 references: 

rules-unsupported/win_apt_apt29_tor.yml

@@ -11,7 +11,8 @@ tags:
     - attack.t1543.003
 date: 2017/11/01
 modified: 2020/08/23
-author: Thomas Patzke 
+author: Thomas Patzke
+status: unsupported
 logsource:
     product: windows
     service: system

rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml

@@ -31,4 +31,4 @@ detection:
 falsepositives:
     - Legitimate administrator adding new domain controller to already existing domain
 level: medium
-status: experimental
+status: unsupported

rules-unsupported/win_dumping_ntdsdit_via_netsync.yml

@@ -27,4 +27,4 @@ detection:
 falsepositives:
     - Legitimate administrator adding new domain controller to already existing domain
 level: medium
-status: experimental
+status: unsupported

rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml

@@ -6,7 +6,7 @@ references:
 tags:
     - attack.privilege_escalation
     - attack.t1068
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)
 date: 2019/06/03
 logsource:

rules-unsupported/win_mal_service_installs.yml

@@ -34,4 +34,5 @@ detection:
     condition: selection and 1 of malsvc_*
 falsepositives:
     - Penetration testing
-level: critical
+level: critical
+status: unsupported

rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml

@@ -34,4 +34,5 @@ fields:
     - ServiceFileName
 falsepositives:
     - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
-level: high
+level: high
+status: unsupported

rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml

@@ -8,7 +8,7 @@ tags:
     - attack.privilege_escalation
     - attack.t1134           # an old one
     - attack.t1134.002
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov
 date: 2019/10/26
 modified: 2020/09/01

rules-unsupported/win_remote_schtask.yml

@@ -1,6 +1,6 @@
 title: Remote Schtasks Creation
 id: cf349c4b-99af-40fa-a051-823aa2307a84
-status: experimental
+status: unsupported
 description: Detects remote execution via scheduled task creation or update on the destination host
 author: Jai Minton, oscd.community
 date: 2020/10/05

rules-unsupported/win_remote_service.yml

@@ -1,7 +1,7 @@
 action: global
 title: Remote Service Creation
 id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
-status: experimental
+status: unsupported
 description: Detects remote execution via service creation on the destination host
 author: Jai Minton, oscd.community
 date: 2020/10/05

rules/cloud/aws/aws_attached_malicious_lambda_layer.yml

@@ -7,6 +7,7 @@ date: 2021/09/23
 references:
     - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
 logsource:
+    product: aws
     service: cloudtrail
 detection:
     selection:

rules/cloud/aws/aws_cloudtrail_disable_logging.yml

@@ -8,6 +8,7 @@ modified: 2021/08/09
 references:
     - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
 logsource:
+    product: aws
     service: cloudtrail
 detection:
     selection_source:

rules/cloud/aws/aws_config_disable_recording.yml

@@ -6,6 +6,7 @@ author: vitaliy0x1
 date: 2020/01/21
 modified: 2021/08/09
 logsource:
+    product: aws
     service: cloudtrail
 detection:
     selection_source:

rules/cloud/aws/aws_ec2_disable_encryption.yml

@@ -12,6 +12,7 @@ tags:
     - attack.t1486
     - attack.t1565
 logsource:
+    product: aws
     service: cloudtrail
 detection:
     selection:

rules/cloud/aws/aws_ec2_download_userdata.yml

@@ -8,6 +8,7 @@ modified: 2021/08/20
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py
 logsource:
+    product: aws
     service: cloudtrail
 detection:
     selection_source:

rules/cloud/aws/aws_ec2_startup_script_change.yml

@@ -8,6 +8,7 @@ modified: 2021/08/09
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
 logsource:
+    product: aws
     service: cloudtrail
 detection:
     selection_source:

rules/cloud/aws/aws_ec2_vm_export_failure.yml

@@ -8,6 +8,7 @@ modified: 2021/08/20
 references: 
   - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
 logsource:
+  product: aws
   service: cloudtrail
 detection:
   selection:           

rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml

@@ -7,6 +7,7 @@ date: 2021/08/15
 references:
     - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
 logsource:
+    product: aws
     service: cloudtrail
 detection:
     selection:

rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml

@@ -7,6 +7,7 @@ date: 2021/08/15
 references:
     - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
 logsource:
+    product: aws
     service: cloudtrail
 detection:
     selection: