chg: Sigma v2 compliant MitreTactics tag format #1395

Merged
merged 2 commits into from
Aug 14, 2024

Conversation

@fukusuket fukusuket commented Aug 12, 2024

What Changed

The following pull request changed the tag format of Sigma's MitreTactics from _ to -. So I modified the Hayabusa side to follow that specification.

The above pull request is for today, so it will be merged in today's job in the hayabusa_rules repository.

Test

I have confirmed that we can output MitreTactics for the latest Sigma (SigmaHQ/sigma@760597d) repository as follows.

{
    "Timestamp": "2021-11-18 16:43:22.487 +09:00",
    "RuleTitle": "EVTX Created In Uncommon Location",
    "Level": "med",
    "Computer": "PC-01.cybercat.local",
    "Channel": "Sysmon",
    "EventID": 11,
    "RuleAuthor": "D3F7A5105",
    "RuleModifiedDate": "2024-03-26",
    "Status": "experimental",
    "RecordID": 13280,
    "Details": {
        "Path": "C:\\Users\\pc1-user\\Desktop\\sysmon.evtx",
        "Proc": "C:\\Windows\\system32\\mmc.exe",
        "PID": 3116,
        "PGUID": "510C1E8A-FFD9-6195-4401-000000000F00"
    },
    "ExtraFieldInfo": {
        "CreationUtcTime": "2021-11-18 07:43:22.460",
        "RuleName": "-",
        "User": "CYBERCAT\\pc1-user",
        "UtcTime": "2021-11-18 07:43:22.460"
    },
    "MitreTactics": [
        "Evas"
    ],
    "MitreTags": [
        "T1562.002"
    ],
    "OtherTags": [
        "sysmon"
    ],
    "Provider": "Sysmon",
    "RuleCreationDate": "2023-01-02",
    "RuleFile": "file_event_win_create_evtx_non_common_locations.yml",
    "EvtxFile": "../hayabusa-sample-evtx/YamatoSecurity/DefenseEvasion/T1218.004_SignedBinaryProxyExecutionInstallUtil_Sysmon.evtx"
}

I would appreciate it if you could check it out when you have time🙏

@fukusuket fukusuket added the enhancement New feature or request label Aug 12, 2024
@fukusuket fukusuket self-assigned this Aug 12, 2024
@fukusuket fukusuket added this to the v2.17.0 milestone Aug 12, 2024
@fukusuket fukusuket changed the title chg: Sigma v2 compliant mitre tag format chg: Sigma v2 compliant MitreTactics tag format Aug 12, 2024
@fukusuket fukusuket marked this pull request as ready for review August 12, 2024 12:37
@YamatoSecurity

@fukusuket Thanks! I didn't notice this. It seems that there are still at least 85 files that use the old defense_evasion format. Maybe we can submit a PR to fix them upstream? (or else we would have to handle both formats, which I don't want to do unless they are keeping them for some reason..)

Since most rules now use this format, I will merge this.

@YamatoSecurity YamatoSecurity left a comment

@fukusuket LGTM! Thanks!

@YamatoSecurity YamatoSecurity merged commit 83e428d into main Aug 14, 2024
5 checks passed
@YamatoSecurity YamatoSecurity deleted the update-mitre-tactics-sigmav2 branch August 14, 2024 01:04
@fukusuket

@YamatoSecurity

It seems that there are still at least 85 files that still use the defense_evasion old format. Maybe we can submit a PR to fix them upstream?

I see... I will check and create a PR on the Sigma side if necessary!💪


fukusuket commented Aug 14, 2024

@YamatoSecurity
I checked _ with the following script. It seems that only deprecated or unsupported _ remain🤔 Since the Sigma team does not maintain the rules for this folder, I think we might be better off handling both on the Hayabusa side...? (config/mitre_tactics.txt will be doubled... :( )

import os
import yaml


def find_files_with_underscore_tags(directory):
    """Walk a Sigma rules tree and return the rule files whose 'tags' list
    still contains an underscore (the pre-v2 tactic format, e.g.
    attack.defense_evasion)."""
    files_with_underscore_tags = []

    for root, _, files in os.walk(directory):
        for file in files:
            if file.endswith('.yml') or file.endswith('.yaml'):
                file_path = os.path.join(root, file)
                with open(file_path, 'r', encoding='utf-8') as f:
                    try:
                        # An empty file parses to None, and a rule may carry
                        # 'tags:' with no entries, so guard both cases.
                        content = yaml.safe_load(f) or {}
                        tags = content.get('tags') or []
                        if any('_' in tag for tag in tags):
                            files_with_underscore_tags.append(file_path)
                    except yaml.YAMLError as e:
                        print(f"Error parsing {file_path}: {e}")

    return files_with_underscore_tags


# Example usage: run from the root of the Sigma rules checkout
directory = './'
files = find_files_with_underscore_tags(directory)
for file in files:
    print(file)

@YamatoSecurity

I see. It is unfortunate that they didn't update it for those rules. How about we update the tags in our conversion tool? This way we don't need to update Hayabusa and they all use the same v2 format.

@fukusuket

I see, that's better! I'll fix the converter!💪
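An added example of the converter-side normalization agreed on above (this is illustrative code, not Hayabusa's or the hayabusa_rules converter's own): it rewrites v1 tactic tags such as attack.defense_evasion to the v2 form attack.defense-evasion, leaves technique tags and non-ATT&CK tags untouched, deduplicates a rule that carries both spellings, and derives the abbreviated MitreTactics value. The abbreviation table is assumed; only the "Evas" entry comes from the PR's sample output, and the real table is Hayabusa's config/mitre_tactics.txt.

```python
import re

# A tactic tag is "attack." followed by lowercase words joined by "_" (v1) or "-" (v2).
# Technique tags ("attack.t1562.002") contain digits and therefore never match,
# so they pass through every function below unchanged.
TACTIC_TAG_RE = re.compile(r"^attack\.([a-z]+(?:[_-][a-z]+)*)$")

# Assumed abbreviation table: only "Evas" is taken from the PR's sample output;
# Hayabusa keeps the full list in config/mitre_tactics.txt.
TACTIC_ABBREV = {
    "defense-evasion": "Evas",
}


def normalize_tag(tag: str) -> str:
    """Rewrite a v1 (underscore) tactic tag to the v2 hyphenated form.
    Any tag that is not an ATT&CK tactic tag is returned as-is."""
    m = TACTIC_TAG_RE.match(tag)
    if m is None:
        return tag
    return "attack." + m.group(1).replace("_", "-")


def is_old_format(tag: str) -> bool:
    """True only for an ATT&CK tactic tag that still uses underscores,
    unlike a bare "_ in tag" check, which would also flag unrelated tags."""
    m = TACTIC_TAG_RE.match(tag)
    return m is not None and "_" in m.group(1)


def convert_rule(rule: dict):
    """Return (rule copy with v2-normalized, deduplicated tags, tactic abbreviations).
    `rule` is a parsed Sigma YAML document; a missing or empty 'tags' key is tolerated."""
    normalized = []
    for tag in rule.get("tags") or []:
        v2 = normalize_tag(tag)
        # A rule listing both attack.defense_evasion and attack.defense-evasion
        # collapses to one entry, so the tactic is not reported twice.
        if v2 not in normalized:
            normalized.append(v2)
    tactics = []
    for tag in normalized:
        m = TACTIC_TAG_RE.match(tag)
        if m is not None and m.group(1) in TACTIC_ABBREV:
            tactics.append(TACTIC_ABBREV[m.group(1)])
    out = dict(rule)
    out["tags"] = normalized
    return out, tactics
```

With a single abbreviation table keyed on the v2 spelling, the converter needs no second copy of config/mitre_tactics.txt for the underscore variants.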
