diff --git a/packages/windows_open_package/correlation_rules/Task_1_05_03/metainfo.yaml b/packages/windows_open_package/correlation_rules/Task_1_05_03/metainfo.yaml
new file mode 100644
index 00000000..0ddfeedc
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_1_05_03/metainfo.yaml
@@ -0,0 +1,5 @@
+ContentAutoName: Task_1_05_03
+ExpertContext:
+ Created: 22.05.2025
+ Updated: 22.05.2025
+ObjectId: SEC-CR-148026581
diff --git a/packages/windows_open_package/correlation_rules/Task_1_05_03/rule.co b/packages/windows_open_package/correlation_rules/Task_1_05_03/rule.co
new file mode 100644
index 00000000..8d351f04
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_1_05_03/rule.co
@@ -0,0 +1,102 @@
+event Process_Start:
+ key:
+ event_src.host
+ filter {
+ filter::NotFromCorrelator()
+ and filter::ProcessStart_Windows_any()
+ # and filter::ProcessStart_Windows_commandline("process_name", "regex_value")
+ # and filter::ProcessStart_Windows("process_name")
+ and filter::CheckWL_Process_Creation("Task_1_05_03", )
+ }
+
+rule Task_1_05_03: Process_Start
+
+ init {
+ $labels = "w_auto|CheckWL_Process_Creation"
+ }
+
+ on Process_Start {
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.id = subject.account.id
+ $subject.account.privileges = subject.account.privileges
+
+ $object.account.session_id = object.account.session_id
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.fullname = object.account.fullname
+ $object.account.id = object.account.id
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ # FOR LOLBIN
+ #if ($object.process.parent.name == "services.exe" or $object.process.parent.name == "svchost.exe") then
+ # $reason = join([$reason, "Service execution"], "|")
+ #elif $object.process.parent.name == "scheduler.exe" then
+ # $reason = join([$reason, "Task execution"], "|")
+ #else
+ # $reason = join([$reason, "User execution"], "|")
+ #endif
+
+ $datafield6 = datafield6 # Идентификатор сессии в формате UUID
+
+ $datafield18 = datafield18 # Цепочка процесса-субъекта с идентификаторами
+ $datafield19 = datafield19 # Цепочка процесса-объекта с идентификаторами
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.fqdn = event_src.fqdn
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.rule = event_src.rule
+
+ $alert.key =
+ $alert.context = # join([$alert.context, "regex_match: " + regex(lower(object.process.cmdline), "regex_from_filter", 0)], "|")
+ $alert.regex_match =
+ }
+
+emit {
+ $correlation_type = ""
+
+ $subject = "account"
+ $action = "start"
+ $object = "process"
+ $status = "success"
+
+ $importance = ""
+
+ $category.generic = "Attack"
+ $category.high = ""
+ $category.low = ""
+
+ $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($subject.account.id)], "|")
+ $incident.severity = $importance
+ $incident.category = "Undefined"
+ $incident.aggregation.timeout = 2h
+}
diff --git a/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/raw_events_1.json
new file mode 100644
index 00000000..8482d385
--- /dev/null
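Review bot: The event filter keeps only `filter::NotFromCorrelator()`, `filter::ProcessStart_Windows_any()` and the whitelist check, with both process-specific filters left commented out, so Task_1_05_03 correlates every non-whitelisted Windows process start instead of the behaviour its fixture describes (raw_events_2.json carries a PowerShell `reg add ... AmsiEnable ... /d 0` command line, which looks like the intended trigger). Replace the commented placeholder with a real predicate, for example `and filter::ProcessStart_Windows_commandline("powershell.exe", "amsienable")` (illustrative values taken from the fixture; confirm the helper's matching semantics), and fill in the empty `$alert.key =`, `$alert.regex_match =`, `$correlation_type = ""` and `$importance = ""`, since `$incident.severity = $importance` currently produces an incident with no severity. `filter::CheckWL_Process_Creation("Task_1_05_03", )` also passes an empty second argument; it matches the `"specific_value": ""` row in test_conds_2.tc but presumably should name the value to whitelist once the filter is specific. The same unedited template is committed as rule.co for Task_2_05_03, Task_5_1_1_5_03, Task_5_2_1_5_03, Task_5_3_1_5_03 and Task_5_4_1_5_03, and every point here applies to each of them.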
+++ b/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/raw_events_1.json 
@@ -0,0 +1 @@ +22542200x8000000000000000959934Microsoft-Windows-Sysmon/OperationalDESKTOP-EOO67OB-2025-03-25 22:26:01.081{1b05aedf-8f40-67d4-ac00-000000004100}1052e9b37a3838955cb29c6018724ed0e813.azr.footprintdns.com0::ffff:172.29.1.80;C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exeDESKTOP-EOO67OB\user154100x8000000000000000959933Microsoft-Windows-Sysmon/OperationalDESKTOP-EOO67OB-2025-03-25 22:26:01.386{1b05aedf-2d79-67e3-7d0f-000000004100}7508C:\Windows\System32\wbem\WMIC.exe10.0.19041.4355 (WinBuild.160101.0800)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exe"C:\Windows\System32\Wbem\WMIC.exe" process get caption,executablepath,commandline /format:csvC:\Users\user\DESKTOP-EOO67OB\user{1b05aedf-8f29-67d4-8a4a-080000000000}0x84a8a1MediumMD5=F04138FE0E6A4814BF3942E3037900F4,SHA256=BF4FA71C1495F95ADBCF3F7C7D41837E2661622C2EE3B24CD9647676047578DA,IMPHASH=527C7C66CDD13D72D793BCA3A417BCBE{1b05aedf-2d75-67e3-7b0f-000000004100}8324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" DESKTOP-EOO67OB\user11241100x8000000000000000959932Microsoft-Windows-Sysmon/OperationalDESKTOP-EOO67OB-2025-03-25 22:25:58.945{1b05aedf-2d75-67e3-7b0f-000000004100}8324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xw0ermo5.uol.ps12025-03-25 22:25:58.945DESKTOP-EOO67OB\user154100x8000000000000000959931Microsoft-Windows-Sysmon/OperationalDESKTOP-EOO67OB-2025-03-25 22:25:57.165{1b05aedf-2d75-67e3-7c0f-000000004100}11012C:\Windows\System32\conhost.exe10.0.19041.5198 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff 
-ForceV1C:\WindowsDESKTOP-EOO67OB\user{1b05aedf-8f29-67d4-8a4a-080000000000}0x84a8a1MediumMD5=7850554B5C650163FC168AA08F18E343,SHA256=B02EE54FB2EC69673386D41119EE8ED083A6EAB3BFCA6AA2155D20CE68EF8963,IMPHASH=0F64302D3280DE299F4C51A78746F606{1b05aedf-2d75-67e3-7b0f-000000004100}8324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" DESKTOP-EOO67OB\user154100x8000000000000000959930Microsoft-Windows-Sysmon/OperationalDESKTOP-EOO67OB-2025-03-25 22:25:57.047{1b05aedf-2d75-67e3-7b0f-000000004100}8324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.19041.3996 (WinBuild.160101.0800)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\user\DESKTOP-EOO67OB\user{1b05aedf-8f29-67d4-8a4a-080000000000}0x84a8a1MediumMD5=2E5A8590CF6848968FC23DE3FA1E25F1,SHA256=9785001B0DCF755EDDB8AF294A373C0B87B2498660F724E76C4D53F9C217C7A3,IMPHASH=3D08F4848535206D772DE145804FF4B6{1b05aedf-8f33-67d4-9b00-000000004100}6860C:\Windows\explorer.exeC:\Windows\Explorer.EXEDESKTOP-EOO67OB\user154100x8000000000000000959929Microsoft-Windows-Sysmon/OperationalDESKTOP-EOO67OB-2025-03-25 22:25:56.036{1b05aedf-2d74-67e3-7a0f-000000004100}7704C:\Windows\System32\smartscreen.exe10.0.19041.5369 (WinBuild.160101.0800)Windows Defender SmartScreenMicrosoft® Windows® Operating SystemMicrosoft Corporationsmartscreen.exeC:\Windows\System32\smartscreen.exe -EmbeddingC:\Windows\system32\DESKTOP-EOO67OB\user{1b05aedf-8f29-67d4-8a4a-080000000000}0x84a8a1MediumMD5=419701D67559E04E345E092944187DBB,SHA256=A5F50D8F1E61A08C8C6FE20A41122187C1BC0ED2129FAA6DC7FEE98F7829FB64,IMPHASH=D671DD5FDB49D6ACE006E8FFF0BD6DF9{1b05aedf-8f19-67d4-0d00-000000004100}864C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -pNT AUTHORITY\SYSTEM \ No newline at end of file 
diff --git a/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/raw_events_2.json b/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/raw_events_2.json
new file mode 100644
index 00000000..48cefaad
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/raw_events_2.json
@@ -0,0 +1 @@
+{"event_src":{"title":"sysmon"},"msgid":"1","object":{"process":{"fullpath":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -ExecutionPolicy Unrestricted -Command \"reg add HKCU\\Software\\Microsoft\\Windows Script\\Settings /v AmsiEnable /t REG_DWORD /d 0 /f\""}}}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/test_1.sc b/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/test_1.sc
new file mode 100644
index 00000000..139597f9
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/test_1.sc
@@ -0,0 +1,2 @@
+
+
diff --git a/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/test_conds_1.tc
new file mode 100644
index 00000000..6f0b5a5b
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/test_conds_1.tc
@@ -0,0 +1,2 @@
+table_list default
+expect 1 {"correlation_name": "Task_1_05_03"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/test_conds_2.tc b/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/test_conds_2.tc
new file mode 100644
index 00000000..ee26338f
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_1_05_03/tests/test_conds_2.tc
@@ -0,0 +1,5 @@
+# Вайтлистинг
+table_list default
+table_list {"Common_whitelist_auto": [{"rule": "Task_1_05_03", "specific_value": ""}]}
+
+expect not {"correlation_name": "Task_1_05_03"}
diff --git a/packages/windows_open_package/correlation_rules/Task_2_05_03/metainfo.yaml b/packages/windows_open_package/correlation_rules/Task_2_05_03/metainfo.yaml
new file mode 100644
index 00000000..23e4ef0b
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_2_05_03/metainfo.yaml
@@ -0,0 +1,5 @@
+ContentAutoName: Task_2_05_03
+ExpertContext:
+ Created: 23.05.2025
+ Updated: 23.05.2025
+ObjectId: SEC-CR-960147016
diff --git a/packages/windows_open_package/correlation_rules/Task_2_05_03/rule.co b/packages/windows_open_package/correlation_rules/Task_2_05_03/rule.co
new file mode 100644
index 00000000..51e19b33
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_2_05_03/rule.co
@@ -0,0 +1,102 @@
+event Process_Start:
+ key:
+ event_src.host
+ filter {
+ filter::NotFromCorrelator()
+ and filter::ProcessStart_Windows_any()
+ # and filter::ProcessStart_Windows_commandline("process_name", "regex_value")
+ # and filter::ProcessStart_Windows("process_name")
+ and filter::CheckWL_Process_Creation("Task_2_05_03", )
+ }
+
+rule Task_2_05_03: Process_Start
+
+ init {
+ $labels = "w_auto|CheckWL_Process_Creation"
+ }
+
+ on Process_Start {
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.id = subject.account.id
+ $subject.account.privileges = subject.account.privileges
+
+ $object.account.session_id = object.account.session_id
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.fullname = object.account.fullname
+ $object.account.id = object.account.id
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ # FOR LOLBIN
+ #if ($object.process.parent.name == "services.exe" or $object.process.parent.name == "svchost.exe") then
+ # $reason = join([$reason, "Service execution"], "|")
+ #elif $object.process.parent.name == "scheduler.exe" then
+ # $reason = join([$reason, "Task execution"], "|")
+ #else
+ # $reason = join([$reason, "User execution"], "|")
+ #endif
+
+ $datafield6 = datafield6 # Идентификатор сессии в формате UUID
+
+ $datafield18 = datafield18 # Цепочка процесса-субъекта с идентификаторами
+ $datafield19 = datafield19 # Цепочка процесса-объекта с идентификаторами
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.fqdn = event_src.fqdn
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.rule = event_src.rule
+
+ $alert.key =
+ $alert.context = # join([$alert.context, "regex_match: " + regex(lower(object.process.cmdline), "regex_from_filter", 0)], "|")
+ $alert.regex_match =
+ }
+
+emit {
+ $correlation_type = ""
+
+ $subject = "account"
+ $action = "start"
+ $object = "process"
+ $status = "success"
+
+ $importance = ""
+
+ $category.generic = "Attack"
+ $category.high = ""
+ $category.low = ""
+
+ $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($subject.account.id)], "|")
+ $incident.severity = $importance
+ $incident.category = "Undefined"
+ $incident.aggregation.timeout = 2h
+}
diff --git a/packages/windows_open_package/correlation_rules/Task_2_05_03/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/Task_2_05_03/tests/raw_events_1.json
new file mode 100644
index 00000000..e69de29b
diff --git a/packages/windows_open_package/correlation_rules/Task_2_05_03/tests/raw_events_2.json b/packages/windows_open_package/correlation_rules/Task_2_05_03/tests/raw_events_2.json
new file mode 100644
index 00000000..e69de29b
diff --git a/packages/windows_open_package/correlation_rules/Task_2_05_03/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/Task_2_05_03/tests/test_conds_1.tc
new file mode 100644
index 00000000..1ced5f9f
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_2_05_03/tests/test_conds_1.tc
@@ -0,0 +1,2 @@
+table_list default
+expect 1 {"correlation_name": "Task_2_05_03"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/Task_2_05_03/tests/test_conds_2.tc b/packages/windows_open_package/correlation_rules/Task_2_05_03/tests/test_conds_2.tc
new file mode 100644
index 00000000..2d8febb5
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_2_05_03/tests/test_conds_2.tc
@@ -0,0 +1,5 @@
+# Вайтлистинг
+table_list default
+table_list {"Common_whitelist_auto": [{"rule": "Task_2_05_03", "specific_value": ""}]}
+
+expect not {"correlation_name": "Task_2_05_03"}
diff --git a/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/metainfo.yaml b/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/metainfo.yaml
new file mode 100644
index 00000000..760a78d0
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/metainfo.yaml
@@ -0,0 +1,5 @@
+ContentAutoName: Task_5_1_1_5_03
+ExpertContext:
+ Created: 27.05.2025
+ Updated: 27.05.2025
+ObjectId: SEC-CR-210460128
diff --git a/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/rule.co b/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/rule.co
new file mode 100644
index 00000000..6cead2db
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/rule.co
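Review bot: test_conds_1.tc expects exactly one Task_2_05_03 correlation, but both fixtures it would run against, raw_events_1.json and raw_events_2.json, are committed as empty files (each file header is followed by no hunk), so this test has no input to match and is likely to fail, while the whitelist test in test_conds_2.tc passes vacuously because there is nothing to correlate. Add a normalized process-start event to each fixture, as was done for Task_1_05_03's raw_events_2.json, so that `expect 1` is backed by a real match and `expect not` is decided by the `Common_whitelist_auto` row rather than by the absence of events. The same empty fixture pairs are committed for Task_5_1_1_5_03, Task_5_2_1_5_03 and Task_5_3_1_5_03, and raw_events_1.json of Task_5_4_1_5_03 is empty as well.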
@@ -0,0 +1,102 @@
+event Process_Start:
+ key:
+ event_src.host
+ filter {
+ filter::NotFromCorrelator()
+ and filter::ProcessStart_Windows_any()
+ # and filter::ProcessStart_Windows_commandline("process_name", "regex_value")
+ # and filter::ProcessStart_Windows("process_name")
+ and filter::CheckWL_Process_Creation("Task_5_1_1_5_03", )
+ }
+
+rule Task_5_1_1_5_03: Process_Start
+
+ init {
+ $labels = "w_auto|CheckWL_Process_Creation"
+ }
+
+ on Process_Start {
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.id = subject.account.id
+ $subject.account.privileges = subject.account.privileges
+
+ $object.account.session_id = object.account.session_id
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.fullname = object.account.fullname
+ $object.account.id = object.account.id
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ # FOR LOLBIN
+ #if ($object.process.parent.name == "services.exe" or $object.process.parent.name == "svchost.exe") then
+ # $reason = join([$reason, "Service execution"], "|")
+ #elif $object.process.parent.name == "scheduler.exe" then
+ # $reason = join([$reason, "Task execution"], "|")
+ #else
+ # $reason = join([$reason, "User execution"], "|")
+ #endif
+
+ $datafield6 = datafield6 # Идентификатор сессии в формате UUID
+
+ $datafield18 = datafield18 # Цепочка процесса-субъекта с идентификаторами
+ $datafield19 = datafield19 # Цепочка процесса-объекта с идентификаторами
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.fqdn = event_src.fqdn
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.rule = event_src.rule
+
+ $alert.key =
+ $alert.context = # join([$alert.context, "regex_match: " + regex(lower(object.process.cmdline), "regex_from_filter", 0)], "|")
+ $alert.regex_match =
+ }
+
+emit {
+ $correlation_type = ""
+
+ $subject = "account"
+ $action = "start"
+ $object = "process"
+ $status = "success"
+
+ $importance = ""
+
+ $category.generic = "Attack"
+ $category.high = ""
+ $category.low = ""
+
+ $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($subject.account.id)], "|")
+ $incident.severity = $importance
+ $incident.category = "Undefined"
+ $incident.aggregation.timeout = 2h
+}
diff --git a/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/tests/raw_events_1.json
new file mode 100644
index 00000000..e69de29b
diff --git a/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/tests/raw_events_2.json b/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/tests/raw_events_2.json
new file mode 100644
index 00000000..e69de29b
diff --git a/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/tests/test_conds_1.tc
new file mode 100644
index 00000000..deea57d3
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/tests/test_conds_1.tc
@@ -0,0 +1,2 @@
+table_list default
+expect 1 {"correlation_name": "Task_5_1_1_5_03"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/tests/test_conds_2.tc b/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/tests/test_conds_2.tc
new file mode 100644
index 00000000..6274c901
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_1_1_5_03/tests/test_conds_2.tc
@@ -0,0 +1,5 @@
+# Вайтлистинг
+table_list default
+table_list {"Common_whitelist_auto": [{"rule": "Task_5_1_1_5_03", "specific_value": ""}]}
+
+expect not {"correlation_name": "Task_5_1_1_5_03"}
diff --git a/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/metainfo.yaml b/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/metainfo.yaml
new file mode 100644
index 00000000..b752e79e
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/metainfo.yaml
@@ -0,0 +1,5 @@
+ContentAutoName: Task_5_2_1_5_03
+ExpertContext:
+ Created: 28.05.2025
+ Updated: 28.05.2025
+ObjectId: SEC-CR-201413333
diff --git a/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/rule.co b/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/rule.co
new file mode 100644
index 00000000..527e7dc9
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/rule.co
@@ -0,0 +1,102 @@
+event Process_Start:
+ key:
+ event_src.host
+ filter {
+ filter::NotFromCorrelator()
+ and filter::ProcessStart_Windows_any()
+ # and filter::ProcessStart_Windows_commandline("process_name", "regex_value")
+ # and filter::ProcessStart_Windows("process_name")
+ and filter::CheckWL_Process_Creation("Task_5_2_1_5_03", )
+ }
+
+rule Task_5_2_1_5_03: Process_Start
+
+ init {
+ $labels = "w_auto|CheckWL_Process_Creation"
+ }
+
+ on Process_Start {
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.id = subject.account.id
+ $subject.account.privileges = subject.account.privileges
+
+ $object.account.session_id = object.account.session_id
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.fullname = object.account.fullname
+ $object.account.id = object.account.id
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ # FOR LOLBIN
+ #if ($object.process.parent.name == "services.exe" or $object.process.parent.name == "svchost.exe") then
+ # $reason = join([$reason, "Service execution"], "|")
+ #elif $object.process.parent.name == "scheduler.exe" then
+ # $reason = join([$reason, "Task execution"], "|")
+ #else
+ # $reason = join([$reason, "User execution"], "|")
+ #endif
+
+ $datafield6 = datafield6 # Идентификатор сессии в формате UUID
+
+ $datafield18 = datafield18 # Цепочка процесса-субъекта с идентификаторами
+ $datafield19 = datafield19 # Цепочка процесса-объекта с идентификаторами
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.fqdn = event_src.fqdn
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.rule = event_src.rule
+
+ $alert.key =
+ $alert.context = # join([$alert.context, "regex_match: " + regex(lower(object.process.cmdline), "regex_from_filter", 0)], "|")
+ $alert.regex_match =
+ }
+
+emit {
+ $correlation_type = ""
+
+ $subject = "account"
+ $action = "start"
+ $object = "process"
+ $status = "success"
+
+ $importance = ""
+
+ $category.generic = "Attack"
+ $category.high = ""
+ $category.low = ""
+
+ $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($subject.account.id)], "|")
+ $incident.severity = $importance
+ $incident.category = "Undefined"
+ $incident.aggregation.timeout = 2h
+}
diff --git a/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/tests/raw_events_1.json
new file mode 100644
index 00000000..e69de29b
diff --git a/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/tests/raw_events_2.json b/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/tests/raw_events_2.json
new file mode 100644
index 00000000..e69de29b
diff --git a/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/tests/test_conds_1.tc
new file mode 100644
index 00000000..d40aeedf
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/tests/test_conds_1.tc
@@ -0,0 +1,2 @@
+table_list default
+expect 1 {"correlation_name": "Task_5_2_1_5_03"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/tests/test_conds_2.tc b/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/tests/test_conds_2.tc
new file mode 100644
index 00000000..457601b5
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_2_1_5_03/tests/test_conds_2.tc
@@ -0,0 +1,5 @@
+# Вайтлистинг
+table_list default
+table_list {"Common_whitelist_auto": [{"rule": "Task_5_2_1_5_03", "specific_value": ""}]}
+
+expect not {"correlation_name": "Task_5_2_1_5_03"}
diff --git a/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/metainfo.yaml b/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/metainfo.yaml
new file mode 100644
index 00000000..0d4f0f8d
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/metainfo.yaml
@@ -0,0 +1,5 @@
+ContentAutoName: Task_5_3_1_5_03
+ExpertContext:
+ Created: 28.05.2025
+ Updated: 28.05.2025
+ObjectId: SEC-CR-106251410
diff --git a/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/rule.co b/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/rule.co
new file mode 100644
index 00000000..978a9ad7
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/rule.co
@@ -0,0 +1,102 @@
+event Process_Start:
+ key:
+ event_src.host
+ filter {
+ filter::NotFromCorrelator()
+ and filter::ProcessStart_Windows_any()
+ # and filter::ProcessStart_Windows_commandline("process_name", "regex_value")
+ # and filter::ProcessStart_Windows("process_name")
+ and filter::CheckWL_Process_Creation("Task_5_3_1_5_03", )
+ }
+
+rule Task_5_3_1_5_03: Process_Start
+
+ init {
+ $labels = "w_auto|CheckWL_Process_Creation"
+ }
+
+ on Process_Start {
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.id = subject.account.id
+ $subject.account.privileges = subject.account.privileges
+
+ $object.account.session_id = object.account.session_id
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.fullname = object.account.fullname
+ $object.account.id = object.account.id
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ # FOR LOLBIN
+ #if ($object.process.parent.name == "services.exe" or $object.process.parent.name == "svchost.exe") then
+ # $reason = join([$reason, "Service execution"], "|")
+ #elif $object.process.parent.name == "scheduler.exe" then
+ # $reason = join([$reason, "Task execution"], "|")
+ #else
+ # $reason = join([$reason, "User execution"], "|")
+ #endif
+
+ $datafield6 = datafield6 # Идентификатор сессии в формате UUID
+
+ $datafield18 = datafield18 # Цепочка процесса-субъекта с идентификаторами
+ $datafield19 = datafield19 # Цепочка процесса-объекта с идентификаторами
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.fqdn = event_src.fqdn
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.rule = event_src.rule
+
+ $alert.key =
+ $alert.context = # join([$alert.context, "regex_match: " + regex(lower(object.process.cmdline), "regex_from_filter", 0)], "|")
+ $alert.regex_match =
+ }
+
+emit {
+ $correlation_type = ""
+
+ $subject = "account"
+ $action = "start"
+ $object = "process"
+ $status = "success"
+
+ $importance = ""
+
+ $category.generic = "Attack"
+ $category.high = ""
+ $category.low = ""
+
+ $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($subject.account.id)], "|")
+ $incident.severity = $importance
+ $incident.category = "Undefined"
+ $incident.aggregation.timeout = 2h
+}
diff --git a/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/tests/raw_events_1.json
new file mode 100644
index 00000000..e69de29b
diff --git a/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/tests/raw_events_2.json b/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/tests/raw_events_2.json
new file mode 100644
index 00000000..e69de29b
diff --git a/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/tests/test_conds_1.tc
new file mode 100644
index 00000000..b8858188
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/tests/test_conds_1.tc
@@ -0,0 +1,2 @@
+table_list default
+expect 1 {"correlation_name": "Task_5_3_1_5_03"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/tests/test_conds_2.tc b/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/tests/test_conds_2.tc
new file mode 100644
index 00000000..144e33a1
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_3_1_5_03/tests/test_conds_2.tc
@@ -0,0 +1,5 @@
+# Вайтлистинг
+table_list default
+table_list {"Common_whitelist_auto": [{"rule": "Task_5_3_1_5_03", "specific_value": ""}]}
+
+expect not {"correlation_name": "Task_5_3_1_5_03"}
diff --git a/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/metainfo.yaml b/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/metainfo.yaml
new file mode 100644
index 00000000..f909fa32
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/metainfo.yaml
@@ -0,0 +1,5 @@
+ContentAutoName: Task_5_4_1_5_03
+ExpertContext:
+ Created: 28.05.2025
+ Updated: 28.05.2025
+ObjectId: SEC-CR-898737324
diff --git a/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/rule.co b/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/rule.co
new file mode 100644
index 00000000..ae795810
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/rule.co
@@ -0,0 +1,102 @@
+event Process_Start:
+ key:
+ event_src.host
+ filter {
+ filter::NotFromCorrelator()
+ and filter::ProcessStart_Windows_any()
+ # and filter::ProcessStart_Windows_commandline("process_name", "regex_value")
+ # and filter::ProcessStart_Windows("process_name")
+ and filter::CheckWL_Process_Creation("Task_5_4_1_5_03", )
+ }
+
+rule Task_5_4_1_5_03: Process_Start
+
+ init {
+ $labels = "w_auto|CheckWL_Process_Creation"
+ }
+
+ on Process_Start {
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.id = subject.account.id
+ $subject.account.privileges = subject.account.privileges
+
+ $object.account.session_id = object.account.session_id
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.fullname = object.account.fullname
+ $object.account.id = object.account.id
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath =
object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ # FOR LOLBIN
+ #if ($object.process.parent.name == "services.exe" or $object.process.parent.name == "svchost.exe") then
+ # $reason = join([$reason, "Service execution"], "|")
+ #elif $object.process.parent.name == "scheduler.exe" then
+ # $reason = join([$reason, "Task execution"], "|")
+ #else
+ # $reason = join([$reason, "User execution"], "|")
+ #endif
+
+ $datafield6 = datafield6 # Идентификатор сессии в формате UUID
+
+ $datafield18 = datafield18 # Цепочка процесса-субъекта с идентификаторами
+ $datafield19 = datafield19 # Цепочка процесса-объекта с идентификаторами
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.fqdn = event_src.fqdn
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.rule = event_src.rule
+
+ $alert.key =
+ $alert.context = # join([$alert.context, "regex_match: " + regex(lower(object.process.cmdline), "regex_from_filter", 0)], "|")
+ $alert.regex_match =
+ }
+
+emit {
+ $correlation_type = ""
+
+ $subject = "account"
+ $action = "start"
+ $object = "process"
+ $status = "success"
+
+ $importance = ""
+
+ $category.generic = "Attack"
+ $category.high = ""
+ $category.low = ""
+
+ $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($subject.account.id)], "|")
+ $incident.severity = $importance
+ $incident.category = "Undefined"
+ $incident.aggregation.timeout = 2h
+}
diff --git a/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/tests/raw_events_1.json
new file mode 100644
index 00000000..e69de29b
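Review bot: The event filter of Task_5_4_1_5_03 keeps `and filter::ProcessStart_Windows_any()` while both process-specific selectors stay commented out, so the rule fires on every non-whitelisted Windows process start rather than the activity it is named for, and with the `$alert.context` join also commented out the resulting alert carries no match context for an analyst. The emit block leaves `$correlation_type`, `$importance`, `$category.high` and `$category.low` as empty strings, and `$incident.severity = $importance` then assigns an empty severity, so the incidents it raises cannot be ranked or triaged. Replace the `_any()` line with the intended selector, e.g. `and filter::ProcessStart_Windows("<process name - placeholder>")`, and fill the empty emit fields before this rule is enabled; the trailing empty argument in `filter::CheckWL_Process_Creation("Task_5_4_1_5_03", )` also looks like an unfilled template slot, unless that filter is defined to accept it. The Task_1_05_03 rule.co earlier in this diff appears to be the same template with only the rule name substituted, so the same points apply there.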
diff --git a/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/tests/raw_events_2.json b/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/tests/raw_events_2.json
new file mode 100644
index 00000000..e69de29b
diff --git a/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/tests/test_conds_1.tc
new file mode 100644
index 00000000..e9262666
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/tests/test_conds_1.tc
@@ -0,0 +1,2 @@
+table_list default
+expect 1 {"correlation_name": "Task_5_4_1_5_03"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/tests/test_conds_2.tc b/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/tests/test_conds_2.tc
new file mode 100644
index 00000000..25223524
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/Task_5_4_1_5_03/tests/test_conds_2.tc
@@ -0,0 +1,5 @@
+# Вайтлистинг
+table_list default
+table_list {"Common_whitelist_auto": [{"rule": "Task_5_4_1_5_03", "specific_value": ""}]}
+
+expect not {"correlation_name": "Task_5_4_1_5_03"}