Добавлено правило корреляции

Download_file_via_bits, которое обнаруживает
создание временного файла службой BITS,
название файла должно совпадать с патерном
bit[\w\d]+\.tmp

packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/i18n/i18n_en.yaml

@@ -0,0 +1,4 @@
+Description: 'When downloading a file using BITS, a temporary BIT<set>.tmp file is created'
+EventDescriptions:
+    - LocalizationId: 'corrname_Download_file_via_bits'
+      EventDescription: 'A temporary BITS service file has been created on the {event_src.host} host {object.fullpath}'

packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/i18n/i18n_ru.yaml

@@ -0,0 +1,4 @@
+Description: 'При загрузке файла с помощью BITS, создается временный файл BIT<seq>.tmp'
+EventDescriptions:
+    - LocalizationId: 'corrname_Download_file_via_bits'
+      EventDescription: 'На хосте {event_src.host} создан временный файл службы BITS {object.fullpath}'

packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/metainfo.yaml

@@ -0,0 +1,28 @@
+ContentAutoName: Download_file_via_bits
+ExpertContext:
+    Created: 21.07.2024
+    Updated: 21.07.2024
+    KnowledgeHolders:
+        - d3f0x0 (Vadim Varganov)
+    Usecases:
+        - Download payload via BITS
+    Falsepositives:
+        - Administrative action
+    References: []
+    Improvements: []
+    DataSources:
+        - Provider: Microsoft-Windows-Security-Auditing
+          EventID:
+              - 4663
+        - Provider: Microsoft-Windows-Sysmon
+          EventID:
+              - 11
+ObjectId: SEC-CR-581325244
+ContentRelations:
+    Implements:
+        ATTACK:
+            command-and-control:
+                - T1105
+EventDescriptions:
+    - Criteria: correlation_name = "Download_file_via_bits"
+      LocalizationId: corrname_Download_file_via_bits

packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/rule.co

@@ -0,0 +1,71 @@
+event Create_file:
+    key:
+        event_src.host 
+    filter {
+        filter::NotFromCorrelator() 
+        and filter::FileCreate_Windows()
+        and regex(lower(object.name), "bit[\w\d]+\.tmp", 0) != null
+    }
+
+rule Download_file_via_bits: Create_file
+
+on Create_file {
+    $datafield1 = datafield1
+    $datafield5 = datafield5
+
+    $event_src.ip = event_src.ip
+    $event_src.hostname = event_src.hostname
+    $event_src.host = event_src.host
+    $event_src.asset = event_src.asset
+    $event_src.title = event_src.title
+    $event_src.subsys = event_src.subsys
+    $event_src.vendor = event_src.vendor
+    $event_src.category = event_src.category
+    $event_src.rule = event_src.rule
+
+    $importance = importance
+
+    $object.name = object.name
+    $object.path = object.path
+    $object.fullpath = object.fullpath
+    $object.type = object.type
+    $object.property = object.property
+    $object.value = object.value
+    $object.new_value = object.new_value
+    $object.query = object.query
+
+    $status = status
+
+    $subject = subject
+    $subject.account.name = subject.account.name
+    $subject.account.fullname = subject.account.fullname
+    $subject.account.domain = subject.account.domain
+    $subject.account.session_id = subject.account.session_id
+    $subject.account.id = subject.account.id
+    $subject.account.privileges = subject.account.privileges
+
+    $subject.process.id = subject.process.id
+    $subject.process.name = subject.process.name
+    $subject.process.path = subject.process.path
+    $subject.process.fullpath = subject.process.fullpath
+    $subject.process.hash = subject.process.hash
+    $subject.process.version = subject.process.version
+    $subject.process.cmdline = subject.process.cmdline
+    $subject.process.guid = subject.process.guid
+    $subject.process.meta = subject.process.meta
+    $subject.process.original_name = subject.process.original_name
+    $subject.process.cwd = subject.process.cwd
+    $subject.process.chain = subject.process.chain
+
+}
+
+emit {
+    $correlation_type = "event"
+
+    $subject = "process"
+    $action = "download"
+    $object = "file_object"
+    $status = "success"
+
+    $importance = "medium"
+}

packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/tests/raw_events_1.json

@@ -0,0 +1 @@
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\"},\"EventID\":\"4663\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"12800\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2024-07-22T03:40:29.682708600Z\"},\"EventRecordID\":\"145236\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"3256\"},\"Channel\":\"Security\",\"Computer\":\"DESKTOP-5SG4NV1\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"DESKTOP-5SG4NV1$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"ObjectName\",\"text\":\"C:\\\\Users\\\\qwer\\\\Downloads\\\\BIT32C7.tmp\"},{\"Name\":\"HandleId\",\"text\":\"0x89c\"},{\"Name\":\"AccessList\",\"text\":\"%%4417\"},{\"Name\":\"AccessMask\",\"text\":\"0x2\"},{\"Name\":\"ProcessId\",\"text\":\"0xd3c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ResourceAttributes\",\"text\":\"S:AI(RA;ID;;;;WD;(\\\"IMAGELOAD\\\",TU,0x0,1))\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-21T17:41:28.395Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"72e39fe5-75c5-42a0-b706-20b726a23d99"}

packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/tests/test_conds_1.tc

@@ -0,0 +1 @@
+expect 1 {"action":"download","correlation_name":"Download_file_via_bits","correlation_type":"event","datafield1":"0x89c","datafield5":"0x2","event_src.category":"Operating system","event_src.host":"desktop-5sg4nv1","event_src.hostname":"desktop-5sg4nv1","event_src.subsys":"Security","event_src.title":"windows","event_src.vendor":"microsoft","importance":"medium","object":"file_object","object.fullpath":"c:\\users\\qwer\\downloads\\bit32c7.tmp","object.name":"bit32c7.tmp","object.path":"c:\\users\\qwer\\downloads\\","object.property":"GrantedAccess","object.type":"file","object.value":"0x2","status":"success","subject":"process","subject.account.domain":"workgroup","subject.account.id":"S-1-5-18","subject.account.name":"desktop-5sg4nv1$","subject.account.privileges":"%%4417","subject.account.session_id":"999","subject.process.fullpath":"C:\\Windows\\System32\\svchost.exe","subject.process.id":"3388","subject.process.name":"svchost.exe","subject.process.path":"C:\\Windows\\System32\\"}