Initial commit

.vscode/launch.json

@@ -0,0 +1,16 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Python: Main File",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}/src/main.py",
+            "console": "integratedTerminal",
+            "env": {"PYTHONPATH": "${workspaceFolder}"}
+        }
+    ]
+}

.vscode/settings.json

@@ -0,0 +1,6 @@
+{
+    "python.pythonPath": "${workspaceFolder}/venv/Scripts/python.exe",
+    "python.linting.pylintPath": "${workspaceFolder}/venv/Scripts/pylint.exe",
+    "python.linting.pylintEnabled": true,
+    "python.linting.enabled": true
+}

_pip_install.sh

@@ -0,0 +1,17 @@
+#! /bin/bash
+
+# Check you have an activated venv and you're in the right directory for it
+if [[ $VIRTUAL_ENV == $PWD'/.venv' ]]; then
+    echo "Upgrading pip in present virtual environment"
+    pip install --upgrade pip
+    echo "Installing requirements in present virtual environment"
+    pip install -r requirements.txt
+else
+    echo "
+    ---------------------------------------------------------------------------------
+        You need to have THIS directory's .venv activated to install requirements!
+        You are now in:    $PWD
+        Your venv is from: $([ -z ${VIRTUAL_ENV+x} ] && echo "NONE" || echo "$VIRTUAL_ENV")
+    ---------------------------------------------------------------------------------
+    "
+fi

rules/application/app_python_sql_exceptions.yml

@@ -0,0 +1,26 @@
+title: Python SQL Exceptions
+id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
+status: stable
+description: Generic rule for SQL exceptions in Python according to PEP 249
+author: Thomas Patzke
+date: 2017/08/12
+modified: 2020/09/01
+references:
+    - https://www.python.org/dev/peps/pep-0249/#exceptions
+logsource:
+    category: application
+    product: python
+detection:
+    exceptions:
+        - DataError
+        - IntegrityError
+        - ProgrammingError
+        - OperationalError
+    condition: exceptions
+falsepositives:
+    - Application bugs
+    - Penetration testing
+level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/application/app_sqlinjection_errors.yml

@@ -0,0 +1,30 @@
+title: Suspicious SQL Error Messages
+id: 8a670c6d-7189-4b1c-8017-a417ca84a086
+status: experimental
+description: Detects SQL error messages that indicate probing for an injection attack
+author: Bjoern Kimminich
+date: 2017/11/27
+modified: 2020/09/01
+references:
+    - http://www.sqlinjection.net/errors
+logsource:
+    category: application
+    product: sql
+detection:
+    keywords:
+        # Oracle
+        - quoted string not properly terminated
+        # MySQL
+        - You have an error in your SQL syntax
+        # SQL Server
+        - Unclosed quotation mark
+        # SQLite
+        - 'near "*": syntax error'
+        - SELECTs to the left and right of UNION do not have the same number of result columns
+    condition: keywords
+falsepositives:
+    - Application bugs
+level: high
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/application/appframework_django_exceptions.yml

@@ -0,0 +1,37 @@
+title: Django Framework Exceptions
+id: fd435618-981e-4a7c-81f8-f78ce480d616
+status: stable
+description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
+author: Thomas Patzke
+date: 2017/08/05
+modified: 2020/09/01
+references:
+    - https://docs.djangoproject.com/en/1.11/ref/exceptions/
+    - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
+logsource:
+    category: application
+    product: django
+detection:
+    keywords:
+        - SuspiciousOperation
+        # Subclasses of SuspiciousOperation
+        - DisallowedHost
+        - DisallowedModelAdminLookup
+        - DisallowedModelAdminToField
+        - DisallowedRedirect
+        - InvalidSessionKey
+        - RequestDataTooBig
+        - SuspiciousFileOperation
+        - SuspiciousMultipartForm
+        - SuspiciousSession
+        - TooManyFieldsSent
+        # Further security-related exceptions
+        - PermissionDenied
+    condition: keywords
+falsepositives:
+    - Application bugs
+    - Penetration testing
+level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/application/appframework_ruby_on_rails_exceptions.yml

@@ -0,0 +1,30 @@
+title: Ruby on Rails Framework Exceptions
+id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
+status: stable
+description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
+author: Thomas Patzke
+date: 2017/08/06
+modified: 2020/09/01
+references:
+    - http://edgeguides.rubyonrails.org/security.html
+    - http://guides.rubyonrails.org/action_controller_overview.html
+    - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
+    - https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
+logsource:
+    category: application
+    product: ruby_on_rails
+detection:
+    keywords:
+        - ActionController::InvalidAuthenticityToken
+        - ActionController::InvalidCrossOriginRequest
+        - ActionController::MethodNotAllowed
+        - ActionController::BadRequest
+        - ActionController::ParameterMissing
+    condition: keywords
+falsepositives:
+    - Application bugs
+    - Penetration testing
+level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/application/appframework_spring_exceptions.yml

@@ -0,0 +1,29 @@
+title: Spring Framework Exceptions
+id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
+status: stable
+description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
+author: Thomas Patzke
+date: 2017/08/06
+modified: 2020/09/01
+references:
+    - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
+logsource:
+    category: application
+    product: spring
+detection:
+    keywords:
+        - AccessDeniedException
+        - CsrfException
+        - InvalidCsrfTokenException
+        - MissingCsrfTokenException
+        - CookieTheftException
+        - InvalidCookieException
+        - RequestRejectedException
+    condition: keywords
+falsepositives:
+    - Application bugs
+    - Penetration testing
+level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/apt/apt_silence_downloader_v3.yml

@@ -0,0 +1,40 @@
+title: Silence.Downloader V3
+id: 170901d1-de11-4de7-bccb-8fa13678d857
+status: experimental
+description: Detects Silence downloader. These commands are hardcoded into the binary.
+author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
+date: 2019/11/01
+modified: 2020/09/01
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_recon:
+        Image|endswith:
+            - '\tasklist.exe'
+            - '\qwinsta.exe'
+            - '\ipconfig.exe'
+            - '\hostname.exe'
+        CommandLine|contains: '>>'
+        CommandLine|endswith: 'temps.dat'
+    selection_persistence:
+        CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d'
+    condition: selection_recon | near selection_persistence # requires both
+fields:
+    - ComputerName
+    - User
+    - Image
+    - CommandLine
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.persistence
+    - attack.t1547.001
+    - attack.t1060  # an old one
+    - attack.discovery
+    - attack.t1057
+    - attack.t1082
+    - attack.t1016
+    - attack.t1033
+    - attack.g0091

rules/apt/apt_silence_eda.yml

@@ -0,0 +1,43 @@
+title: Silence.EDA Detection
+id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
+status: experimental
+description: Detects Silence empireDNSagent
+author: Alina Stepchenkova, Group-IB, oscd.community
+date: 2019/11/01
+modified: 2020/09/01
+logsource:
+    product: windows
+    service: powershell
+detection:
+    empire:
+        ScriptBlockText|contains|all:           # better to randomise the order
+            - 'System.Diagnostics.Process'
+            - 'Stop-Computer'
+            - 'Restart-Computer'
+            - 'Exception in execution'
+            - '$cmdargs'
+            - 'Close-Dnscat2Tunnel'
+    dnscat:
+         ScriptBlockText|contains|all:          # better to randomise the order
+            - 'set type=$LookupType`nserver'
+            - '$Command | nslookup 2>&1 | Out-String'
+            - 'New-RandomDNSField'
+            - '[Convert]::ToString($SYNOptions, 16)'
+            - '$Session.Dead = $True'
+            - '$Session["Driver"] -eq'
+    condition: empire and dnscat
+falsepositives:
+    - Unknown
+level: critical
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  # an old one
+    - attack.command_and_control
+    - attack.t1071.004
+    - attack.t1071  # an old one
+    - attack.t1572
+    - attack.impact
+    - attack.t1529
+    - attack.g0091
+    - attack.s0363

rules/cloud/aws_cloudtrail_disable_logging.yml

@@ -0,0 +1,26 @@
+title: AWS CloudTrail Important Change
+id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
+status: experimental
+description: Detects disabling, deleting and updating of a Trail
+author: vitaliy0x1
+date: 2020/01/21
+references:
+    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: cloudtrail.amazonaws.com
+    events:
+        - eventName:
+            - StopLogging
+            - UpdateTrail
+            - DeleteTrail
+    condition: selection_source AND events
+falsepositives:
+    - Valid change in a Trail
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+    - attack.t1089  # an old one

rules/cloud/aws_config_disable_recording.yml

@@ -0,0 +1,23 @@
+title: AWS Config Disabling Channel/Recorder
+id: 07330162-dba1-4746-8121-a9647d49d297
+status: experimental
+description: Detects AWS Config Service disabling
+author: vitaliy0x1
+date: 2020/01/21
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: config.amazonaws.com
+    events:
+        - eventName:
+            - DeleteDeliveryChannel
+            - StopConfigurationRecorder
+    condition: selection_source AND events
+falsepositives:
+    - Valid change in AWS Config Service
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+    - attack.t1089  # an old one

rules/cloud/aws_ec2_download_userdata.yml

@@ -0,0 +1,26 @@
+title: AWS EC2 Download Userdata
+id: 26ff4080-194e-47e7-9889-ef7602efed0c
+status: experimental
+description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
+author: faloker
+date: 2020/02/11
+modified: 2020/09/01
+references:
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: ec2.amazonaws.com
+    selection_requesttype:
+        - requestParameters.attribute: userData
+    selection_eventname:
+        - eventName: DescribeInstanceAttribute
+    timeframe: 30m
+    condition: all of them | count() > 10
+falsepositives:
+    - Assets management software like device42
+level: medium
+tags:
+    - attack.exfiltration 
+    - attack.t1020