Velocidex / velociraptor-sigma-rules

A Compiler from Sigma rules to VQL

Some `Sigma.Windows.Hayabusa.Rule` rules do not detect logs (`Hayabusa v2.15.0` and `Velociraptor v0.72`) #30

Closed fukusuket closed 6 months ago

fukusuket commented 7 months ago

Hello :) Since the Hayabusa ruleset was recently updated, I compared the results of Hayabusa and the Velociraptor Sigma plugin.

I would appreciate it if you could check it out. Thank you!

Test condition

- Hayabusa v2.15.0
- Velociraptor v0.72

Detection result diff

The following rules are detected by Hayabusa, but not by the Velociraptor Sigma plugin. The following rules can be searched at This site, so I think they are included in the rule set. Is my understanding correct?

| No | Rule | Detected Log |
| --- | --- | --- |
| 1 | BITS Transfer Job With Uncommon Or Suspicious Remote TLD | https://github.com/Velocidex/velociraptor-sigma-rules/issues/30#issuecomment-2080399031 |
| 2 | CodeIntegrity - Unmet Signing Level Requirements By File Under Validation | https://github.com/Velocidex/velociraptor-sigma-rules/issues/30#issuecomment-2080399290 |
| 3 | Credential Manager Accessed | https://github.com/Velocidex/velociraptor-sigma-rules/issues/30#issuecomment-2080399643 |
| 4 | Credential Manager Enumerated | https://github.com/Velocidex/velociraptor-sigma-rules/issues/30#issuecomment-2080402092 |
| 5 | Device Conn | https://github.com/Velocidex/velociraptor-sigma-rules/issues/30#issuecomment-2080402202 |
| 6 | MSI Installation From Suspicious Locations | https://github.com/Velocidex/velociraptor-sigma-rules/issues/30#issuecomment-2080402212 |
| 7 | Microsoft Defender Blocked from Loading Unsigned DLL | https://github.com/Velocidex/velociraptor-sigma-rules/issues/30#issuecomment-2080402223 |
| 8 | Microsoft Defender Tamper Protection Trigger | https://github.com/Velocidex/velociraptor-sigma-rules/issues/30#issuecomment-2080402231 |
| 9 | Office App PopUp | https://github.com/Velocidex/velociraptor-sigma-rules/issues/30#issuecomment-2080403640 |
| 10 | RDP Attempt | https://github.com/Velocidex/velociraptor-sigma-rules/issues/30#issuecomment-2080403663 |
| 11 | RDP Conn Attempt | https://github.com/Velocidex/velociraptor-sigma-rules/issues/30#issuecomment-2080403684 |
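The comparison described in the comment above can be scripted. The following is an added example, not code from the issue or from either project: it reads Hayabusa's JSON detections (one object per line, in the shape of the records posted in this thread), takes the Velociraptor Sigma artifact rows, and reports rules and individual records that only one side fired on. The Velociraptor column names (`Computer`, `EventID`, `RecordID`, `_Rule.Title`) and all sample rows are assumptions constructed for the example.

```python
"""Diff Hayabusa detections against Velociraptor Sigma-plugin results.

Added example, not part of the issue or of either tool. Hayabusa record shape
follows the JSON posted in this thread; the Velociraptor row shape is assumed.
"""
import json

# Constructed sample (not real tool output). Hayabusa: one JSON object per line.
HAYABUSA_JSONL = """
{"Timestamp": "2024-03-30 13:19:38.030 +09:00", "RuleTitle": "Credential Manager Accessed", "Computer": "mouse", "Channel": "Sec", "EventID": 5379, "RecordID": 291312}
{"Timestamp": "2024-03-30 13:19:38.036 +09:00", "RuleTitle": "Credential Manager Enumerated", "Computer": "mouse", "Channel": "Sec", "EventID": 5379, "RecordID": 291313}
{"Timestamp": "2024-03-30 13:25:01.000 +09:00", "RuleTitle": "Credential Manager Accessed", "Computer": "mouse", "Channel": "Sec", "EventID": 5379, "RecordID": 291400}
{"Timestamp": "2024-03-30 02:20:34.079 +09:00", "RuleTitle": "RDP Attempt", "Computer": "mouse", "Channel": "RDP-Cli", "EventID": 1102, "RecordID": 9}
"""

# Constructed Velociraptor rows; the column names here are an assumption, adjust
# them to whatever your Sigma artifact actually emits. "Sample Logon Rule" is a
# made-up title used only to show the Velociraptor-only case.
VELOCIRAPTOR_ROWS = [
    {"Computer": "mouse", "Channel": "Security", "EventID": 5379, "RecordID": 291312,
     "_Rule": {"Title": "Credential Manager Accessed"}},
    {"Computer": "mouse", "Channel": "Security", "EventID": 4624, "RecordID": 1,
     "_Rule": {"Title": "Sample Logon Rule"}},
]


def record_key(computer, event_id, record_id):
    # Hayabusa abbreviates channel names ("Sec", "RDP-Cli") while Velociraptor
    # reports the full name, so key on fields both tools carry verbatim.
    return (computer, int(event_id), int(record_id))


def parse_hayabusa(jsonl):
    """Return a set of (rule title, record key) from Hayabusa JSONL output."""
    hits = set()
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hits.add((ev["RuleTitle"], record_key(ev["Computer"], ev["EventID"], ev["RecordID"])))
    return hits


def parse_velociraptor(rows):
    """Return a set of (rule title, record key) from Velociraptor artifact rows."""
    return {(row["_Rule"]["Title"], record_key(row["Computer"], row["EventID"], row["RecordID"]))
            for row in rows}


def diff_detections(hayabusa, velociraptor):
    h_rules = {rule for rule, _ in hayabusa}
    v_rules = {rule for rule, _ in velociraptor}
    return {
        # Rule fired on one side only: likely rejected at compile time or absent.
        "hayabusa_only_rules": sorted(h_rules - v_rules),
        "velociraptor_only_rules": sorted(v_rules - h_rules),
        # Same rule title exists on both sides but a record was matched only by
        # Hayabusa: points at a field-mapping gap rather than a missing rule.
        "hayabusa_only_records": sorted(
            (rule, key) for rule, key in hayabusa - velociraptor if rule in v_rules),
    }


if __name__ == "__main__":
    report = diff_detections(parse_hayabusa(HAYABUSA_JSONL), parse_velociraptor(VELOCIRAPTOR_ROWS))
    print(json.dumps(report, indent=2))
```

Keying on (Computer, EventID, RecordID) rather than on the channel name sidesteps Hayabusa's abbreviated channel labels; the "hayabusa_only_records" bucket is the one that separates a rule that never compiled from a rule that compiled but matches on a field the mapping does not yet cover.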
fukusuket commented 7 months ago

No.1 BITS Transfer Job With Uncommon Or Suspicious Remote TLD

Hayabusa's detected event log (JSON)

{
    "Timestamp": "2024-03-31 08:00:54.876 +09:00",
    "RuleTitle": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD",
    "Level": "med",
    "Computer": "mouse",
    "Channel": "BitsCli",
    "EventID": 16403,
    "RecordID": 7602,
    "Details": {
    },
    "ExtraFieldInfo": {
        "ClientProcessStartKey": 20547673299883310,
        "LocalName": "C:\\Windows\\TEMP\\v64_16.0.17328.20184CheckReachableDE4BF1F9-5DB1-43E9-B2D7-57B8C82E0BA4",
        "RemoteName": "http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.17328.20184.cab",
        "User": "NT AUTHORITY\\SYSTEM",
        "fileCount": 1,
        "jobId": "58DD3DA8-D6AF-4B7F-85BF-42968B4466CF",
        "jobOwner": "NT AUTHORITY\\SYSTEM",
        "jobTitle": "Microsoft Office Click-to-Run",
        "processId": 11848
    }
}
fukusuket commented 7 months ago

No.2 CodeIntegrity - Unmet Signing Level Requirements By File Under Validation

Hayabusa's detected event log (JSON)

{
    "Timestamp": "2023-10-21 09:06:25.095 +09:00",
    "RuleTitle": "CodeIntegrity - Unmet Signing Level Requirements By File Under Validation",
    "Level": "low",
    "Computer": "mouse",
    "Channel": "CodeInteg",
    "EventID": 3033,
    "RecordID": 11909,
    "Details": {
    },
    "ExtraFieldInfo": {
        "FileNameBuffer": "\\Device\\HarddiskVolume3\\Program Files\\McAfee\\WPS\\1.11.279.1\\mc-sec-plugin-x64.dll",
        "FileNameLength": 81,
        "ProcessNameBuffer": "\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe",
        "ProcessNameLength": 52,
        "RequestedPolicy": 12,
        "Status": 3221226536,
        "ValidatedPolicy": 1
    }
}
fukusuket commented 7 months ago

No.3 Credential Manager Accessed

Hayabusa's detected event log (JSON)

{
    "Timestamp": "2024-03-30 13:19:38.030 +09:00",
    "RuleTitle": "Credential Manager Accessed",
    "Level": "low",
    "Computer": "mouse",
    "Channel": "Sec",
    "EventID": 5379,
    "RecordID": 291312,
    "Details": {
        "PID": 14476,
        "SrcUser": "fukus",
        "Tgt": "MicrosoftAccount:user=xxxxx",
        "CredsReturned": 1,
        "ReturnCode": 0,
        "LID": "0xba35ae3",
        "SrcSID": "S-1-5-21-2349003748-4255172932-178375392-1002"
    },
    "ExtraFieldInfo": {
        "ProcessCreationTime": "2024-03-30T04:19:36.747978Z",
        "ReadOperation": "%%8099",
        "SubjectDomainName": "MOUSE"
    }
}
fukusuket commented 7 months ago

No.4 Credential Manager Enumerated

Hayabusa's detected event log (JSON)

{
    "Timestamp": "2024-03-30 13:19:38.036 +09:00",
    "RuleTitle": "Credential Manager Enumerated",
    "Level": "low",
    "Computer": "mouse",
    "Channel": "Sec",
    "EventID": 5379,
    "RecordID": 291313,
    "Details": {
        "PID": 14476,
        "SrcUser": "fukus",
        "Tgt": "MicrosoftAccount:user=xxxxxx",
        "CredsReturned": 1,
        "ReturnCode": 0,
        "LID": "0xba35ae3",
        "SrcSID": "S-1-5-21-2349003748-4255172932-178375392-1002"
    },
    "ExtraFieldInfo": {
        "ProcessCreationTime": "2024-03-30T04:19:36.747978Z",
        "ReadOperation": "%%8100",
        "SubjectDomainName": "MOUSE"
    }
}
fukusuket commented 7 months ago

No.5 Device Conn

Hayabusa's detected event log (JSON)

{
    "Timestamp": "2024-04-27 10:35:17.692 +09:00",
    "RuleTitle": "Device Conn",
    "Level": "info",
    "Computer": "mouse",
    "Channel": "MS-Win-Partition/Diagnostic",
    "EventID": 1006,
    "RecordID": 80,
    "Details": {
        "Manufacturer": "NVMe",
        "Model": "KINGSTON OM8PDP3512B-A01",
        "Revision": "EDFK0S03",
        "SerialNumber": "0026_B768_5D25_0F85."
    },
    "ExtraFieldInfo": {
        "Adapter": 0,
        "AdapterAlignmentMask": 3,
        "AdapterId": "A9786D92-695A-11EE-BDC1-806E6F6E6963",
        "AdapterMaximumTransferBytes": 131072,
        "AdapterMaximumTransferPages": 33,
        "AdapterSerialNumber": "NULL",
        "Bus": 0,
        "BusType": 17,
        "BytesOffsetForSectorAlignment": 0,
        "BytesPerLogicalSector": 512,
        "BytesPerPhysicalSector": 512,
        "BytesPerSector": 512,
        "Capacity": 512110190592,
        "Characteristics": 256,
        "Device": 14,
        "DiskId": "F0E437B2-048F-3A1B-F313-EC03B765EEF9",
        "DiskNumber": 0,
        "DumpCount": 0,
        "FaultTolerance": 0,
        "FirmwareSlotCount": 0,
        "FirmwareSupportsUpgrade": false,
        "Flags": 538976528,
        "FlushCacheSupported": true,
        "Function": 0,
        "HibernationCount": 0,
        "HybridCacheBytes": 0,
        "HybridSupported": false,
        "IdFlags": 4,
        "IncursSeekPenalty": false,
        "InterleaveBytes": 0,
        "IoctlSupport": 59899,
        "IsPowerProtected": false,
        "IsSystemCritical": true,
        "IsThinProvisioned": false,
        "IsTrimSupported": true,
        "Location": "Integrated : Bus 0 : Device 14 : Function 0 : Adapter 0",
        "Lun": 0,
        "Mbr": "",
        "MbrBytes": 0,
        "NVCacheEnabled": false,
        "NumberOfColumns": 0,
        "NumberOfLogicalCopies": 0,
        "NumberOfPhysicalCopies": 0,
        "OptimalUnmapGranularity": 0,
        "PagingCount": 0,
        "ParentId": "PCI\\VEN_8086&DEV_467F&SUBSYS_00008086&REV_00\\3&11583659&1&70",
        "PartitionCount": 4,
        "PartitionStyle": 1,
        "PartitionTable": "...",
        "PartitionTableBytes": 624,
        "PoolId": "00000000-0000-0000-0000-000000000000",
        "Port": 2,
        "PortDriver": 1,
        "RegistryId": "A9786D9C-695A-11EE-BDC1-806E6F6E6963",
        "Slot": -1,
        "Socket": -1,
        "StorageId": "6575692E30303236423736383544323530463835",
        "StorageIdAssociation": 0,
        "StorageIdBytes": 20,
        "StorageIdCodeSet": 3,
        "StorageIdCount": 3,
        "StorageIdType": 8,
        "Target": 0,
        "UnmapAlignment": 0,
        "UserRemovalPolicy": false,
        "Vbr0": "",
        "Vbr0Bytes": 0,
        "Vbr1": "",
        "Vbr1Bytes": 0,
        "Vbr2": "",
        "Vbr2Bytes": 0,
        "Vbr3": "",
        "Vbr3Size": 0,
        "WriteCacheChangeable": 2,
        "WriteCacheEnabled": 2,
        "WriteCacheType": 2,
        "WriteThroughSupported": 1
    }
}
fukusuket commented 7 months ago

No.6 MSI Installation From Suspicious Locations

Hayabusa's detected event log (JSON)

{
    "Timestamp": "2023-10-20 09:01:46.080 +09:00",
    "RuleTitle": "MSI Installation From Suspicious Locations",
    "Level": "med",
    "Computer": "mouse",
    "Channel": "App",
    "EventID": 1040,
    "RecordID": 548,
    "Details": {
    },
    "ExtraFieldInfo": {
        "Data": ["", "(NULL)", "7560", "C:\\Windows\\TEMP\\BF249C58-AD67-4719-B6F2-E231AAD60605\\UpdHealthTools.msi"]
    }
}
fukusuket commented 7 months ago

No.7 Microsoft Defender Blocked from Loading Unsigned DLL

Hayabusa's detected event log (JSON)

{
    "Timestamp": "2023-10-20 09:08:12.723 +09:00",
    "RuleTitle": "Microsoft Defender Blocked from Loading Unsigned DLL",
    "Level": "high",
    "Computer": "mouse",
    "Channel": "SecMitig",
    "EventID": 12,
    "RecordID": 25,
    "Details": {
    },
    "ExtraFieldInfo": {
        "ImageName": "\\Program Files\\McAfee\\WPS\\1.8.256.1\\mc-sec-plugin-x64.dll",
        "ImageNameLength": 57,
        "ProcessCommandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.23090.2008-0\\MpCmdRun.exe\" -wdenable\"",
        "ProcessCommandLineLength": 93,
        "ProcessCreateTime": "2023-10-20T00:08:12.381259Z",
        "ProcessId": 2528,
        "ProcessPath": "\\Device\\HarddiskVolume3\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.23090.2008-0\\MpCmdRun.exe",
        "ProcessPathLength": 102,
        "ProcessProtection": 0,
        "ProcessSectionSignatureLevel": 8,
        "ProcessSignatureLevel": 8,
        "ProcessStartKey": 4785074604081357,
        "RequiredSignatureLevel": 8,
        "SignatureLevel": 7,
        "TargetThreadCreateTime": "2023-10-20T00:08:12.381262Z",
        "TargetThreadId": 4288
    }
}
fukusuket commented 7 months ago

No.8 Microsoft Defender Tamper Protection Trigger

Hayabusa's detected event log (JSON)

{
    "Timestamp": "2023-11-04 17:02:33.122 +09:00",
    "RuleTitle": "Microsoft Defender Tamper Protection Trigger",
    "Level": "high",
    "Computer": "mouse",
    "Channel": "Defender",
    "EventID": 5013,
    "RecordID": 1389,
    "Details": {
    },
    "ExtraFieldInfo": {
        "Changed Type": "ブロックしました (Blocked)",
        "Product Name": "Microsoft Defender ウイルス対策 (Microsoft Defender Antivirus)",
        "Product Version": "4.18.23100.2009",
        "Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = (現在 / current)"
    }
}
fukusuket commented 7 months ago

No.9 Office App PopUp

Hayabusa's detected event log (JSON)

{
    "Timestamp": "2024-03-27 19:55:13.822 +09:00",
    "RuleTitle": "Office App PopUp",
    "Level": "info",
    "Computer": "mouse",
    "Channel": "OAlerts",
    "EventID": 300,
    "RecordID": 1,
    "Details": {
        "App": "Compositor Type: 1",
        "Msg": "POWERPNT",
        "Ver": "n/a"
    },
    "ExtraFieldInfo": {
    }
}
fukusuket commented 7 months ago

No.10 RDP Attempt

Hayabusa's detected event log (JSON)

{
    "Timestamp": "2024-03-30 02:20:34.079 +09:00",
    "RuleTitle": "RDP Attempt",
    "Level": "info",
    "Computer": "mouse",
    "Channel": "RDP-Cli",
    "EventID": 1102,
    "RecordID": 9,
    "Details": {
        "TgtIP": "54.95.140.168"
    },
    "ExtraFieldInfo": {
        "CustomLevel": "Info",
        "Name": "ServerAddress"
    }
}
fukusuket commented 7 months ago

No.11 RDP Conn Attempt

Hayabusa's detected event log (JSON)

{
    "Timestamp": "2024-03-30 02:35:43.633 +09:00",
    "RuleTitle": "RDP Conn Attempt",
    "Level": "info",
    "Computer": "mouse",
    "Channel": "RDP-Cli",
    "EventID": 1024,
    "RecordID": 17,
    "Details": {
        "TgtIP": "ec2-13-230-133-72.ap-northeast-1.compute.amazonaws.com"
    },
    "ExtraFieldInfo": {
        "CustomLevel": "Info",
        "Name": "Server Name"
    }
}
scudette commented 7 months ago

Thanks for testing and reporting this!

These rules were rejected as you can see here https://github.com/Velocidex/velociraptor-sigma-rules/actions/runs/8852698892/job/24321831550#step:6:223 because I have not updated the field mapping for them yet.

I just synced the Hayabusa git repo but did not spend the time to understand the new schema changes. I will look into it now.

fukusuket commented 7 months ago

@scudette
Thank you so much for checking :) If there's anything we can do to help with testing or impl, please let us know. I'll be happy to test it.

scudette commented 7 months ago

Thanks for testing it and reporting!

I submitted a change which allows us to:

  1. Automatically build field mapping in the trivial case where a rule uses fields which are known to be in a particular log source (These were mainly the changes since the last sync)
  2. Mark bad rules so they do not count towards failing the compile.

There are quite a number of bad rules in the Hayabusa set and this compiler tries to reject them and warn. Previously this was not an error, just a warning that the rule was rejected, but now with the ability to mark the rule as bad we can ignore it and be more particular about detecting new rules which fail.

This way we can work towards making it an error for a rule to fail so next time I do a sync it is obvious which rules need adjustment.

scudette commented 6 months ago

The latest change records the rejected rules and their reason so we can keep track of them with git. This should help flag new breakages as we sync the rules with upstream.

You can see the Hayabusa rules that were rejected here https://github.com/Velocidex/velociraptor-sigma-rules/blob/master/rejected/windows_hayabusa_rejects.json

The reasons vary from invalid YAML to undefined fields and invalid modifiers. We also do not currently support timeframe and aggregate rules, so we reject those too.

Thanks again for testing and reporting these issues!
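The two comments above describe the compiler's front-end: a rule is accepted only when every field it references is known for its log source, and rejects are recorded with a reason so the list can be diffed in git. The following is an added example of that check, not the velociraptor-sigma-rules compiler's own code: rules are given as already-parsed dicts (what a YAML loader returns), and the per-logsource field map, the list of supported modifiers, and all sample rules are assumptions constructed for the example.

```python
"""Reject Sigma rules the target compiler cannot translate, with a reason each.

Added example; not the velociraptor-sigma-rules compiler. FIELD_MAP and
SUPPORTED_MODIFIERS are assumed values, and SAMPLE_RULES are constructed.
"""
import json
import re

# Assumed field map: for each Sigma logsource, the event fields the matching
# Velociraptor artifact is known to expose. Real maps are much larger.
FIELD_MAP = {
    ("windows", "security"): {"EventID", "SubjectUserName", "ProcessName", "TargetName", "ReadOperation"},
    ("windows", "bits-client"): {"EventID", "RemoteName", "LocalName", "jobTitle"},
}
# Assumed set of Sigma value modifiers the target compiler can translate.
SUPPORTED_MODIFIERS = {"contains", "startswith", "endswith", "all", "re"}
AGGREGATION_RE = re.compile(r"\b(count|min|max|avg|sum)\s*\(|\bnear\b")


def logsource_key(rule):
    ls = rule.get("logsource") or {}
    return (ls.get("product", ""), ls.get("service", ""))


def iter_fields(detection):
    """Yield (field, [modifiers]) for every field reference in the detection block."""
    for name, sel in detection.items():
        if name in ("condition", "timeframe"):
            continue
        for item in (sel if isinstance(sel, list) else [sel]):
            if isinstance(item, dict):  # a bare string here is a keyword search, no field
                for key in item:
                    field, *mods = key.split("|")
                    yield field, mods


def check_rule(rule):
    """Return None when the rule can be compiled, otherwise the rejection reason."""
    det = rule.get("detection")
    if not isinstance(det, dict) or "condition" not in det:
        return "invalid detection block"
    if "timeframe" in det:
        return "timeframe rules not supported"
    if AGGREGATION_RE.search(str(det["condition"])):
        return "aggregation expressions not supported"
    product, service = logsource_key(rule)
    known = FIELD_MAP.get((product, service))
    if known is None:
        return "no field mapping for logsource %s/%s" % (product, service)
    for field, mods in iter_fields(det):
        if field not in known:
            return "undefined field %r for logsource %s/%s" % (field, product, service)
        bad = [m for m in mods if m not in SUPPORTED_MODIFIERS]
        if bad:
            return "unsupported modifier(s) %s on field %r" % (",".join(bad), field)
    return None


def compile_ruleset(rules):
    """Split rules into accepted titles and {title, reason} rejects.

    Both lists are sorted so a committed rejects file diffs cleanly between
    upstream syncs and a newly failing rule shows up as a one-line addition."""
    accepted, rejected = [], []
    for rule in rules:
        title = rule.get("title", "<untitled>")
        reason = check_rule(rule)
        if reason is None:
            accepted.append(title)
        else:
            rejected.append({"title": title, "reason": reason})
    return sorted(accepted), sorted(rejected, key=lambda r: r["title"])


# Constructed rules (already parsed from YAML). The first two titles echo this
# issue; the rest are made up so that each rejection reason is exercised.
SAMPLE_RULES = [
    {"title": "Credential Manager Enumerated",
     "logsource": {"product": "windows", "service": "security"},
     "detection": {"selection": {"EventID": 5379, "ReadOperation|contains": "%%8100"},
                   "condition": "selection"}},
    {"title": "CodeIntegrity - Unmet Signing Level Requirements By File Under Validation",
     "logsource": {"product": "windows", "service": "codeintegrity-operational"},
     "detection": {"selection": {"EventID": 3033}, "condition": "selection"}},
    {"title": "Undefined field example",
     "logsource": {"product": "windows", "service": "security"},
     "detection": {"selection": {"EventID": 4688, "Image|contains|all": ["a", "b"]},
                   "condition": "selection"}},
    {"title": "Unsupported modifier example",
     "logsource": {"product": "windows", "service": "security"},
     "detection": {"selection": {"ProcessName|base64offset|contains": "cmd"},
                   "condition": "selection"}},
    {"title": "Timeframe example",
     "logsource": {"product": "windows", "service": "security"},
     "detection": {"selection": {"EventID": 4625}, "timeframe": "5m",
                   "condition": "selection | count() > 5"}},
]

if __name__ == "__main__":
    accepted, rejected = compile_ruleset(SAMPLE_RULES)
    print("accepted:", accepted)
    print(json.dumps(rejected, indent=2))
```

The "no field mapping" reason is the case the CodeIntegrity, BITS and RDP client rules in this thread fall into: the rule is valid Sigma, but the compiler has no table saying which artifact columns those log sources expose, so it cannot emit VQL for it and the rule silently contributes nothing unless the reject is recorded.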