Open himynamesdave opened 1 month ago
explain how they have to be aged out
It's similar to the aging out of any relationship, just specifically for is_ref
I'll use test 23 to demo
If we import
embedded-ref-object.json
with create embedded relationships enabled
{
"type": "bundle",
"id": "bundle--189fdbbf-ea4a-52f1-acfc-9c04416bfd41",
"objects": [
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--49150a4c-d831-51fa-9f61-aede5570a969",
"created_by_ref": "identity--efccc0ba-d237-5c9a-ad41-4f8bb6791be4",
"created": "2021-12-07T00:00:00.000Z",
"modified": "2023-02-14T00:00:00.000Z",
"name": "Suspicious Firewall Configuration Discovery Via Netsh.EXE",
"description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. The following false positives can result from this detection; Administrative activity",
"indicator_types": [
"malicious-activity",
"anomalous-activity"
],
"pattern": "{'title': 'Suspicious Firewall Configuration Discovery Via Netsh.EXE', 'id': '0e4164da-94bc-450d-a7be-a4b176179f1f', 'status': 'experimental', 'description': 'Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems', 'references': ['https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules', 'https://ss64.com/nt/netsh.html'], 'author': \"frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'\", 'date': '2021/12/07', 'modified': '2023/02/14', 'tags': ['attack.discovery', 'attack.t1016'], 'logsource': {'category': 'process_creation', 'product': 'windows'}, 'detection': {'selection_img': [{'Image|endswith': '\\\\netsh.exe'}, {'OriginalFileName': 'netsh.exe'}], 'selection_cli': {'CommandLine|contains|all': ['netsh ', 'show ', 'firewall '], 'CommandLine|contains': ['config ', 'state ', 'rule ', 'name=all']}, 'condition': 'all of selection_*'}, 'falsepositives': ['Administrative activity'], 'level': 'low'}",
"pattern_type": "sigma",
"valid_from": "2021-12-07T00:00:00Z",
"labels": [
"level: low",
"status: experimental",
"author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'",
"license: None",
"attack.discovery",
"attack.t1016"
],
"external_references": [
{
"source_name": "rule",
"url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml"
},
{
"source_name": "id",
"url": "0e4164da-94bc-450d-a7be-a4b176179f1f"
},
{
"source_name": "reference",
"url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules"
},
{
"source_name": "reference",
"url": "https://ss64.com/nt/netsh.html"
}
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"marking-definition--efccc0ba-d237-5c9a-ad41-4f8bb6791be4"
]
}
]
}
The first file above has 1 object with 3 refs (2 for object_markings, 1 for created_by). In the second update, all these ref properties are removed from the object, so it should have 0 ref relationships.
For the second update we then import embedded-ref-object-removed.json which removes all the refs
{
"type": "bundle",
"id": "bundle--4523035c-8871-45ff-8d6f-2f03d9041728",
"objects": [
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--49150a4c-d831-51fa-9f61-aede5570a969",
"created": "2021-12-07T00:00:00.000Z",
"modified": "2024-01-01T00:00:00.000Z",
"name": "Embedded refs removed -- Suspicious Firewall Configuration Discovery Via Netsh.EXE",
"description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. The following false positives can result from this detection; Administrative activity",
"indicator_types": [
"malicious-activity",
"anomalous-activity"
],
"pattern": "{'title': 'Suspicious Firewall Configuration Discovery Via Netsh.EXE', 'id': '0e4164da-94bc-450d-a7be-a4b176179f1f', 'status': 'experimental', 'description': 'Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems', 'references': ['https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules', 'https://ss64.com/nt/netsh.html'], 'author': \"frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'\", 'date': '2021/12/07', 'modified': '2023/02/14', 'tags': ['attack.discovery', 'attack.t1016'], 'logsource': {'category': 'process_creation', 'product': 'windows'}, 'detection': {'selection_img': [{'Image|endswith': '\\\\netsh.exe'}, {'OriginalFileName': 'netsh.exe'}], 'selection_cli': {'CommandLine|contains|all': ['netsh ', 'show ', 'firewall '], 'CommandLine|contains': ['config ', 'state ', 'rule ', 'name=all']}, 'condition': 'all of selection_*'}, 'falsepositives': ['Administrative activity'], 'level': 'low'}",
"pattern_type": "sigma",
"valid_from": "2021-12-07T00:00:00Z",
"labels": [
"level: low",
"status: experimental",
"author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'",
"license: None",
"attack.discovery",
"attack.t1016"
],
"external_references": [
{
"source_name": "rule",
"url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml"
},
{
"source_name": "id",
"url": "0e4164da-94bc-450d-a7be-a4b176179f1f"
},
{
"source_name": "reference",
"url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules"
},
{
"source_name": "reference",
"url": "https://ss64.com/nt/netsh.html"
}
]
}
]
}
So essentially to do this, for each object we need to check if it has any relationship objects that are _is_latest=true
and _is_ref=true
. If this is the case, and --ignore-embedded-relationship = false
, then the script should first age out all the _is_latest=true
and _is_ref=true
= true objects linked to this one, and then recreate the latest ones (if they exist -- in this case 0 exist, so no embedded SROS would be is latest = true)
@fqrious
Discovered in https://github.com/muchdogesec/arango_cti_processor/issues/20
Now covered in test 23
python3 -m unittest tests/test_23-embedded-sro-removed.py