wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Adding new detection rules using Sysmon ID 1 events #3459

Closed 72nomada closed 2 years ago

72nomada commented 2 years ago
| Target version | Related issue | Related PR |
| -------- | -------- | -------- |
| 4.4.0 | https://github.com/wazuh/wazuh-qa/issues/3396 | https://github.com/wazuh/wazuh/pull/13595 |

Sysmon event id 1 rules for APT emulation detection

juliamagan commented 2 years ago

Tester review

Tester PR commit
@juliamagan https://github.com/wazuh/wazuh/pull/13595/commits/951fc4bcde224c3422d88d8d7b9075d98498111b

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
| -------- | -------- | -------- | -------- | -------- |
| CentOS | CentOS 8 | Vagrant | qactl/centos_8 | |

Tested packages

| Package | Version |
| -------- | -------- |
| wazuh-manager | 4.4.0 |

Status

Conclusion 🔴

juliamagan commented 2 years ago

Update - 19/10/2022

juliamagan commented 2 years ago

Update - 31/10/2022

juliamagan commented 2 years ago

Update - 02/11/2022

After discussing with @wazuh/threat-intel how the testing will be performed on this issue, the following checks have been decided:

juliamagan commented 2 years ago

Testing results

Changes reflected in PR description :red_circle:
No summary has been found with the applied changes that could be useful as a reference for the user.
runtests.py :green_circle:
| Component | Tested | Total | Coverage |
| -------- | -------- | -------- | -------- |
| Rules | 1245 | 4165 | 29.89% |
| Decoders | 120 | 165 | 72.73% |

| File | Passed | Failed | Status |
| -------- | -------- | -------- | -------- |
| ./tests/sysmon.ini | 25 | 0 | ✅ |
| ./tests/proftpd.ini | 7 | 0 | ✅ |
| ./tests/fortimail.ini | 6 | 0 | ✅ |
| ./tests/dovecot.ini | 15 | 0 | ✅ |
| ./tests/test_expr_negation.ini | 56 | 0 | ✅ |
| ./tests/exim.ini | 7 | 0 | ✅ |
| ./tests/win_application.ini | 0 | 0 | ✅ |
| ./tests/gcp.ini | 31 | 0 | ✅ |
| ./tests/pix.ini | 22 | 0 | ✅ |
| ./tests/cpanel.ini | 7 | 0 | ✅ |
| ./tests/sophos.ini | 8 | 0 | ✅ |
| ./tests/syslog.ini | 6 | 0 | ✅ |
| ./tests/checkpoint_smart1.ini | 18 | 0 | ✅ |
| ./tests/nextcloud.ini | 8 | 0 | ✅ |
| ./tests/iptables.ini | 8 | 0 | ✅ |
| ./tests/samba.ini | 4 | 0 | ✅ |
| ./tests/cisco_asa.ini | 88 | 0 | ✅ |
| ./tests/dropbear.ini | 3 | 0 | ✅ |
| ./tests/systemd.ini | 2 | 0 | ✅ |
| ./tests/SonicWall.ini | 11 | 0 | ✅ |
| ./tests/vsftpd.ini | 4 | 0 | ✅ |
| ./tests/firewalld.ini | 2 | 0 | ✅ |
| ./tests/mailscanner.ini | 1 | 0 | ✅ |
| ./tests/owlh.ini | 4 | 0 | ✅ |
| ./tests/fortiauth.ini | 4 | 0 | ✅ |
| ./tests/cisco_ios.ini | 17 | 0 | ✅ |
| ./tests/vuln_detector.ini | 2 | 0 | ✅ |
| ./tests/openldap.ini | 9 | 0 | ✅ |
| ./tests/kernel_usb.ini | 6 | 0 | ✅ |
| ./tests/auditd.ini | 31 | 0 | ✅ |
| ./tests/glpi.ini | 3 | 0 | ✅ |
| ./tests/f5_big_ip.ini | 48 | 0 | ✅ |
| ./tests/mcafee_epo.ini | 1 | 0 | ✅ |
| ./tests/opensmtpd.ini | 7 | 0 | ✅ |
| ./tests/sudo.ini | 8 | 0 | ✅ |
| ./tests/unbound.ini | 0 | 0 | ✅ |
| ./tests/netscreen.ini | 4 | 0 | ✅ |
| ./tests/php.ini | 2 | 0 | ✅ |
| ./tests/doas.ini | 4 | 0 | ✅ |
| ./tests/pam.ini | 5 | 0 | ✅ |
| ./tests/arbor.ini | 2 | 0 | ✅ |
| ./tests/office365.ini | 128 | 0 | ✅ |
| ./tests/paloalto.ini | 16 | 0 | ✅ |
| ./tests/test_osregex_regex.ini | 28 | 0 | ✅ |
| ./tests/fortigate.ini | 45 | 0 | ✅ |
| ./tests/ossec.ini | 5 | 0 | ✅ |
| ./tests/web_rules.ini | 10 | 0 | ✅ |
| ./tests/oscap.ini | 32 | 0 | ✅ |
| ./tests/exchange.ini | 2 | 0 | ✅ |
| ./tests/squid_rules.ini | 2 | 0 | ✅ |
| ./tests/cisco_ftd.ini | 42 | 0 | ✅ |
| ./tests/sophos_fw.ini | 10 | 0 | ✅ |
| ./tests/sysmon_eid_1.ini | 59 | 0 | ✅ |
| ./tests/github.ini | 324 | 0 | ✅ |
| ./tests/postfix.ini | 2 | 0 | ✅ |
| ./tests/audit_scp.ini | 8 | 0 | ✅ |
| ./tests/api.ini | 21 | 0 | ✅ |
| ./tests/rsh.ini | 2 | 0 | ✅ |
| ./tests/apparmor.ini | 5 | 0 | ✅ |
| ./tests/nginx.ini | 12 | 0 | ✅ |
| ./tests/named.ini | 5 | 0 | ✅ |
| ./tests/test_pcre2_regex.ini | 33 | 0 | ✅ |
| ./tests/fortiddos.ini | 1 | 0 | ✅ |
| ./tests/openvpn_ldap.ini | 2 | 0 | ✅ |
| ./tests/cimserver.ini | 2 | 0 | ✅ |
| ./tests/test_osmatch_regex.ini | 6 | 0 | ✅ |
| ./tests/freepbx.ini | 6 | 0 | ✅ |
| ./tests/overwrite.ini | 10 | 0 | ✅ |
| ./tests/sshd.ini | 48 | 0 | ✅ |
| ./tests/junos.ini | 3 | 0 | ✅ |
| ./tests/modsecurity.ini | 6 | 0 | ✅ |
| ./tests/pfsense.ini | 2 | 0 | ✅ |
| ./tests/test_features.ini | 5 | 0 | ✅ |
| ./tests/cloudflare-waf.ini | 13 | 0 | ✅ |
| ./tests/web_appsec.ini | 31 | 0 | ✅ |
| ./tests/huawei_usg.ini | 3 | 0 | ✅ |
| ./tests/su.ini | 5 | 0 | ✅ |
| ./tests/apache.ini | 12 | 0 | ✅ |
| ./tests/gitlab.ini | 27 | 0 | ✅ |
| ./tests/aws_s3_access.ini | 10 | 0 | ✅ |
| ./tests/test_static_filters.ini | 28 | 0 | ✅ |
| ./tests/eset.ini | 8 | 0 | ✅ |
| ./tests/fireeye.ini | 3 | 0 | ✅ |
| ./tests/panda_paps.ini | 8 | 0 | ✅ |
Rule 92025 :green_circle:
The child rule `92026` will become the equivalent of the previous `92025`. Now, `92025` is a more general rule that groups several events.
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
- Description: :green_circle:

Rule 92026 :yellow_circle:
This rule corresponds to the previous rule `92025`. It keeps the expected values.
- Fields:
  - `originalFileName` :yellow_circle: : This rule has `92025`; it shouldn't be necessary to check this field again.
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92027 :green_circle:
- Fields:
  - `image` :green_circle: : File path of the process being spawned/created. Considered also the child or source process
  - `parentImage` :green_circle: : File path that spawned/created the main process
- Description: :green_circle:

Rule 92028 :green_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
- Description: :green_circle:

Rule 92029 :red_circle:
- Fields:
  - `commandLine` :red_circle: : This rule has `92028`, which checks if a `.ps1` script is executed, but in this rule we try to check more types of scripts `(bat|cmd|lnk|pif|vbs|vbe|js|wsh|ps1)`
- Description: :green_circle:

Rule 92030 :green_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92031 :yellow_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
- Description: :yellow_circle: Extra period

Rule 92032 :green_circle:
- Fields:
  - `parentImage` :green_circle: : File path that spawned/created the main process
  - `parentCommandLine` :green_circle: : Arguments which were passed to the executable associated with the parent process
- Description: :green_circle:

Rule 92033 :green_circle:
- Fields:
  - `parentImage` :green_circle: : File path that spawned/created the main process
- Description: :green_circle:

Rule 92034 :green_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92035 :green_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92036 :yellow_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
- Description: :yellow_circle: Extra period

Rule 92037 :yellow_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :yellow_circle: Extra period

Rule 92038 :yellow_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :yellow_circle: Extra period

Rule 92039 :yellow_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :yellow_circle: Extra period

Rule 92040 :yellow_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :yellow_circle: Extra period

Rule 92041 :green_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92042 :green_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
- Description: :green_circle:

Rule 92043 :green_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92044 :green_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92045 :green_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92046 :green_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
  - `parentImage` :green_circle: : File path that spawned/created the main process
- Description: :green_circle:

Rule 92047 :green_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
  - `parentImage` :green_circle: : File path that spawned/created the main process
- Description: :green_circle:

Rule 92048 :green_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92049 :green_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92050 :green_circle:
- Fields:
  - `parentImage` :green_circle: : File path that spawned/created the main process
- Description: :green_circle:

Rule 92051 :green_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
  - `image` :green_circle: : File path of the process being spawned/created. Considered also the child or source process
- Description: :green_circle:

Rule 92052 :green_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
  - `parentImage` :green_circle: : File path that spawned/created the main process
- Description: :green_circle:

Rule 92053 :green_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92054 :green_circle:
- Fields:
  - `parentCommandLine` :green_circle: : Arguments which were passed to the executable associated with the parent process
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92055 :green_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
- Description: :green_circle:

Rule 92056 :green_circle:
- Fields:
  - `parentCommandLine` :green_circle: : Arguments which were passed to the executable associated with the parent process
- Description: :green_circle:

Rule 92057 :yellow_circle:
- Fields:
  - `parentImage` :green_circle: : File path that spawned/created the main process
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :yellow_circle: Extra period

Rule 92058 :yellow_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
- Description: :yellow_circle: Extra period

Rule 92059 :green_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92060 :green_circle:
- Fields:
  - `parentImage` :green_circle: : File path that spawned/created the main process
- Description: :green_circle:

Rule 92061 :yellow_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
  - `parentImage` :green_circle: : File path that spawned/created the main process
  - `integrityLevel` :green_circle: : Integrity label assigned to a process
- Description: :yellow_circle: Extra period

Rule 92062 :yellow_circle:
- Fields:
  - `parentImage` :green_circle: : File path that spawned/created the main process
  - `integrityLevel` :green_circle: : Integrity label assigned to a process
  - `image` :green_circle: : File path of the process being spawned/created. Considered also the child or source process
- Description: :yellow_circle: Extra period

Rule 92063 :green_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
- Description: :green_circle:

Rule 92064 :green_circle:
- Fields:
  - `image` :green_circle: : File path of the process being spawned/created. Considered also the child or source process
- Description: :green_circle:

Rule 92065 :yellow_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
  - `parentImage` :green_circle: : File path that spawned/created the main process
- Description: :yellow_circle: Extra period

Rule 92066 :yellow_circle:
- Fields:
  - `parentImage` :green_circle: : File path that spawned/created the main process
  - `image` :green_circle: : File path of the process being spawned/created. Considered also the child or source process
- Description: :yellow_circle: Extra period

Rule 92067 :yellow_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :yellow_circle: Extra period

Rule 92068 :green_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92069 :green_circle:
- Fields:
  - `parentImage` :green_circle: : File path that spawned/created the main process
- Description: :green_circle:

Rule 92070 :green_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
- Description: :green_circle:

Rule 92071 :green_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92072 :green_circle:
- Fields:
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92073 :green_circle:
- Fields:
  - `parentCommandLine` :green_circle: : Arguments which were passed to the executable associated with the parent process
- Description: :green_circle:

Rule 92074 :green_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92075 :green_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:

Rule 92076 :green_circle:
- Fields:
  - `originalFileName` :green_circle: : OriginalFileName from the PE header, added on compilation
  - `commandLine` :green_circle: : Arguments which were passed to the executable associated with the main process.
- Description: :green_circle:
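The two structural findings in the review above (rule `92026` re-checking `originalFileName` that its parent `92025` already matched, and rule `92029` accepting more script types than its parent `92028` lets through) generalise to two lints on any parent/child rule tree. The following is an added example written for this page; it is not Wazuh's ruleset, not its `runtests.py`, and does not reproduce rules 92025-92076. Rule ids `100000`-`100003`, their patterns and the three Sysmon Event ID 1 records are constructed stand-ins; only the decoded field names (`originalFileName`, `commandLine`, `integrityLevel`) and the script-extension list come from the review. `if_sid` here models parent-before-child matching in the spirit of Wazuh's `<if_sid>`, not its exact semantics.

```python
"""Added example: parent/child field-check lints for Sysmon EID 1 rules.
Not Wazuh code; rule ids 100000-100003, patterns and events are hypothetical."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    id: int
    description: str
    checks: Dict[str, str]          # decoded field -> regex; every field must match
    if_sid: Optional[int] = None    # parent rule; a child is tried only after its parent matched


# Script extensions quoted in the review of rule 92029.
SCRIPTS = r"\.(bat|cmd|lnk|pif|vbs|vbe|js|wsh|ps1)\b"

# Hypothetical tree carrying the two defects the review found: 100002 re-checks
# originalFileName although its parent already required it (cf. 92026), and
# 100003 accepts every script type while its parent only lets .ps1 through (cf. 92029).
RULES_BEFORE = [
    Rule(100000, "Sysmon - Event 1: process creation", {"eventId": r"^1$"}),
    Rule(100001, "Sysmon - Event 1: PowerShell process", {"originalFileName": r"^PowerShell\.EXE$"}, 100000),
    Rule(100002, "Sysmon - Event 1: PowerShell runs a .ps1 script",
         {"originalFileName": r"^PowerShell\.EXE$", "commandLine": r"\.ps1\b"}, 100001),
    Rule(100003, "Sysmon - Event 1: PowerShell runs a script file", {"commandLine": SCRIPTS}, 100002),
]

# Same tree after the kind of fix applied in this thread: the repeated field is dropped
# and the broader script pattern moves up to the parent; the child then contributes a
# field of its own (integrityLevel) instead of re-matching commandLine.
RULES_AFTER = [
    Rule(100000, "Sysmon - Event 1: process creation", {"eventId": r"^1$"}),
    Rule(100001, "Sysmon - Event 1: PowerShell process", {"originalFileName": r"^PowerShell\.EXE$"}, 100000),
    Rule(100002, "Sysmon - Event 1: PowerShell runs a script file", {"commandLine": SCRIPTS}, 100001),
    Rule(100003, "Sysmon - Event 1: PowerShell runs a script file at high integrity",
         {"integrityLevel": r"^High$"}, 100002),
]

# Constructed, already-decoded Sysmon EID 1 records using the field names from the review.
EVENTS = [
    {"eventId": "1", "originalFileName": "PowerShell.EXE", "integrityLevel": "Medium",
     "commandLine": r"powershell.exe -File C:\Temp\update.ps1"},
    {"eventId": "1", "originalFileName": "PowerShell.EXE", "integrityLevel": "High",
     "commandLine": r"powershell.exe -File C:\Temp\run.vbs"},
    {"eventId": "1", "originalFileName": "NOTEPAD.EXE", "integrityLevel": "Medium",
     "commandLine": r"notepad.exe C:\notes.txt"},
]


def _search(rx: str, value: str) -> bool:
    return re.search(rx, value, re.IGNORECASE) is not None


def _matches(rule: Rule, event: Dict[str, str]) -> bool:
    return all(_search(rx, event.get(f, "")) for f, rx in rule.checks.items())


def _ancestors(rule: Rule, by_id: Dict[int, Rule]):
    while rule.if_sid is not None:
        rule = by_id[rule.if_sid]
        yield rule


def evaluate(rules: List[Rule], event: Dict[str, str]) -> Optional[int]:
    """Id of the deepest rule reached: children are tried only under a matching parent."""
    children: Dict[Optional[int], List[Rule]] = {}
    for r in rules:
        children.setdefault(r.if_sid, []).append(r)
    current, winner = None, None
    while True:
        hit = next((r for r in children.get(current, []) if _matches(r, event)), None)
        if hit is None:
            return winner
        winner = current = hit.id


def redundant_checks(rules: List[Rule]) -> List[tuple]:
    """(child, field, ancestor) where the child repeats a check an ancestor already enforced."""
    by_id = {r.id: r for r in rules}
    return [(r.id, f, a.id) for r in rules for a in _ancestors(r, by_id)
            for f, rx in r.checks.items() if a.checks.get(f) == rx]


def dead_breadth(rules: List[Rule], samples: List[Dict[str, str]]) -> Dict[tuple, List[str]]:
    """Sample values a child pattern accepts but an ancestor's pattern on the same field
    rejects: that breadth is dead, because such events never reach the child."""
    by_id = {r.id: r for r in rules}
    dead: Dict[tuple, List[str]] = {}
    for r in rules:
        for a in _ancestors(r, by_id):
            for f, rx in r.checks.items():
                if f in a.checks and a.checks[f] != rx:
                    for e in samples:
                        v = e.get(f, "")
                        if _search(rx, v) and not _search(a.checks[f], v):
                            dead.setdefault((r.id, f), []).append(v)
    return dead


if __name__ == "__main__":
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(name, [evaluate(rules, e) for e in EVENTS],
              redundant_checks(rules), dead_breadth(rules, EVENTS))
```

Run stand-alone it shows the `.vbs` record stopping at the PowerShell parent in the "before" tree (the broader child is never consulted), and `dead_breadth` naming exactly that value; in the "after" tree the same record reaches the leaf and both lints return empty. The `dead_breadth` lint is sample-driven on purpose: deciding regex containment in general is hard, whereas a handful of representative decoded events, like the `.ini` cases `runtests.py` consumes, is enough to catch a child that can never fire on the inputs it was written for.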
fabamatic commented 2 years ago

Implemented requested changes in rules and issue

juliamagan commented 2 years ago

Testing after requested changes


Results

Changes reflected in PR description :green_circle:
![Image](https://user-images.githubusercontent.com/80041853/199941543-dbefa16a-291f-499a-a795-8b2af3c51733.png)
Rule 92026 :green_circle:
`originalFileName` has been deleted
Rule 92028 :green_circle:
Different types of scripts added to `commandLine`
Rule 92029 :green_circle:
Different types of scripts added to `commandLine` in rule `92028`
Rule 92031 :green_circle:
- Description: :green_circle:
Rule 92036 :green_circle:
- Description: :green_circle:
Rule 92037 :green_circle:
- Description: :green_circle:
Rule 92038 :green_circle:
- Description: :green_circle:
Rule 92039 :green_circle:
- Description: :green_circle:
Rule 92040 :green_circle:
- Description: :green_circle:
Rule 92057 :green_circle:
- Description: :green_circle:
Rule 92058 :green_circle:
- Description: :green_circle:
Rule 92061 :green_circle:
- Description: :green_circle:
Rule 92062 :green_circle:
- Description: :green_circle:
Rule 92065 :green_circle:
- Description: :green_circle:
Rule 92066 :green_circle:
- Description: :green_circle:
Rule 92067 :green_circle:
- Description: :green_circle:

Conclusion :green_circle:

Everything has been fixed

jmv74211 commented 2 years ago

Closing conclusion 👍🏼

🟢 Solved

The development has been approved taking into account the following considerations:

1. No summary has been found with the applied changes that could be useful as a reference for the user. 🟢

Fixed in the current development https://github.com/wazuh/wazuh/pull/13595/commits/7bd7baf0bbf1c239ebf185b84a76082027eb405f

2. Rule 92029: This rule expects different types of scripts, but its parent rule only expects ps1 and checks twice originalFileName 🟢

Fixed in the current development https://github.com/wazuh/wazuh/pull/13595/commits/7bd7baf0bbf1c239ebf185b84a76082027eb405f

3. Some rules end their description with . while others don't. 🟢

Fixed in the current development https://github.com/wazuh/wazuh/pull/13595/commits/7bd7baf0bbf1c239ebf185b84a76082027eb405f