Supported examples of Sigma rule conversion

Each example below gives the three columns of the table: the Sigma rule, its mapping to KUMA objects, and the resulting KUMA condition.

Sigma rule:

title: Generic-DCSync Execution
id: 9107f781-c984-436a-8093-1aaa64c70c49
description: Detects access to DC with "DS-Replication-Get-Changes" or "DS-Replication-Get-Changes-All" rights
author: Kaspersky
status: stable
modified: 2023-08-02
tags:
  - attack.credential_access
  - attack.t1003.006
logsource:
  product: windows
  service: security
detection:
  selection1:
    EventID: 4662
    Properties|contains:
      - 'DS-Replication-Get-Changes'
      - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
      - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
  selection2:
    EventID: 4624
    LogonType: 3
  filter:
    EventID: 4624
    LogonType: 3
    SourceIP:
      - '<ip address of DC servers>'
  timeframe: 1m
  condition: selection1 or (selection2 and not filter) | count(EventID) by Computer,LogonID = 2
fields:
  - SourceIP
  - Computer
  - LogonID
  - Username
  - Properties
falsepositives:
  - Unknown
level: high

Mapping to KUMA objects:

Normalizer "Microsoft products"
tags → description
logsource:
  DeviceVendor = Microsoft
  DeviceProduct = Windows
selection1:
  DeviceEventClassID=4662
  FilePermission contains '' OR FilePermission contains '' OR FilePermission contains ''
selection2:
  DeviceEventClassID=4624
  DeviceCustomNumber1 = 3
filter:
  DeviceEventClassID=4624
  DeviceCustomNumber1 = 3
  SourceAddress = <IP>
condition:
  DeviceVendor = Microsoft AND
  DeviceProduct = Windows AND
  ((
    DeviceEventClassID=4662 AND
    (FilePermission contains '' OR FilePermission contains '' OR FilePermission contains '')
  ) OR
  (
    (
      DeviceEventClassID=4624 AND
      DeviceCustomNumber1 = 3
    ) NOT
    (
      DeviceEventClassID=4624 AND
      DeviceCustomNumber1 = 3 AND
      SourceAddress = <IP>
    )
  ))
Everything inside count(): EventID → put into Unique fields.
Everything after 'by': Computer → DestinationHostName, LogonID → FlexString1 → put into Aggregation fields.
Everything after '=' or '>': 2 → put into threshold.
timeframe → put into time window.

Condition:

This is a correlation rule with aggregation (the count), i.e. not a simple KUMA rule. It is currently supported only partially: if the pipe is removed from the Sigma rule's condition, the remainder can be used as the selector condition of a correlation rule or as an SQL query for Threat Hunting.
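The splitting described in this row, written out as an added example (not KUMA's or Kaspersky's code): the text before the pipe becomes the selector condition, the field inside count() goes to Unique fields, the fields after 'by' are renamed and go to Aggregation fields, the number after '=' or '>' becomes the threshold and the timeframe becomes the time window. The output dictionary keys are an assumption of this example; the field names are the ones given in the table.

```python
import re

# Field renaming for the 'by' fields, as given in the table row above.
FIELD_MAP = {"Computer": "DestinationHostName", "LogonID": "FlexString1"}
TIMEFRAME_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# "count(EventID) by Computer,LogonID = 2" -> unique field, by-list, operator, number
AGG_RE = re.compile(
    r"^count\((?P<unique>\w+)\)\s+by\s+(?P<by>[\w,\s]+?)\s*(?P<op>[=>])\s*(?P<n>\d+)$")

def timeframe_to_seconds(tf):
    """Sigma timeframe such as '1m' or '24h' -> seconds for the KUMA time window."""
    m = re.fullmatch(r"(\d+)([smhd])", tf)
    if not m:
        raise ValueError(f"unsupported timeframe: {tf!r}")
    return int(m.group(1)) * TIMEFRAME_SECONDS[m.group(2)]

def split_condition(condition, timeframe):
    """Split a Sigma condition at the pipe into the KUMA correlation rule parameters."""
    selector, pipe, aggregation = condition.partition("|")
    if not pipe:
        # No aggregation: the condition is a plain selector (a simple KUMA rule).
        return {"selector": selector.strip()}
    m = AGG_RE.match(aggregation.strip())
    if not m:
        raise ValueError(f"unsupported aggregation: {aggregation.strip()!r}")
    by_fields = [f.strip() for f in m.group("by").split(",")]
    unmapped = [f for f in by_fields if f not in FIELD_MAP]
    if unmapped:
        raise KeyError(f"no KUMA field mapping for {unmapped}")
    return {
        "selector": selector.strip(),                 # selector condition (text before the pipe)
        "unique_fields": [m.group("unique")],         # everything inside count()
        "aggregation_fields": [FIELD_MAP[f] for f in by_fields],  # everything after 'by'
        "threshold": int(m.group("n")),               # everything after '=' or '>'
        "time_window_seconds": timeframe_to_seconds(timeframe),   # timeframe
    }

# Constructed input: the condition and timeframe of the 'Generic-DCSync Execution' rule above.
DCSYNC = split_condition(
    "selection1 or (selection2 and not filter) | count(EventID) by Computer,LogonID = 2", "1m")
```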

 

Sigma rule:

title: Lsass Dump via LOLBin
id: 2fe9cd33-d7f1-4d52-ab11-e40cb359ad02
description: detects lsass dump via lolbins such as procdump.exe, dotnet-dump.exe, dumpminitool.exe
references:
  - https://twitter.com/bohops/status/1635288066909966338
  - https://twitter.com/mrd0x/status/1511415432888131586
modified: 2023-07-18
author: Kaspersky
status: stable
tags:
  - attack.credential_access
  - attack.t1003.001
logsource:
  product: windows
  category: process_creation
detection:
  selection_procdump:
    Image|endswith:
      - '\procdump.exe'
      - '\procdump64.exe'
    CommandLine|contains: 'lsass'
  selection_dotnet:
    Image|endswith: '\dotnet-dump.exe'
    CommandLine: ' collect '
  selection_dumpminitool:
    Image|endswith: '\dumpminitool.exe'
  condition: 1 of selection*
falsepositives:
  - Unknown
level: high

Mapping to KUMA objects:

Converted in the same way as the rule in row 3 of the table.
Difference: the condition 1 of selection* means any one of the named selections.

Condition:

DeviceVendor='Microsoft' AND
DeviceProduct='Windows' AND
DeviceEventClassID='4688' AND
(
  (
    (DestinationProcessName endsWith '\\procdump.exe' OR
     DestinationProcessName endsWith '\\procdump64.exe') AND
    DeviceCustomString contains 'lsass'
  ) OR
  (DestinationProcessName endsWith '\\dotnet-dump.exe' AND
   DeviceCustomString=' collect '
  ) OR
  DestinationProcessName endsWith '\\dumpminitool.exe'
)

Sigma rule:

title: Generic-Clearing Windows Event Logs via Command Line
id: a903492e-da40-4ab4-a92d-306a4799d973
description: Detects Clear Windows Event Logs via Command Line
author: Kaspersky
status: stable
modified: 2023-07-18
tags:
  - attack.defense_evasion
  - attack.t1070.001
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith: '\wevtutil.exe'
    CommandLine|contains:
      - ' cl '
      - 'clear'
  selection2:
    Image|endswith:
      - '\powershell.exe'
      - '\powershell_ise.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'Clear-EventLog'
      - 'Remove-EventLog'
  selection3:
    Image|endswith: '\wmic.exe'
    CommandLine|contains:
      - 'ClearEventLog'
  condition: 1 of them
falsepositives:
  - Legitimate System Administrator actions
level: high

Mapping to KUMA objects:

Normalizer "Microsoft products"
tags → description
logsource:
  DeviceVendor = Microsoft
  DeviceProduct = Windows
  DeviceEventClassID=4688
selection1:
  DestinationProcessName endswith ''
  DeviceCustomString4 contains "" OR DeviceCustomString4 contains ""
selection2:
  DestinationProcessName endswith ''
  DeviceCustomString4 contains "" OR DeviceCustomString4 contains ""
selection3:
  DestinationProcessName endswith ''
  DeviceCustomString4 contains "" OR DeviceCustomString4 contains ""
condition:
  DeviceVendor = Microsoft AND
  DeviceProduct = Windows AND
  DeviceEventClassID=4688 AND
  (
    ( DestinationProcessName endswith '' AND (DeviceCustomString4 contains "" OR DeviceCustomString4 contains "")) OR
    ( DestinationProcessName endswith '' AND (DeviceCustomString4 contains "" OR DeviceCustomString4 contains "")) OR
    ( DestinationProcessName endswith '' AND (DeviceCustomString4 contains "" OR DeviceCustomString4 contains ""))
  )
identical fields: specify the fields from the condition, except the Name, deviceProduct and deviceVendor fields.

Condition:

DeviceVendor='Microsoft' AND
DeviceProduct='Windows' AND
DeviceEventClassID='4688' AND
(
  (DestinationProcessName endsWith '\\wevtutil.exe' AND
   (DeviceCustomString contains ' cl ' OR DeviceCustomString contains 'clear')
  ) OR
  (
    (DestinationProcessName endsWith '\\powershell.exe' OR
     DestinationProcessName endsWith '\\powershell_ise.exe' OR
     DestinationProcessName endsWith '\\pwsh.exe') AND
    (DeviceCustomString contains 'Clear-EventLog' OR
     DeviceCustomString contains 'Remove-EventLog')
  ) OR
  (DestinationProcessName endsWith '\\wmic.exe' AND
   DeviceCustomString contains 'ClearEventLog')
)
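The process_creation conversion shown in this row and in the 'Lsass Dump via LOLBin' row, as an added example that is not KUMA's or Kaspersky's code: the Sigma logsource becomes the DeviceVendor/DeviceProduct/DeviceEventClassID='4688' prefix, Image and CommandLine are renamed to DestinationProcessName and DeviceCustomString, list values are ORed, the keys of one selection are ANDed, and '1 of them' / '1 of selection*' ORs the selections. The backslash doubling in the string literals follows the Condition column above; the Python dictionary shape of the input is an assumption of this example.

```python
import re

# Field and logsource mapping used in the table above for process_creation rules.
FIELD_MAP = {"Image": "DestinationProcessName", "CommandLine": "DeviceCustomString"}
OP_MAP = {"endswith": "endsWith", "contains": "contains", "": "="}
LOGSOURCE = {("windows", "process_creation"):
             "DeviceVendor='Microsoft' AND DeviceProduct='Windows' AND DeviceEventClassID='4688'"}

def quote(value):
    # KUMA string literal: single quotes, backslashes doubled (cf. '\\procdump.exe' above)
    return "'" + str(value).replace("\\", "\\\\") + "'"

def render_field(key, value):
    """A list value becomes '(A OR B)'; a scalar gives a single term."""
    name, _, modifier = key.partition("|")
    if name not in FIELD_MAP or modifier not in OP_MAP:
        raise KeyError(f"no KUMA mapping for Sigma field {key!r}")
    values = value if isinstance(value, list) else [value]
    terms = [f"{FIELD_MAP[name]} {OP_MAP[modifier]} {quote(v)}" for v in values]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"

def render_selection(selection):
    """The keys of one Sigma selection are ANDed."""
    parts = [render_field(k, v) for k, v in selection.items()]
    return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"

def convert(rule):
    """Handle 'condition: 1 of them' and '1 of <prefix>*': OR of the matching selections."""
    det = rule["detection"]
    cond = det["condition"].strip()
    m = re.fullmatch(r"1 of (them|(\w*)\*)", cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    prefix = "" if m.group(1) == "them" else m.group(2)
    names = [n for n in det if n != "condition" and n.startswith(prefix)]
    body = " OR ".join(render_selection(det[n]) for n in names)
    ls = rule["logsource"]
    return f"{LOGSOURCE[(ls['product'], ls['category'])]} AND ({body})"

# Constructed input: the detection of the 'Lsass Dump via LOLBin' rule from this table.
LOLBIN = {
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection_procdump": {"Image|endswith": ["\\procdump.exe", "\\procdump64.exe"],
                               "CommandLine|contains": "lsass"},
        "selection_dotnet": {"Image|endswith": "\\dotnet-dump.exe", "CommandLine": " collect "},
        "selection_dumpminitool": {"Image|endswith": "\\dumpminitool.exe"},
        "condition": "1 of selection*",
    },
}
```

convert(LOLBIN) returns the same condition as the Lsass row's Condition column, on one line; a condition the converter does not support (for example 'selection1 and selection2') raises ValueError rather than producing a wrong selector.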

Sigma rule:

title: 0021-0002.1204.003 Execution - PowerExchangeDropper
description: Detect the dropping of PowerExchange components.
status: experimental
logsource:
  product: windows
  service: Sysmon
detection:
  selection1:
    EventID: 11
  selection2:
    TargetFilename|contains:
      - 'c:\users\public\microsoftedge\autosave.exe'
      - 'c:\users\public\microsoftedge\wsdl.ps1'
  selection3:
    Image|endswith: "brochure.exe"
  condition: selection1 and selection2 and selection3
falsepositives:
  - Unknown
level: high

Mapping to KUMA objects:

Basis: the normalizer for Sysmon event 11.
title → name
author → description
description → description
status → description
logsource:
  DeviceVendor = Microsoft
  DeviceProduct = Sysmon
selection1:
  DeviceEventClassID=11
selection2:
  FilePath contains 'c:\users\public\microsoftedge\autosave.exe' OR FilePath contains ''
  (if the file path contains a *, format it as a regexp)
selection3:
  OldFilePath endswith ""
condition:
  DeviceVendor = Microsoft AND
  DeviceProduct = Sysmon AND
  (DeviceEventClassID=11) AND
  (FilePath contains 'c:\users\public\microsoftedge\autosave.exe' OR FilePath contains '') AND
  (OldFilePath endswith "")
identical fields: specify the fields from the condition, except the Name, deviceProduct and deviceVendor fields.
level → severity
falsepositive → Description

Condition:

DeviceVendor='Microsoft' AND
DeviceProduct='Sysmon' AND
DeviceEventClassID=11 AND
(
  FilePath contains 'c:\\users\\public\\microsoftedge\\autosave.exe' OR
  FilePath contains 'c:\\users\\public\\microsoftedge\\wsdl.ps1'
) AND
OldFilePath endsWith 'brochure.exe'

Sigma rule:

title: Domain joined host discovery
description: Detect an attacker enumerating domain-joined machines using PowerShell.
status: stable
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains|all:
      - 'System.DirectoryServices.DirectorySearcher'
      - 'Properties.operatingsystem'
  condition: selection
falsepositives:
  - "Administrative scripts or tools like Vulnerability Scanners"
level: medium

Mapping to KUMA objects:

ScriptBlockText → Message

 

Sigma rule:

title: 0022-0002.1053.005 Execution - PowerExchange Task
description: Detect the creation of a scheduled task by PowerExchange.
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - '4698'
    TaskName|contains:
      - 'MicrosoftEdgeUpdateService'
  condition: selection
falsepositives:
  - Unknown
level: medium

Mapping to KUMA objects:

TaskName → SourceProcessName

 

Sigma rule:

title: Created Windows Shell from Critical Windows Process
description: Anomaly behavior critical windows process
status: stable
modified: 2023-07-18
tags:
  - attack.defense_evasion
  - attack.t1036
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith:
      - '\searchindexer.exe'
      - '\lsaiso.exe'
      - '\lsm.exe'
      - '\spoolsv.exe'
      - '\wininit.exe'
      - '\smss.exe'
      - '\csrss.exe'
      - '\lsass.exe'
      - '\services.exe'
      - '\winlogon.exe'
    Image|endswith:
      - '\powershell_ise.exe'
      - '\cmstp.exe'
      - '\appvlp.exe'
      - '\mftrace.exe'
      - '\scriptrunner.exe'
      - '\forfiles.exe'
      - '\msiexec.exe'
      - '\rundll32.exe'
      - '\mshta.exe'
      - '\hh.exe'
      - '\wmic.exe'
      - '\regsvr32.exe'
      - '\scrcons.exe'
      - '\bash.exe'
      - '\sh.exe'
      - '\cscript.exe'
      - '\wscript.exe'
      - '\powershell.exe'
      - '\cmd.exe'
  condition: selection
falsepositives:
  - Unknown
level: high

Mapping to KUMA objects:

ParentImage → SourceProcessName

 
