print("Detection Summary :\n############################################\nNumber of incidents by Severity:\n"+allresults["Severity"].value_counts().to_string()+"\n############################################\nNumber of incidents by Detection Rule:\n"+allresults["message"].value_counts().to_string()+"\n\n")
parser.add_argument("-rules","--rules",help="path to sigma rules in json format")
#parser.add_argument("-evtfreq","--evtfreq", help="Produce event ID frequency analysis report",action='store_true')
parser.add_argument("-cores","--cores",help="cpu cores to be used in multiprocessing , default is half the number of availble CPU cores")
# 解析命令行参数
args=parser.parse_args()
# 如果指定了输出文件名,则创建输出目录
ifargs.outisnotNone:
Output=create_out_dir(args.out)
# 如果没有指定日志路径,则打印错误信息并退出
if(args.pathisNone):# and args.security is None and args.system is None and args.scheduledtask is None and args.defender is None and args.powershell is None and args.powershellop is None and args.terminal is None and args.winrm is None and args.sysmon is None):
print("You didn't specify a path for the logs \nuse --help to print help message")
exit()
@ -945,7 +787,6 @@ def main():
allreport=args.allreport
CPU_Core=0
#print(f"all reports value : {allreport}\nlogons value {logons}")
print("Error parsing time , please use ISO format with timestart and timeend Ex: (2022-04-03T20:56+04:00 or 2022-04-03T20:56 or 2022-04-03 20:56 or 2022-04-03)")
exit()
# 根据命令行参数设置时区
ifargs.timezoneisnotNone:
ifargs.timezone.lower()=="local":
input_timezone=tz.tzlocal()
else:
input_timezone=timezone(args.timezone)
# 根据命令行参数设置CPU核心数,如果格式不正确,则打印错误信息并退出
ifargs.coresisnotNone:
try:
CPU_Core=int(args.cores)
except:
print(f"Error using supplied CPU cores {args.cores}")
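Review bot: The bare `except:` around `CPU_Core=int(args.cores)` at the end of the hunk also swallows `SystemExit` and `KeyboardInterrupt`, and it is followed only by a `print`, so unless an `exit()` follows outside the hunk the run continues with `CPU_Core` left at 0; narrow it to `except ValueError:` and fail the same way the time-parse branch above does (`print(...)` then `exit()`). `main()` starts and ends outside this hunk, so the handling after the `print` cannot be confirmed here. Separately, the `//检测…` comment lines this commit inserts between the old and new `"query"` entries of the detection-rule lists further down are valid in neither JSON nor Python — if those rules are loaded with `json.load` as the `--rules` help text suggests, the file will no longer parse and every detection in it is silently lost, so carry that text in a `"description"` key of each rule object instead of a line comment.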
"query":"SELECT * FROM events WHERE UserAgent LIKE '%python%' OR UserAgent LIKE '%ruler%' OR UserAgent LIKE '%curl%' OR UserAgent LIKE '%Wget%' OR UserAgent LIKE '%python-requests%' OR UserAgent LIKE '%AADInternals%' OR UserAgent LIKE '%azurehound%' OR UserAgent LIKE '%axios%' OR UserAgent LIKE '%BAV2ROPC%'",
//检测UserAgent字段中包含可疑字符串的事件,这些字符串可能是自动化脚本或工具的标识
"query":"SELECT * FROM events WHERE UserAgent LIKE '%python%' OR UserAgent LIKE '%ruler%' OR UserAgent LIKE '%curl%' OR UserAgent LIKE '%Wget%' OR UserAgent LIKE '%python-requests%' OR UserAgent LIKE '%AADInternals%' OR UserAgent LIKE '%azurehound%' OR UserAgent LIKE '%axios%' OR UserAgent LIKE '%BAV2ROPC%' "
},
{
"name":"User adding or removing Inbox Rule",
"severity":"Medium",
"query":"SELECT * FROM events WHERE Operation LIKE '%InboxRule%' OR Operation LIKE 'Set-Mailbox' OR Operation LIKE '%DeliverToMailboxAndForward%' OR Operation LIKE '%ForwardingAddress%' OR Operation LIKE '%ForwardingAddress%'",
//检测与用户邮箱规则设置相关的操作,包括添加、删除邮箱规则等
"query":"SELECT * FROM events WHERE Operation LIKE '%InboxRule%' OR Operation LIKE 'Set-Mailbox' OR Operation LIKE '%DeliverToMailboxAndForward%' OR Operation LIKE '%ForwardingAddress%' OR Operation LIKE '%ForwardingAddress%' "
},
{
"name":"After Hours Activity",
"severity":"Medium",
"query":"SELECT * FROM events WHERE (CASE WHEN CAST(substr(CreationTime, 12, 2) AS INTEGER) < 0 THEN 24 + (CAST(substr(CreationTime, 12, 2) AS INTEGER)) ELSE CAST(substr(CreationTime, 12, 2) AS INTEGER) END >= 20 OR CASE WHEN CAST(substr(CreationTime, 12, 2) AS INTEGER) < 0 THEN 24 + (CAST(substr(CreationTime, 12, 2) AS INTEGER)) ELSE CAST(substr(CreationTime, 12, 2) AS INTEGER) END < 6) AND NOT (Operation LIKE 'File%' OR Operation LIKE 'List%' OR Operation LIKE 'Page%' OR Operation LIKE '%UserLogin%');",
"query":"SELECT * FROM events WHERE (CASE WHEN CAST(substr(CreationTime, 12, 2) AS INTEGER) < 0 THEN 24 + (CAST(substr(CreationTime, 12, 2) AS INTEGER)) ELSE CAST(substr(CreationTime, 12, 2) AS INTEGER) END >= 20 OR CASE WHEN CAST(substr(CreationTime, 12, 2) AS INTEGER) < 0 THEN 24 + (CAST(substr(CreationTime, 12, 2) AS INTEGER)) ELSE CAST(substr(CreationTime, 12, 2) AS INTEGER) END < 6) AND NOT (Operation LIKE 'File%' OR Operation LIKE 'List%' OR Operation LIKE 'Page%' OR Operation LIKE '%UserLogin%');"
},
{
"name":"Possible file exfiltration",
"severity":"Low",
"query":"SELECT * FROM events WHERE Operation LIKE '%FileUploaded%'",
//检测可能的文件外泄活动,即包含文件上传操作的事件
"query":"SELECT * FROM events WHERE Operation LIKE '%FileUploaded%' "
},
{
"name":"Admin searching in emails of other users",
"severity":"Low",
"query":"SELECT * FROM events WHERE Operation LIKE '%SearchStarted%' OR Operation LIKE '%SearchExportDownloaded%' OR Operation LIKE '%ViewedSearchExported%'",
//检测管理员搜索或导出其他用户邮箱内容的操作
"query":"SELECT * FROM events WHERE Operation LIKE '%SearchStarted%' OR Operation LIKE '%SearchExportDownloaded%' OR Operation LIKE '%ViewedSearchExported%' "
},
{
"name":"Strong Authentication Disabled",
"severity":"medium",
"query":"SELECT * FROM events WHERE Operation LIKE '%disable strong authentication%'",
//检测禁用强身份验证的操作
"query":"SELECT * FROM events WHERE Operation LIKE '%disable strong authentication%'"
},
{
"name":"User added to admin group",
"severity":"High",
"query":"SELECT * FROM events WHERE ( Operation LIKE '%add member to group%' AND ModifiedProperties Like '%admin%') OR ( Operation LIKE '%AddedToGroup%' AND TargetUserOrGroupName Like '%admin%')",
//检测用户被添加到管理员组的操作
"query":"SELECT * FROM events WHERE ( Operation LIKE '%add member to group%' AND ModifiedProperties Like '%admin%') OR ( Operation LIKE '%AddedToGroup%' AND TargetUserOrGroupName Like '%admin%') "
},
{
"name":"New Policy created",
"severity":"Medium",
"query":"SELECT * FROM events WHERE ( Operation LIKE '%add policy%' )",
//检测创建新策略的操作
"query":"SELECT * FROM events WHERE ( Operation LIKE '%add policy%' ) "
},
{
"name":"Security Alert triggered",
"severity":"Medium",
"query":"SELECT * FROM events WHERE ( Operation LIKE '%AlertTriggered%' AND NOT Severity Like '%Low%')",
//检测触发的安全警报,排除低严重性的警报
"query":"SELECT * FROM events WHERE ( Operation LIKE '%AlertTriggered%' AND NOT Severity Like '%Low%') "
},
{
"name":"Transport rules ( mail flow rules ) modified",
"severity":"High",
"query":"SELECT * FROM events WHERE ( Operation LIKE '%TransportRule%' )",
//检测修改传输规则(邮件流规则)的操作
"query":"SELECT * FROM events WHERE ( Operation LIKE '%TransportRule%') "
},
{
"name":"An application was registered in Azure AD",
"severity":"Medium",
"query":"SELECT * FROM events WHERE ( Operation LIKE '%Add service principal.%')",
//检测在AzureAD中注册新应用(服务主体)的操作
"query":"SELECT * FROM events WHERE ( Operation LIKE '%Add service principal.%') "
},
{
"name":"Add app role assignment grant to user",
"severity":"Medium",
"query":"SELECT * FROM events WHERE ( Operation LIKE '%Add app role assignment grant to user.%')",
//检测向用户授予应用角色分配的操作
"query":"SELECT * FROM events WHERE ( Operation LIKE '%Add app role assignment grant to user.%') "
},
{
"name":"eDiscovery Abuse",
"severity":"High",
"query":"SELECT * FROM events WHERE ( Operation LIKE '%New-ComplianceSearch%')",
//检测新建合规搜索(eDiscovery)的操作
"query":"SELECT * FROM events WHERE ( Operation LIKE '%New-ComplianceSearch%') "
},
{
"name":"Operations affecting OAuth Applications",
"severity":"Medium",
"query":"SELECT * FROM events WHERE ( Operation = 'Add application.' OR Operation = 'Update application' OR Operation = 'Add service principal.' OR Operation = 'Update application Certificates and secrets management' OR Operation = 'Update applicationUpdate service principal.' OR Operation = 'Add app role assignment grant to user.' OR Operation = 'Add delegated permission grant.' OR Operation = 'Add owner to application.' OR Operation = 'Add owner to service principal.')",
//检测影响OAuth应用的操作,包括添加、更新应用、证书和密钥管理、添加角色分配、权限授予等
"query":"SELECT * FROM events WHERE ( Operation = 'Add application.' OR Operation = 'Update application' OR Operation = 'Add service principal.' OR Operation = 'Update application Certificates and secrets management' OR Operation = 'Update applicationUpdate service principal.' OR Operation = 'Add app role assignment grant to user.' OR Operation = 'Add delegated permission grant.' OR Operation = 'Add owner to application.' OR Operation = 'Add owner to service principal.') "
},
{
"name":"Suspicious Operations affecting Mailbox",
"name":"Suspicious Operations affecting Mailbox",
"severity":"Medium",
"query":"SELECT * FROM events WHERE ( Operation = 'Set-MailboxJunkEmailConfiguration' OR Operation = 'SoftDelete' OR Operation = 'SendAs' OR Operation = 'HardDelete' OR Operation = 'MoveToDeletedItems' )",
//检测对邮箱进行可疑操作的事件,包括设置垃圾邮件配置、软删除、发送邮件、硬删除、移动到删除项等
"query":"SELECT * FROM events WHERE ( Operation = 'Set-MailboxJunkEmailConfiguration' OR Operation = 'SoftDelete' OR Operation = 'SendAs' OR Operation = 'HardDelete' OR Operation = 'MoveToDeletedItems' ) "
"query":"SELECT * FROM events WHERE ( Operation = 'AddedToSecureLink' OR Operation = 'SearchQueryPerformed' OR Operation = 'SecureLinkCreated' OR Operation = 'SecureLinkUpdated' OR Operation = 'SharingInvitationCreated' )",
"query":"SELECT * FROM events WHERE ( Operation = 'AddedToSecureLink' OR Operation = 'SearchQueryPerformed' OR Operation = 'SecureLinkCreated' OR Operation = 'SecureLinkUpdated' OR Operation = 'SharingInvitationCreated' ) "
},
{
"name":"User Modifying RetentionPolicy",
"name":"User Modifying RetentionPolicy",
"severity":"High",
"query":"SELECT * FROM events WHERE ( Operation LIKE '%UnifiedAuditLogRetentionPolicy%' )",
//检测用户修改统一审核日志保留策略的操作
"query":"SELECT * FROM events WHERE ( Operation LIKE '%UnifiedAuditLogRetentionPolicy%' ) "
},
{
"name":"User Modifying Audit Logging",
"name":"User Modifying Audit Logging",
"severity":"High",
"query":"SELECT * FROM events WHERE ( Operation LIKE '%AdminAuditLogConfig%' )",
//检测用户修改管理员审核日志配置的操作
"query":"SELECT * FROM events WHERE ( Operation LIKE '%AdminAuditLogConfig%' ) "
},
{
"name":"String Authentication Disabled",
"name":"String Authentication Disabled",
"severity":"High",
"query":"SELECT * FROM events WHERE ( Operation LIKE '%Disable Strong Authentication.%' )",
//检测禁用强身份验证的操作
"query":"SELECT * FROM events WHERE ( Operation LIKE '%Disable Strong Authentication.%' ) "
"SELECT * FROM Events WHERE (EventID IN ('17', '18') AND ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\'))"
],
"filename":"pipe_created_mal_cobaltstrike.yml"
@ -328,7 +327,6 @@
],
"level":"critical",
"rule":[
//检测特定命名管道,这些管道常被用于凭据转储工具
"SELECT * FROM Events WHERE (EventID IN ('17', '18') AND (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\'))"