issue2

源代码阅读注释2
7 months ago · bf5a070658
parent 8bc3507637 7424167841
commit bf5a070658
5 changed files with 83 additions and 33 deletions
--- a/lly.txt
+++ b/lly.txt
@ -0,0 +1 @@
 aaaa
--- a/src/Custom-Sigma-Convertor.sh
+++ b/src/Custom-Sigma-Convertor.sh
@ -1,15 +1,24 @@
 #!/bin/bash
-
+# 检查脚本是否只有一个参数输入
 if [ "$#" -ne 1 ]; then
  echo "Please enter rules path as argument "
  exit 1
 fi
-
+# 输出正在克隆Sigma转换工具的信息
 echo "Getting Sigma Converter Toot"
 # 使用git克隆SigmaHQ的legacy-sigmatools仓库到当前目录
 git clone https://github.com/SigmaHQ/legacy-sigmatools.git
 # 输出正在转换sigma规则的信息
 echo "Converting sigma rules "
-
+# 执行Sigma转换工具，将sigma规则文件转换为json格式
 # --recurse: 递归处理指定目录下的所有规则文件
 # --target sqlite: 指定转换的目标格式为sqlite
 # --backend-option table=Events: 指定输出的表名为Events
 # -d $1: 指定sigma规则文件的目录为脚本的第一个参数
 # -c lib/config/sigma-converter-rules-config.yml: 指定配置文件路径
 # -o rules.json: 指定输出文件名为rules.json
 # --output-fields: 指定输出的字段内容
 legacy-sigmatools/tools/sigmac --recurse --target sqlite  --backend-option table=Events --output-format json -d $1 -c lib/config/sigma-converter-rules-config.yml -o rules.json --output-fields title,id,description,author,tags,level,falsepositives,filename,status
-
+# 输出转换完成的信息，包括生成的文件名
 echo "Rules created with file name : rules.json "
--- a/src/Get_Latest_Sigma_Rules.sh
+++ b/src/Get_Latest_Sigma_Rules.sh
@ -1,11 +1,23 @@
 #!/bin/bash
 # 输出转换完成的信息，包括生成的文件名
 echo "Getting Sigma Converter Toot"
 # 使用git克隆SigmaHQ的legacy-sigmatools仓库到当前目录
 git clone https://github.com/SigmaHQ/legacy-sigmatools.git
 # 使用git克隆SigmaHQ的legacy-sigmatools仓库到当前目录
 echo "Getting Sigma Rules"
 # 使用git克隆SigmaHQ的legacy-sigmatools仓库到当前目录
 git clone https://github.com/SigmaHQ/sigma.git
 # 输出正在转换sigma规则的信息
 echo "Converting sigma rules "
-
+# 执行Sigma转换工具，将sigma规则文件转换为json格式
 # --recurse: 递归处理指定目录下的所有规则文件
 # --target sqlite: 指定转换的目标格式为sqlite
 # --backend-option table=Events: 指定输出的表名为Events
 # -d sigma/rules/windows/: 指定sigma规则文件的目录为sigma仓库中的windows规则目录
 # -c lib/config/sigma-converter-rules-config.yml: 指定配置文件路径
 # -o rules.json: 指定输出文件名为rules.json
 # --output-fields: 指定输出的字段内容
 legacy-sigmatools/tools/sigmac --recurse --target sqlite  --backend-option table=Events --output-format json -d sigma/rules/windows/ -c lib/config/sigma-converter-rules-config.yml -o rules.json --output-fields title,id,description,author,tags,level,falsepositives,filename,status
-
+# 输出转换完成的信息，包括生成的文件名
 echo "Rules created with file name : rules.json "
--- a/src/O365_detection_rules.json
+++ b/src/O365_detection_rules.json
@ -2,98 +2,115 @@
    {
        "name": "Suspicious User Agent",
        "severity": "High",
-        "query": "SELECT * FROM events WHERE UserAgent LIKE '%python%' OR UserAgent LIKE '%ruler%' OR UserAgent LIKE '%curl%' OR UserAgent LIKE '%Wget%' OR UserAgent LIKE '%python-requests%' OR UserAgent LIKE '%AADInternals%' OR UserAgent LIKE '%azurehound%' OR UserAgent LIKE '%axios%' OR UserAgent LIKE '%BAV2ROPC%' "
+        "query": "SELECT * FROM events WHERE UserAgent LIKE '%python%' OR UserAgent LIKE '%ruler%' OR UserAgent LIKE '%curl%' OR UserAgent LIKE '%Wget%' OR UserAgent LIKE '%python-requests%' OR UserAgent LIKE '%AADInternals%' OR UserAgent LIKE '%azurehound%' OR UserAgent LIKE '%axios%' OR UserAgent LIKE '%BAV2ROPC%'",
        // 检测UserAgent字段中包含可疑字符串的事件，这些字符串可能是自动化脚本或工具的标识
    },
    {
        "name": "User adding or removing Inbox Rule",
        "severity": "Medium",
-        "query": "SELECT * FROM events WHERE Operation LIKE '%InboxRule%' OR Operation LIKE 'Set-Mailbox' OR Operation LIKE '%DeliverToMailboxAndForward%' OR Operation LIKE '%ForwardingAddress%' OR Operation LIKE '%ForwardingAddress%'  "
+        "query": "SELECT * FROM events WHERE Operation LIKE '%InboxRule%' OR Operation LIKE 'Set-Mailbox' OR Operation LIKE '%DeliverToMailboxAndForward%' OR Operation LIKE '%ForwardingAddress%' OR Operation LIKE '%ForwardingAddress%'",
        // 检测与用户邮箱规则设置相关的操作，包括添加、删除邮箱规则等
    },
    {
        "name": "After Hours Activity",
        "severity": "Medium",
-        "query": "SELECT * FROM events WHERE (CASE WHEN CAST(substr(CreationTime, 12, 2) AS INTEGER) < 0 THEN 24 + (CAST(substr(CreationTime, 12, 2) AS INTEGER)) ELSE CAST(substr(CreationTime, 12, 2) AS INTEGER) END >= 20 OR CASE WHEN CAST(substr(CreationTime, 12, 2) AS INTEGER) < 0 THEN 24 + (CAST(substr(CreationTime, 12, 2) AS INTEGER)) ELSE CAST(substr(CreationTime, 12, 2) AS INTEGER) END < 6) AND NOT (Operation LIKE 'File%' OR Operation LIKE 'List%' OR Operation LIKE 'Page%' OR Operation LIKE '%UserLogin%');"
+        "query": "SELECT * FROM events WHERE (CASE WHEN CAST(substr(CreationTime, 12, 2) AS INTEGER) < 0 THEN 24 + (CAST(substr(CreationTime, 12, 2) AS INTEGER)) ELSE CAST(substr(CreationTime, 12, 2) AS INTEGER) END >= 20 OR CASE WHEN CAST(substr(CreationTime, 12, 2) AS INTEGER) < 0 THEN 24 + (CAST(substr(CreationTime, 12, 2) AS INTEGER)) ELSE CAST(substr(CreationTime, 12, 2) AS INTEGER) END < 6) AND NOT (Operation LIKE 'File%' OR Operation LIKE 'List%' OR Operation LIKE 'Page%' OR Operation LIKE '%UserLogin%');",
        // 检测在非工作时间（晚上8点到早上6点之间）发生的活动，排除与文件、列表、页面或用户登录相关的操作
    },
    {
        "name": "Possible file exfiltration",
        "severity": "Low",
-        "query": "SELECT * FROM events WHERE Operation LIKE '%FileUploaded%' "
+        "query": "SELECT * FROM events WHERE Operation LIKE '%FileUploaded%'",
        //检测可能的文件外泄活动，即包含文件上传操作的事件
    },
    {
        "name": "Admin searching in emails of other users",
        "severity": "Low",
-        "query": "SELECT * FROM events WHERE Operation LIKE '%SearchStarted%' OR  Operation LIKE '%SearchExportDownloaded%' OR  Operation LIKE '%ViewedSearchExported%' "
+        "query": "SELECT * FROM events WHERE Operation LIKE '%SearchStarted%' OR  Operation LIKE '%SearchExportDownloaded%' OR  Operation LIKE '%ViewedSearchExported%'",
        // 检测管理员搜索或导出其他用户邮箱内容的操作
    },
    {
        "name": "Strong Authentication Disabled",
        "severity": "medium",
-        "query": "SELECT * FROM events WHERE Operation LIKE '%disable strong authentication%'"
+        "query": "SELECT * FROM events WHERE Operation LIKE '%disable strong authentication%'",
        // 检测禁用强身份验证的操作
    },
    {
        "name": "User added to admin group",
        "severity": "High",
-        "query": "SELECT * FROM events WHERE ( Operation LIKE '%add member to group%' AND ModifiedProperties Like '%admin%') OR ( Operation LIKE '%AddedToGroup%' AND TargetUserOrGroupName Like '%admin%')  "
+        "query": "SELECT * FROM events WHERE ( Operation LIKE '%add member to group%' AND ModifiedProperties Like '%admin%') OR ( Operation LIKE '%AddedToGroup%' AND TargetUserOrGroupName Like '%admin%')",
        // 检测用户被添加到管理员组的操作
    },
    {
        "name": "New Policy created",
        "severity": "Medium",
-        "query": "SELECT * FROM events WHERE ( Operation LIKE '%add policy%' ) "
+        "query": "SELECT * FROM events WHERE ( Operation LIKE '%add policy%' )",
        // 检测创建新策略的操作
    },
    {
        "name": "Security Alert triggered",
        "severity": "Medium",
-        "query": "SELECT * FROM events WHERE ( Operation LIKE '%AlertTriggered%' AND NOT Severity Like '%Low%') "
+        "query": "SELECT * FROM events WHERE ( Operation LIKE '%AlertTriggered%' AND NOT Severity Like '%Low%')",
        // 检测触发的安全警报，排除低严重性的警报
    },
    {
        "name": "Transport rules ( mail flow rules ) modified",
        "severity": "High",
-        "query": "SELECT * FROM events WHERE ( Operation LIKE '%TransportRule%') "
+        "query": "SELECT * FROM events WHERE ( Operation LIKE '%TransportRule%' )",
        // 检测修改传输规则（邮件流规则）的操作
    },
    {
        "name": "An application was registered in Azure AD",
        "severity": "Medium",
-        "query": "SELECT * FROM events WHERE ( Operation LIKE '%Add service principal.%') "
+        "query": "SELECT * FROM events WHERE ( Operation LIKE '%Add service principal.%')",
        // 检测在Azure AD中注册新应用（服务主体）的操作
    },
    {
        "name": "Add app role assignment grant to user",
        "severity": "Medium",
-        "query": "SELECT * FROM events WHERE ( Operation LIKE '%Add app role assignment grant to user.%') "
+        "query": "SELECT * FROM events WHERE ( Operation LIKE '%Add app role assignment grant to user.%')",
        // 检测向用户授予应用角色分配的操作
    },
    {
        "name": "eDiscovery Abuse",
        "severity": "High",
-        "query": "SELECT * FROM events WHERE ( Operation LIKE '%New-ComplianceSearch%') "
+        "query": "SELECT * FROM events WHERE ( Operation LIKE '%New-ComplianceSearch%')",
        // 检测新建合规搜索（eDiscovery）的操作
    },
    {
        "name": "Operations affecting OAuth Applications",
        "severity": "Medium",
-        "query": "SELECT * FROM events WHERE ( Operation = 'Add application.' OR Operation = 'Update application' OR Operation = 'Add service principal.' OR Operation = 'Update application Certificates and secrets management' OR Operation = 'Update applicationUpdate service principal.' OR Operation = 'Add app role assignment grant to user.' OR Operation = 'Add delegated permission grant.' OR Operation = 'Add owner to application.' OR Operation = 'Add owner to service principal.') "
+        "query": "SELECT * FROM events WHERE ( Operation = 'Add application.' OR Operation = 'Update application' OR Operation = 'Add service principal.' OR Operation = 'Update application Certificates and secrets management' OR Operation = 'Update applicationUpdate service principal.' OR Operation = 'Add app role assignment grant to user.' OR Operation = 'Add delegated permission grant.' OR Operation = 'Add owner to application.' OR Operation = 'Add owner to service principal.')",
        // 检测影响OAuth应用的操作，包括添加、更新应用、证书和密钥管理、添加角色分配、权限授予等
    },
    {
-        "name": "Suspicious Operations affecting Mailbox ",
+        "name": "Suspicious Operations affecting Mailbox",
        "severity": "Medium",
-        "query": "SELECT * FROM events WHERE ( Operation = 'Set-MailboxJunkEmailConfiguration' OR Operation = 'SoftDelete' OR Operation = 'SendAs' OR Operation = 'HardDelete' OR Operation = 'MoveToDeletedItems' ) "
+        "query": "SELECT * FROM events WHERE ( Operation = 'Set-MailboxJunkEmailConfiguration' OR Operation = 'SoftDelete' OR Operation = 'SendAs' OR Operation = 'HardDelete' OR Operation = 'MoveToDeletedItems' )",
        // 检测对邮箱进行可疑操作的事件，包括设置垃圾邮件配置、软删除、发送邮件、硬删除、移动到删除项等
    },
    {
-        "name": "Suspicious Operations affecting SharePoint ",
+        "name": "Suspicious Operations affecting SharePoint",
        "severity": "Medium",
-        "query": "SELECT * FROM events WHERE ( Operation = 'AddedToSecureLink' OR Operation = 'SearchQueryPerformed' OR Operation = 'SecureLinkCreated' OR Operation = 'SecureLinkUpdated' OR Operation = 'SharingInvitationCreated' ) "
+        "query": "SELECT * FROM events WHERE ( Operation = 'AddedToSecureLink' OR Operation = 'SearchQueryPerformed' OR Operation = 'SecureLinkCreated' OR Operation = 'SecureLinkUpdated' OR Operation = 'SharingInvitationCreated' )",
        // 检测对SharePoint进行可疑操作的事件，包括添加到安全链接、执行搜索查询、创建安全链接、更新安全链接、创建共享邀请等
    },
    {
-        "name": "User Modifying RetentionPolicy ",
+        "name": "User Modifying RetentionPolicy",
        "severity": "High",
-        "query": "SELECT * FROM events WHERE ( Operation LIKE '%UnifiedAuditLogRetentionPolicy%' ) "
+        "query": "SELECT * FROM events WHERE ( Operation LIKE '%UnifiedAuditLogRetentionPolicy%' )",
        // 检测用户修改统一审核日志保留策略的操作
    },
    {
-        "name": "User Modifying Audit Logging ",
+        "name": "User Modifying Audit Logging",
        "severity": "High",
-        "query": "SELECT * FROM events WHERE ( Operation LIKE '%AdminAuditLogConfig%' ) "
+        "query": "SELECT * FROM events WHERE ( Operation LIKE '%AdminAuditLogConfig%' )",
        // 检测用户修改管理员审核日志配置的操作
    },
    {
-        "name": "String Authentication Disabled ",
+        "name": "String Authentication Disabled",
        "severity": "High",
-        "query": "SELECT * FROM events WHERE ( Operation LIKE '%Disable Strong Authentication.%' ) "
+        "query": "SELECT * FROM events WHERE ( Operation LIKE '%Disable Strong Authentication.%' )",
        // 检测禁用强身份验证的操作
    }
-
+]
 ]
--- a/src/rules.json
+++ b/src/rules.json
@ -305,6 +305,7 @@
        ],
        "level": "critical",
        "rule": [
            // 检测特定模式的命名管道，这些模式常被CobaltStrike使用
            "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\'))"
        ],
        "filename": "pipe_created_mal_cobaltstrike.yml"
@ -327,6 +328,7 @@
        ],
        "level": "critical",
        "rule": [
            // 检测特定命名管道，这些管道常被用于凭据转储工具
            "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\'))"
        ],
        "filename": "pipe_created_cred_dump_tools_named_pipes.yml"
@ -347,10 +349,16 @@
        ],
        "level": "low",
        "rule": [
            // 检测PsExec默认命名管道的创建
            "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\')"
        ],
        "filename": "pipe_created_psexec_default_pipe.yml"
    },
     // 检测CobaltStrike、凭据转储工具和PsExec使用的默认命名管道
    // 这些规则通过监控特定事件ID中的命名管道活动来识别潜在的恶意行为
    // CobaltStrike的命名管道模式包括特定的前缀和后缀，用于隐藏其活动
    // 凭据转储工具的命名管道模式如lsadump、cachedump和wceservicepipe，用于执行凭据转储操作
    // PsExec的默认命名管道PSEXESVC用于服务安装和执行，常被用于横向移动和提权
    {
        "title": "PAExec Default Named Pipe",
        "id": "f6451de4-df0a-41fa-8d72-b39f54a08db5",
@ -39208,3 +39216,6 @@
        "filename": "raw_access_thread_disk_access_using_illegitimate_tools.yml"
    }
 ]
    // 检测PsExec默认命名管道的创建，这可能是PsExec服务安装和执行的迹象
    // 该规则监控特定事件ID中的命名管道活动，特别关注名为PSEXESVC的管道
    // 由于PsExec常被用于横向移动和命令执行，因此该检测可以帮助识别潜在的恶意活动