From c32c950dc4466c52e82541ab5be02de8f6112e1b Mon Sep 17 00:00:00 2001 From: lly <2331981153@qq.com> Date: Mon, 16 Dec 2024 21:31:15 +0800 Subject: [PATCH 1/2] lly first time --- lly.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 lly.txt diff --git a/lly.txt b/lly.txt new file mode 100644 index 0000000..5d308e1 --- /dev/null +++ b/lly.txt @@ -0,0 +1 @@ +aaaa -- 2.34.1 From 7424167841c0a8ac18cd6e14cbecad659b0010ee Mon Sep 17 00:00:00 2001 From: lly <2331981153@qq.com> Date: Tue, 24 Dec 2024 22:11:25 +0800 Subject: [PATCH 2/2] finish --- src/Custom-Sigma-Convertor.sh | 17 +++++++-- src/Get_Latest_Sigma_Rules.sh | 16 +++++++- src/O365_detection_rules.json | 71 ++++++++++++++++++++++------------- src/rules.json | 11 ++++++ 4 files changed, 82 insertions(+), 33 deletions(-) diff --git a/src/Custom-Sigma-Convertor.sh b/src/Custom-Sigma-Convertor.sh index 3eec041..a26da3e 100644 --- a/src/Custom-Sigma-Convertor.sh +++ b/src/Custom-Sigma-Convertor.sh @@ -1,15 +1,24 @@ #!/bin/bash - +# 检查脚本是否只有一个参数输入 if [ "$#" -ne 1 ]; then echo "Please enter rules path as argument " exit 1 fi - +# 输出正在克隆Sigma转换工具的信息 echo "Getting Sigma Converter Toot" +# 使用git克隆SigmaHQ的legacy-sigmatools仓库到当前目录 git clone https://github.com/SigmaHQ/legacy-sigmatools.git +# 输出正在转换sigma规则的信息 echo "Converting sigma rules " - +# 执行Sigma转换工具,将sigma规则文件转换为json格式 +# --recurse: 递归处理指定目录下的所有规则文件 +# --target sqlite: 指定转换的目标格式为sqlite +# --backend-option table=Events: 指定输出的表名为Events +# -d $1: 指定sigma规则文件的目录为脚本的第一个参数 +# -c lib/config/sigma-converter-rules-config.yml: 指定配置文件路径 +# -o rules.json: 指定输出文件名为rules.json +# --output-fields: 指定输出的字段内容 legacy-sigmatools/tools/sigmac --recurse --target sqlite --backend-option table=Events --output-format json -d $1 -c lib/config/sigma-converter-rules-config.yml -o rules.json --output-fields title,id,description,author,tags,level,falsepositives,filename,status - +# 输出转换完成的信息,包括生成的文件名 echo "Rules created with file name : rules.json " 
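Review bot: `lly.txt` with the single line `aaaa` reads as a scratch file committed by accident rather than part of the tool; nothing in the second patch refers to it. Either drop it from the series or give it a name and content that say what it is for.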
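Review bot: The rules path is still passed unquoted as `-d $1` in the sigmac invocation, so a directory name containing spaces or glob characters is split into several arguments; quote it as `-d "$1"` and let the new `# -d $1:` comment say the same. The `git clone` of legacy-sigmatools is unpinned and unconditional: the script executes whatever is on that repository's default branch at run time, and a second run fails because the directory already exists, so consider cloning a fixed tag or commit and skipping the clone when `legacy-sigmatools/` is already present; the same applies to both clones in src/Get_Latest_Sigma_Rules.sh. The added comments are in Chinese while the script's own messages are in English; keeping one language for comments would help later readers.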
diff --git a/src/Get_Latest_Sigma_Rules.sh b/src/Get_Latest_Sigma_Rules.sh index 950bb0d..5ab6730 100644 --- a/src/Get_Latest_Sigma_Rules.sh +++ b/src/Get_Latest_Sigma_Rules.sh @@ -1,11 +1,23 @@ #!/bin/bash +# 输出转换完成的信息,包括生成的文件名 echo "Getting Sigma Converter Toot" +# 使用git克隆SigmaHQ的legacy-sigmatools仓库到当前目录 git clone https://github.com/SigmaHQ/legacy-sigmatools.git +# 使用git克隆SigmaHQ的legacy-sigmatools仓库到当前目录 echo "Getting Sigma Rules" +# 使用git克隆SigmaHQ的legacy-sigmatools仓库到当前目录 git clone https://github.com/SigmaHQ/sigma.git +# 输出正在转换sigma规则的信息 echo "Converting sigma rules " - +# 执行Sigma转换工具,将sigma规则文件转换为json格式 +# --recurse: 递归处理指定目录下的所有规则文件 +# --target sqlite: 指定转换的目标格式为sqlite +# --backend-option table=Events: 指定输出的表名为Events +# -d sigma/rules/windows/: 指定sigma规则文件的目录为sigma仓库中的windows规则目录 +# -c lib/config/sigma-converter-rules-config.yml: 指定配置文件路径 +# -o rules.json: 指定输出文件名为rules.json +# --output-fields: 指定输出的字段内容 legacy-sigmatools/tools/sigmac --recurse --target sqlite --backend-option table=Events --output-format json -d sigma/rules/windows/ -c lib/config/sigma-converter-rules-config.yml -o rules.json --output-fields title,id,description,author,tags,level,falsepositives,filename,status - +# 输出转换完成的信息,包括生成的文件名 echo "Rules created with file name : rules.json " diff --git a/src/O365_detection_rules.json b/src/O365_detection_rules.json index 265fd70..ff55e81 100644 --- a/src/O365_detection_rules.json +++ b/src/O365_detection_rules.json 
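Review bot: Several of the added comments do not describe the line they annotate: the first one, `# 输出转换完成的信息,包括生成的文件名` ("print the conversion-complete message"), sits above `echo "Getting Sigma Converter Toot"`, and `# 使用git克隆SigmaHQ的legacy-sigmatools仓库到当前目录` is pasted three times, including above `echo "Getting Sigma Rules"` and above the clone of `sigma.git`. A comment that contradicts its line is worse than none; the one above the sigma clone should read along the lines of `# Clone the SigmaHQ rule repository`, and the ones above the two echo lines should describe the status message or be dropped. The hard-coded `-d sigma/rules/windows/` is documented correctly, but a comment noting that only the Windows rule set is converted would save a reader from assuming the whole repository is covered.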
@@ -2,98 +2,115 @@ { "name": "Suspicious User Agent", "severity": "High", - "query": "SELECT * FROM events WHERE UserAgent LIKE '%python%' OR UserAgent LIKE '%ruler%' OR UserAgent LIKE '%curl%' OR UserAgent LIKE '%Wget%' OR UserAgent LIKE '%python-requests%' OR UserAgent LIKE '%AADInternals%' OR UserAgent LIKE '%azurehound%' OR UserAgent LIKE '%axios%' OR UserAgent LIKE '%BAV2ROPC%' " + "query": "SELECT * FROM events WHERE UserAgent LIKE '%python%' OR UserAgent LIKE '%ruler%' OR UserAgent LIKE '%curl%' OR UserAgent LIKE '%Wget%' OR UserAgent LIKE '%python-requests%' OR UserAgent LIKE '%AADInternals%' OR UserAgent LIKE '%azurehound%' OR UserAgent LIKE '%axios%' OR UserAgent LIKE '%BAV2ROPC%'", + // 检测UserAgent字段中包含可疑字符串的事件,这些字符串可能是自动化脚本或工具的标识 }, { "name": "User adding or removing Inbox Rule", "severity": "Medium", - "query": "SELECT * FROM events WHERE Operation LIKE '%InboxRule%' OR Operation LIKE 'Set-Mailbox' OR Operation LIKE '%DeliverToMailboxAndForward%' OR Operation LIKE '%ForwardingAddress%' OR Operation LIKE '%ForwardingAddress%' " + "query": "SELECT * FROM events WHERE Operation LIKE '%InboxRule%' OR Operation LIKE 'Set-Mailbox' OR Operation LIKE '%DeliverToMailboxAndForward%' OR Operation LIKE '%ForwardingAddress%' OR Operation LIKE '%ForwardingAddress%'", + // 检测与用户邮箱规则设置相关的操作,包括添加、删除邮箱规则等 }, { "name": "After Hours Activity", "severity": "Medium", - "query": "SELECT * FROM events WHERE (CASE WHEN CAST(substr(CreationTime, 12, 2) AS INTEGER) < 0 THEN 24 + (CAST(substr(CreationTime, 12, 2) AS INTEGER)) ELSE CAST(substr(CreationTime, 12, 2) AS INTEGER) END >= 20 OR CASE WHEN CAST(substr(CreationTime, 12, 2) AS INTEGER) < 0 THEN 24 + (CAST(substr(CreationTime, 12, 2) AS INTEGER)) ELSE CAST(substr(CreationTime, 12, 2) AS INTEGER) END < 6) AND NOT (Operation LIKE 'File%' OR Operation LIKE 'List%' OR Operation LIKE 'Page%' OR Operation LIKE '%UserLogin%');" + "query": "SELECT * FROM events WHERE (CASE WHEN CAST(substr(CreationTime, 12, 2) AS INTEGER) < 0 THEN 
24 + (CAST(substr(CreationTime, 12, 2) AS INTEGER)) ELSE CAST(substr(CreationTime, 12, 2) AS INTEGER) END >= 20 OR CASE WHEN CAST(substr(CreationTime, 12, 2) AS INTEGER) < 0 THEN 24 + (CAST(substr(CreationTime, 12, 2) AS INTEGER)) ELSE CAST(substr(CreationTime, 12, 2) AS INTEGER) END < 6) AND NOT (Operation LIKE 'File%' OR Operation LIKE 'List%' OR Operation LIKE 'Page%' OR Operation LIKE '%UserLogin%');", + // 检测在非工作时间(晚上8点到早上6点之间)发生的活动,排除与文件、列表、页面或用户登录相关的操作 }, { "name": "Possible file exfiltration", "severity": "Low", - "query": "SELECT * FROM events WHERE Operation LIKE '%FileUploaded%' " + "query": "SELECT * FROM events WHERE Operation LIKE '%FileUploaded%'", + //检测可能的文件外泄活动,即包含文件上传操作的事件 }, { "name": "Admin searching in emails of other users", "severity": "Low", - "query": "SELECT * FROM events WHERE Operation LIKE '%SearchStarted%' OR Operation LIKE '%SearchExportDownloaded%' OR Operation LIKE '%ViewedSearchExported%' " + "query": "SELECT * FROM events WHERE Operation LIKE '%SearchStarted%' OR Operation LIKE '%SearchExportDownloaded%' OR Operation LIKE '%ViewedSearchExported%'", + // 检测管理员搜索或导出其他用户邮箱内容的操作 }, { "name": "Strong Authentication Disabled", "severity": "medium", - "query": "SELECT * FROM events WHERE Operation LIKE '%disable strong authentication%'" + "query": "SELECT * FROM events WHERE Operation LIKE '%disable strong authentication%'", + // 检测禁用强身份验证的操作 }, { "name": "User added to admin group", "severity": "High", - "query": "SELECT * FROM events WHERE ( Operation LIKE '%add member to group%' AND ModifiedProperties Like '%admin%') OR ( Operation LIKE '%AddedToGroup%' AND TargetUserOrGroupName Like '%admin%') " + "query": "SELECT * FROM events WHERE ( Operation LIKE '%add member to group%' AND ModifiedProperties Like '%admin%') OR ( Operation LIKE '%AddedToGroup%' AND TargetUserOrGroupName Like '%admin%')", + // 检测用户被添加到管理员组的操作 }, { "name": "New Policy created", "severity": "Medium", - "query": "SELECT * FROM events WHERE ( Operation LIKE '%add 
policy%' ) " + "query": "SELECT * FROM events WHERE ( Operation LIKE '%add policy%' )", + // 检测创建新策略的操作 }, { "name": "Security Alert triggered", "severity": "Medium", - "query": "SELECT * FROM events WHERE ( Operation LIKE '%AlertTriggered%' AND NOT Severity Like '%Low%') " + "query": "SELECT * FROM events WHERE ( Operation LIKE '%AlertTriggered%' AND NOT Severity Like '%Low%')", + // 检测触发的安全警报,排除低严重性的警报 }, { "name": "Transport rules ( mail flow rules ) modified", "severity": "High", - "query": "SELECT * FROM events WHERE ( Operation LIKE '%TransportRule%') " + "query": "SELECT * FROM events WHERE ( Operation LIKE '%TransportRule%' )", + // 检测修改传输规则(邮件流规则)的操作 }, { "name": "An application was registered in Azure AD", "severity": "Medium", - "query": "SELECT * FROM events WHERE ( Operation LIKE '%Add service principal.%') " + "query": "SELECT * FROM events WHERE ( Operation LIKE '%Add service principal.%')", + // 检测在Azure AD中注册新应用(服务主体)的操作 }, { "name": "Add app role assignment grant to user", "severity": "Medium", - "query": "SELECT * FROM events WHERE ( Operation LIKE '%Add app role assignment grant to user.%') " + "query": "SELECT * FROM events WHERE ( Operation LIKE '%Add app role assignment grant to user.%')", + // 检测向用户授予应用角色分配的操作 }, { "name": "eDiscovery Abuse", "severity": "High", - "query": "SELECT * FROM events WHERE ( Operation LIKE '%New-ComplianceSearch%') " + "query": "SELECT * FROM events WHERE ( Operation LIKE '%New-ComplianceSearch%')", + // 检测新建合规搜索(eDiscovery)的操作 }, { "name": "Operations affecting OAuth Applications", "severity": "Medium", - "query": "SELECT * FROM events WHERE ( Operation = 'Add application.' OR Operation = 'Update application' OR Operation = 'Add service principal.' OR Operation = 'Update application Certificates and secrets management' OR Operation = 'Update applicationUpdate service principal.' OR Operation = 'Add app role assignment grant to user.' OR Operation = 'Add delegated permission grant.' 
OR Operation = 'Add owner to application.' OR Operation = 'Add owner to service principal.') " + "query": "SELECT * FROM events WHERE ( Operation = 'Add application.' OR Operation = 'Update application' OR Operation = 'Add service principal.' OR Operation = 'Update application Certificates and secrets management' OR Operation = 'Update applicationUpdate service principal.' OR Operation = 'Add app role assignment grant to user.' OR Operation = 'Add delegated permission grant.' OR Operation = 'Add owner to application.' OR Operation = 'Add owner to service principal.')", + // 检测影响OAuth应用的操作,包括添加、更新应用、证书和密钥管理、添加角色分配、权限授予等 }, { - "name": "Suspicious Operations affecting Mailbox ", + "name": "Suspicious Operations affecting Mailbox", "severity": "Medium", - "query": "SELECT * FROM events WHERE ( Operation = 'Set-MailboxJunkEmailConfiguration' OR Operation = 'SoftDelete' OR Operation = 'SendAs' OR Operation = 'HardDelete' OR Operation = 'MoveToDeletedItems' ) " + "query": "SELECT * FROM events WHERE ( Operation = 'Set-MailboxJunkEmailConfiguration' OR Operation = 'SoftDelete' OR Operation = 'SendAs' OR Operation = 'HardDelete' OR Operation = 'MoveToDeletedItems' )", + // 检测对邮箱进行可疑操作的事件,包括设置垃圾邮件配置、软删除、发送邮件、硬删除、移动到删除项等 }, { - "name": "Suspicious Operations affecting SharePoint ", + "name": "Suspicious Operations affecting SharePoint", "severity": "Medium", - "query": "SELECT * FROM events WHERE ( Operation = 'AddedToSecureLink' OR Operation = 'SearchQueryPerformed' OR Operation = 'SecureLinkCreated' OR Operation = 'SecureLinkUpdated' OR Operation = 'SharingInvitationCreated' ) " + "query": "SELECT * FROM events WHERE ( Operation = 'AddedToSecureLink' OR Operation = 'SearchQueryPerformed' OR Operation = 'SecureLinkCreated' OR Operation = 'SecureLinkUpdated' OR Operation = 'SharingInvitationCreated' )", + // 检测对SharePoint进行可疑操作的事件,包括添加到安全链接、执行搜索查询、创建安全链接、更新安全链接、创建共享邀请等 }, { - "name": "User Modifying RetentionPolicy ", + "name": "User Modifying RetentionPolicy", "severity": 
"High", - "query": "SELECT * FROM events WHERE ( Operation LIKE '%UnifiedAuditLogRetentionPolicy%' ) " + "query": "SELECT * FROM events WHERE ( Operation LIKE '%UnifiedAuditLogRetentionPolicy%' )", + // 检测用户修改统一审核日志保留策略的操作 }, { - "name": "User Modifying Audit Logging ", + "name": "User Modifying Audit Logging", "severity": "High", - "query": "SELECT * FROM events WHERE ( Operation LIKE '%AdminAuditLogConfig%' ) " + "query": "SELECT * FROM events WHERE ( Operation LIKE '%AdminAuditLogConfig%' )", + // 检测用户修改管理员审核日志配置的操作 }, { - "name": "String Authentication Disabled ", + "name": "String Authentication Disabled", "severity": "High", - "query": "SELECT * FROM events WHERE ( Operation LIKE '%Disable Strong Authentication.%' ) " + "query": "SELECT * FROM events WHERE ( Operation LIKE '%Disable Strong Authentication.%' )", + // 检测禁用强身份验证的操作 } - - -] \ No newline at end of file +] diff --git a/src/rules.json b/src/rules.json index 3fe0e32..d3979d6 100644 --- a/src/rules.json +++ b/src/rules.json @@ -305,6 +305,7 @@ ], "level": "critical", "rule": [ + // 检测特定模式的命名管道,这些模式常被CobaltStrike使用 "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\'))" ], "filename": "pipe_created_mal_cobaltstrike.yml" 
@@ -327,6 +328,7 @@ ], "level": "critical", "rule": [ + // 检测特定命名管道,这些管道常被用于凭据转储工具 "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\'))" ], "filename": "pipe_created_cred_dump_tools_named_pipes.yml" @@ -347,10 +349,16 @@ ], "level": "low", "rule": [ + // 检测PsExec默认命名管道的创建 "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\')" ], "filename": "pipe_created_psexec_default_pipe.yml" }, + // 检测CobaltStrike、凭据转储工具和PsExec使用的默认命名管道 + // 这些规则通过监控特定事件ID中的命名管道活动来识别潜在的恶意行为 + // CobaltStrike的命名管道模式包括特定的前缀和后缀,用于隐藏其活动 + // 凭据转储工具的命名管道模式如lsadump、cachedump和wceservicepipe,用于执行凭据转储操作 + // PsExec的默认命名管道PSEXESVC用于服务安装和执行,常被用于横向移动和提权 { "title": "PAExec Default Named Pipe", "id": "f6451de4-df0a-41fa-8d72-b39f54a08db5", @@ -39208,3 +39216,6 @@ "filename": "raw_access_thread_disk_access_using_illegitimate_tools.yml" } ] + // 检测PsExec默认命名管道的创建,这可能是PsExec服务安装和执行的迹象 + // 该规则监控特定事件ID中的命名管道活动,特别关注名为PSEXESVC的管道 + // 由于PsExec常被用于横向移动和命令执行,因此该检测可以帮助识别潜在的恶意活动 \ No newline at end of file -- 2.34.1
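Review bot: The five-line block inserted after the PsExec rule's closing `},` and the three lines appended after the file's final `]` are free-floating text between or outside array elements, and their content is misplaced: the block after the PsExec entry re-summarises the three preceding rules, and the trailer at end of file describes `PSEXESVC` although the last entry is `raw_access_thread_disk_access_using_illegitimate_tools.yml`. The single `// ...` lines inside each `"rule"` array in the @@ -305, @@ -327 and @@ -347 hunks only restate the `title` already stored on the same rule. Both scripts in this series write `rules.json` with `sigmac ... -o rules.json`, so if this file is that output, hand-written annotations will be lost on the next run; if per-rule notes are wanted they belong in the Sigma YAML `description`, which sigmac already emits through `--output-fields`, rather than in the generated file.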