
Added a new rule for wlrmdr whitelisting bypass

Open manasmbellani opened this issue 3 years ago • 1 comments

Added a new rule for detecting winlogon reminder app whitelisting bypass

manasmbellani avatar Feb 20 '22 02:02 manasmbellani

Before pushing you can test locally:

PS D:\rootme\sigma> python .\tests\test_rules.py
MITRE ATT&CK LIST LENGTHS: 864 707 14 133 546
.Rule rules\sysmon_wlrmdr_lolbas_app_whitelist_bypass.yml has a invalid condition 'selection_one OR selection_two' : 'or','and','not','of' are lowercase
FRule rules\sysmon_wlrmdr_lolbas_app_whitelist_bypass.yml has the following incorrect tag attack.defence_evasion
F..F.........................Rule rules\sysmon_wlrmdr_lolbas_app_whitelist_bypass.yml has a title that has not title capitalization. Words: 'whitelist, bypass'
F
======================================================================
FAIL: test_condition_operator_casesensitive (__main__.TestRules)
----------------------------------------------------------------------
- ['rules\\sysmon_wlrmdr_lolbas_app_whitelist_bypass.yml']
+ [] : There are rules using condition whitout lowercase operator

======================================================================
FAIL: test_confirm_correct_mitre_tags (__main__.TestRules)
----------------------------------------------------------------------
- ['rules\\sysmon_wlrmdr_lolbas_app_whitelist_bypass.yml']
+ [] : There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/

======================================================================
FAIL: test_event_id_instead_of_process_creation (__main__.TestRules)
----------------------------------------------------------------------
- ['rules\\sysmon_wlrmdr_lolbas_app_whitelist_bypass.yml']
+ [] : There are rules still using Sysmon 1 or Event ID 4688. Please migrate to the process_creation category.

======================================================================
FAIL: test_title (__main__.TestRules)
----------------------------------------------------------------------
- ['rules\\sysmon_wlrmdr_lolbas_app_whitelist_bypass.yml']
+ [] : There are rules with non-conform 'title' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title

----------------------------------------------------------------------
Ran 32 tests in 186.648s

FAILED (failures=4)
PS D:\rootme\sigma>

For selection selection_two, calc is not launched with only these 3 args; there is already one: win_pc_lolbin_wlrmdr.yml

frack113 avatar Feb 20 '22 08:02 frack113
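The four failures in the test run above (uppercase condition operators, an unknown ATT&CK tag, Sysmon EventID 1 used instead of the process_creation category, and a non-title-case title) can be reproduced and checked locally before a push. The script below is an added example, not SigmaHQ's test_rules.py: it re-implements those four checks over a rule that has already been parsed into a dict (what yaml.safe_load returns), so it runs without PyYAML. The two rules in it are constructed to mirror the reported failures and their fixed form; they are not the PR's actual YAML, and the allowed-lowercase word list and tactic list are assumptions rather than SigmaHQ's exact tables.

```python
"""Pre-push checks for a Sigma rule, mirroring the four failures reported by
SigmaHQ's test_rules.py in the comment above.

Added example, not SigmaHQ code. Rules are handled as already-parsed dicts
(yaml.safe_load output) so this runs offline without PyYAML.
"""
import re

# MITRE ATT&CK tactic names as used in Sigma tags (attack.<tactic>).
# Note the American spelling: attack.defense_evasion, not defence_evasion.
ATTACK_TACTICS = {
    "reconnaissance", "resource_development", "initial_access", "execution",
    "persistence", "privilege_escalation", "defense_evasion",
    "credential_access", "discovery", "lateral_movement", "collection",
    "command_and_control", "exfiltration", "impact",
}
# Technique (t1218.011), group (g0016) and software (s0154) identifiers.
ATTACK_ID_RE = re.compile(r"^attack\.(t\d{4}(\.\d{3})?|g\d{4}|s\d{4})$")
# Words allowed in lowercase inside a title when not the first word
# (assumed list; SigmaHQ keeps its own).
TITLE_LOWERCASE_OK = {"a", "an", "and", "as", "at", "by", "for", "from", "in",
                      "of", "on", "or", "the", "to", "via", "with"}


def check_condition_case(rule):
    """Return condition operators that are not lowercase ('OR', 'And', ...)."""
    cond = str(rule.get("detection", {}).get("condition", ""))
    tokens = re.findall(r"\b(or|and|not|of)\b", cond, re.IGNORECASE)
    return sorted({t for t in tokens if t != t.lower()})


def check_mitre_tags(rule):
    """Return attack.* tags that are neither a known tactic nor an ATT&CK id."""
    bad = []
    for tag in rule.get("tags", []):
        if not tag.startswith("attack."):
            continue  # cve.*, car.* etc. are out of scope for this check
        if tag[len("attack."):] not in ATTACK_TACTICS and not ATTACK_ID_RE.match(tag):
            bad.append(tag)
    return bad


def _event_ids(node):
    """Yield every EventID value (as str) found anywhere in a detection tree."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key.split("|")[0] == "EventID":
                for v in (val if isinstance(val, list) else [val]):
                    yield str(v)
            else:
                yield from _event_ids(val)
    elif isinstance(node, list):
        for item in node:
            yield from _event_ids(item)


def check_process_creation(rule):
    """Flag Sysmon 1 / Security 4688 rules that should use process_creation."""
    logsource = rule.get("logsource", {})
    if logsource.get("category") == "process_creation":
        return []
    ids = set(_event_ids(rule.get("detection", {})))
    service = logsource.get("service")
    if service == "sysmon" and "1" in ids:
        return ["Sysmon EventID 1"]
    if service == "security" and "4688" in ids:
        return ["Security EventID 4688"]
    return []


def check_title(rule):
    """Return title words that should be capitalized but are not."""
    bad = []
    for i, word in enumerate(str(rule.get("title", "")).split()):
        stripped = word.strip("()\"'.,:")
        if not stripped or not stripped[0].isalpha():
            continue
        if i > 0 and stripped.lower() in TITLE_LOWERCASE_OK:
            continue
        if stripped[0].islower():
            bad.append(stripped)
    return bad


def run_checks(rule):
    """Return {check name: findings} for failing checks only; {} means pass."""
    results = {
        "condition_operator_casesensitive": check_condition_case(rule),
        "confirm_correct_mitre_tags": check_mitre_tags(rule),
        "event_id_instead_of_process_creation": check_process_creation(rule),
        "title": check_title(rule),
    }
    return {name: found for name, found in results.items() if found}


# Constructed rule reproducing the four failures above (not the PR's YAML).
BROKEN_RULE = {
    "title": "Wlrmdr LOLBAS App whitelist bypass",
    "tags": ["attack.defence_evasion", "attack.t1218"],
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection_one": {"EventID": 1, "Image|endswith": "\\wlrmdr.exe",
                          "CommandLine|contains": "-u"},
        "selection_two": {"EventID": 1, "ParentImage|endswith": "\\wlrmdr.exe"},
        "condition": "selection_one OR selection_two",
    },
}

# The same rule with all four findings corrected (constructed).
FIXED_RULE = {
    "title": "Wlrmdr LOLBAS Application Whitelisting Bypass",
    "tags": ["attack.defense_evasion", "attack.t1218"],
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection_one": {"Image|endswith": "\\wlrmdr.exe",
                          "CommandLine|contains": "-u"},
        "selection_two": {"ParentImage|endswith": "\\wlrmdr.exe"},
        "condition": "selection_one or selection_two",
    },
}

if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        print(name, run_checks(rule))
```

Dropping the EventID key together with the move to `category: process_creation` is what lets one rule serve both Sysmon 1 and Security 4688 through the backend's field mapping, which is why the test insists on it rather than on the event ID.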

As @frack113 mentioned, the 2nd selection in your rule is already covered by the rule 9cfc00b6-bfb7-49ce-9781-ef78503154bb, and due to inactivity on this PR I added the "Parent" execution to that rule in #3759.

Will close this PR.

nasbench avatar Dec 06 '22 00:12 nasbench