Add rule for Redcannary T1562.004
Summary of the Pull Request
Commandline: New-NetFirewallRule -DisplayName "New rule" -Direction "Inbound" -LocalPort "21" -Protocol "TCP" -Action Allow
Changelog
new: Add New Windows Firewall Rule via WmiPrvSE
new: Add New Windows Firewall Rule via New-NetFirewallRule
new: Add New Windows Firewall Rule via PowerShell
Example Log Event
Process Create:
RuleName: technique_id=T1083,technique_name=File and Directory Discovery
UtcTime: 2024-05-03 14:30:59.592
ProcessGuid: {095b1fc8-f523-6634-d604-000000002300}
ProcessId: 9640
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.22621.3085 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "powershell.exe" & {New-NetFirewallRule -DisplayName \""New rule\"" -Direction \""Inbound\"" -LocalPort \""21\"" -Protocol \""TCP\"" -Action \""allow\""}
CurrentDirectory: C:\Users\admin\AppData\Local\Temp\
User: LAB\admin
LogonGuid: {095b1fc8-d45a-6634-de9e-1c0000000000}
LogonId: 0x1C9EDE
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=7C04EC2377E32B3C7742F581F6C5437464DD2CF2,MD5=9D8E30DAF21108092D5980C931876B7E,SHA256=3247BCFD60F6DD25F34CB74B5889AB10EF1B3EC72B4D4B3D95B5B25B534560B8,IMPHASH=AFACF6DC9041114B198160AAB4D0AE77
ParentProcessGuid: {095b1fc8-d45b-6634-c500-000000002300}
ParentProcessId: 8164
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ParentUser: LAB\admin
<Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel>
<Data Name="RuleId">{13f085fc-a4d2-4c2e-b074-53df8442dd3d}</Data>
<Data Name="RuleName">New rule</Data>
<Data Name="Origin">1</Data>
<Data Name="ApplicationPath" />
<Data Name="ServiceName" />
<Data Name="Direction">1</Data>
<Data Name="Protocol">6</Data>
<Data Name="LocalPorts">21</Data>
<Data Name="RemotePorts">*</Data>
<Data Name="Action">3</Data>
<Data Name="Profiles">2147483647</Data>
<Data Name="LocalAddresses">*</Data>
<Data Name="RemoteAddresses">*</Data>
<Data Name="RemoteMachineAuthorizationList" />
<Data Name="RemoteUserAuthorizationList" />
<Data Name="EmbeddedContext" />
<Data Name="Flags">1</Data>
<Data Name="Active">1</Data>
<Data Name="EdgeTraversal">0</Data>
<Data Name="LooseSourceMapped">0</Data>
<Data Name="SecurityOptions">0</Data>
<Data Name="ModifyingUser">S-1-5-21-888117185-644776935-3477416708-1104</Data>
<Data Name="ModifyingApplication">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name="SchemaVersion">544</Data>
<Data Name="RuleStatus">65536</Data>
<Data Name="LocalOnlyMapped">0</Data>
<Data Name="PolicyAppId" />
<Data Name="ErrorCode">0</Data>
<EventData>
<Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">powershell.exe {New-NetFirewallRule -DisplayName "New rule" -Direction "Inbound" -LocalPort "21" -Protocol "TCP" -Action "allow"}</Data>
<Data Name="ScriptBlockId">c8b03754-0bdb-408e-8348-cced61c91cd8</Data>
<Data Name="Path" />
</EventData>
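The three events above are the telemetry each of the new rules keys on. As an added illustration (not part of this PR and not SigmaHQ code), the following Python applies equivalent matching logic to constructed samples built from the PR's own event data: the firewall rule-add EventData written by WmiPrvSE.exe, the Sysmon command line with its escaped quotes, and the ScriptBlockText. The field-value mappings in the comments (Direction 1, Protocol 6, Action 3) are read off the PR's paired command line and event.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <Data> elements of the firewall rule-add event quoted in
# the PR, wrapped in <EventData> so the fragment parses (the PR quotes only the body).
FIREWALL_EVENT = r"""<EventData>
<Data Name="RuleName">New rule</Data>
<Data Name="ApplicationPath" />
<Data Name="Direction">1</Data>
<Data Name="Protocol">6</Data>
<Data Name="LocalPorts">21</Data>
<Data Name="Action">3</Data>
<Data Name="ModifyingApplication">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
</EventData>"""

# Constructed sample: the Sysmon CommandLine field from the PR, including the \"" escapes.
SYSMON_CMDLINE = ('"powershell.exe" & {New-NetFirewallRule -DisplayName \\""New rule\\"" '
                  '-Direction \\""Inbound\\"" -LocalPort \\""21\\"" -Protocol \\""TCP\\"" '
                  '-Action \\""allow\\""}')

# Constructed sample: the ScriptBlockText field from the PR.
SCRIPT_BLOCK = ('powershell.exe {New-NetFirewallRule -DisplayName "New rule" -Direction '
                '"Inbound" -LocalPort "21" -Protocol "TCP" -Action "allow"}')


def parse_event_data(xml_text):
    """Return {Name: text} for every <Data Name=...> element in an EventData fragment."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter("Data")}


def detect_wmiprvse_rule_add(event):
    """Rule via WmiPrvSE: a firewall rule whose ModifyingApplication is WmiPrvSE.exe,
    as in the PR's event, where the cmdlet's WMI provider host writes the rule."""
    return event.get("ModifyingApplication", "").lower().endswith("\\wmiprvse.exe")


def detect_new_netfirewallrule_cmdline(cmdline):
    """Rule via New-NetFirewallRule: process command line calling the cmdlet with
    -Action Allow. Backslashes and quotes are stripped first so the \"" escaping
    Sysmon logs (see the PR's CommandLine) cannot break the match."""
    flat = re.sub(r'[\\"]', "", cmdline).lower()
    return "new-netfirewallrule" in flat and re.search(r"-action\s+allow", flat) is not None


def detect_scriptblock(script_text):
    """Rule via PowerShell: ScriptBlockText (script block logging) naming the cmdlet."""
    return "new-netfirewallrule" in script_text.lower()


def describe_rule(event):
    """Decode the numeric fields as they pair with the PR's command line:
    Direction 1 = Inbound, Protocol 6 = TCP, Action 3 = Allow."""
    direction = {"1": "Inbound", "2": "Outbound"}.get(event.get("Direction"), "?")
    action = {"2": "Block", "3": "Allow"}.get(event.get("Action"), "?")
    proto = {"6": "TCP", "17": "UDP"}.get(event.get("Protocol"), event.get("Protocol"))
    return f"{direction} {proto}/{event.get('LocalPorts')} {action} ({event.get('RuleName')})"
```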
Fixed Issues
SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these conventions