atomic-red-team Develop atomic tests for Sigma rules

Develop atomic tests for Sigma rules

Open aw350m33d opened this issue 3 years ago • 0 comments

Note: This issue is an updated version of #1220. The changes take into account the tests that were created as part of the second sprint of the OSCD initiative

Technique ID: Multiple

Additional Details

Subject: Sigma project
Authors: @Neo23x0, @thomaspatzke
Requirements: Create one Pull Request per atomic test.

Please comment the issue with a task number and rule ID that you are going to work out so the others will not intersect with you.

Task #	ATT&CK Technique name/link	Date checked	Sigma Rule ID / Link	ART Test Link	Status	Comment
1	T1006: Direct Volume Access	30.05.2021	- [X] Raw Disk Access Using Illegitimate Tools (db809f10-56ce-4420-8c86-d6a7d793c79c)	Direct Volume Access	Done
2	T1036.004: Masquerade Task or Service	30.05.2021	- [X] Operation Wocao Activity (74ad4314-482e-4c3e-b237-3f7ed3b9ca8d)	Masquerading: Masquerade Task or Service	Done
3	T1036.005: Match Legitimate Name or Location	30.05.2021	- [ ] Suspicious MsiExec Directory (e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144) - [ ] Suspicious Svchost Process (01d2e2a1-5f09-44f7-9fc1-24faa7479b6d) - [ ] Lazarus Session Highjacker (3f7f5b0b-5b16-476c-a85f-ab477f6dd24b) - [ ] Exploit for CVE-2015-1641 (7993792c-5ce2-4475-a3db-a3a5539827ef) - [ ] Flash Player Update from Suspicious Location (4922a5dd-6743-4fc2-8e81-144374280997) - [ ] File Created with System Process Name (d5866ddf-ce8f-4aea-b28e-d96485a20d3d) - [ ] Windows Processes Suspicious Parent Directory (96036718-71cc-4027-a538-d1587e0006a7) - [ ] Greenbug Campaign Indicators (3711eee4-a808-4849-8a14-faf733da3612)	CONTRIBUTE TESTS	Waiting for tests
4	T1059.006: Python	30.05.2021	- [ ] Suspicious File Characteristics Due to Missing Fields (9637e8a5-7131-4f7f-bdc7-2b05d8670c43) - [ ] File Was Not Allowed To Run (401e5d00-b944-11ea-8f9a-00163ecd60ae)	CONTRIBUTE TESTS	Waiting for tests
5	T1059.007: JavaScript/JScript	30.05.2021	- [ ] WSF/JSE/JS/VBA/VBE File Execution (1e33157c-53b1-41ad-bbcc-780b80b58288) - [ ] Suspicious Parent of Csc.exe (b730a276-6b63-41b8-bcf8-55930c8fc6ee) - [ ] CACTUSTORCH Remote Thread Creation (2e4e488a-6164-4811-9ea1-f960c7359c40) - [ ] SquiblyTwo (8d63dadf-b91b-4187-87b6-34a1114577ea) - [ ] WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846) - [ ] Koadic Execution (5cddf373-ef00-4112-ad72-960ac29bac34) - [ ] HTML Help Shell Spawn 52cad028-0ff0-4854-8f67-d25dfcbc78b4) - [ ] Adwind RAT / JRAT (1fac1481-2dbc-48b2-9096-753c49b4ec71) - [ ] File Was Not Allowed To Run (401e5d00-b944-11ea-8f9a-00163ecd60ae)	CONTRIBUTE TESTS	Waiting for tests
6	T1070.003: Clear Command History	30.05.2021	- [X] Clear Command History (fdc88d25-96fb-4b7c-9633-c0e417fdbd4e) - [ ] Cisco Clear Logs (ceb407f6-8277-439b-951f-e4210e3ed956) - [X] MacOS: Suspicious History File Operations (508a9374-ad52-4789-b568-fc358def2c65) - [ ] Clear PowerShell History (dfba4ce1-e0ea-495f-986e-97140f31af2d) - [X] Linux: Suspicious History File Operations (eae8ce9f-bde9-47a6-8e79-f20d18419910)	Indicator Removal on Host: Clear Command History	Partially done
7	T1113: Screen Capture	30.05.2021	- [X] Screen Capture - macOS (0877ed01-da46-4c49-8476-d49cdd80dfa7) - [X] Psr.exe Capture Screenshots (2158f96f-43c2-43cb-952a-ab4580f32382) - [ ] Suspicious System.Drawing Load (666ecfc7-229d-42b8-821e-1a8f8cb7057c)	Screen Capture	Partially done
8	T1134.001: Token Impersonation/Theft	30.05.2021	- [X] Meterpreter or Cobalt Strike Getsystem Service Installation 843544a7-56e0-4dcc-a44f-5cc266dd97d6) - [X] Meterpreter or Cobalt Strike Getsystem Service Start (15619216-e993-4721-b590-4c520615a67d)	Access Token Manipulation: Token Impersonation/Theft	Done
9	T1134.002: Create Process with Token	30.05.2021	- [ ] Detection of Possible Rotten Potato (6c5808ee-85a2-4e56-8137-72e5876a5096) - [X] Meterpreter or Cobalt Strike Getsystem Service Installation (843544a7-56e0-4dcc-a44f-5cc266dd97d6) - [X] Meterpreter or Cobalt Strike Getsystem Service Start (15619216-e993-4721-b590-4c520615a67d)	CONTRIBUTE TESTS	Waiting for tests
10	T1136.002: Domain Account	30.05.2021	- [ ] Suspicious Windows ANONYMOUS LOGON Local Account Created (1bbf25b9-8038-4154-a50b-118f2a32be27)	Create Account: Domain Account
11	T1137.006: Add-ins	30.05.2021	- [ ] Stealthy VSTO Persistence (9d15044a-7cfe-4d23-8085-6ebc11df7685) - [ ] Microsoft Office Add-In Loading (8e1cb247-6cf6-42fa-b440-3f27d57e9936)	CONTRIBUTE TESTS	Waiting for tests	This task could take a huge amount of time to solve
12	T1486: Data Encrypted for Impact	30.05.2021	- [ ] LockerGoga Ransomware (74db3488-fd28-480a-95aa-b7af626de068) - [ ] Suspicious Multiple File Rename Or Delete Occurred (97919310-06a7-482c-9639-92b67ed63cf8) - [ ] WannaCry Ransomware (41d40bff-377a-43e2-8e1b-2e543069e079)	CONTRIBUTE TESTS	Waiting for tests
13	T1547.008: LSASS Driver	30.05.2021	- [ ] DLL Load via LSASS (b3503044-60ce-4bf4-bbcb-e3db98788823)	CONTRIBUTE TESTS	Waiting for tests	This task could take a huge amount of time to solve
14	T1562.006: Indicator Blocking	30.05.2021	- [X] Auditing Configuration Changes on Linux Host (977ef627-4539-4875-adf4-ed8f780c4922) - [X] Logging Configuration Changes on Linux Host (c830f15d-6f6e-430f-8074-6f73d6807841) - [ ] Disable of ETW Trace<bra238b5d0-ce2d-4414-a676-7a531b3d13d6)	Impair Defenses: Indicator Blocking	Partially done
15	T1569.002: System Services	30.05.2021	- [X] PsExec Service Start (3ede524d-21cc-472d-a3ce-d21b568d8db7) - [ ] ProcessHacker Privilege Elevation (c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9) - [ ] CobaltStrike Service Installations (5a105d34-05fc-401e-8553-272b45c1522d) - [ ] PowerShell as a Service in Registry (4a5f5a5e-ac01-474b-9b4e-d61298c9df1d) - [X] Psexec Accepteula Condition (730fc21b-eaff-474b-ad23-90fd265d4988) - [ ] Rundll32 Without Parameters (5bb68627-3198-40ca-b458-49f973db8752) - [ ] PowerShell Scripts Installed as Services (a2e5019d-a658-4c6a-92bf-7197b54e2cae) - [ ] Service Execution (2a072a96-a086-49fa-bcb5-15cc5a619093) - [ ] smbexec.py Service Installation (52a85084-6989-40c3-8f32-091e12e13f09) - [ ] Malicious Service Installations (2cfe636e-317a-4bee-9f2c-1066d9f54d1a) - [ ] PSExec and WMI Process Creations Block (97b9ce1e-c5ab-11ea-87d0-0242ac130003) - [ ] Metasploit Or Impacket Service Installation Via SMB PsExec (1a17ce75-ff0d-4f02-9709-2b7bb5618cf0) - [ ] Credential Dumping Tools Service Execution (4976aa50-8f41-45c6-8b15-ab3fc10e79ed) - [ ] PsExec Tool Execution (42c575ea-e41e-41f1-b248-8093c3e82a28) - [ ] MITRE BZAR Indicators for Execution (b640c0b8-87f8-4daa-aef8-95a24261dd1d)	System Services: Service Execution	Partially done
16	T1572: Protocol Tunneling	30.05.2021	- [ ] Exfiltration and Tunneling Tools Execution (c75309a3-59f8-4a8d-9c2c-4c927ad50555) - [ ] RDP Over Reverse SSH Tunnel (5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4) - [ ] Suspicious Plink Remote Forwarding (48a61b29-389f-4032-b317-b30de6b95314) - [ ] Ngrok Usage (ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31) - [ ] Silence.EDA Detection (3ceb2083-a27f-449a-be33-14ec1b7cc973)	CONTRIBUTE TESTS	Waiting for tests

May 30 '21 23:05 aw350m33d

atomic-red-team atomic-red-team copied to clipboard

Develop atomic tests for Sigma rules

Technique ID: Multiple

Additional Details

atomic-red-team
atomic-red-team copied to clipboard