Merge PR #4538 from @frack113 - Add Sigma CLI Configuration File

chore: add sigma-cli configuration file fix: Suspicious Non-Browser Network Communication With Google API - Fix escaped wildcard issue and Update modifiers fix: Uncommon PowerShell Hosts - Fix escaped wildcard issue fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - Update logsource --------- Co-authored-by: nasbench <[email protected]>
SigmaHQ · Nov 3, 2023 · 271f972 · 271f972
1 parent 52b07b4
commit 271f972
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 26 deletions.
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
@@ -76,7 +76,7 @@ jobs:
         pip install sigma-cli
     - name: Test Sigma Rule Syntax
       run: |
-        sigma check rules*
+        sigma check rules* -c tests/sigma_cli_conf.yml
     - name: Test Sigma Rules
       run: |
         pip install PyYAML attackcti colorama

diff --git a/rules/windows/builtin/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml
@@ -10,15 +10,15 @@ references:
     - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
 author: Adeem Mawani
 date: 2021/06/22
-modified: 2022/12/28
+modified: 2023/11/03
 tags:
     - attack.discovery
     - attack.t1069.002
     - attack.t1087.002
     - attack.t1482
 logsource:
     product: windows
-    service: ldap_debug
+    service: ldap
     definition: 'Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging'
 detection:
     generic_search:

diff --git a/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml
@@ -10,6 +10,7 @@ references:
     - https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
 author: Gavin Knapp
 date: 2023/05/01
+modified: 2023/11/03
 tags:
     - attack.command_and_control
     - attack.t1102
@@ -26,33 +27,32 @@ detection:
     filter_optional_brave:
         Image|endswith: '\brave.exe'
     filter_optional_chrome:
-        Image:
-            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
-            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
+        Image|endswith:
+            - ':\Program Files\Google\Chrome\Application\chrome.exe'
+            - ':\Program Files (x86)\Google\Chrome\Application\chrome.exe'
     filter_optional_google_drive:
-        Image|startswith:
-            - 'C:\Program Files\Google\Drive File Stream\'
-            - 'C:\Program Files\Google\Drive File Stream\*\GoogleDriveFS.exe'
+        Image|contains: ':\Program Files\Google\Drive File Stream\'
+        Image|endswith: '\GoogleDriveFS.exe'
     filter_optional_firefox:
-        Image:
-            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
-            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
+        Image|endswith:
+            - ':\Program Files\Mozilla Firefox\firefox.exe'
+            - ':\Program Files (x86)\Mozilla Firefox\firefox.exe'
     filter_optional_ie:
-        Image:
-            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
-            - 'C:\Program Files\Internet Explorer\iexplore.exe'
+        Image|endswith:
+            - ':\Program Files (x86)\Internet Explorer\iexplore.exe'
+            - ':\Program Files\Internet Explorer\iexplore.exe'
     filter_optional_maxthon:
         Image|endswith: '\maxthon.exe'
     filter_optional_edge_1:
-        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
-        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
-        - Image:
-              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
-              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
+        - Image|contains: ':\Program Files (x86)\Microsoft\EdgeWebView\Application\'
+        - Image|endswith:
+              - ':\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
+              - ':\Program Files\Microsoft\Edge\Application\msedge.exe'
+              - '\WindowsApps\MicrosoftEdge.exe'
     filter_optional_edge_2:
-        Image|startswith:
-            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
-            - 'C:\Program Files\Microsoft\EdgeCore\'
+        Image|contains:
+            - ':\Program Files (x86)\Microsoft\EdgeCore\'
+            - ':\Program Files\Microsoft\EdgeCore\'
         Image|endswith:
             - '\msedge.exe'
             - '\msedgewebview2.exe'

diff --git a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
@@ -9,7 +9,7 @@ references:
     - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/11
-modified: 2023/10/27
+modified: 2023/11/03
 tags:
     - attack.execution
     - attack.t1059.001
@@ -29,7 +29,7 @@ detection:
             - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
             - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
     filter_optional_citrix:
-        Data|contains: 'Citrix\ConfigSync\ConfigSync.ps1*'
+        Data|contains: 'Citrix\ConfigSync\ConfigSync.ps1'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Programs using PowerShell directly without invocation of a dedicated interpreter

diff --git a/tests/logsource.json b/tests/logsource.json
@@ -54,7 +54,7 @@
                                             "RequestedPolicy", "ValidatedPolicy", "Status"],
                 "diagnosis-scripted": ["PackagePath", "PackageId"],
                 "firewall-as":["Action", "ApplicationPath", "ModifyingApplication"],
-                "ldap_debug":["ScopeOfSearch", "SearchFilter", "DistinguishedName", "AttributeList", "ProcessId"],
+                "ldap":["ScopeOfSearch", "SearchFilter", "DistinguishedName", "AttributeList", "ProcessId"],
                 "ntlm":["CallerPID", "ClientDomainName", "ClientLUID", "ClientUserName", "DomainName", "MechanismOID",
                         "ProcessName", "SChannelName", "SChannelType", "TargetName", "UserName", "WorkstationName"],
                 "openssh":["process", "payload"],

diff --git a/tests/sigma_cli_conf.yml b/tests/sigma_cli_conf.yml
@@ -0,0 +1,49 @@
+validators:
+    - all
+    - -tlptag
+    - -tlpv1_tag
+exclusions:
+    # escaped_wildcard
+    021310d9-30a6-480a-84b7-eaa69aeb92bb: escaped_wildcard
+    1114e048-b69c-4f41-bc20-657245ae6e3f: escaped_wildcard
+    204b17ae-4007-471b-917b-b917b315c5db: escaped_wildcard
+    214e8f95-100a-4e04-bb31-ef6cba8ce07e: escaped_wildcard
+    220457c1-1c9f-4c2e-afe6-9598926222c1: escaped_wildcard
+    252902e3-5830-4cf6-bf21-c22083dfd5cf: escaped_wildcard
+    2d3cdeec-c0db-45b4-aa86-082f7eb75701: escaped_wildcard
+    304810ed-8853-437f-9e36-c4975c3dfd7e: escaped_wildcard
+    31d68132-4038-47c7-8f8e-635a39a7c174: escaped_wildcard
+    32d56ea1-417f-44ff-822b-882873f5f43b: escaped_wildcard
+    4281cb20-2994-4580-aa63-c8b86d019934: escaped_wildcard
+    434c08ba-8406-4d15-8b24-782cb071a691: escaped_wildcard
+    435e10e4-992a-4281-96f3-38b11106adde: escaped_wildcard
+    52d8b0c6-53d6-439a-9e41-52ad442ad9ad: escaped_wildcard
+    586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3: escaped_wildcard
+    5c84856b-55a5-45f1-826f-13f37250cf4e: number_as_string
+    7857f021-007f-4928-8b2c-7aedbe64bb82: escaped_wildcard
+    7dc2dedd-7603-461a-bc13-15803d132355: escaped_wildcard
+    8fe1c584-ee61-444b-be21-e9054b229694: escaped_wildcard
+    904e8e61-8edf-4350-b59c-b905fc8e810c: escaped_wildcard
+    9637e8a5-7131-4f7f-bdc7-2b05d8670c43: escaped_wildcard
+    a36ce77e-30db-4ea0-8795-644d7af5dfb4: escaped_wildcard
+    a4824fca-976f-4964-b334-0621379e84c4: escaped_wildcard
+    a8f29a7b-b137-4446-80a0-b804272f3da2: escaped_wildcard
+    afe52666-401e-4a02-b4ff-5d128990b8cb: escaped_wildcard
+    c2993223-6da8-4b1a-88ee-668b8bf315e9: escaped_wildcard
+    c37510b8-2107-4b78-aa32-72f251e7a844: escaped_wildcard
+    c462f537-a1e3-41a6-b5fc-b2c2cef9bf82: escaped_wildcard
+    c73124a7-3e89-44a3-bdc1-25fe4df754b1: escaped_wildcard
+    c9b33401-cc6a-4cf6-83bb-57ddcb2407fc: escaped_wildcard
+    d84c0ded-edd7-4123-80ed-348bb3ccc4d5: escaped_wildcard
+    db885529-903f-4c5d-9864-28fe199e6370: escaped_wildcard
+    dd218fb6-4d02-42dc-85f0-a0a376072efd: escaped_wildcard
+    dde85b37-40cd-4a94-b00c-0b8794f956b5: escaped_wildcard
+    e06ac91d-b9e6-443d-8e5b-af749e7aa6b6: escaped_wildcard
+    f57f8d16-1f39-4dcb-a604-6c73d9b54b3d: escaped_wildcard
+    f6de6525-4509-495a-8a82-1f8b0ed73a00: escaped_wildcard
+    fb502828-2db0-438e-93e6-801c7548686d: escaped_wildcard
+    # specific_instead_of_generic_logsource
+    693a44e9-7f26-4cb6-b787-214867672d3a: specific_instead_of_generic_logsource
+    23b71bc5-953e-4971-be4c-c896cda73fc2: specific_instead_of_generic_logsource
+    8ac03a65-6c84-4116-acad-dc1558ff7a77: specific_instead_of_generic_logsource
+    c3e5c1b1-45e9-4632-b242-27939c170239: specific_instead_of_generic_logsource