Advent of Cyber 2022, Day 18
The need for proactive approaches to analyzing logs, malware and network traffic.
Threat detection involves proactively pursuing and analyzing abnormal activity within an ecosystem to identify malicious signs of compromise or intrusion within a network.
Tasks: run a Sigma rule (to detect a malicious IOC), write your own Sigma rule, create a Sigma rule for a malicious IOC, and view the log details of the malicious IOC.
Sigma: an open-source, generic signature language for describing log events in a structured format, which makes content matching easier. Rules are written in YAML, a syntax chosen so that security analysts can share detection methods quickly.
Sigma is vendor agnostic: rules can be converted into the query format of the target SIEM.
— To make detection methods and signatures shareable alongside IOCs and YARA rules
— To write SIEM searches that avoid vendor lock-in
— To write custom detection rules for malicious behavior based on specific conditions.
YAML: case sensitive; files use the .yml extension; spaces (not tabs) for indentation; # starts a comment; key: value pairs; array elements are denoted with the “-” character.
Let’s write the .yml file to detect the creation of local accounts:
Title, ID, Status (Stable/Test/Experimental/Deprecated/Unsupported), Description
Logsource: Describes the log data to be used for the detection. It consists of other optional attributes:
- Product: Selects all log outputs of a certain product. Examples are Windows and Apache.
- Category: Selects the log files written by the selected product. Examples are firewall, web and antivirus logs.
- Service: Selects only a subset of the logs. Examples are sshd on Linux or Security on Windows.
- Definition: Describes the log source and its applied configuration.
Detection: The selection field describes the parameters of the malicious activity we need an alert for. The parameters are divided into:
- The search identifiers: the fields and values the detection should search for.
- The condition expression: sets the action to be taken on the detection, such as selection or filtering. The critical thing to look for in account creation on Windows is the Event ID associated with user accounts. In this case, Event ID 4720 was provided for us on the IOC list, which will be our search identifier.
FalsePositives: A list of known false positives that may occur based on the log data.
Level: Describes the severity with which the security team should treat activity matched by the rule. The attribute comprises five levels: Informational -> Low -> Medium -> High -> Critical.
Tags: Adds information that can be used to categorise the rule. Common tags are associated with tactics and techniques from the MITRE ATT&CK framework. The Sigma developers have defined a list of predefined tags.
title: Suspicious Local Account Creation
id: 0f06a3a5-6a09-413f-8743-e6cf35561297
status: experimental
description: Detects the creation of a local user account on a computer.
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: # the search identifier (field name)
            - 4720 # the search list value
    condition: selection
falsepositives:
    - unknown
level: low
tags:
    - attack.persistence # points to the MITRE ATT&CK tactic
    - attack.T1136.001 # points to the MITRE ATT&CK technique
The search identifiers can be enhanced using modifiers appended to the field name with the pipe character (|). The main type of modifiers are known as transformation modifiers and comprise the values contains, endswith, startswith, and all. Some of these modifiers will be vital in writing rules against the other IOCs.
detection:
    selection:
        Image|endswith:
            - '\svchost.exe'
        CommandLine|contains|all:
            - bash.exe
            - '-c '
    condition: selection
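To show how search identifiers, modifiers and the condition are actually applied to events, here is an added Python example that is not part of the Advent of Cyber material and not the code of sigma-cli or pySigma. It holds the account-creation rule and the svchost/bash rule above as Python dicts (the structure yaml.safe_load would give for the .yml), implements contains, startswith, endswith and all plus a not/and/or condition evaluator, and runs the rules over a few constructed events. The third rule's filter on TargetUserName, the event contents and all function names are assumptions made for this example.

```python
# Added example: a minimal matcher for the detection section of a Sigma rule. It is
# not the Advent of Cyber material's code and not sigma-cli/pySigma. Rules are Python
# dicts mirroring the page's YAML (yaml.safe_load() on the .yml would give the same).

def _field_matches(event, spec, values):
    # spec is the field name plus optional modifiers, e.g. "CommandLine|contains|all".
    name, *modifiers = spec.split("|")
    if name not in event:
        return False
    actual = str(event[name]).lower()  # Sigma string comparison is case-insensitive
    ops = [m for m in modifiers if m != "all"]

    def one(wanted):
        wanted = wanted.lower()
        if "contains" in ops:
            return wanted in actual
        if "startswith" in ops:
            return actual.startswith(wanted)
        if "endswith" in ops:
            return actual.endswith(wanted)
        return actual == wanted  # no transformation modifier: exact match

    # a list of values is OR-ed unless the |all modifier is present
    results = [one(str(v)) for v in (values if isinstance(values, list) else [values])]
    return all(results) if "all" in modifiers else any(results)

def _eval_condition(condition, found):
    # Identifiers combined with not/and/or (precedence: not, and, or). Parentheses,
    # "1 of them" style selectors and aggregations are out of scope here.
    tokens, pos = condition.split(), 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            value = parse_and() or value
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            value = parse_not() and value
        return value

    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        pos += 1
        return found[tokens[pos - 1]]

    return parse_or()

def rule_matches(rule, event):
    # Each search identifier (selection, filter, ...) is a map whose fields are AND-ed;
    # the condition then combines the identifiers.
    detection = rule["detection"]
    found = {name: all(_field_matches(event, f, v) for f, v in block.items())
             for name, block in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], found)

# The page's two rules as dicts. The filter in the third rule is an assumption added
# here to show "and not": it drops machine accounts, whose names end in "$".
ACCOUNT_CREATION = {"title": "Suspicious Local Account Creation",
                    "logsource": {"product": "windows", "service": "security"},
                    "detection": {"selection": {"EventID": [4720]}, "condition": "selection"}}
BASH_VIA_SVCHOST = {"title": "bash.exe -c under svchost.exe",
                    "logsource": {"product": "windows", "category": "process_creation"},
                    "detection": {"selection": {"Image|endswith": ["\\svchost.exe"],
                                                "CommandLine|contains|all": ["bash.exe", "-c "]},
                                  "condition": "selection"}}
ACCOUNT_CREATION_FILTERED = {"title": "Local Account Creation (non-machine accounts)",
                             "logsource": {"product": "windows", "service": "security"},
                             "detection": {"selection": {"EventID": [4720]},
                                           "filter": {"TargetUserName|endswith": ["$"]},
                                           "condition": "selection and not filter"}}
RULES = [ACCOUNT_CREATION, ACCOUNT_CREATION_FILTERED, BASH_VIA_SVCHOST]

# Constructed sample events using Security/Sysmon field names; not real log data.
EVENTS = [
    {"EventID": 4720, "TargetUserName": "backup_svc"},
    {"EventID": 4720, "TargetUserName": "WS01$"},
    {"EventID": 4624, "TargetUserName": "alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\bash.exe -c whoami"},
]

def run_rules(rules, events):
    # Returns (rule title, event index) for every hit, in event order.
    return [(r["title"], i) for i, ev in enumerate(events) for r in rules if rule_matches(r, ev)]
```

Calling run_rules(RULES, EVENTS) reports the two 4720 events for the plain rule, only the backup_svc event for the filtered rule, and only the last event for the svchost/bash rule; the svchost event without bash.exe on its command line is not matched because the all modifier requires every listed value to be present.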
# Software Discovery: Category, EventID, Image, CommandLine.
title:
id: # UUID
status: # experimental, test, stable, deprecated, unsupported.
description:
author:
date:
modified:
logsource:
    product: windows
    service: sysmon
    category: process_creation
detection:
    selection:
        EventID:
            - 1
        Image|endswith:
            - reg.exe
        CommandLine|contains|all:
            - reg
            - query
            - /v
            - svcVersion
    condition: selection # Action to be taken. Can use condition operators such as OR, AND, NOT when using multiple search identifiers.
falsepositives: # Legitimate services or use.
level: # informational, low, medium, high or critical.
tags: # Associated TTPs from MITRE ATT&CK
    - {attack.tactic} # MITRE Tactic
    - {attack.technique} # MITRE Technique
# Scheduled Jobs: Category, EventID, Image, CommandLine.
title:
id: # UUID
status: # experimental, test, stable, deprecated, unsupported.
description:
author:
date:
modified:
logsource:
    product: windows
    service: sysmon
    category: process_creation
detection:
    selection:
        EventID:
            - 1
        Image|endswith:
            - schtasks.exe
        CommandLine|contains|all:
            - schtasks
            - /create
    condition: selection # Action to be taken. Can use condition operators such as OR, AND, NOT when using multiple search identifiers.
falsepositives: # Legitimate services or use.
level: # informational, low, medium, high or critical.
tags: # Associated TTPs from MITRE ATT&CK
    - {attack.tactic} # MITRE Tactic
    - {attack.technique} # MITRE Technique
That was great! keep hackin <(|8-)