We have multiple SIEM vendors:
Usual workflow is:
But we have many different types of SIEM, with incompatible schemas, query languages and types of data collected.
"We can solve any problem by introducing an extra level of indirection." (David Wheeler)
Let's just define a new "Standard":
logsource:
    category: process_creation
    product: windows
detection:
    process_creation:
        EventID: 4688
        Channel: Security
    selection:
        - CommandLine|contains|all:
            - \AppData\Roaming\Oracle
            - \java
            - '.exe '
        - CommandLine|contains|all:
            - cscript.exe
            - Retrive
            - '.vbs '
    condition: process_creation and selection
Logsource: what does process_creation mean exactly? What fields do we need?
Actually, this rule can only ever work on Security.evtx!
title: Remote Thread Creation By Uncommon Source Image
logsource:
    product: windows
    category: create_remote_thread
detection:
    create_remote_thread:
        EventID: 8
        Channel: Microsoft-Windows-Sysmon/Operational
    selection:
        SourceImage|endswith:
            - \bash.exe
            - \cscript.exe
            ...
            - \wmic.exe
            - \wscript.exe
    filter_main_winlogon_1:
        SourceImage: C:\Windows\System32\winlogon.exe
        TargetImage:
            - C:\Windows\System32\services.exe
            - C:\Windows\System32\wininit.exe
            - C:\Windows\System32\csrss.exe
    filter_main_winlogon_2:
        SourceImage: C:\Windows\System32\winlogon.exe
        TargetParentImage: System
        TargetParentProcessId: 4
    ...
    condition: create_remote_thread and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
The sigma() plugin in Velociraptor allows us to directly use rules.
Can be used in the following contexts
Velociraptor sigma compiler transforms the rule into a VQL artifact.
Many Sigma rules have nonsense log sources, but really use Channel matches to refer to an event log.
'*/windows/sysmon':
    query: |
        SELECT * FROM parse_evtx(filename=ROOT + "/Microsoft-Windows-Sysmon%4Operational.evtx")
    channel:
        - Microsoft-Windows-Sysmon/Operational

    SysmonVersion: "x=>x.EventData.SysmonVersion"
    CommandLine: "x=>x.EventData.CommandLine"
Velociraptor's sigma compiler checks that fields are actually valid and rejects the rule if they are not.
Errored Rules which were rejected:
Missing field mapping 'TargetName' in */windows/ntlm:
hayabusa/sigma/builtin/ntlm/win_susp_ntlm_rdp.yml
Missing field mapping 'ParentIntegrityLevel' in */windows/security:
hayabusa/sigma/builtin/unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
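As an added illustration of the two compiler behaviours just described (log source chosen by the rule's Channel rather than its nominal logsource, and rejection of rules whose fields have no mapping), here is a small stand-alone re-implementation. It is example code, not Velociraptor's own sigma compiler; the profile key and the SysmonVersion/CommandLine mappings mirror the slide above, while the EventID, Channel and SourceImage mappings and the trimmed rule are constructed assumptions.

```python
# Added example, not Velociraptor's own code: re-implements the two checks above,
# resolving a rule to a log source by its Channel and listing unmapped fields.
# Constructed profile for one log source: the channels it covers and the field
# mappings it provides (VQL accessor strings; only the keys matter here).
PROFILE = {
    "*/windows/sysmon": {
        "channel": ["Microsoft-Windows-Sysmon/Operational"],
        "fields": {"EventID": "x=>x.System.EventID.Value", "Channel": "x=>x.System.Channel",
                   "SysmonVersion": "x=>x.EventData.SysmonVersion",
                   "CommandLine": "x=>x.EventData.CommandLine",
                   "SourceImage": "x=>x.EventData.SourceImage"},  # assumed mapping
    },
}

# Constructed rule, shaped as a YAML loader would return it. Its logsource
# category is not a profile key; the Channel in the create_remote_thread block
# is what identifies the event log. TargetParentImage has no mapping above.
RULE = {
    "logsource": {"product": "windows", "category": "create_remote_thread"},
    "detection": {
        "create_remote_thread": {"EventID": 8, "Channel": "Microsoft-Windows-Sysmon/Operational"},
        "selection": {"SourceImage|endswith": ["\\wmic.exe", "\\wscript.exe"]},
        "filter_main_winlogon_2": {"SourceImage": "C:\\Windows\\System32\\winlogon.exe",
                                   "TargetParentImage": "System"},
        "condition": "create_remote_thread and (selection and not 1 of filter_main_*)",
    },
}

def detection_blocks(rule):
    """Yield every named detection block as a {field|modifiers: value} dict."""
    for name, block in rule["detection"].items():
        if name != "condition":
            yield from (block if isinstance(block, list) else [block])

def resolve_logsource(rule, profile=PROFILE):
    """Return the profile key whose channel list contains the rule's Channel value."""
    for block in detection_blocks(rule):
        for key, entry in profile.items():
            if block.get("Channel") in entry["channel"]:
                return key
    return None  # no profile covers this event log: the rule cannot compile

def missing_fields(rule, profile=PROFILE):
    """(log source, fields with no mapping); an empty list means the rule compiles."""
    source = resolve_logsource(rule, profile)
    known = profile[source]["fields"] if source else {}
    fields = {k.split("|", 1)[0] for block in detection_blocks(rule) for k in block}
    return source, sorted(fields - set(known))

print(missing_fields(RULE))  # → ('*/windows/sysmon', ['TargetParentImage'])
```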