Merge branch 'master' of https://github.com/frack113/sigma_redcanaryco

.vscode/launch.json

@@ -0,0 +1,16 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Python: Current File",
+            "type": "python",
+            "request": "launch",
+            "program": "${file}",
+            "console": "integratedTerminal",
+            "justMyCode": true
+        }
+    ]
+}

Full_tests.csv

@@ -807,9 +807,9 @@ execution;T1059.004;bash;['linux'];Change login shell;c7ac59cb-13cc-4622-81dc-6d
 execution;T1059.004;bash;['linux'];Environment variable scripts;bdaebd56-368b-4970-a523-f905ff4a8a51;False;11
 execution;T1059.004;bash;['linux'];Detecting pipe-to-shell;fca246a8-a585-4f28-a2df-6495973976a1;False;12
 execution;T1559;command_prompt;['windows'];Cobalt Strike Artifact Kit pipe;bd13b9fc-b758-496a-b81a-397462f82c72;True;1
-execution;T1559;command_prompt;['windows'];Cobalt Strike Lateral Movement (psexec_psh) pipe;830c8b6c-7a70-4f40-b975-8bbe74558acd;False;2
-execution;T1559;command_prompt;['windows'];Cobalt Strike SSH (postex_ssh) pipe;d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6;False;3
-execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (4.2 and later);7a48f482-246f-4aeb-9837-21c271ebf244;False;4
+execution;T1559;command_prompt;['windows'];Cobalt Strike Lateral Movement (psexec_psh) pipe;830c8b6c-7a70-4f40-b975-8bbe74558acd;True;2
+execution;T1559;command_prompt;['windows'];Cobalt Strike SSH (postex_ssh) pipe;d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6;True;3
+execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (4.2 and later);7a48f482-246f-4aeb-9837-21c271ebf244;True;4
 execution;T1559;command_prompt;['windows'];Cobalt Strike post-exploitation pipe (before 4.2);8dbfc15c-527b-4ab0-a272-019f469d367f;False;5
 execution;T1204.003;powershell;['windows'];Malicious Execution from Mounted ISO Image;e9795c8d-42aa-4ed4-ad80-551ed793d006;True;1
 execution;T1059.006;sh;['linux'];Execute shell script via python's command mode arguement;3a95cdb2-c6ea-4761-b24e-02b71889b8bb;False;1
@@ -1274,7 +1274,7 @@ credential-access;T1552.004;powershell;['windows'];ADFS token signing and encryp
 credential-access;T1552.004;powershell;['windows'];CertUtil ExportPFX;336b25bf-4514-4684-8924-474974f28137;True;8
 credential-access;T1552.004;powershell;['windows'];Export Root Certificate with Export-PFXCertificate;7617f689-bbd8-44bc-adcd-6f8968897848;True;9
 credential-access;T1552.004;powershell;['windows'];Export Root Certificate with Export-Certificate;78b274f8-acb0-428b-b1f7-7b0d0e73330a;True;10
-credential-access;T1552.004;command_prompt;['windows'];Export Certificates with Mimikatz;290df60e-4b5d-4a5e-b0c7-dc5348ea0c86;False;11
+credential-access;T1552.004;command_prompt;['windows'];Export Certificates with Mimikatz;290df60e-4b5d-4a5e-b0c7-dc5348ea0c86;True;11
 credential-access;T1557.001;powershell;['windows'];LLMNR Poisoning with Inveigh (PowerShell);deecd55f-afe0-4a62-9fba-4d1ba2deb321;True;1
 credential-access;T1003.001;command_prompt;['windows'];Dump LSASS.exe Memory using ProcDump;0be2230c-9ab3-4ac2-8826-3199b9a0ebf8;True;1
 credential-access;T1003.001;powershell;['windows'];Dump LSASS.exe Memory using comsvcs.dll;2536dee2-12fb-459a-8c37-971844fa73be;True;2

powershell/runtest.ps1

@@ -0,0 +1,60 @@
+write-host "  _________________________  " -ForegroundColor red
+write-host "((                         ))" -ForegroundColor red
+write-host " )) Frack113 tests script (( " -ForegroundColor red
+write-host "((                         ))" -ForegroundColor red
+write-host "  -------------------------  " -ForegroundColor red
+write-host " for the best of my knowledge "
+
+write-host "Import module"
+Import-Module .\Export-WinEvents
+Import-Module C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psm1
+
+write-host " Open csv"
+$csv = Import-Csv -Path .\Full_tests.csv -Delimiter ';'
+
+$list_channel = ('Application','Security','System','Microsoft-Windows-Sysmon/Operational','Microsoft-Windows-PowerShell/Operational')
+
+foreach ($info in $csv)
+{
+	$technique = $info.technique
+	$nmr = $info.nmr_test
+	$valid = $info.sigma
+	$name =  $info.name
+	if ($info.os -like '*windows*'){
+        if ($info.executor -ne 'manual'){ 
+		    if ($valid -eq 'False') {
+			    write-host "Test $name - $technique test : $nmr" 
+			    write-host "Disable Realtime Monitoring" 
+			    Set-MpPreference -DisableRealtimeMonitoring 1
+			    write-host "Make environnement" 
+			    Invoke-AtomicTest $technique -TestNumbers $nmr -Cleanup -NoExecutionLog 
+			    Invoke-AtomicTest $technique -TestNumbers $nmr -GetPrereqs -TimeoutSeconds 120 -NoExecutionLog
+			    $list_channel | Clear-WinEvents -Verbose
+			    Start-Sleep -s 10
+
+			    write-host "Start Aurora" 
+			    Start-Process C:\aurora\aurora-agent-64.exe -WorkingDirectory C:\aurora -ArgumentList "-c agent-config-standard.yml","--minimum-level low","--json","-l c:\Tests\$($technique)_test_$($nmr)_aurora.json"
+			    Start-Sleep -s 30
+
+			    write-host "Start test" 
+			    Invoke-AtomicTest $technique -TestNumbers $nmr -TimeoutSeconds 120 -NoExecutionLog
+			    Start-Sleep -s 10
+
+			    write-host "Stop Aurora" 
+			    Stop-Process -name aurora-agent-64
+
+			    Start-Sleep -s 10
+			    foreach ($channel in $list_channel){
+                        $name = $channel.replace("/","_")
+				Export-WinEvents -TimeBucket 'Last 5 Minutes' -OutputPath "c:\Tests\$($technique)_test_$($nmr)_channel_$name.json" -Channel $channel
+ 			    }
+
+			    write-host "Cleanup" 
+			    Invoke-AtomicTest $technique -TestNumbers $nmr -Cleanup -NoExecutionLog
+			    Start-Sleep -s 10
+
+		    } Else { write-host "$name / $technique test: $nmr / OK" -ForegroundColor green }
+		} Else { write-host "$name / $technique test: $nmr / manual test :)" -ForegroundColor DarkRed }
+	} Else { write-host "$name / $technique test: $nmr / not windows :)" -ForegroundColor DarkRed }
+}
+write-host "Good Hunt..." -ForegroundColor green

yml/290df60e-4b5d-4a5e-b0c7-dc5348ea0c86.yml

@@ -20,5 +20,7 @@ description: |
   The following Atomic test will utilize Mimikatz to extract the certificates from the local system My store. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
   A successful attempt will stdout the certificates and write multiple .pfx and .der files to disk.
 executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: a642964e-bead-4bed-8910-1bb4d63e3b4d
+    name: proc_creation_win_hktl_mimikatz_command_line.yml

yml/7a48f482-246f-4aeb-9837-21c271ebf244.yml

@@ -19,5 +19,7 @@ description: |
 
   The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
 executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
+    name: pipe_created_mal_cobaltstrike.yml

yml/830c8b6c-7a70-4f40-b975-8bbe74558acd.yml

@@ -19,5 +19,7 @@ description: |
 
   The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
 executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
+    name: pipe_created_mal_cobaltstrike.yml

yml/d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6.yml

@@ -19,5 +19,7 @@ description: |
 
   The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
 executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
+    name: pipe_created_mal_cobaltstrike.yml