[pull] master from rabbitstack:master #3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fix the wrong indentation in the rule labels and provide the feedback to user after creating the rule file.
If we fail to obtain the process start time use the one from the event timestamp.
Foreach adds iteration capabilities to the rule language. The decision to keep the function implementation outside the functions package is deliberate. The function mostly operates with raw expressions, and if the function lived in the functions package, that would create a cyclic import, but also likely to unleash more painful side effects. For the sake of simplicity it is better to keep the function close to the parser and AST evaluation. Foreach accepts three required and multiple optional arguments. The first argument is the iterable value typically yielded by the pseudo field. The function recognizes process internal state collections such as modules, threads, memory mappings, or thread stack frames. Obviously, it is also possible to iterate over a simple string slice. The second argument represents the bound variable which is an item associated with every element in the slice. The bound variable is accessed in the third argument, the predicate. It is usually followed by the segment that denotes the accessed value. Unsurprisingly, the predicate is commonly a binary expression which can be formed of not/paren expressions, other functions, and so on. The predicate is executed on every item in the slice. If the predicate evaluates to true, the function also returns the true value. Lastly, foreach function can receive an optional list of fields from the outer context, i.e. outside predicate loop. Therefore, for the predicate to access the field not defined within the scope of the iterable, it must capture the field first. Note that the side effect of introducing the foreach function is observed in the form of deprecation of previous segment/paths fields. This trend will follow in subsequent pull requests, untangling and overly simplifying the accessor codebase.
To improve rules efficacy against false positives, we ensure the process has a valid state by checking the process executable path. In `Hidden registry key creation` rule, add the exception for the `lsass.exe` process.
The parser got the ability to produce field literals with optional arguments. New bare bound variable and segment bound variable literals are added for a cleaner and more accurate representation of bare bounded variables, bound segments and bound fields respectively.
Most functions now support bare and segment bound argument types.
Rework the value accessors to operate with the new field type that encapsulates the field argument. Additionally, bound segments are propagated to all accessors and currently used in the PE accessor to determine if the section entropy needs to be calculated.
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.21.0 to 0.33.0. - [Commits](golang/net@v0.21.0...v0.33.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 2 to 6. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](dawidd6/action-download-artifact@v2...v6) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
When the single address is symbolized and its backing module is not found in the current process modules, query the parent process modules.
Incorporate the new thread.start_address.symbol and thread.start_address.module fields to extract the symbol corresponding to the thread start address and its module respectively.
The new filter fields allow accessing the attributes of the last user/kernel space frame. Additionally, symbols/module filter fields are modified to accept the frame index and only retrieve the symbol/module name of the accessed frame. The callstack segments are added to access signature info of the iterated frame.
Keep the stack walk events indexed by stack id. The stack id is a tuple of pid,tid associated with the thread executing the code. For every unique stack id, the queue of pending events is maintained. When the corresponding stack walk event arrives, the oldest event is pulled from the queue and enriched with stack addresses.
Keep all resolved symbols in the map and always consult when symbolizing the frame.
The symbols are now heavily cached making the fast mode obsolete.
Make the rules validation first-class citizen of the pull request and master workflows.
Make the substr function accept the third argument as optional. If the third argument is not given, the string is sliced from the start index to its length.
If the suspicious section of view mapping already produced a rule match for the process, we don't keep running the scans for that process.
After exhaustive triaging, it was spotted that the system registry provider can miss stackwalk samples. This can have disastrous consequences such as wrongly attributing stack return addresses or accumulated events. To elegantly mitigate the problem, we enable the registry flags on the system logger and receive all events within the same session.
Refactor the rule engine code by moving it into a separate package and segregating the main building blocks into distinct source files. Along the way, shift the state machine states from expression names to simple integer indices representing sequence ids.
The match all rule engine strategy permits a single event to trigger multiple rules.
Identifies the execution of a suspicious Netsh Helper DLL. Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe is a command-line scripting utility used to interact with the network configuration of a system. It supports the addition of custom DLLs to extend its functionality that attackers can weaponize.
Adversaries may employ the undocumented EtwpCreateEtwThread function to execute shellcode within the local process address space.
Change the heuristics for obtaining the final user code stack frame by looking for the presence of modules not referencing Win32 or Native (ntdll) layers that are intermediary modules for transitioning into kernel land.
…cess Identifies a suspicious process execution via Windows Management Instrumentation (WMI) originated from the Microsoft Office process loading an unusual WMI DLL. This technique can indicate code execution evading traditional parent/child processes spawned from Microsoft Office products.
Identifies the creation of an LSASS clone process via RtlCreateProcessReflection API function. Adversaries can use this technique to dump credentials material from the LSASS fork and evade defenses.
Identifies the creation of a process with stack frames originating from floating memory area while invoking commonly used Windows API functions like WinExec. This behavior is a typical indicator of code injection employing offensive shellcode maneuvering.
Identifies a suspicious execution of XSL script via Windows Management Instrumentation command line tool or XSL transformation utility. Adversaries may bypass application control and obscure the execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
Identifies the execution of scripts via Microsoft HTML Application Host interpreter. Adversaries can proxy the execution of arbitrary script code through a trusted, signed utility to evade defenses.
Identifies when the print spooler service loads unsigned or untrusted DLL and the callstack pattern indicates the print processor is loaded. Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided by the Credential Vault Client Library to enumerate or harvest saved credentials.
Identifies attempts to load unsigned executables from Microsoft Office add-ins directories, which adversaries may exploit to maintain persistence.
… registry modification Identifies port monitor or print process registry modifications that would allow adversaries to run malicious DLLs during system boot.
Identifies the execution via Windows Management Instrumentation (WMI) of the binary file written by the Microsoft Office process. Attackers can exploit WMI to silently execute malicious code.
The not operator has two variants. If used in front of the operator it negates the value of the operator eval. If used in front of the binary expression, it negates the entire expression. If not used adequately, this can introduce issues. So, it is better to standardize the usage of the not operator and if meant to solely negate the result of the operator use the lhs not operator rhs pattern.
If the module is loaded for the process executable, and we don't have the full executable path, override with the one from the image path if it corresponds to the process executable.
Make the rule more resistant to evasion by checking the original process executable name and also performing case-insensitive match on the command line.
Identifies the execution via Windows script interpreter of the executable file written by the Microsoft Office process.
…tion Identifies the modification of the Windows Defender process, path, or IP address registry key exclusions by suspicious processes. Adversaries may alter the Windows Defender exclusions to bypass defenses.
Detects suspicious processes modifying Windows Defender configuration settings via registry to disable protection features.
Identifies Microsoft Office process creating a DLL or other variant of an executable object which is later loaded by a trusted binary. Adversaries may exploit this behavior by delivering malicious modules via Microsoft Office documents.
The condition on whether the Microsoft Office process is spawned by the script interpreter should be evaluated on the ps.name field.
Reduce false positives in various rules by adding exceptions for process executables or file paths.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.1)
Can you help keep this open source service alive? 💖 Please sponsor : )