From e18b5901d500a31a6e12655db7a181a5eedc0e24 Mon Sep 17 00:00:00 2001
From: Cyb3rSn0rlax <18106793+H1L021@users.noreply.github.com>
Date: Sun, 13 Mar 2022 00:25:22 +0100
Subject: [PATCH 1/5] Update generate_uuid.py

Support for current year
---
 scripts/generate_uuid.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/scripts/generate_uuid.py b/scripts/generate_uuid.py
index d197bc5..8d684ae 100644
--- a/scripts/generate_uuid.py
+++ b/scripts/generate_uuid.py
@@ -1,6 +1,7 @@
 import glob
 import os
 import re
+from datetime import date
 
 current_directory = os.path.dirname(__file__)
 relationships_directory = os.path.join(current_directory, '../relationships')
@@ -21,4 +22,5 @@
     if n > max_id: max_id = n
 # Generate relationship_id
 count = max_id+1
-print('relationship_id: REL-2022-' + '0'*(4 - len(str(count))) + str(count))
\ No newline at end of file
+current_date = date.today()
+print('relationship_id: REL-' + str(current_date.year) + '-' + '0'*(4 - len(str(count))) + str(count))
\ No newline at end of file

From cbb4640417c22ff16800b99b693857b72a3d85c4 Mon Sep 17 00:00:00 2001
From: Cyb3rSn0rlax <18106793+H1L021@users.noreply.github.com>
Date: Sun, 13 Mar 2022 18:12:54 +0100
Subject: [PATCH 2/5] Adding IP called an RPC method via via zeek and EID 5712

---
 relationships/ip_called_rpc_method.yml | 30 ++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 relationships/ip_called_rpc_method.yml

diff --git a/relationships/ip_called_rpc_method.yml b/relationships/ip_called_rpc_method.yml
new file mode 100644
index 0000000..32bab4e
--- /dev/null
+++ b/relationships/ip_called_rpc_method.yml
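Review bot: The padding expression `'0'*(4 - len(str(count)))` on the rewritten print line goes negative once count reaches 10000, so the id is emitted unpadded as five digits; an id of that width is no longer matched by the script's `\d{4}` pattern (visible in the next patch's hunk), so the following run would hand out a number that is already in use. `str(count).zfill(4)` pads correctly, and a guard such as `if count > 9999: raise SystemExit('relationship id space exhausted')` makes the overflow loud instead of silent. The same expression survives on the last line of the patch 3 hunk of this file. The top of the script (the loop that collects existing ids) is outside this hunk.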
@@ -0,0 +1,30 @@
+relationship_id: REL-2022-0188
+name: IP called RPC Method
+contributors:
+- Hamza OUADIÂ @Cyb3rSn0rlax
+attack:
+  data_source: Network Traffic
+  data_component: network connection creation
+behavior:
+  source: ip
+  relationship: called
+  target: rpc method
+security_events:
+- event_id: dce_rpc_request
+  name: DCE-RPC Operation.
+  platform: Zeek
+  audit_category: null
+  audit_sub_category: null
+  log_channel: null
+  log_provider: null
+- event_id: 5712
+  name: A Remote Procedure Call (RPC) was attempted.
+  platform: Windows
+  audit_category: Process Tracking
+  audit_sub_category: RPC events
+  log_channel: null
+  log_provider: null
+refenrences:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5712
+note:
+- It appears that the event id 5712 event never occurs.
\ No newline at end of file

From 85a7dc0f827311427f9189c2af731f75fd997486 Mon Sep 17 00:00:00 2001
From: Jose Rodriguez
Date: Mon, 14 Mar 2022 17:57:32 -0400
Subject: [PATCH 3/5] Update generate_uuid.py

made num_id a dictionary instead of a list.
Keys of dictionary: Years
Values of dictionary: List of numbers for each year
---
 scripts/generate_uuid.py | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/scripts/generate_uuid.py b/scripts/generate_uuid.py
index 8d684ae..4768250 100644
--- a/scripts/generate_uuid.py
+++ b/scripts/generate_uuid.py
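Review bot: The key `refenrences:` near the end of this new file is misspelled, so any loader or schema check that looks for `references` will silently drop the Microsoft link; rename it to `references:`. The same misspelled key is carried unchanged as context through the patch 4 and patch 5 hunks of this file. The contributor entry `- Hamza OUADIÂ @Cyb3rSn0rlax` looks like a mis-encoded non-breaking space rendered as `Â`; confirm the file is saved as UTF-8 with a plain space so the name round-trips through whatever tooling reads these relationship files.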
@@ -6,21 +6,21 @@
 current_directory = os.path.dirname(__file__)
 relationships_directory = os.path.join(current_directory, '../relationships')
 max_id=0
-num_id = []
+num_id = dict() # a dictionary with year as key and list of numbers as values
 relationships_files = glob.glob(os.path.join(relationships_directory, "[!_]*.yml"))
 for relationship_file in relationships_files:
     file = open(relationship_file,'r+')
     first_line = file.readlines()[0].rstrip() # read first line
-    if re.search("^relationship_id\:\sREL\-202[\d]{1}\-\d{4}", first_line): # If file already has an ID
-        search = re.search("^relationship_id\:\sREL\-202[\d]{1}\-(.*?)$", first_line) # Grab it
-        num_id.append(search.group(1))
-# Convert strings to integers
-for i in range(0, len(num_id)):
-    num_id[i] = int(num_id[i])
-# Get max ID in list
-for n in num_id:
-    if n > max_id: max_id = n
-# Generate relationship_id
-count = max_id+1
+    if re.search("^relationship_id\:\sREL\-[\d]{4}\-\d{4}", first_line): # If file already has an ID
+        search = re.search("^relationship_id\:\sREL\-([\d]{4})\-([\d]{4})$", first_line) # Grab it
+        if search.group(1) not in num_id.keys(): # adding year as key of the dict
+            num_id[search.group(1)] = []
+        num_id[search.group(1)].append(int(search.group(2))) # adding number to corresponding key
+
 current_date = date.today()
-print('relationship_id: REL-' + str(current_date.year) + '-' + '0'*(4 - len(str(count))) + str(count))
\ No newline at end of file
+year = str(current_date.year)
+if year not in num_id.keys():
+    print('relationship_id: REL-' + year + '-' + '0001') # First relationship of the year
+else:
+    number = max(num_id[year])+1
+    print('relationship_id: REL-' + year + '-' + '0'*(4 - len(str(number))) + str(number))

From aa344fc7689ed72e9845536a882d0215bfac955e Mon Sep 17 00:00:00 2001
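Review bot: `search` can be `None` on the new `search = re.search(...)` line: the guarding pattern on the line above it has no `$` anchor and accepts any first line that merely starts with a well-formed id, while the capturing pattern requires the line to end right after four digits, so a trailing comment or a fifth digit makes the following `search.group(1)` raise AttributeError and the generator aborts on one malformed file. Use a single anchored, capturing pattern for both steps, e.g. `match = re.match(r'^relationship_id:\sREL-(\d{4})-(\d{4})$', first_line)` followed by `if match:`; the raw string also removes the invalid `\:` and `\-` escapes in these non-raw literals, which Python reports as a DeprecationWarning. The `if ... not in num_id.keys()` / `= []` pair collapses to `num_id.setdefault(match.group(1), []).append(int(match.group(2)))`. The handle opened on the context line `file = open(relationship_file,'r+')` is never closed and does not need write access; `with open(relationship_file) as f:` fixes both.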
From: Jose Rodriguez
Date: Mon, 14 Mar 2022 18:09:57 -0400
Subject: [PATCH 4/5] Update ip_called_rpc_method.yml

Deleted relationship ID. No need to add relationship since ossemDM.py script will add relationship id after the PR is merged :D
---
 relationships/ip_called_rpc_method.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/relationships/ip_called_rpc_method.yml b/relationships/ip_called_rpc_method.yml
index 32bab4e..d669459 100644
--- a/relationships/ip_called_rpc_method.yml
+++ b/relationships/ip_called_rpc_method.yml
@@ -1,4 +1,3 @@
-relationship_id: REL-2022-0188
 name: IP called RPC Method
 contributors:
 - Hamza OUADIÂ @Cyb3rSn0rlax
@@ -27,4 +26,4 @@ security_events:
 refenrences:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5712
 note:
-- It appears that the event id 5712 event never occurs.
\ No newline at end of file
+- It appears that the event id 5712 event never occurs.

From 96c31480148cc5062829f6e0d4dfa42297623b8d Mon Sep 17 00:00:00 2001
From: Jose Rodriguez
Date: Mon, 27 Jun 2022 23:59:26 -0400
Subject: [PATCH 5/5] Update ip_called_rpc_method.yml

- updated schema for both events
- I need to validate if user and process context of event 5712 could be used to generate new relationships: user called RPC method, process called rpc method
- I need to validate schema for dce_rpc event and potential change in behavior to: rpc method called from ip or port
- I need to validate attack mapping section
---
 relationships/ip_called_rpc_method.yml | 27 +++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/relationships/ip_called_rpc_method.yml b/relationships/ip_called_rpc_method.yml
index d669459..c44c5b7 100644
--- a/relationships/ip_called_rpc_method.yml
+++ b/relationships/ip_called_rpc_method.yml
@@ -9,21 +9,22 @@ behavior:
   relationship: called
   target: rpc method
 security_events:
-- event_id: dce_rpc_request
-  name: DCE-RPC Operation.
-  platform: Zeek
-  audit_category: null
-  audit_sub_category: null
-  log_channel: null
-  log_provider: null
+- event_id: dce_rpc
+  name: DCE-RPC Log
+  platform: zeek
+  log_source: network-protocols
+  filter_in:
+  - operation: request
+  event_version: ['0']
 - event_id: 5712
   name: A Remote Procedure Call (RPC) was attempted.
-  platform: Windows
-  audit_category: Process Tracking
-  audit_sub_category: RPC events
-  log_channel: null
-  log_provider: null
+  platform: windows
+  audit_category: Detailed Tracking
+  audit_sub_category: RPC Events
+  log_source: Microsoft-Windows-Security-Auditing
+  event_version: ['0']
 refenrences:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5712
-note:
+- https://www.windows-security.org/windows-event-id/5712-a-remote-procedure-call-rpc-was-attempted
+notes:
 - It appears that the event id 5712 event never occurs.
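Review bot: The new `filter_in:` / `- operation: request` entry under the zeek `dce_rpc` event is worth validating against this project's data dictionary before merge: if I recall correctly, Zeek's dce_rpc.log `operation` field carries the name of the RPC operation that was invoked rather than a request/response marker, in which case a filter on the literal value `request` would select no records at all and the relationship would be silently empty on the Zeek side. The added link is stored under the still-misspelled `refenrences:` context key, so renaming it to `references:` while this block is being touched avoids a consumer dropping both URLs. The retained note that event 5712 never occurs is the caveat detection engineers need most here; until it is validated, the Windows half of this relationship should be treated as unconfirmed and the Zeek event as the only source expected to produce data.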