A React.js web app that takes a Sigma ruleset and translates it into a search query for any supported SIEM, using pySigma.

Prerequisites for running locally:

1. git
2. npm
3. python

Prerequisites for running with Docker:

1. Docker
```
.
├── README.md
├── backend
│   ├── Dockerfile
│   ├── README.md
│   ├── __pycache__
│   ├── env
│   ├── main.py
│   └── requirements.txt
├── docker-compose.yml
├── folder_structure.txt
└── frontend
    ├── Dockerfile
    ├── README.md
    ├── components.json
    ├── index.html
    ├── node_modules
    ├── package-lock.json
    ├── package.json
    ├── postcss.config.js
    ├── public
    ├── src
    ├── tailwind.config.js
    ├── tsconfig.json
    ├── tsconfig.node.json
    └── vite.config.ts
```
Running locally:

1. Clone the repository
2. cd into the repository
3. cd into the frontend folder and follow the Installation instructions there
4. cd into the backend folder and follow the Installation instructions there
5. Go to http://localhost:5173 and start using the application

Running with Docker:

1. docker-compose up
2. Wait for the Installation to complete
3. Go to http://localhost:5173 and start using the application
Click on the below image to view the video
I have provided a sample rule.yml file in the root directory of the project. You can use that to test the application, or you can use the following ruleset.
```yaml
title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (rule), David ANDRE (additional keywords)
date: 2021/12/20
modified: 2022/04/27
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel: System
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_special:
        - Image|endswith:
              - '\calc.exe'
              - '\wscript.exe'
              - '\cscript.exe'
              - '\hh.exe'
              - '\mshta.exe'
              - '\forfiles.exe'
              - '\ping.exe'
        - CommandLine|contains:
              # - 'sc stop ' # stops a system service # causes FPs
              - ' -NoP ' # Often used in malicious PowerShell commands
              - ' -W Hidden ' # Often used in malicious PowerShell commands
              - ' -decode ' # Used with certutil
              - ' /decode ' # Used with certutil
              - ' /urlcache ' # Used with certutil
              - ' -urlcache ' # Used with certutil
              - ' -e* JAB' # PowerShell encoded commands
              - ' -e* SUVYI' # PowerShell encoded commands
              - ' -e* SQBFAFgA' # PowerShell encoded commands
              - ' -e* aWV4I' # PowerShell encoded commands
              - ' -e* IAB' # PowerShell encoded commands
              - ' -e* PAA' # PowerShell encoded commands
              - ' -e* aQBlAHgA' # PowerShell encoded commands
              - 'vssadmin delete shadows' # Ransomware
              - 'reg SAVE HKLM' # save registry SAM - syskey extraction
              - ' -ma ' # ProcDump
              - 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
              - '.downloadstring(' # PowerShell download command
              - '.downloadfile(' # PowerShell download command
              - ' /ticket:' # Rubeus
              - 'dpapi::' # Mimikatz
              - 'event::clear' # Mimikatz
              - 'event::drop' # Mimikatz
              - 'id::modify' # Mimikatz
              - 'kerberos::' # Mimikatz
              - 'lsadump::' # Mimikatz
              - 'misc::' # Mimikatz
              - 'privilege::' # Mimikatz
              - 'rpc::' # Mimikatz
              - 'sekurlsa::' # Mimikatz
              - 'sid::' # Mimikatz
              - 'token::' # Mimikatz
              - 'vault::cred' # Mimikatz
              - 'vault::list' # Mimikatz
              - ' p::d ' # Mimikatz
              - ';iex(' # PowerShell IEX
              - 'MiniDump' # Process dumping method apart from procdump
              - 'net user '
    condition: all of selection*
falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: high
```
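To make the translation step concrete, here is an added example (not code from this project, which delegates the real work to pySigma) showing how a Sigma `detection` block is turned into a search query. It is a deliberately small hand-rolled translator: field modifiers `contains`, `startswith` and `endswith` become wildcards, list values become `OR` groups, and the `condition` string (`all of selection*`, `1 of ...`, `and`, `or`, `not`, parentheses) is parsed into boolean structure. The output syntax is an assumed generic `field="value"` form with `*` as the wildcard, not any specific SIEM's dialect; the detection dict is a constructed, shortened copy of the sample rule above.

```python
import fnmatch

# Constructed input: a trimmed version of the sample rule's detection section,
# as it would look after YAML parsing (the real app parses the YAML with pySigma).
SAMPLE_DETECTION = {
    "selection": {
        "IntegrityLevel": "System",
        "User|contains": ["AUTHORI", "AUTORI"],
    },
    "selection_special": [
        {"Image|endswith": ["\\calc.exe", "\\mshta.exe"]},
        {"CommandLine|contains": [" -NoP ", "sekurlsa::", ".downloadstring("]},
    ],
    "condition": "all of selection*",
}


def split_field(key):
    """'User|contains' -> ('User', ['contains']); modifiers may be chained."""
    name, *modifiers = key.split("|")
    return name, modifiers


def render_value(value, modifiers):
    """Quote a value for the assumed target syntax, applying wildcard modifiers.
    Backslashes and double quotes are escaped; Sigma's own '*' passes through."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    if "contains" in modifiers:
        text = f"*{text}*"
    elif "startswith" in modifiers:
        text = f"{text}*"
    elif "endswith" in modifiers:
        text = f"*{text}"
    return f'"{text}"'


def render_field(key, values):
    """A field with several values matches if any of them does (OR)."""
    name, modifiers = split_field(key)
    items = values if isinstance(values, list) else [values]
    parts = [f"{name}={render_value(v, modifiers)}" for v in items]
    return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"


def render_selection(selection):
    """Sigma semantics: a map is AND across fields, a list is OR across items."""
    if isinstance(selection, dict):
        parts = [render_field(k, v) for k, v in selection.items()]
        return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"
    if isinstance(selection, list):
        parts = [render_selection(item) for item in selection]
        return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"
    return render_value(selection, [])  # bare scalar = keyword search


def translate(detection):
    """Parse the condition string (precedence: not > and > or) and emit the query."""
    names = [k for k in detection if k != "condition"]
    tokens = detection["condition"].replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        left = parse_and()
        while peek() == "or":
            take()
            left = f"({left} OR {parse_and()})"
        return left

    def parse_and():
        left = parse_not()
        while peek() == "and":
            take()
            left = f"({left} AND {parse_not()})"
        return left

    def parse_not():
        if peek() == "not":
            take()
            return f"NOT {parse_not()}"
        return parse_atom()

    def parse_atom():
        token = take()
        if token == "(":
            inner = parse_or()
            take()  # closing parenthesis
            return inner
        if token in ("all", "1"):  # 'all of X*' / '1 of X*' / '... of them'
            take()  # 'of'
            pattern = take()
            chosen = sorted(names) if pattern == "them" else sorted(
                n for n in names if fnmatch.fnmatchcase(n, pattern))
            joiner = " AND " if token == "all" else " OR "
            return "(" + joiner.join(render_selection(detection[n]) for n in chosen) + ")"
        return render_selection(detection[token])

    return parse_or()


if __name__ == "__main__":
    print(translate(SAMPLE_DETECTION))
```

Running it against the trimmed rule yields one boolean expression in which `selection` (the SYSTEM-integrity, authority-user match) is ANDed with `selection_special` (the suspicious image OR command-line keyword group), which is exactly the structure `all of selection*` asks for. Real backends add per-SIEM field-name mapping and escaping rules on top of this, which is why the project uses pySigma rather than a translator like this one.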
Built with:

- React.js
- FastAPI
- shadcn/ui
- pySigma