Part.1
The previous issue covered Sigma itself. Because detection in this stack is handled entirely by Wazuh, the Sigma rules have to be converted into rules that Wazuh can load. With a large number of rules, and with Wazuh and Sigma using completely different rule syntax, this is not a trivial job.
Fortunately a community member has shared a conversion script on GitHub that can be used as-is. The script is still at an early stage, though, and a portion of the rules cannot be converted yet.
Conversion script: https://github.com/theflakes/sigma_to_wazuh
Part.2
The rest of this part walks through using the script.
The usage instructions in the project README are:
1. Clone the repository.
2. Install the Python 3 packages: pip3 install lxml bs4 ruamel.yaml
3. Clone the Sigma repository: https://github.com/SigmaHQ/sigma
4. Update the "config.ini" variables where necessary:
   directory: point it to the rules folder in the cloned Sigma repository
5. Run sigma_to_wazuh.py
You'll see output of rules that are skipped, rules that error out on loading, followed by a summary of the rules conversion.
Following the README step by step:
1. git clone https://github.com/theflakes/sigma_to_wazuh
2. pip3 install lxml bs4 ruamel.yaml
3. git clone https://github.com/SigmaHQ/sigma
4. Edit config.ini in the sigma_to_wazuh folder. I cloned the Sigma repository into the directory next to sigma_to_wazuh, so the parameter circled in the screenshot below is set accordingly.
5. Once configured, run the script to convert the rules:
python3 sigma_to_wazuh.py
The conversion rate was 80.12%; the converted rules are written to sigma.xml.
Part.3
Copy sigma.xml into the Wazuh rules directory (the default rule_dir, which the manager loads at start-up):
cd /var/ossec/etc/rules/
Restart wazuh-manager so the new file is loaded, then log in to the Wazuh console and check that the imported rules are listed.
Compare the rule posh_ps_susp_smb_share_reco.yml before conversion (the original Sigma YAML) with how the same rule is written in sigma.xml after conversion. The converter keeps the Sigma metadata as XML comments and MITRE tags, turns the match into a case-insensitive pcre2 regex on the decoded field win.eventdata.scriptBlockText, and hangs the rule under the generic Windows rules via if_sid, so it is only evaluated for events one of those parent rules has already matched:
<rule id="900346" level="7">
    <info type="link">https://github.com/SigmaHQ/sigma/tree/master/rules/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml</info>
    <!--Sigma Rule Author: frack113-->
    <!--Description: Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as
    a precursor for Collection and to identify potential systems of interest for Lateral Movement.
    Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
    -->
    <!--Date: 2021/12/15-->
    <!--Status: test-->
    <!--ID: 95f0643a-ed40-467c-806b-aac9542ec5ab-->
    <mitre>
        <id>attack.discovery</id>
        <id>attack.t1069.001</id>
    </mitre>
    <description>Suspicious Get Information for SMB Share</description>
    <options>no_full_log</options>
    <group>windows,ps_script,</group>
    <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
    <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)get\-smbshare</field>
</rule>
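To see what the converted rule actually does before loading it into a manager, the following added example (my code, not the page's and not part of the sigma_to_wazuh project) parses the rule above and replays it against constructed script block events in the shape of Wazuh's decoded Windows eventchannel JSON, including the two commands tested later on this page (get-smbshare and get-process). Python's re module stands in for Wazuh's pcre2 engine, which is fine for the syntax this rule uses; the parent rule id 60009 and the event layout are assumptions, as is the small sigma_contains_to_pcre2 helper, which only illustrates the case-insensitive, escaped mapping visible in the output and is not the converter's own logic.

```python
"""Replay the converted Wazuh rule above against constructed PowerShell 4104 events.

Added example, not code from the page or from the sigma_to_wazuh project.
The rule XML is copied from the converted rule shown above; the events are
constructed to resemble Wazuh's decoded Windows eventchannel JSON, in which the
script block text lands in win.eventdata.scriptBlockText. Python's re module
stands in for Wazuh's pcre2 engine; the syntax used by this rule ((?i) and an
escaped hyphen) behaves the same in both.
"""
import re
import xml.etree.ElementTree as ET

# Wazuh rule files wrap rules in a <group>; the rule body is the one from sigma.xml above.
WAZUH_RULE_XML = r"""
<group name="sigma,">
  <rule id="900346" level="7">
    <mitre>
      <id>attack.discovery</id>
      <id>attack.t1069.001</id>
    </mitre>
    <description>Suspicious Get Information for SMB Share</description>
    <options>no_full_log</options>
    <group>windows,ps_script,</group>
    <if_sid>18100, 60000, 60001, 60002, 60003, 60004, 60006, 60007, 60008, 60009, 60010, 60011, 60012</if_sid>
    <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)get\-smbshare</field>
  </rule>
</group>
"""

# Assumption: the generic Windows rule that matched the event first. In a real
# deployment Wazuh picks it; any id listed in <if_sid> makes the child eligible.
ASSUMED_PARENT_SID = 60009


def load_rules(xml_text):
    """Parse the rule attributes this demo needs: id, level, if_sid parents, field regexes."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        parents = [int(s) for s in r.findtext("if_sid", "").replace(" ", "").split(",") if s]
        fields = [(f.get("name"), f.get("negate", "no") == "yes", re.compile(f.text))
                  for f in r.findall("field")]
        rules.append({"id": int(r.get("id")), "level": int(r.get("level")),
                      "description": r.findtext("description"),
                      "if_sid": parents, "fields": fields})
    return rules


def get_field(event, dotted):
    """Resolve a dotted Wazuh field name such as win.eventdata.scriptBlockText."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def rule_matches(rule, event, parent_sid):
    """A child rule is only evaluated once one of its <if_sid> parents fired,
    and every <field> must then match (or not match, when negate="yes")."""
    if rule["if_sid"] and parent_sid not in rule["if_sid"]:
        return False
    for name, negate, regex in rule["fields"]:
        value = get_field(event, name)
        hit = value is not None and regex.search(str(value)) is not None
        if hit == negate:
            return False
    return True


def fired(rules, event, parent_sid=ASSUMED_PARENT_SID):
    """Ids of the rules that would fire for one decoded event."""
    return [r["id"] for r in rules if rule_matches(r, event, parent_sid)]


def make_event(script_text):
    """Constructed sample in the shape of a decoded 4104 script block event."""
    return {"win": {"system": {"eventID": "4104",
                               "channel": "Microsoft-Windows-PowerShell/Operational"},
                    "eventdata": {"scriptBlockText": script_text}}}


def sigma_contains_to_pcre2(value):
    """Illustration (not the converter's own code) of how a Sigma `|contains`
    value becomes the pcre2 field above: Sigma string matching is
    case-insensitive, so the value is lowercased and wrapped in (?i), and
    regex metacharacters (the hyphen here) are escaped."""
    return "(?i)" + re.escape(value.lower())


if __name__ == "__main__":
    rules = load_rules(WAZUH_RULE_XML)
    # Constructed script block texts; the first two mirror the test commands on this page.
    for text in ("get-smbshare", "get-process", "Get-SmbShare -Name ADMIN$ | Format-List"):
        print(f"{text!r:45} -> {fired(rules, make_event(text))}")
    print(sigma_contains_to_pcre2("Get-SmbShare"))
```

Two things the replay makes visible: the match is case-insensitive, so both get-smbshare and Get-SmbShare fire rule 900346, while get-process does not touch this rule at all (the page's second test exercises a different converted rule); and an event whose parent rule is not in the if_sid list never reaches the child, which is why the Windows eventchannel log must be flowing through the agent before any of these rules can fire. On a real manager the same check can be done with /var/ossec/bin/wazuh-logtest against a captured 4104 event.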
Open PowerShell (elevated, since this writes under HKLM) and enable script block logging. Every Sigma rule that inspects PowerShell script blocks depends on it: with script block logging on, PowerShell writes Event ID 4104 to the Microsoft-Windows-PowerShell/Operational channel, which the Wazuh agent must also be collecting for the rule above to ever see the scriptBlockText field.
function Enable-PSScriptBlockLogging
{
    $basePath = 'HKLM:\Software\Policies\Microsoft\Windows' +
                '\PowerShell\ScriptBlockLogging'
    if(-not (Test-Path $basePath))
    {
        $null = New-Item $basePath -Force
    }
    Set-ItemProperty $basePath -Name EnableScriptBlockLogging -Value "1"
}
# Defining the function does nothing by itself; call it to apply the setting
Enable-PSScriptBlockLogging
Reference: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.3
Once that is done, run the command and check whether it is detected:
powershell get-smbshare
Check in Graylog whether the log for this command shows up.
It was detected, which means the rule is working.
Try another rule (a different converted PowerShell rule, not the one shown above):
powershell get-process
Part.4
Up to now this series has mostly covered log sources and detection. For alerts, what matters most is pushing them promptly to the people responsible for handling them, so the next issue will cover alert notification.
Stay tuned for Open-source SOC Implementation (12): the alert notification tool Praeco.