From 645304affdca8bf2f00db34de022c1b70e3643e7 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sat, 10 Aug 2024 19:46:17 +0200
Subject: [PATCH 1/5] update sysmon events
---
 sigma/pipelines/sysmon/sysmon.py | 8 +-
 tests/test_processing_pipelines_sysmon.py | 96 +++++++++++++++++++++++
 2 files changed, 102 insertions(+), 2 deletions(-)
diff --git a/sigma/pipelines/sysmon/sysmon.py b/sigma/pipelines/sysmon/sysmon.py
index 36e18ed..b580126 100644
--- a/sigma/pipelines/sysmon/sysmon.py
+++ b/sigma/pipelines/sysmon/sysmon.py
@@ -11,8 +11,8 @@
 "process_creation": 1,
 "file_change": 2,
 "network_connection": 3,
- "process_termination": 5,
 "sysmon_status": [4, 16],
+ "process_termination": 5,
 "driver_load": 6,
 "image_load": 7,
 "create_remote_thread": 8,
@@ -28,9 +28,13 @@
 "pipe_created": [17, 18],
 "wmi_event": [19, 20, 21],
 "dns_query": 22,
- "file_delete": [23, 26],
+ "file_delete": 23,
 "clipboard_capture": 24,
 "process_tampering": 25,
+ "file_delete_detected": 26,
+ "file_block_executable": 27,
+ "file_block_shredding": 28,
+ "file_executable_detected": 29,
 "sysmon_error": 255,
 }
 )
diff --git a/tests/test_processing_pipelines_sysmon.py b/tests/test_processing_pipelines_sysmon.py
index 889383d..c56f6d0 100644
--- a/tests/test_processing_pipelines_sysmon.py
+++ b/tests/test_processing_pipelines_sysmon.py
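Review bot: `"file_delete": 23` silently narrows every existing rule written with `category: file_delete`: the same rule used to convert to `EventID in (23, 26)` and after this hunk matches only event 23, so deletions Sysmon reports as event 26 (FileDeleteDetected) stop matching until the rule author migrates to the new `file_delete_detected` category — a detection gap that nothing in the series calls out. If upstream Sigma's taxonomy still defines `file_delete` as covering both events, public rules converted through this pipeline will lose that coverage without any conversion error. Either keep `"file_delete": [23, 26]` and add `"file_delete_detected": 26` alongside it, or document the break in the README/changelog and bump more than the patch version (PATCH 4/5 goes 1.0.4 → 1.0.5 for what is a behavioural change in generated queries). A comment above the entry, e.g. `# Event 26 (FileDeleteDetected) now has its own category; file_delete no longer covers it`, would record the decision for the next maintainer. The new category names are also worth checking against the Sigma logsource taxonomy before release, since a category that does not match upstream's name leaves rules unconverted rather than failing loudly.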
@@ -415,6 +415,74 @@ def sysmon_file_delete_sigma_rule(): ) +@pytest.fixture +def sysmon_file_delete_detected_rule(): + return SigmaCollection.from_yaml( + """ + title: Sysmon File Delete Detected Test + status: test + logsource: + category: file_delete_detected + product: windows + detection: + sel: + TargetFilename: a file name is here + condition: sel + """ + ) + + +@pytest.fixture +def sysmon_file_block_executable_rule(): + return SigmaCollection.from_yaml( + """ + title: Sysmon File Block Executable Test + status: test + logsource: + category: file_block_executable + product: windows + detection: + sel: + TargetFilename: a file name is here + condition: sel + """ + ) + + +@pytest.fixture +def sysmon_file_block_shredding_rule(): + return SigmaCollection.from_yaml( + """ + title: Sysmon File Block Shredding Test + status: test + logsource: + category: file_block_shredding + product: windows + detection: + sel: + TargetFilename: a file name is here + condition: sel + """ + ) + + +@pytest.fixture +def sysmon_file_executable_detected_rule(): + return SigmaCollection.from_yaml( + """ + title: Sysmon File Executable Detected Test + status: test + logsource: + category: file_executable_detected + product: windows + detection: + sel: + TargetFilename: a file name is here + condition: sel + """ + ) + + def test_sysmon_process_creation(process_creation_sigma_rule): backend = TextQueryTestBackend(sysmon_pipeline()) assert backend.convert(process_creation_sigma_rule) == [ 
@@ -581,3 +649,31 @@ def test_sysmon_file_delete(sysmon_file_delete_sigma_rule):
 assert backend.convert(sysmon_file_delete_sigma_rule) == [
 '(EventID in (23, 26)) and TargetFilename="a file name is here"'
 ]
+
+
+def test_sysmon_file_delete_detected(sysmon_file_delete_detected_rule):
+ backend = TextQueryTestBackend(sysmon_pipeline())
+ assert backend.convert(sysmon_file_delete_detected_rule) == [
+ 'EventID=26 and TargetFilename="a file name is here"'
+ ]
+
+
+def test_sysmon_file_block_executable(sysmon_file_block_executable_rule):
+ backend = TextQueryTestBackend(sysmon_pipeline())
+ assert backend.convert(sysmon_file_block_executable_rule) == [
+ 'EventID=27 and TargetFilename="a file name is here"'
+ ]
+
+
+def test_sysmon_file_block_shredding(sysmon_file_block_shredding_rule):
+ backend = TextQueryTestBackend(sysmon_pipeline())
+ assert backend.convert(sysmon_file_block_shredding_rule) == [
+ 'EventID=28 and TargetFilename="a file name is here"'
+ ]
+
+
+def test_sysmon_file_executable_detected(sysmon_file_executable_detected_rule):
+ backend = TextQueryTestBackend(sysmon_pipeline())
+ assert backend.convert(sysmon_file_executable_detected_rule) == [
+ 'EventID=29 and TargetFilename="a file name is here"'
+ ]
From 326e4e0e6bdf604f97cd9b838d65613beca50ebd Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sat, 10 Aug 2024 19:55:39 +0200
Subject: [PATCH 2/5] Update test_processing_pipelines_sysmon.py
---
 tests/test_processing_pipelines_sysmon.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_processing_pipelines_sysmon.py b/tests/test_processing_pipelines_sysmon.py
index c56f6d0..30311ea 100644
--- a/tests/test_processing_pipelines_sysmon.py
+++ b/tests/test_processing_pipelines_sysmon.py
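Review bot: The context line `'(EventID in (23, 26)) and TargetFilename="a file name is here"'` in `test_sysmon_file_delete` is left as-is although this same patch maps `file_delete` to 23 only, so the suite fails at this commit and is only repaired in PATCH 2/5 by changing it to `'EventID=23 and TargetFilename="a file name is here"'`. Squashing the two patches keeps every commit in the series self-consistent for bisecting and for anyone reviewing the mapping change and its test together. The four added tests pin the new categories to 26–29 as the mapping expects, which is the right coverage; the body of `test_sysmon_file_delete` itself begins outside this hunk.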
@@ -647,7 +647,7 @@ def test_sysmon_wmi_event(sysmon_wmi_event_sigma_rule):
 def test_sysmon_file_delete(sysmon_file_delete_sigma_rule):
 backend = TextQueryTestBackend(sysmon_pipeline())
 assert backend.convert(sysmon_file_delete_sigma_rule) == [
- '(EventID in (23, 26)) and TargetFilename="a file name is here"'
+ 'EventID=23 and TargetFilename="a file name is here"'
 ]
From 4ffc4b094e31546f3bc7640acff1e067e82adb99 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sat, 10 Aug 2024 19:59:52 +0200
Subject: [PATCH 3/5] Update README.md
---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index d8a2f79..c7a4081 100644
--- a/README.md
+++ b/README.md
@@ -28,10 +28,14 @@ Currently the pipeline adds support for the following event types (Sigma logsour
 * pipe_created: 17,18
 * wmi_event: 19,20,21
 * dns_query: 22
-* file_delete: 23,26
+* file_delete: 23
 * clipboard_capture: 24
 * process_tampering: 25
 * sysmon_error: 255
+* file_delete_detected: 26,
+* file_block_executable: 27,
+* file_block_shredding: 28,
+* file_executable_detected: 29
 This backend is currently maintained by:
From 7127877a27aa28777de80c3185cfc14d8d660da8 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sat, 10 Aug 2024 20:00:26 +0200
Subject: [PATCH 4/5] Update pyproject.toml
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index f432d37..67407ab 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pysigma-pipeline-sysmon"
-version = "1.0.4"
+version = "1.0.5"
 description = "pySigma Sysmon processing pipelines"
 readme = "README.md"
 authors = ["Thomas Patzke "]
From 1b4f43a03bf5c673cbab8cfd2ad83d398b92ecfe Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sat, 10 Aug 2024 20:00:58 +0200
Subject: [PATCH 5/5] Update README.md
---
 README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index c7a4081..831b988 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
 # pySigma Sysmon Processing Pipeline
-This is the Sysmon processing pipeline for pySigma. It provides the package `sigma.pipeline.sysmon` with the `sysmon_pipeline` function that returns a ProcessingPipeline object.
+This is the [Sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon) processing pipeline for pySigma. It provides the package `sigma.pipeline.sysmon` with the `sysmon_pipeline` function that returns a ProcessingPipeline object.
 Currently the pipeline adds support for the following event types (Sigma logsource category to EventID mapping):
@@ -32,9 +32,9 @@ Currently the pipeline adds support for the following event types (Sigma logsour
 * clipboard_capture: 24
 * process_tampering: 25
 * sysmon_error: 255
-* file_delete_detected: 26,
-* file_block_executable: 27,
-* file_block_shredding: 28,
+* file_delete_detected: 26
+* file_block_executable: 27
+* file_block_shredding: 28
 * file_executable_detected: 29
 This backend is currently maintained by: