update sysmon events #6

Merged
merged 5 commits into from
Aug 10, 2024
Merged
8 changes: 6 additions & 2 deletions sigma/pipelines/sysmon/sysmon.py
Expand Up @@ -11,8 +11,8 @@
"process_creation": 1,
"file_change": 2,
"network_connection": 3,
"process_termination": 5,
"sysmon_status": [4, 16],
"process_termination": 5,
"driver_load": 6,
"image_load": 7,
"create_remote_thread": 8,
Expand All @@ -28,9 +28,13 @@
"pipe_created": [17, 18],
"wmi_event": [19, 20, 21],
"dns_query": 22,
"file_delete": [23, 26],
"file_delete": 23,
"clipboard_capture": 24,
"process_tampering": 25,
"file_delete_detected": 26,
"file_block_executable": 27,
"file_block_shredding": 28,
"file_executable_detected": 29,
"sysmon_error": 255,
}
)
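Review bot: Narrowing `file_delete` from `[23, 26]` to `23` silently changes what every existing `category: file_delete` rule matches: Sysmon reports an archived deletion as EventID 23 and a non-archived one as EventID 26, and which of the two a host emits depends on its Sysmon configuration, so a rule that previously fired on either now fires only where archiving is enabled. That is a coverage regression for rules already deployed, not merely the addition of a new category, and nothing in the hunk marks it as deliberate. If the goal is to expose the new `file_delete_detected` category while staying backward compatible, keep `"file_delete": [23, 26],` next to the new `"file_delete_detected": 26,`; if the split is meant to track a taxonomy change, add a comment on the `file_delete` entry naming that source so the narrowing is visibly intentional. The enclosing mapping definition starts before the first hunk.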
98 changes: 97 additions & 1 deletion tests/test_processing_pipelines_sysmon.py
Expand Up @@ -415,6 +415,74 @@ def sysmon_file_delete_sigma_rule():
)


@pytest.fixture
def sysmon_file_delete_detected_rule():
return SigmaCollection.from_yaml(
"""
title: Sysmon File Delete Detected Test
status: test
logsource:
category: file_delete_detected
product: windows
detection:
sel:
TargetFilename: a file name is here
condition: sel
"""
)


@pytest.fixture
def sysmon_file_block_executable_rule():
return SigmaCollection.from_yaml(
"""
title: Sysmon File Block Executable Test
status: test
logsource:
category: file_block_executable
product: windows
detection:
sel:
TargetFilename: a file name is here
condition: sel
"""
)


@pytest.fixture
def sysmon_file_block_shredding_rule():
return SigmaCollection.from_yaml(
"""
title: Sysmon File Block Shredding Test
status: test
logsource:
category: file_block_shredding
product: windows
detection:
sel:
TargetFilename: a file name is here
condition: sel
"""
)


@pytest.fixture
def sysmon_file_executable_detected_rule():
return SigmaCollection.from_yaml(
"""
title: Sysmon File Executable Detected Test
status: test
logsource:
category: file_executable_detected
product: windows
detection:
sel:
TargetFilename: a file name is here
condition: sel
"""
)


def test_sysmon_process_creation(process_creation_sigma_rule):
backend = TextQueryTestBackend(sysmon_pipeline())
assert backend.convert(process_creation_sigma_rule) == [
Expand Down Expand Up @@ -579,5 +647,33 @@ def test_sysmon_wmi_event(sysmon_wmi_event_sigma_rule):
def test_sysmon_file_delete(sysmon_file_delete_sigma_rule):
backend = TextQueryTestBackend(sysmon_pipeline())
assert backend.convert(sysmon_file_delete_sigma_rule) == [
'(EventID in (23, 26)) and TargetFilename="a file name is here"'
'EventID=23 and TargetFilename="a file name is here"'
]


def test_sysmon_file_delete_detected(sysmon_file_delete_detected_rule):
backend = TextQueryTestBackend(sysmon_pipeline())
assert backend.convert(sysmon_file_delete_detected_rule) == [
'EventID=26 and TargetFilename="a file name is here"'
]


def test_sysmon_file_block_executable(sysmon_file_block_executable_rule):
backend = TextQueryTestBackend(sysmon_pipeline())
assert backend.convert(sysmon_file_block_executable_rule) == [
'EventID=27 and TargetFilename="a file name is here"'
]


def test_sysmon_file_block_shredding(sysmon_file_block_shredding_rule):
backend = TextQueryTestBackend(sysmon_pipeline())
assert backend.convert(sysmon_file_block_shredding_rule) == [
'EventID=28 and TargetFilename="a file name is here"'
]


def test_sysmon_file_executable_detected(sysmon_file_executable_detected_rule):
backend = TextQueryTestBackend(sysmon_pipeline())
assert backend.convert(sysmon_file_executable_detected_rule) == [
'EventID=29 and TargetFilename="a file name is here"'
]
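Review bot: The four new fixtures and four new tests are copies that differ only in the category name and the expected EventID; one `pytest.mark.parametrize` over `(category, event_id)` pairs keeps the same coverage and makes the next Sysmon event a one-line addition instead of ~25 lines. The changed expectation in `test_sysmon_file_delete` (`'EventID=23 and ...'` replacing the `(EventID in (23, 26))` form) also turns the suite into an assertion that `file_delete` rules no longer match EventID 26, which deserves a comment on that assert if the narrowing is intended. A parametrized form is sketched below; `test_sysmon_wmi_event`, named in the second hunk header, is unchanged and outside the hunk.

```python
@pytest.mark.parametrize(
    "category, event_id",
    [
        ("file_delete_detected", 26),
        ("file_block_executable", 27),
        ("file_block_shredding", 28),
        ("file_executable_detected", 29),
    ],
)
def test_sysmon_file_event_category_maps_to_event_id(category, event_id):
    # One rule body, parametrized on the logsource category; the expected
    # query pins the single EventID the pipeline must emit for it.
    rule = SigmaCollection.from_yaml(
        f"""
        title: Sysmon {category} Test
        status: test
        logsource:
            category: {category}
            product: windows
        detection:
            sel:
                TargetFilename: a file name is here
            condition: sel
        """
    )
    backend = TextQueryTestBackend(sysmon_pipeline())
    assert backend.convert(rule) == [
        f'EventID={event_id} and TargetFilename="a file name is here"'
    ]
```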