Yara updates for matching tool output

nccgroup · Nov 29, 2024 · d4cbdf5 · d4cbdf5
1 parent 793b55a
commit d4cbdf5
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 0 deletions.
diff --git a/event_tracker/mitre_attack_suggester/yara-rules/README.md b/event_tracker/mitre_attack_suggester/yara-rules/README.md
@@ -0,0 +1,8 @@
+Yara rules for matching the raw input/out of command line or C2 tooling. Each rule should include the following metadata:
+
+* `mitre_att_tactic` *required* MITRE ATT&CK Tactic ID, e.g. "TA0006"
+* `mitre_att_technique` *required*  MITRE ATT&CK (Sub)technique ID, e.g. "T1046" or "T1003.006"
+* `tool_owner` *optional* the company (if any) resposible for the tool, e.g. "Fortra"
+* `tool_name` *optional* the common name for the tool, e.g. "Cobalt Strike"
+* `tool_url` *optional* URL to obtain the tool, e.g. "https://www.cobaltstrike.com/"
+* `tool_component` *optional* The specific component of the tool if applicable, e.g. "secretsdump"
diff --git a/event_tracker/mitre_attack_suggester/yara-rules/command_and_control.yar b/event_tracker/mitre_attack_suggester/yara-rules/command_and_control.yar
@@ -2,6 +2,9 @@ rule link_smb {
     meta:
         mitre_att_tactic = "TA0011"
         mitre_att_technique = "T1071.002"
+        tool_owner = "Fortra"
+        tool_name = "Cobalt Strike"
+        tool_url = "https://www.cobaltstrike.com/"
     strings:
         $ = /^link /
     condition:

diff --git a/event_tracker/mitre_attack_suggester/yara-rules/credential_access.yar b/event_tracker/mitre_attack_suggester/yara-rules/credential_access.yar
@@ -12,6 +12,9 @@ rule sprayad {
     meta:
         mitre_att_tactic = "TA0006"
         mitre_att_technique = "T1110.003"
+        tool_owner = "Outflank"
+        tool_name = "Spray-AD"
+        tool_url = "https://github.com/outflanknl/Spray-AD"
     strings:
         $ = "SprayAD"
     condition:
@@ -22,9 +25,25 @@ rule dcsync_secretsdump {
     meta:
         mitre_att_tactic = "TA0006"
         mitre_att_technique = "T1003.006"
+        tool_name = "Impacket"
+        tool_component = "secretsdump"
+        tool_url = "https://github.com/fortra/impacket"
     strings:
         $dsruapi = " DRSUAPI "  // The API used by DCSync, included in the secretsdump output
         $justdcuser = " -just-dc-user "
     condition:
         any of them
 }
+
+rule GMSAPasswordReader {
+    meta:
+        mitre_att_tactic = "TA0006"
+        mitre_att_technique = "T1555"
+        tool_name = "GMSAPasswordReader"
+        tool_url = "https://github.com/rvazarkar/GMSAPasswordReader"
+    strings:
+        $ = "Calculating hashes for Old Value"
+        $ = "Calculating hashes for Current Value"
+    condition:
+        all of them
+}
diff --git a/event_tracker/mitre_attack_suggester/yara-rules/discovery.yar b/event_tracker/mitre_attack_suggester/yara-rules/discovery.yar
@@ -12,6 +12,9 @@ rule portscan {
     meta:
         mitre_att_tactic = "TA0007"
         mitre_att_technique = "T1046"
+        tool_owner = "Fortra"
+        tool_name = "Cobalt Strike"
+        tool_url = "https://www.cobaltstrike.com/"
     strings:
         $ = "portscan" nocase
     condition:
@@ -22,6 +25,9 @@ rule netGroupListMembers {
     meta:
         mitre_att_tactic = "TA0007"
         mitre_att_technique = "T1069.002"
+        tool_owner = "TrustedSec"
+        tool_name = "Situational Awareness BOF"
+        tool_url = "https://github.com/trustedsec/CS-Situational-Awareness-BOF"
     strings:
         $ = "netGroupListMembers"
     condition: