rabbitstack
diff --git a/‎configs/rules/default/default.yml‎
Lines changed: 41 additions & 51 deletions b/‎configs/rules/default/default.yml‎
Lines changed: 41 additions & 51 deletions
diff --git a/‎configs/rules/default/stateful.yml‎
Lines changed: 26 additions & 0 deletions b/‎configs/rules/default/stateful.yml‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 1 addition & 0 deletions b/‎go.mod‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎go.sum‎
Lines changed: 2 additions & 0 deletions b/‎go.sum‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎pkg/config/_fixtures/filters/default-new-attributes.yml‎
Lines changed: 18 additions & 0 deletions b/‎pkg/config/_fixtures/filters/default-new-attributes.yml‎
Lines changed: 18 additions & 0 deletions
@@ -22,17 +22,17 @@
   enabled: true
   policy: exclude
   relation: or
-  from-strings:
+  rules:
     - name: Windows error reporting/telemetry, WMI provider host
-      def: ps.comm istartswith
+      condition: ps.comm istartswith
           (
             ' \"C:\\Windows\\system32\\wermgr.exe\\" \"-queuereporting_svc\" ',
             'C:\\Windows\\system32\\DllHost.exe /Processid',
             'C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding',
             'C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding'
           )
     - name: Windows error reporting/telemetry, Search Indexer, Session Manager, Auto check utility
-      def: ps.comm iin
+      condition: ps.comm iin
           (
             'C:\\Windows\\system32\\wermgr.exe -upload',
             'C:\\Windows\\system32\\SearchIndexer.exe /Embedding',
@@ -42,7 +42,7 @@
             'C:\\Windows\\System32\\RuntimeBroker.exe -Embedding'
           )
     - name: Various Windows processes
-      def: ps.exe iin
+      condition: ps.exe iin
           (
             'C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\TabTip32.exe',
             'C:\\Windows\\System32\\TokenBrokerCookies.exe',
@@ -68,11 +68,11 @@
             'C:\\Windows\\System32\\usocoreworker.exe -Embedding'
           )
     - name: svchost
-      def: ps.comm iin {{ .Values.processes.comm.svchost | stringify }}
+      condition: ps.comm iin {{ .Values.processes.comm.svchost | stringify }}
     - name: Microsoft edge
-      def: ps.comm istartswith '\"C:\\Program Files (x86)\\Microsoft\\Edge Dev\\Application\\msedge.exe\" --type='
+      condition: ps.comm istartswith '\"C:\\Program Files (x86)\\Microsoft\\Edge Dev\\Application\\msedge.exe\" --type='
     - name: Microsoft dotNet
-      def: ps.comm istartswith
+      condition: ps.comm istartswith
           (
             'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngen.exe',
             'C:\\WINDOWS\\Microsoft.NET\\Framework64\\v4.0.30319\\Ngen.exe'
@@ -85,7 +85,7 @@
             'C:\\Windows\\Microsoft.Net\\Framework64\\*\\WPF\\PresentationFontCache.exe'
           )
     - name: Microsoft Office
-      def: ps.exe iin
+      condition: ps.exe iin
           (
             'C:\\Program Files\\Microsoft Office\\Office16\\MSOSYNC.EXE',
             'C:\\Program Files (x86)\\Microsoft Office\\Office16\\MSOSYNC.EXE',
@@ -95,9 +95,9 @@
             'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RClient.exe'
           )
     - name: Media Player
-      def: ps.exe = 'C:\\Program Files\\Windows Media Player\\wmpnscfg.exe'
+      condition: ps.exe = 'C:\\Program Files\\Windows Media Player\\wmpnscfg.exe'
     - name: Google
-      def: ps.comm istartswith
+      condition: ps.comm istartswith
           (
             '\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\\\" --type=',
             '\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type='
@@ -108,12 +108,10 @@
 - group: Suspicious process terminations
   selector:
     type: TerminateProcess
-  enabled: true
   policy: include
-  relation: or
-  from-strings:
+  rules:
     - name: User binaries
-      def: ps.name istartswith ('C:\\Users', '\\')
+      condition: ps.name istartswith ('C:\\Users', '\\')
 
 
 # ======================= Remote thread creation =====================================================
@@ -124,12 +122,10 @@
 - group: Suspicious remote thread creations
   selector:
     type: CreateThread
-  enabled: true
   policy: include
-  relation: or
-  from-strings:
+  rules:
     - name: Fishy remote threads
-      def: kevt.pid != thread.pid
+      condition: kevt.pid != thread.pid
              and
            ps.exe not iin
            (
@@ -143,10 +139,11 @@
               'C:\\Windows\\system32\\kernel32.dll',
               'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'
            )
-      action: |
-        {{ $title := cat "Identified remote thread creation in" .Kevt.Kparams.exe }}
-        {{ $text := cat "Injected by" .Kevt.PS.Exe }}
-        {{ emit $title $text }}
+      action: >
+        {{ emit
+            (printf "Detected remote thread creation in %s" .Kevt.Kparams.exe)
+            (printf "Possible code injection by %s" .Kevt.PS.Exe)
+        }}
 
 # ======================= Network connection initiated ===============================================
 #
@@ -156,12 +153,10 @@
 - group: Suspicious network-connecting binaries
   selector:
     type: Connect
-  enabled: true
   policy: include
-  relation: or
-  from-strings:
+  rules:
     - name: Suspicious sources for network-connecting binaries
-      def: ps.exe istartswith
+      condition: ps.exe istartswith
           (
             'C:\\Users',
             'C:\\Recycle',
@@ -174,7 +169,7 @@
             'C:\\Windows\\system32\\config'
           )
     - name: Suspicious Windows tools network-connecting binaries
-      def: ps.name in
+      condition: ps.name in
           (
             'at.exe',
             'certutil.exe',
@@ -184,7 +179,7 @@
             'driverquery.exe',
             'dsquery.exe',
             'hh.exe',
-            'infDefaultInstall.exe',
+            'infconditionaultInstall.exe',
             'java.exe',
             'javaw.exe',
             'javaws.exe',
@@ -213,7 +208,7 @@
             'wscript.exe'
           )
     - name: Relevant 3rd Party Tools
-      def: ps.name in
+      condition: ps.name in
           (
             'nc.exe',
             'ncat.exe',
@@ -228,7 +223,7 @@
             'psinfo.exe'
           )
     - name: Suspicious ports
-      def: net.dport in
+      condition: net.dport in
           (
             22,
             23,
@@ -249,12 +244,10 @@
 - group: Microsoft binaries and known addresses
   selector:
     type: Connect
-  enabled: true
   policy: exclude
-  relation: or
-  from-strings:
+  rules:
     - name: Microsoft binaries
-      def: ps.exe istartswith 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'
+      condition: ps.exe istartswith 'C:\\ProgramData\\Microsoft\\Windows conditionender\\Platform\\'
               or
            ps.exe endswith 'AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe'
               or
@@ -265,41 +258,39 @@
               'microsoft.com.nsatc.net'
            )
     - name: OCSP protocol known addresses
-      def: net.dip in (23.4.43.27, 72.21.91.29)
+      condition: net.dip in (23.4.43.27, 72.21.91.29)
     - name: Loopback addresses
-      def: net.dip = 127.0.0.1 or net.dip startswith 'fe80:0:0:0'
+      condition: net.dip = 127.0.0.1 or net.dip startswith 'fe80:0:0:0'
 
 # ======================= File created ===============================================================
 #
 - group: Suspicious file creation operations
   selector:
     type: CreateFile
-  enabled: true
   policy: include
-  relation: or
-  from-strings:
+  rules:
     - name: Startup links and shortcut modifications
-      def: file.operation = 'create'
+      condition: file.operation = 'create'
               and
            file.name icontains
            (
               '\\Start Menu',
               '\\Startup\\'
            )
     - name: Microsoft Outlook attachments
-      def: file.operation = 'create' and file.name icontains '\\Content.Outlook\\'
+      condition: file.operation = 'create' and file.name icontains '\\Content.Outlook\\'
     - name: Downloaded files
-      def: file.operation = 'create' and file.name icontains '\\Downloads\\'
+      condition: file.operation = 'create' and file.name icontains '\\Downloads\\'
     - name: Microsoft ClickOnce application
-      def: file.operation = 'create'
+      condition: file.operation = 'create'
               and
            file.extension in
            (
               '.application',
               '.appref-ms'
            )
     - name: Batch scripting
-      def: file.operation = 'create'
+      condition: file.operation = 'create'
               and
            file.extension in
            (
@@ -309,7 +300,7 @@
               '.cmdline'
            )
     - name: Fishy extensions
-      def: file.operation = 'create'
+      condition: file.operation = 'create'
               and
            file.extension in
            (
@@ -333,7 +324,7 @@
               '.xls'
            )
     - name: Powershell persistence
-      def: file.operation = 'create'
+      condition: file.operation = 'create'
               and
            file.name imatches 'C:\\Windows\\*\\WindowsPowerShell'
 
@@ -342,12 +333,11 @@
 - group: Suspicious registry key modifications
   selector:
     category: registry
-  enabled: true
   policy: include
-  relation: or
-  from-strings:
+  rules:
     - name: Core Windows keys
-      def: kevt.name in ('RegCreateKey', 'RegDeleteKey', 'RegSetValue', 'RegDeleteValue')
+      condition: >
+        kevt.name in ('RegCreateKey', 'RegDeleteKey', 'RegSetValue', 'RegDeleteValue')
               and
            registry.key.name icontains
               (
@@ -378,7 +368,7 @@
               )
 
     - name: Services
-      def: kevt.name in ('RegCreateKey', 'RegDeleteKey', 'RegSetValue', 'RegDeleteValue')
+      condition: kevt.name in ('RegCreateKey', 'RegDeleteKey', 'RegSetValue', 'RegDeleteValue')
               and
            registry.key.name iendswith
            (
 
@@ -0,0 +1,26 @@
+- group: remote connection and command shell execution
+  policy: sequence
+  rules:
+    - name: establish remote connection
+      condition: >
+        kevt.name = 'Connect'
+          and
+          not
+        cidr_contains(
+          net.dip,
+          '10.0.0.0/8',
+          '172.16.0.0/12',
+          '172.17.0.0/16',
+          '192.168.0.0/16')
+    - name: spawn command shell
+      max-span: 1m
+      condition: >
+        kevt.name = 'CreateProcess'
+          and
+        ps.pid = $1.ps.pid
+          and
+        ps.sibling.name in ('cmd.exe', 'powershell.exe')
+  action: >
+    {{ emit "Command shell spawned after remote connection"
+      (printf "%s process spawned a command shell after connecting to %s" .Kevts.k2.PS.Exe .Kevts.k1.Kparams.dip)
+    }}
@@ -15,6 +15,7 @@ require (
 	github.com/olivere/elastic/v7 v7.0.20
 	github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2
 	github.com/pkg/errors v0.9.1
+	github.com/qmuntal/stateless v1.6.0 // indirect
 	github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5
 	github.com/sirupsen/logrus v1.4.1
 	github.com/spf13/cobra v0.0.3
 
@@ -142,6 +142,8 @@ github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/qmuntal/stateless v1.6.0 h1:gL34XLU4ZIGGEtlhbG1IBOty5Aoa8i+XY1YiRFtdLWk=
+github.com/qmuntal/stateless v1.6.0/go.mod h1:cWTwXu9ey+FxI0fHvDi1nGCtpYa8N1X2aOmoRg2RUCI=
 github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5 h1:mZHayPoR0lNmnHyvtYjDeq0zlVHn9K/ZXoy17ylucdo=
 github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5/go.mod h1:GEXHk5HgEKCvEIIrSpFI3ozzG5xOKA2DVlEX/gGnewM=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 
@@ -0,0 +1,18 @@
+- group: internal network traffic
+  enabled: false
+  selector:
+    type: Connect
+  policy: exclude
+  relation: and
+  tags:
+    - TE
+  from-strings:
+    - name: only network category
+      def: kevt.category = 'net'
+
+- group: rouge processes
+  selector:
+    category: net
+  rules:
+    - name: suspicious network {{ upper "activity" }}
+      condition: kevt.category = 'net' and ps.name in ('at.exe', 'java.exe')