Tiago Faria 0xtf

## 3cs-rule-example.yaml
title: Windows ETW Tampering
id: 29d02e66-cc4e-4cd4-8fd3-7e729e1a230d
status: experimental
description: Detects commands that remove, disable, stop or tamper tracing sessions relevant to security.
author: 3CORESec
date: 2020/11/16
references:
    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
    - https://github.com/Neo23x0/sigma/blob/8f6ad7df6b7f099db4bc1e867c4614074ea57e87/rules/windows/process_creation/win_etw_trace_evasion.yml
tags:

## fireeye_ost_nids.yml
title: NIDS FireEye Breached Red Team Tool Detected
id: ce129fbc-5c2e-4e49-ac2d-9742afa10c25
status: experimental
description: A red team tool, from the FireEye breach, has been detected.
author: 3CORESec
date: 2020/12/09
modified: 2020/12/10
references:
  - https://github.com/fireeye/red_team_tool_countermeasures
tags:

## ecs-cloudtrail-mapping
python3 sigmac -c config/ecs-cloudtrail.yml -t es-qs ../rules/cloud/aws_ec2_vm_export_failure.yml

((event.action:"CreateInstanceExportTask" AND event.provider:"ec2.amazonaws.com") AND event.outcome:failure)

## sigma-with-failure-logic.yaml
title: AWS EC2 VM Export failure
id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
status: experimental
description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
references:
  - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
author: Diogo Braz
date: 2020/04/16
tags:
  - attack.collection

## sigma-overrides-config.yaml
overrides:
  - field: event.outcome
    value: failure
    regexes:
      - (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
      - (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
      - (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
      - (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
      - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
      - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))

## sigma-overrides-regexes.yaml
regexes:
  - (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
  - (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
  - (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
  - (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\*Failure\*\)\))
  - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
  - (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))
  - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_message.keyword:\*\)\))
  - (\(\(aws.cloudtrail.response_elements.keyword:\*Failure\*.* aws.cloudtrail.error_code.keyword:\*\)\))

## sigma-overrides-literals.yaml
literals:
  - ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*))
  - ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*))
  - ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*) OR (aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin"))
  - ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:*) OR (aws.cloudtrail.response_elements.keyword:*Failure* AND event.action:"ConsoleLogin"))
  - ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*) OR (aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*))
  - ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:*Failure*) OR (aws.cloudtrail.error_code.keyword:* OR aws.clo

## d4-tmux.sh
#!/bin/bash

tmux new-session -d -s d4

tmux send-keys -t d4 'tmux new-window -n d4-auth ' ENTER
tmux send-keys -t d4 'tmux new-window -n d4-eve ' ENTER
tmux send-keys -t d4 'tmux new-window -n suricata ' ENTER

# D4 - auth.log
tmux send-keys -t d4 'tmux send-keys -t d4-auth "tail -F /var/log/auth.log | grep --line-buffered sshd | egrep --line-buffered '"'Invalid user'"' | /home/user/d4-goclient/d4-goclient_linux_amd64 -c /home/administrator/d4-goclient/confs/ssh/" ENTER' ENTER

## S3 + Cloudfront CICD Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your_website.com",
                "arn:aws:s3:::your_website.com/*"
            ]

## myip-SG-update-based-on-description
#!/bin/bash

# This is based on the work done at https://gist.github.com/isalgueiro/212a612fc232f1437ce88876937691d3/revisions#diff-c6d6f47361666bfba5538e6e0101bafd

####################
# Define variables #
####################
# Expected for securityGroupIds is sg-...
securityGroupIds="Insert_Your_SGID"
# Expected for ruleDescription is something like Home, or OfficeNY
	title: Windows ETW Tampering
	id: 29d02e66-cc4e-4cd4-8fd3-7e729e1a230d
	status: experimental
	description: Detects commands that remove, disable, stop or tamper tracing sessions relevant to security.
	author: 3CORESec
	date: 2020/11/16
	references:
	- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
	- https://github.com/Neo23x0/sigma/blob/8f6ad7df6b7f099db4bc1e867c4614074ea57e87/rules/windows/process_creation/win_etw_trace_evasion.yml
	tags:
	title: NIDS FireEye Breached Red Team Tool Detected
	id: ce129fbc-5c2e-4e49-ac2d-9742afa10c25
	status: experimental
	description: A red team tool, from the FireEye breach, has been detected.
	author: 3CORESec
	date: 2020/12/09
	modified: 2020/12/10
	references:
	- https://github.com/fireeye/red_team_tool_countermeasures
	tags:
	python3 sigmac -c config/ecs-cloudtrail.yml -t es-qs ../rules/cloud/aws_ec2_vm_export_failure.yml

	((event.action:"CreateInstanceExportTask" AND event.provider:"ec2.amazonaws.com") AND event.outcome:failure)
	title: AWS EC2 VM Export failure
	id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
	status: experimental
	description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
	references:
	- https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
	author: Diogo Braz
	date: 2020/04/16
	tags:
	- attack.collection
	overrides:
	- field: event.outcome
	value: failure
	regexes:
	- (\(\(aws.cloudtrail.error_message.keyword:.* event.action:\"ConsoleLogin\"\)\))
	- (\(\(aws.cloudtrail.error_code.keyword:.* event.action:\"ConsoleLogin\"\)\))
	- (\(\(aws.cloudtrail.error_message.keyword:.* aws.cloudtrail.response_elements.keyword:\Failure\\)\))
	- (\(\(aws.cloudtrail.error_code.keyword:.* aws.cloudtrail.response_elements.keyword:\Failure\\)\))
	- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_message.keyword:\*\)\))
	- (\(\(event.action:\"ConsoleLogin\".* aws.cloudtrail.error_code.keyword:\*\)\))
	literals:
	- ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure*))
	- ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:) OR (event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure*))
	- ((aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:) OR (aws.cloudtrail.response_elements.keyword:Failure* AND event.action:"ConsoleLogin"))
	- ((aws.cloudtrail.error_code.keyword:* OR aws.cloudtrail.error_message.keyword:) OR (aws.cloudtrail.response_elements.keyword:Failure* AND event.action:"ConsoleLogin"))
	- ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure) OR (aws.cloudtrail.error_message.keyword:* OR aws.cloudtrail.error_code.keyword:*))
	- ((event.action:"ConsoleLogin" AND aws.cloudtrail.response_elements.keyword:Failure) OR (aws.cloudtrail.error_code.keyword:* OR aws.clo
	#!/bin/bash

	tmux new-session -d -s d4

	tmux send-keys -t d4 'tmux new-window -n d4-auth ' ENTER
	tmux send-keys -t d4 'tmux new-window -n d4-eve ' ENTER
	tmux send-keys -t d4 'tmux new-window -n suricata ' ENTER

	# D4 - auth.log
	tmux send-keys -t d4 'tmux send-keys -t d4-auth "tail -F /var/log/auth.log \| grep --line-buffered sshd \| egrep --line-buffered '"'Invalid user'"' \| /home/user/d4-goclient/d4-goclient_linux_amd64 -c /home/administrator/d4-goclient/confs/ssh/" ENTER' ENTER
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Action": "s3:*",
	"Resource": [
	"arn:aws:s3:::your_website.com",
	"arn:aws:s3:::your_website.com/*"
	]
	#!/bin/bash

	# This is based on the work done at https://gist.github.com/isalgueiro/212a612fc232f1437ce88876937691d3/revisions#diff-c6d6f47361666bfba5538e6e0101bafd

	####################
	# Define variables #
	####################
	# Expected for securityGroupIds is sg-...
	securityGroupIds="Insert_Your_SGID"
	# Expected for ruleDescription is something like Home, or OfficeNY