fix(rules): Fix rules schema validation (#228)

rabbitstack · Dec 22, 2023 · 13f15a0 · 13f15a0
1 parent 6279563
commit 13f15a0
Show file tree

Hide file tree

Showing 8 changed files with 44 additions and 58 deletions.
diff --git a/pkg/config/_fixtures/filters/default.yml b/pkg/config/_fixtures/filters/default.yml
@@ -10,7 +10,7 @@
       output: >
         `%ps.exe` attempted to reach out to `%net.sip` IP address
       action:
-      - kill:
+      - name: kill
         pid: ps.pid
       min-engine-version: 2.0.0
 

diff --git a/pkg/config/filters.go b/pkg/config/filters.go
@@ -79,10 +79,6 @@ func (a KillAction) PidToInt(pid string) uint32 {
 	return uint32(n)
 }
 
-const (
-	killActionID = "kill"
-)
-
 // DecodeActions converts raw YAML map to
 // typed action structures.
 func (f FilterConfig) DecodeActions() ([]any, error) {
@@ -102,7 +98,8 @@ func (f FilterConfig) DecodeActions() ([]any, error) {
 		if !ok {
 			continue
 		}
-		if _, ok := m[killActionID]; ok {
+		switch m["name"] {
+		case "kill":
 			var kill KillAction
 			if err := dec(m, kill); err != nil {
 				return nil, err

diff --git a/pkg/config/schema_windows.go b/pkg/config/schema_windows.go
@@ -484,59 +484,43 @@ var schema = `
 var rulesSchema = `
 {
 	"$schema": "http://json-schema.org/draft-07/schema#",
-    "definitions": {"rules": {"$id": "#rules", "type": "object", "type": "array",
-			"items":
-				{
-					"type": "object",
-					"properties": {
-						"name": 				{"type": "string", "minLength": 3},
-                        "description":  		{"type": "string"},
-						"output": 				{"type": "string", "minLength": 5},
-						"severity":  			{"type": "string", "enum": ["low", "medium", "high", "critical"]},
-						"min-engine-version":  	{"type": "string", "minLength": 5, "pattern": "^([0-9]+.)([0-9]+.)([0-9]+)$"},
-						"condition": 			{"type": "string", "minLength": 3},
-						"action": 		{
-							"type": "array",
-							"items": [
-								{
-									"type": "object",
-									"properties": {
-										"kill": {
-											"type": "object",
-											"properties": {
-												"pid":	{"type": "string", "minLength": 4}
-											}
-										}
-									}
-								}
-							]
-							},
-							"additionalProperties": false
-						}
-					},
-					"required": ["name", "condition", "min-engine-version"],
-					"minItems": 1,
-					"additionalProperties": false
-				}}},
-
-
 	"type": "object",
 	"properties": {
 		"group": 		{"type": "string", "minLength": 1},
         "description":  {"type": "string"},
 		"enabled":  	{"type": "boolean"},
 		"tags":			{"type": "array", "items": [{"type": "string", "minLength": 1}]},
-		"rules": 		{"$ref": "#rules"},
+		"rules": 		{"type": "array", "items": {
+							"type": "object",
+							"properties": {
+								"name": 				{"type": "string", "minLength": 3},
+         			    	    "description":  		{"type": "string"},
+								"output": 				{"type": "string", "minLength": 5},
+								"severity":  			{"type": "string", "enum": ["low", "medium", "high", "critical"]},
+								"min-engine-version":  	{"type": "string", "minLength": 5, "pattern": "^([0-9]+.)([0-9]+.)([0-9]+)$"},
+								"condition": 			{"type": "string", "minLength": 3},
+								"action": 				{
+									"type": "array",
+									"items": {
+										"type": "object",
+										"properties": {
+											"name": 	{"type": "string", "enum": ["kill"]},
+											"pid": 		{"type": "string", "minLength": 5}
+										},
+										"required": ["name"],
+										"additionalProperties": false
+									}
+								}
+							},
+							"required": ["name", "condition", "min-engine-version"],
+							"minItems": 1,
+							"additionalProperties": false}},
         "labels": {
   			"type": "object",
   			"additionalProperties": { "type": "string" }
 		}
 	},
-	"required": ["group"],
-	"oneOf": [
-		{"required": ["from-strings"]},
-		{"required": ["rules"]}
-	],
+	"required": ["group", "rules"],
 	"additionalProperties": false
 }
 `

diff --git a/pkg/filter/_fixtures/kill_action.yml b/pkg/filter/_fixtures/kill_action.yml
@@ -5,6 +5,6 @@
       condition: kevt.name = 'CreateProcess' and ps.child.name = 'calc.exe'
       severity: critical
       action:
-      - kill:
+      - name: kill
         pid: ps.child.pid
       min-engine-version: 2.0.0
diff --git a/pkg/filter/rules.go b/pkg/filter/rules.go
@@ -542,7 +542,7 @@ func (r *Rules) Compile() error {
 
 		g := newFilterGroup(group, filters)
 		log.Infof("loaded rule group [%s]. "+
-			"Number of rules: %d",
+			"Number of rules: [%d]",
 			group.Name,
 			len(filters))
 
@@ -795,7 +795,11 @@ func (r *Rules) processActions() error {
 		for _, act := range actions {
 			switch act := act.(type) {
 			case config.KillAction:
-				pid := act.PidToInt(InterpolateFields("%"+act.Pid, evts))
+				field := act.Pid
+				if field == "" {
+					field = "ps.pid"
+				}
+				pid := act.PidToInt(InterpolateFields("%"+field, evts))
 				log.Infof("executing kill action: pid=%d rule=%s", pid, f.Name)
 				if err := action.Kill(pid); err != nil {
 					return ErrRuleAction(f.Name, err)

diff --git a/rules/credential_access_credentials_from_password_stores.yml b/rules/credential_access_credentials_from_password_stores.yml
@@ -169,3 +169,4 @@
               '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
               '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe'
             )
+      min-engine-version: 2.0.0
diff --git a/rules/credential_access_modify_authentication_process.yml b/rules/credential_access_modify_authentication_process.yml
@@ -34,10 +34,11 @@
            get_reg_value(registry.key.name) iin (base($e1.file.name, false))
           |
       output: >
-        `%1.ps.exe` process dropped a potentially malicious
-        `%1.file.name` password filter DLL and `%2.ps.name`
-         process registered the password filter DLL under
-         %2.registry.key.name registry key
+        Detected `%1.ps.exe` process dropping a potentially malicious
+        `%1.file.name` password filter DLL and subsequently `%2.ps.name`
+        process registering the password filter DLL in the Notification
+        Packages registry key. This may be indicative of potential abuse
+        of password filters to steal credentials material.
       min-engine-version: 2.0.0
     - name: Potential credentials dumping or exfiltration via malicious password filter DLL
       description: |

diff --git a/rules/persistence_boot_or_logon_autostart_execution.yml b/rules/persistence_boot_or_logon_autostart_execution.yml
@@ -99,7 +99,7 @@
               ps.cmdline imatches startup_locations
             )
           |
-          |connect_socket or accept_socket|
+          |(inbound_network) or (outbound_network)|
       min-engine-version: 2.0.0
     - name: Suspicious persistence via registry modification
       description: |
@@ -157,6 +157,5 @@
             file.name imatches startup_locations
         )
       action:
-      - kill:
-        pid: ps.pid
+      - name: kill
       min-engine-version: 2.0.0