Merge branch 'master' into dependabot/pip/cbapi-1.7.10

common.py

@@ -1,4 +1,5 @@
 import logging
+import os
 from abc import ABC, abstractmethod
 from dataclasses import dataclass
 from typing import Tuple, Optional, Any
@@ -137,7 +138,23 @@ def _echo(self, message: str, level: int = logging.DEBUG):
         """
         log_echo(message, self.log, level, use_tqdm=self._tqdm_echo)
 
-def sigma_translation(product: str, sigma_rules: list) -> dict:
+def sigma_translation(product: str, sigma_rules: list, pq: bool = False) -> dict:
+    """
+    Translates a list of sigma rules into the target product language
+
+    Parameters
+    ----------
+    product : str
+        Name of target product
+    sigma_rules : list
+        List of files containing sigma rules or YML-formatted strings
+        Does not support a mixed list of files and strings
+    pq : bool
+        Only used for SentinelOne translations (default is False)
+        If true, translates into PowerQuery syntax
+        Otherwise, uses DeepVisibility
+    """
+
     supports_json_ouput = True
 
     try:
@@ -158,16 +175,34 @@ def sigma_translation(product: str, sigma_rules: list) -> dict:
 
         backend = CarbonBlackBackend(cb_pipeline())
     elif product == 's1':
-        plugins.get_plugin_by_id('sentinelone').install()
-        from sigma.backends.sentinel_one import SentinelOneBackend # type: ignore
-        backend = SentinelOneBackend()
+        if pq:
+            plugins.get_plugin_by_id('sentinelone-pq').install()
+            from sigma.backends.sentinelone_pq import SentinelOnePQBackend # type: ignore
+            backend = SentinelOnePQBackend()
+        else:
+            plugins.get_plugin_by_id('sentinelone').install()
+            from sigma.backends.sentinelone import SentinelOneBackend # type: ignore
+            backend = SentinelOneBackend()
     elif product == 'dfe':
         supports_json_ouput = False
         plugins.get_plugin_by_id('microsoft365defender').install()
         from sigma.backends.microsoft365defender import Microsoft365DefenderBackend # type: ignore
         backend = Microsoft365DefenderBackend()
+    elif product == 'cortex':
+        plugins.get_plugin_by_id('cortexxdr').install()
+        from sigma.backends.cortexxdr import CortexXDRBackend # type: ignore
+        backend = CortexXDRBackend()
+
+    are_files = [os.path.isfile(i) for i in sigma_rules]
+
+    if all(are_files): # if all items in the list are files
+        rule_collection = SigmaCollection.load_ruleset(sigma_rules)
+    elif not any(are_files): # if none of the items in the list are files, assume YML formatted strings
+        rule_collection = SigmaCollection.merge([SigmaCollection.from_yaml(i) for i in sigma_rules])
+    else:
+        logging.error("There appears to be a mix of files and YML strings. Cannot process a mixed list of values. Aborting.")
+        return {'queries': []}
 
-    rule_collection = SigmaCollection.load_ruleset(sigma_rules)
     if supports_json_ouput:
         return backend.convert(rule_collection, "json")
     else:

definitions/remote-admin.json

@@ -1,13 +1,15 @@
-{{
+{
     "AweRay (AweSun)": {
-        "process_name": ["aweray_remote*.exe"],
+        "process_name": ["aweray_remote*.exe",
+                         "AweSun.exe"],
         "domain": ["asapi.aweray.net", 
                    "asapi-us.aweray.net"],
         "digsig_publisher": ["AWERAY PTE. LTD."]
     },
     "Ammyy Admin": { 
         "process_name": ["aa_v*.exe"],
-        "domain": ["ammyy.com"]
+        "domain": ["ammyy.com"],
+        "digsig_publisher": ["Ammyy LLC"]
     },
     "AeroAdmin" : {
         "process_name": ["AeroAdmin.exe"],
@@ -27,7 +29,8 @@
         "digsig_publisher": ["AOMEI International Network Limited"]
     },
     "Atera": {
-        "process_name": ["atera_agent.exe"]
+        "process_name": ["atera_agent.exe"],
+        "digsig_publisher": ["Atera Networks Ltd"]
     },
     "BeyondTrust (Bomgar)": {
         "process_name": ["bomgar-scc.exe",
@@ -60,15 +63,17 @@
                          "g2printh.exe",
                          "g2svc.exe",
                          "g2tray.exe",
-                         "gopcsrv.exe"]
+                         "gopcsrv.exe"],
+        "digsig_publisher": ["LogMeIn, Inc."]
     },
     "LiteManager": {
         "process_name": ["ROMServer.exe", 
                         "ROMFUSClient.exe"],
         "digsig_publisher": ["Yakhnovets Denis Aleksandrovich IP"]
     },
     "Microsoft RDP": { 
-        "process_name": ["termsrv.exe","Microsoft Remote Desktop"]
+        "process_name": ["termsrv.exe",
+                        "Microsoft Remote Desktop"]
     },
     "Microsoft TSC": { 
         "process_name": ["mstsc.exe"]
@@ -92,10 +97,13 @@
     },
     "RAdmin": { 
         "process_name": ["radmin3.exe",
-                         "famitrfc.exe"]
+                         "famitrfc.exe",
+                         "rserver3.exe"],
+        "digsig_publisher": ["Famatech Corp."]
     },
     "RemoteUtilities": {
-        "process_name": ["rutserv.exe"],
+        "process_name": ["rutserv.exe",
+                         "rutview.exe"],
         "domain": ["remoteutilities.com"],
         "digsig_publisher": ["Remote Utilities LLC"]
     },
@@ -115,12 +123,18 @@
     },
     "TeamViewer Desktop": { 
         "process_name": ["teamviewer_desktop.exe",
-                         "teamviewer"]
+                         "teamviewer.exe"],
+        "digsig_publisher": ["TeamViewer Germany GmbH",
+                             "TeamViewer GmbH",
+                             "TeamViewer"]
     },
     "TeamViewer Service": { 
         "process_name": ["teamviewer.exe",
                          "teamviewer_service.exe",
-                         "teamviewerhost"]
+                         "teamviewerhost"],
+        "digsig_publisher": ["TeamViewer Germany GmbH",
+                             "TeamViewer GmbH",
+                             "TeamViewer"]
     },
     "VNC": {
         "process_name": ["winvnc.exe", 
@@ -155,7 +169,8 @@
     },
     "Desktop Central": {
 		"process_name": ["dcagentservice.exe"],
-        "domain": ["desktopcentral.manageengine.com"]
+        "domain": ["desktopcentral.manageengine.com"],
+        "digsig_publisher": ["ZOHO Corporation Private Limited"] 
 	},
     "UltraView": {
         "process_name": ["UltraViewer_Desktop.exe",
@@ -166,11 +181,12 @@
     },
     "NinjaRMM": {
         "process_name": ["NinjaRMMAgent.exe",
-                        "NinjaRMMAgenPatcher.exe"],
+                        "NinjaRMMAgenPatcher.exe",
+                        "ninjarmm-cli.exe"],
         "digsig_publisher": ["NinjaRMM, LLC"],
         "domain": ["resources.ninjarmm.com"]
     },
-    "FleetDesk.io": {
+    "FleetDeck.io": {
         "process_name": ["fleetdeck_agent.exe",
                         "fleetdeck_agent_svc.exe",
                         "fleetdeck_installer.exe",
@@ -183,7 +199,8 @@
         "domain": ["*.level.io"],
         "digsig_publisher": ["Level Software, Inc."],
         "process_name": ["level-windows-amd64.exe",
-                        "level.exe"]
+                        "level.exe",
+	                "level-remote-control-ffmpeg.exe"]
     },
     "FixMe": {
         "domain": ["fixme.it"],
@@ -263,7 +280,9 @@
                         "SolarWinds-Dameware-DRS*.exe",
                         "DameWare Mini Remote Control*.exe",
                         "SolarWinds-Dameware-MRC*.exe"],
-        "internal_name": ["DWRCST"]
+        "internal_name": ["DWRCST"],
+        "digsig_publisher": ["SolarWinds, Inc.",
+                             "Solarwinds Worldwide, LLC"]
     },
     "N-Able Advanced Monitoring Agent": {
         "process_name": ["Agent_*_RW.exe",
@@ -325,7 +344,8 @@
         "process_name": ["TightVNCViewerPortable*.exe",
                         "tvnviewer.exe",
                         "tvnserver.exe"],
-        "digsig_publisher": ["GlavSoft LLC."]
+        "digsig_publisher": ["GlavSoft LLC.",
+                             "GlavSoft LLC"]
     },
     "ShowMyPC": {
         "domain": ["showmypc.com"],
@@ -336,7 +356,9 @@
     },
     "Xeox": {
         "domain":["*.xeox.com", "xeox.com"],
-        "process_name":["xeox_service_windows.exe", "xeox-agent_x64.exe", "xeox-agent_x86.exe"],
+        "process_name":["xeox_service_windows.exe", 
+                        "xeox-agent_x64.exe", 
+                        "xeox-agent_x86.exe"],
         "digsig_publisher": ["hs2n Informationstechnologie GmbH"],
         "internal_name": ["XEOX Agent for Windows"]
     },
@@ -350,31 +372,65 @@
         "digsig_publisher": ["Instant Housecall", "Specialist Sign-in.exe"],
         "process_name": ["InstantHousecall.exe"],
         "internal_name": ["InstantHousecall.exe"],
-        "domain": ["secure.instanthousecall.com", "*.instanthousecall.com", "instanthousecall.com"]
+        "domain": ["secure.instanthousecall.com", 
+                "*.instanthousecall.com", 
+                "instanthousecall.com"]
     },
     "ISL Online":{
         "digsig_publisher":["ISL Online Ltd"],
         "process_name": ["ISLLight.exe", "ISLLightClient.exe"],
         "internal_name": ["ISL Light"],
-        "domain": ["*islonline.net"]
+        "domain": ["*.islonline.net"]
     },
     "Parallels Access": {
+        "process_name": ["TSClient.exe"],
         "digsig_publisher": ["Parallels International GmbH"]
     },
     "Pilixo": {
-        "digsig_publisher": ["Pilixo Cloud Solutions", "PILIXO INTERNATIONAL LLC"],
-        "domain": ["*.pilixo.com", "pilixo.com", "download.pilixo.com"],
+        "digsig_publisher": ["Pilixo Cloud Solutions", 
+                            "PILIXO INTERNATIONAL LLC"],
+        "domain": ["*.pilixo.com", 
+                "pilixo.com", 
+                "download.pilixo.com"],
         "process_name": ["Pilixo_Installer*.exe"]
     },
     "RemotePC": {
-        "digsig_publisher": ["IDrive, Inc", "IDrive Incorporated"],
-        "domain": ["remotepc.com", "www.remotepc.com"],
-        "process_name": ["idrive.RemotePCAgent", "Idrive.File-Transfer"]
+        "digsig_publisher": ["IDrive, Inc", 
+                            "IDrive Incorporated"],
+        "domain": ["remotepc.com", 
+                "www.remotepc.com"],
+        "process_name": ["idrive.RemotePCAgent", 
+                        "Idrive.File-Transfer",
+                        "RemotePC.exe",
+                        "RemotePCService.exe"]
     },
     "SuperOps": {
         "digsig_publisher": ["Superops Inc"],
-        "process_name": ["superops.exe", "superopsticket.exe"],
-        "domain": ["serv.superopsalpha.com", "*.superops.ai", "*.superopsalpha.com", "*.superopsbeta.com"]
+        "process_name": ["superops.exe", 
+                        "superopsticket.exe"],
+        "domain": ["serv.superopsalpha.com", 
+                "*.superops.ai", 
+                "*.superopsalpha.com", 
+                "*.superopsbeta.com"]
+    },
+    "Rocket Remote Desktop":{
+        "digsig_publisher": ["Rocket Remote Desktop"],
+        "process_name":["RDConsole.exe", 
+                        "RocketRemoteDesktop_Setup.exe"]
+    },
+    "GetScreen":{
+        "digsig_publisher":["Get Skrin Softver"],
+        "process_name":["GetScreen.exe", 
+                        "GetScreen.me"]
+    },
+    "ManageEngine":{
+        "digsig_publisher":["ManageEngine Remote Access Plus", 
+                            "Zoho Corporation Pvt. Ltd."],
+        "process_name":["ManageEngine_Remote_Access_Plus.exe", 
+                        "InstallShield Setup.exe"]
+    },
+    "Remcos":{
+        "process_name":["remcos*.exe"],
+        "digsig_publisher":["BreakingSecurity.net"]
     }
 }
-}

products/cortex_xdr.py

@@ -30,6 +30,7 @@ class Query:
     'ipaddr': 'action_remote_ip',
     'cmdline': 'action_process_command_line',
     'digsig_publisher': 'action_file_signature_vendor',
+    'domain': 'action_external_hostname',
     'modload': 'action_module_path',
     'filemod': 'action_file_path',
     'regmod': 'action_registry_key_name',