OSCD: Threat Detection Sprint #1, results (EN)
Original publication date — December 31, 2019
Open Security Collaborative Development (OSCD) is an open international initiative of cybersecurity specialists. We collaborate on common problems and share knowledge.
It was created in fall 2019 by friendly open source security projects. The collaborative development is organized as two-week-long sprints.
The First Sprint focused on the threat detection area, and specifically on the Sigma Project ruleset.
Why Sigma
Sigma is a generic signature format for SIEM systems. The Sigma Project provides a converter that generates searches/queries for different SIEM systems, and a set of detection rules that the converter uses to generate those queries.
Over time, the Sigma Project ruleset has become the biggest and most mature community-driven set of detection rules. It is the place to find detection rules for emerging threats (like BlueKeep exploits), adversary simulation tools (Empire, Cobalt Strike), adversary behaviors (token stealing), and much more. Most of the rules are mapped to MITRE ATT&CK.
Even if you are not using the Sigma converter, you can still benefit from its ruleset. Most advanced security teams are subscribed to the Sigma Project updates on GitHub. It’s a good time to do so if you haven’t yet.
There are some gaps and issues in it; at the same time, plenty of decent analytics have been published (e.g. research on hunting for Windows privilege escalation, lateral movement, and credential dumping tools and techniques) that haven’t been added to the Sigma Project repository. This is what we decided to focus on during The First Sprint.
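To make the rule-plus-converter split above concrete, here is an added example (mine, not code from the Sigma Project or its sigmac/pySigma converters): a constructed rule in Sigma's structure, a toy converter that renders it as a Splunk-style query, and a matcher that evaluates the same rule against sample events. The rule title and the sample events are hypothetical; real rules are YAML files, shown here in their parsed form.

```python
# Added example (not Sigma's own sigmac/pySigma code): a toy converter and matcher for one
# rule. SAMPLE_RULE is the parsed form of a constructed Sigma YAML rule; the title is hypothetical.
SAMPLE_RULE = {
    "title": "Rundll32 Without a DLL Argument",
    "logsource": {"category": "process_creation", "product": "windows"},
    "tags": ["attack.defense_evasion", "attack.t1218.011"],  # ATT&CK mapping, as in real rules
    "detection": {
        "selection": {"Image|endswith": "\\rundll32.exe"},
        "filter": {"CommandLine|contains": [".dll", "shell32"]},
        "condition": "selection and not filter",
    },
}

def render_term(field_spec, value):
    """One 'Field|modifier: value(s)' pair as a Splunk-style term; list values are OR-ed."""
    field, _, mod = field_spec.partition("|")
    values = value if isinstance(value, list) else [value]
    pattern = {"contains": "*{}*", "endswith": "*{}", "startswith": "{}*"}.get(mod, "{}")
    terms = [f'{field}="{pattern.format(v)}"' for v in values]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"

def convert(rule):
    """Emit a query for an and/or/not condition over named selections (fields inside one
    selection are AND-ed). '1 of selection*' and parenthesised conditions are not handled."""
    det, out = rule["detection"], []
    for tok in det["condition"].split():
        if tok in ("and", "or", "not"):
            out.append(tok.upper())
        else:
            parts = [render_term(f, v) for f, v in det[tok].items()]
            out.append(parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")")
    return " ".join(out)

def matches(rule, event):
    """Evaluate the same rule directly against one event dict (what the query would hit)."""
    det = rule["detection"]
    def term_hit(field_spec, value):
        field, _, mod = field_spec.partition("|")
        actual = str(event.get(field, ""))
        check = {"contains": lambda v: v in actual, "endswith": actual.endswith,
                 "startswith": actual.startswith}.get(mod, actual.__eq__)
        return any(check(str(v)) for v in (value if isinstance(value, list) else [value]))
    flags = {n: all(term_hit(f, v) for f, v in s.items())
             for n, s in det.items() if n != "condition"}
    # Evaluate with precedence not > and > or: split on " or ", then " and ", then "not ".
    def atom(t):
        return not flags[t[4:]] if t.startswith("not ") else flags[t]
    return any(all(atom(t.strip()) for t in part.split(" and "))
               for part in det["condition"].split(" or "))
```

The same rule therefore yields one query per backend from `convert` while `matches` shows the detection semantics on individual events, which is the property that lets one community ruleset serve many SIEMs.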
How it was
About 50 individuals confirmed that they would join the sprint. The plan was simple:
- The two-week-long sprint starts on October 21, 2019
- Participants pick up tasks from the backlog or contribute other analytics
- Participants use the guideline to get familiar with the workflow
- Results are reviewed and pushed to the Sigma repository on GitHub
A few days after the start, on October 24, we conducted a workshop at the hack.lu conference, presented OSCD, and explained what we were doing and why. Although most of the participants were joining remotely, it was quite a fruitful time, as we were able to sit next to each other and discuss the rules.
The next day we reported the first results at the EU MITRE ATT&CK workshop in Luxembourg:
And we achieved the expected results, even though by the end of the sprint the number of participants had dropped to 16.
Results
During the two-week-long sprint we:
- Developed 144 Sigma rules
- Improved 19 existing rules and deprecated 2
This way, we increased the Sigma ruleset by more than 40%!
The listing of contributed rules is available in the description of the pull request in the Sigma project repository.
Backlog
Even though we achieved a lot during the first sprint, there are many things that we were not able to manage in two weeks. We decided to detail the backlog and put it into the Sigma repository issues for the community to pick up:
- Develop Sigma rules for Privilege Escalation in Windows Environment
- Develop Sigma rules for PowerShell Abuse
- Develop Sigma rules for Lateral Movement in Windows Infrastructure
- Develop Sigma rules for Invoke-DOSfuscation
- Develop Sigma rules for Invoke-Obfuscation
- Develop Sigma rules for Living Off The Land Binaries and Scripts
- Develop Sigma rules for Atomic Red Team tests
We believe that community collaboration to solve the listed tasks (and others of the same kind) is the most realistic and fastest solution to the problem of the “Offensive Security Tools release” that has been under heavy discussion for the last few weeks.
We are aiming to have detection rules covering the TTP level of The Pyramid of Pain; this way we would be able to detect adversary behaviors regardless of the tool. ‘Offensive Security Tools’ are our best friends in this area.
Acknowledgment
The First OSCD sprint wouldn’t have happened without Alexandre Dulaunoy and the team of hack.lu conference organizers. They provided a timeslot at the conference for the OSCD workshop, as well as visa, accommodation, and informational support. We are very grateful for that.
Last but not least, it wouldn’t have happened without the participants who did all the hard work:
🇩🇪 Eva Maria Anhaus | BSI
🇩🇪 Jan Hasenbusch | BSI
🇩🇪 Thomas Patzke | Sigma Project
🇷🇺 Denis Beyu | Independent Researcher
🇷🇺 Ilyas Ochkov | Independent Researcher
🇷🇺 Teymur Kheirkhabarov | BI.ZONE SOC
🇵🇱 Jakob Weinzettl | Tieto SOC
🇵🇱 Mateusz Wydra | Relativity
🇦🇪 Victor Sergeev | Help AG
🇦🇷 Diego Perez | Independent Researcher
🇦🇺 James Pemberton | Hydro Tasmania
🇨🇿 Ian Davis | Tieto SOC
🏳️ Daniil Yugoslavskiy | Atomic Threat Coverage
🇸🇬 Gleb Sukhodolskiy | Independent Researcher
🇸🇮 Tom Kern | NIL SOC
🇺🇸 Daniel Bohannon | FireEye
Thank you all. See you next sprint!
Want to be involved
Do you also want to make the world a little safer and apply your knowledge for the greater good? OSCD has no entry requirements. The work is done openly and solely for the benefit of the community, not for profit and without any ties to commercial organizations. Follow the news on Twitter or in Telegram, wait for the next sprint announcement, choose a task from the backlog or propose your own, and develop a solution together with the community!
Useful links
- Our website
- Our Twitter; mirror in Telegram
- OSCD Participants Twitter list