TheHive2Sigma

What is it?

TheHive2Sigma is a Python script that, through TheHive's API, gets all observables related to a specific case and creates a Sigma rule you can run against your SIEM solution to find out how many logs match those observables.

At this moment, TheHive2Sigma is able to create Sigma rules for the following types of observables:

How does it work?

Install the Python libraries:

pip install -r requirements.txt

Open the script with your favourite text editor and fill in the three empty variables at the beginning of the script:

# Config
thehive_url = 'https://thehive.bussiness.com:9000'  # TheHive URL, including the port
thehive_api = 'oczZpMn44t6bgImffz7Odfred87sEA7u'   # API key for TheHive
thehive_case = 'ADAS3pWuOTfe0bZni0kV'              # TheHive case id (20 chars)

Simply run the script and it will print a Sigma rule:

python thehive2sigma.py

Sample output:

action: global 
title: Case 5 WannaFuck infection
status: experimental
description: Detects Observables based on Case 5 from TheHive
author: jordisk
references:
    - http://thehive.lab.int:9000/index.html#/case/ADAS3pWuOTfe0bZni0kV/details
date: 2018/08/09
---
logsource:
    category: firewall
detection:
    outgoing: 
        dst_ip:
            - '155.151.29.109'
            - '8.8.8.8'
    incoming: 
        src_ip:
            - '155.151.29.109'
            - '8.8.8.8'
    condition: 1 of them
---
logsource:
    category: dns
detection:
    selection: 
        query: 
            - 'google.co.uk'
            - 'github.com'
            - 'hackmd.io'
    condition: selection
---
logsource:
    category: proxy
detection:
    selection1: 
        UserAgent: 
            - '*(hydra)*'
    condition: selection1
---
logsource:
    product: windows
    service: sysmon
detection:
    selection2: 
        EventID: 
            - 13
            - 12
            - 14
        TargetObject: 
            - 'HKLM\REGISTRY\MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run\wannafuck'
            - 'HKLM\REGISTRY\MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run\wanna*'
    condition: selection2
---
logsource:
    product: windows
    service: sysmon
detection:
    selection3: 
        EventID: 1
        TargetImage: 
            - '*\badcmd.exe'
            - '*\wannafuck.exe'
    condition: selection3
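The mapping the script performs, shown as an added example that is not the project's own code: constructed TheHive observable records (the script would fetch these over the API; `dataType` and `data` are TheHive's field names, the values are made up) are grouped by type and turned into the global-header-plus-one-document-per-logsource structure of the sample output above. Duplicates are collapsed, types without a mapping are skipped rather than guessed, and the Sysmon document uses the `Image` field, which is where event 1 carries the process path.

```python
from collections import defaultdict

# Constructed sample of TheHive case artifacts (dataType/data are the real
# field names in TheHive's API; the values below are made up for this example).
OBSERVABLES = [
    {"dataType": "ip", "data": "155.151.29.109"},
    {"dataType": "ip", "data": "8.8.8.8"},
    {"dataType": "ip", "data": "8.8.8.8"},        # duplicate: must collapse
    {"dataType": "domain", "data": "github.com"},
    {"dataType": "user-agent", "data": "(hydra)"},
    {"dataType": "filename", "data": "wannafuck.exe"},
    {"dataType": "hash", "data": "deadbeef"},      # no mapping below: skipped
]

def group_observables(observables):
    """Bucket observable values by dataType, dropping empties and duplicates."""
    groups = defaultdict(list)
    for obs in observables:
        value = str(obs.get("data", "")).strip()
        if value and value not in groups[obs["dataType"]]:
            groups[obs["dataType"]].append(value)
    return groups

def build_sigma_documents(observables, case_id, title):
    """Return a global header plus one logsource-specific Sigma document per
    observable type that has a mapping; unmapped types are skipped, not guessed."""
    g = group_observables(observables)
    docs = [{"action": "global", "title": title,
             "description": f"Detects observables from TheHive case {case_id}"}]
    if g["ip"]:  # firewall logs: hit if the IP is either endpoint
        docs.append({"logsource": {"category": "firewall"}, "detection": {
            "outgoing": {"dst_ip": g["ip"]}, "incoming": {"src_ip": g["ip"]},
            "condition": "1 of them"}})
    if g["domain"]:
        docs.append({"logsource": {"category": "dns"}, "detection": {
            "selection": {"query": g["domain"]}, "condition": "selection"}})
    if g["user-agent"]:  # substring match, as in the script's sample output
        docs.append({"logsource": {"category": "proxy"}, "detection": {
            "selection": {"UserAgent": [f"*{u}*" for u in g["user-agent"]]},
            "condition": "selection"}})
    if g["filename"]:  # Sysmon event 1 (process create) keeps the path in Image
        docs.append({"logsource": {"product": "windows", "service": "sysmon"},
                     "detection": {"selection": {"EventID": 1,
                                   "Image": [f"*\\{f}" for f in g["filename"]]},
                                   "condition": "selection"}})
    return docs
```

With PyYAML installed, `yaml.safe_dump_all(docs, default_flow_style=False)` writes the returned list as the `---`-separated text shown in the sample output.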