Change status for old rules

frack113
2021-11-27 11:33:14 +01:00
parent 6664d6e522
commit 01dc930c17
547 changed files with 11964 additions and 11755 deletions
+16 -16
@@ -1,30 +1,30 @@
title: Suspicious SQL Error Messages
id: 8a670c6d-7189-4b1c-8017-a417ca84a086
status: experimental
status: test
description: Detects SQL error messages that indicate probing for an injection attack
author: Bjoern Kimminich
date: 2017/11/27
modified: 2020/09/01
references:
- http://www.sqlinjection.net/errors
- http://www.sqlinjection.net/errors
date: 2017/11/27
modified: 2021/11/27
logsource:
category: application
product: sql
category: application
product: sql
detection:
keywords:
keywords:
# Oracle
- quoted string not properly terminated
- quoted string not properly terminated
# MySQL
- You have an error in your SQL syntax
- You have an error in your SQL syntax
# SQL Server
- Unclosed quotation mark
- Unclosed quotation mark
# SQLite
- 'near "*": syntax error'
- SELECTs to the left and right of UNION do not have the same number of result columns
condition: keywords
- 'near "*": syntax error'
- SELECTs to the left and right of UNION do not have the same number of result columns
condition: keywords
falsepositives:
- Application bugs
- Application bugs
level: high
tags:
- attack.initial_access
- attack.t1190
- attack.initial_access
- attack.t1190
+29 -29
@@ -1,40 +1,40 @@
title: Silence.Downloader V3
id: 170901d1-de11-4de7-bccb-8fa13678d857
status: experimental
status: test
description: Detects Silence downloader. These commands are hardcoded into the binary.
author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
date: 2019/11/01
modified: 2020/09/01
modified: 2021/11/27
logsource:
category: process_creation
product: windows
category: process_creation
product: windows
detection:
selection_recon:
Image|endswith:
- '\tasklist.exe'
- '\qwinsta.exe'
- '\ipconfig.exe'
- '\hostname.exe'
CommandLine|contains: '>>'
CommandLine|endswith: 'temps.dat'
selection_persistence:
CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d'
condition: selection_recon | near selection_persistence # requires both
selection_recon:
Image|endswith:
- '\tasklist.exe'
- '\qwinsta.exe'
- '\ipconfig.exe'
- '\hostname.exe'
CommandLine|contains: '>>'
CommandLine|endswith: 'temps.dat'
selection_persistence:
CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d'
condition: selection_recon | near selection_persistence # requires both
fields:
- ComputerName
- User
- Image
- CommandLine
- ComputerName
- User
- Image
- CommandLine
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.persistence
- attack.t1547.001
- attack.t1060 # an old one
- attack.discovery
- attack.t1057
- attack.t1082
- attack.t1016
- attack.t1033
- attack.g0091
- attack.persistence
- attack.t1547.001
- attack.t1060 # an old one
- attack.discovery
- attack.t1057
- attack.t1082
- attack.t1016
- attack.t1033
- attack.g0091
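Review bot: The `near` aggregation in `condition: selection_recon | near selection_persistence` is, as far as I know, not implemented by the common Sigma backends, so promoting this rule to `test` status likely ships a condition that cannot be converted. If the deployment cannot correlate the two events, the persistence selection is specific enough on its own (the `WinNetworkSecurity` Run value) to stand as `condition: selection_persistence`, or both can be emitted with `condition: 1 of selection_*` at the cost of the "requires both" intent. Either way the `# requires both` comment should say which backends actually honour the operator.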
+33 -33
@@ -1,43 +1,43 @@
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: experimental
status: test
description: Detects Silence empireDNSagent
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019/11/01
modified: 2020/09/01
modified: 2021/11/27
logsource:
product: windows
service: powershell
product: windows
service: powershell
detection:
empire:
ScriptBlockText|contains|all: # better to randomise the order
- 'System.Diagnostics.Process'
- 'Stop-Computer'
- 'Restart-Computer'
- 'Exception in execution'
- '$cmdargs'
- 'Close-Dnscat2Tunnel'
dnscat:
ScriptBlockText|contains|all: # better to randomise the order
- 'set type=$LookupType`nserver'
- '$Command | nslookup 2>&1 | Out-String'
- 'New-RandomDNSField'
- '[Convert]::ToString($SYNOptions, 16)'
- '$Session.Dead = $True'
- '$Session["Driver"] -eq'
condition: empire and dnscat
empire:
ScriptBlockText|contains|all: # better to randomise the order
- 'System.Diagnostics.Process'
- 'Stop-Computer'
- 'Restart-Computer'
- 'Exception in execution'
- '$cmdargs'
- 'Close-Dnscat2Tunnel'
dnscat:
ScriptBlockText|contains|all: # better to randomise the order
- 'set type=$LookupType`nserver'
- '$Command | nslookup 2>&1 | Out-String'
- 'New-RandomDNSField'
- '[Convert]::ToString($SYNOptions, 16)'
- '$Session.Dead = $True'
- '$Session["Driver"] -eq'
condition: empire and dnscat
falsepositives:
- Unknown
- Unknown
level: critical
tags:
- attack.execution
- attack.t1059.001
- attack.t1086 # an old one
- attack.command_and_control
- attack.t1071.004
- attack.t1071 # an old one
- attack.t1572
- attack.impact
- attack.t1529
- attack.g0091
- attack.s0363
- attack.execution
- attack.t1059.001
- attack.t1086 # an old one
- attack.command_and_control
- attack.t1071.004
- attack.t1071 # an old one
- attack.t1572
- attack.impact
- attack.t1529
- attack.g0091
- attack.s0363
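Review bot: `condition: empire and dnscat` requires all twelve strings to occur in one `ScriptBlockText` value, but PowerShell splits long script blocks across several 4104 events, each holding only a fragment, so a large agent script may never satisfy both selections in a single event. If the log pipeline does not reassemble fragments, consider `condition: 1 of them` with a comment that each selection already demands six distinct strings, or at least document the limitation in the description. The deprecated `attack.t1086` and `attack.t1071` tags are kept deliberately per the `# an old one` comments, so that part is fine.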
@@ -1,11 +1,12 @@
title: Number Of Resource Creation Or Deployment Activities
id: d2d901db-7a75-45a1-bc39-0cbf00812192
status: experimental
author: sawwinnnaung
date: 2020/05/07
status: test
description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log.
author: sawwinnnaung
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
date: 2020/05/07
modified: 2021/11/27
logsource:
product: azure
service: AzureActivity
@@ -14,8 +15,8 @@ detection:
- Microsoft.Compute/virtualMachines/write
- Microsoft.Resources/deployments/write
condition: keywords
level: medium
falsepositives:
- Valid change
level: medium
tags:
- attack.t1098
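Review bot: The title and description promise a count-based anomaly ("Number of VM creations or deployment activities"), but `condition: keywords` fires on every single `Microsoft.Compute/virtualMachines/write` or `Microsoft.Resources/deployments/write` event, so there is no threshold at all and every routine deployment raises a medium alert. The referenced Sentinel query is a per-caller statistical count; if a threshold is wanted here, something like `condition: keywords | count() by Caller > 50` with a `timeframe:` (field name depending on the AzureActivity mapping) gets closer, otherwise the description should be reworded to say this is a per-event audit of resource writes. The `detection:` block starts before the second hunk, so only part of the keyword list is visible.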
@@ -1,20 +1,21 @@
title: Granting Of Permissions To An Account
id: a622fcd2-4b5a-436a-b8a2-a4171161833c
status: experimental
author: sawwinnnaung
date: 2020/05/07
status: test
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
author: sawwinnnaung
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
date: 2020/05/07
modified: 2021/11/27
logsource:
product: azure
service: AzureActivity
detection:
keywords:
keywords:
- Microsoft.Authorization/roleAssignments/write
condition: keywords
level: medium
falsepositives:
- Valid change
level: medium
tags:
- attack.t1098
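Review bot: The description says the rule alerts on a previously unseen source IP granting permissions, but the detection is a plain keyword match on `Microsoft.Authorization/roleAssignments/write` with no baseline of IPs or callers, so it fires on every role assignment. Either reword it to `description: Detects role assignment writes in the AzureActivity log.` or express the IP-baselining of the referenced Sentinel query, which Sigma cannot do without an aggregation. Since every role assignment matches, the `Valid change` false positive will dominate; pairing the keyword with a filter on known admin principals, or lowering the level, would reflect that.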
+6 -5
@@ -1,16 +1,17 @@
title: Rare Subscription-level Operations In Azure
id: c1182e02-49a3-481c-b3de-0fadc4091488
status: experimental
author: sawwinnnaung
date: 2020/05/07
status: test
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
author: sawwinnnaung
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml
date: 2020/05/07
modified: 2021/11/27
logsource:
product: azure
service: AzureActivity
detection:
keywords:
keywords:
- Microsoft.DocumentDB/databaseAccounts/listKeys/action
- Microsoft.Maps/accounts/listKeys/action
- Microsoft.Media/mediaservices/listKeys/action
@@ -19,8 +20,8 @@ detection:
- Microsoft.Compute/snapshots/write
- Microsoft.Network/networkSecurityGroups/write
condition: keywords
level: medium
falsepositives:
- Valid change
level: medium
tags:
- attack.t1003
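Review bot: The description `Identifies IPs from which users grant access to other users on azure resources...` is copied verbatim from the role-assignment rule and does not describe this rule, which matches `listKeys` actions and a few write operations. Suggest `description: Detects rare subscription-level operations in the AzureActivity log, such as listing of storage, database or media service keys and changes to snapshots or network security groups.` Because the `listKeys` entries retrieve service secrets rather than OS credentials, `attack.t1003` is a loose fit and `attack.t1552` may describe key retrieval better. The keyword list continues between the two hunks, so part of it is not visible here.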
@@ -1,27 +1,27 @@
title: Microsoft 365 - Impossible Travel Activity
title: Microsoft 365 - Impossible Travel Activity
id: d7eab125-5f94-43df-8710-795b80fa1189
status: experimental
description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
status: test
description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
author: Austin Songer @austinsonger
date: 2020/07/06
modified: 2020/07/06
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
date: 2020/07/06
modified: 2021/11/27
logsource:
category: ThreatManagement
product: m365
category: ThreatManagement
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Impossible travel activity"
status: success
condition: selection
selection:
eventSource: SecurityComplianceCenter
eventName: "Impossible travel activity"
status: success
condition: selection
falsepositives:
-
-
level: medium
tags:
- attack.initial_access
- attack.t1078
- attack.initial_access
- attack.t1078
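Review bot: `falsepositives:` holds a bare `-` item, which YAML parses as `null` rather than a string, and the Sigma schema expects each entry to be a non-empty string, so this file will fail schema validation despite the promotion to `test`. Replace it with a real entry, e.g. `- Travelling users signing in through a VPN or cloud proxy`, or with `- Unknown`. The `status: success` match is also worth a comment, since in an alert event it presumably refers to the alert's processing status rather than to the sign-in itself; confirm against the Security & Compliance Center schema.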
+16 -16
@@ -1,27 +1,27 @@
title: Brute Force
id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
status: experimental
status: test
description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
author: Aleksandr Akhremchik, oscd.community
date: 2019/10/25
modified: 2020/09/01
modified: 2021/11/27
logsource:
category: authentication
category: authentication
detection:
selection:
action: failure
timeframe: 600s
condition: selection | count(category) by dst_ip > 30
selection:
action: failure
timeframe: 600s
condition: selection | count(category) by dst_ip > 30
fields:
- src_ip
- dst_ip
- user
- src_ip
- dst_ip
- user
falsepositives:
- Inventarization
- Penetration testing
- Vulnerability scanner
- Legitimate application
- Inventarization
- Penetration testing
- Vulnerability scanner
- Legitimate application
level: medium
tags:
- attack.credential_access
- attack.t1110
- attack.credential_access
- attack.t1110
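Review bot: The aggregation `count(category) by dst_ip > 30` groups only by destination, so failures from many different sources are pooled and the rule does not express the "from one source to one destination" behaviour the description claims; it also counts the `category` field, which is constant for this logsource, instead of the events. Grouping by both endpoints matches the description: `condition: selection | count() by src_ip, dst_ip > 30`, or `count(user) by src_ip, dst_ip` if distinct users per source is the signal wanted. Whether the chosen backend accepts two group-by fields should be checked before promotion, as some only support one.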
@@ -1,32 +1,33 @@
title: Edit of .bash_profile and .bashrc
id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
status: experimental
status: test
description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
author: Peter Matkovski
date: 2019/05/12
references:
- 'MITRE Attack technique T1156; .bash_profile and .bashrc. '
- 'MITRE Attack technique T1156; .bash_profile and .bashrc. '
date: 2019/05/12
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name:
- '/home/*/.bashrc'
- '/home/*/.bash_profile'
- '/home/*/.profile'
- '/etc/profile'
- '/etc/shells'
- '/etc/bashrc'
- '/etc/csh.cshrc'
- '/etc/csh.login'
condition: selection
selection:
type: 'PATH'
name:
- '/home/*/.bashrc'
- '/home/*/.bash_profile'
- '/home/*/.profile'
- '/etc/profile'
- '/etc/shells'
- '/etc/bashrc'
- '/etc/csh.cshrc'
- '/etc/csh.login'
condition: selection
falsepositives:
- Admin or User activity
- Admin or User activity
level: medium
tags:
- attack.s0003
- attack.t1156 # an old one
- attack.persistence
- attack.t1546.004
- attack.s0003
- attack.t1156 # an old one
- attack.persistence
- attack.t1546.004
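Review bot: A `PATH` record with one of these names only means a syscall touched the file; whether that is a write depends on the audit watch being configured with `-p wa`, and with read permission in the watch the rule fires on every login that sources the profile. Sibling rules in this commit carry their required audit configuration as a comment under `description:`; adding `# -w /etc/profile -p wa -k etc_modify_profile` and equivalent lines for the other paths, or a `key:` match on that tag, would make the dependency explicit. `/etc/shells` is also not a login script, so either the description should mention shell allow-list tampering or that entry belongs in another rule.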
@@ -1,35 +1,32 @@
title: Auditing Configuration Changes on Linux Host
id: 977ef627-4539-4875-adf4-ed8f780c4922
status: experimental
status: test
description: Detect changes in auditd configuration files
# Example config for this one (place it at the top of audit.rules)
# -w /etc/audit/ -p wa -k etc_modify_auditconfig
# -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig
# -w /etc/audisp/ -p wa -k etc_modify_audispconfig
author: Mikhail Larin, oscd.community
date: 2019/10/25
references:
- https://github.com/Neo23x0/auditd/blob/master/audit.rules
- self experience
- https://github.com/Neo23x0/auditd/blob/master/audit.rules
- self experience
date: 2019/10/25
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection:
type: PATH
name:
- /etc/audit/*
- /etc/libaudit.conf
- /etc/audisp/*
condition: selection
selection:
type: PATH
name:
- /etc/audit/*
- /etc/libaudit.conf
- /etc/audisp/*
condition: selection
fields:
- exe
- comm
- key
- exe
- comm
- key
falsepositives:
- Legitimate administrative activity
- Legitimate administrative activity
level: high
tags:
- attack.defense_evasion
- attack.t1054 # an old one
- attack.t1562.006
- attack.defense_evasion
- attack.t1054 # an old one
- attack.t1562.006
@@ -1,33 +1,30 @@
title: 'Binary Padding'
id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
status: experimental
status: test
description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
# For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured
# Example config (place it at the bottom of audit.rules)
# -a always,exit -F arch=b32 -S execve -k execve
# -a always,exit -F arch=b64 -S execve -k execve
author: 'Igor Fits, oscd.community'
date: 2020/10/13
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
date: 2020/10/13
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
execve:
type: 'EXECVE'
truncate:
- 'truncate'
- '-s'
dd:
- 'dd'
- 'if='
filter:
- 'of='
condition: execve and (all of truncate or (all of dd and not filter))
execve:
type: 'EXECVE'
truncate:
- 'truncate'
- '-s'
dd:
- 'dd'
- 'if='
filter:
- 'of='
condition: execve and (all of truncate or (all of dd and not filter))
falsepositives:
- 'Legitimate script work'
- 'Legitimate script work'
level: high
tags:
- attack.defense_evasion
- attack.t1027.001
- attack.defense_evasion
- attack.t1027.001
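Review bot: `not filter` drops every `dd` invocation that names an output file, yet `dd if=/dev/urandom of=payload bs=1 count=4096 oflag=append` pads a file just as well as the stdout-redirect form and is suppressed, if I read the condition correctly. The filter appears intended to skip ordinary disk copies, so `oflag=append` or `conv=notrunc` on the same command line should re-enable the match: add `append: ['oflag=append', 'conv=notrunc']` and change to `condition: execve and (all of truncate or (all of dd and (not filter or append)))`. The keyword lists also match any field of the EXECVE record, so `'-s'` and `'if='` hit inside longer arguments; binding them to `a1`/`a2` as the chattr rule does would be tighter.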
@@ -1,32 +1,29 @@
title: 'File Time Attribute Change'
id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
status: experimental
status: test
description: 'Detect file time attribute change to hide new or changes to existing files.'
# For this rule to work execve auditing must be configured
# Example config (place it at the bottom of audit.rules)
# -a always,exit -F arch=b32 -S execve -k execve
# -a always,exit -F arch=b64 -S execve -k execve
author: 'Igor Fits, oscd.community'
date: 2020/10/15
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
date: 2020/10/15
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
execve:
type: 'EXECVE'
touch:
- 'touch'
selection2:
- '-t'
- '-acmr'
- '-d'
- '-r'
condition: execve and touch and selection2
execve:
type: 'EXECVE'
touch:
- 'touch'
selection2:
- '-t'
- '-acmr'
- '-d'
- '-r'
condition: execve and touch and selection2
falsepositives:
- 'Unknown'
- 'Unknown'
level: medium
tags:
- attack.defense_evasion
- attack.t1070.006
- attack.defense_evasion
- attack.t1070.006
@@ -1,23 +1,24 @@
title: Remove Immutable File Attribute
id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
status: experimental
status: test
description: Detects removing immutable file attribute.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
date: 2019/09/23
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains: 'chattr'
a1|contains: '-i'
condition: selection
selection:
type: 'EXECVE'
a0|contains: 'chattr'
a1|contains: '-i'
condition: selection
falsepositives:
- Administrator interacting with immutable files (e.g. for instance backups).
- Administrator interacting with immutable files (e.g. for instance backups).
level: medium
tags:
- attack.defense_evasion
- attack.t1222.002
- attack.defense_evasion
- attack.t1222.002
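Review bot: `a1|contains: '-i'` only sees the second argv element, so `chattr -R -i /path` (flag in `a2`) and `chattr -V -i file` slip past, while `-ia` or `-iA` in a1 is fine. Since the rule already relies on EXECVE records, matching the flag as a keyword across arguments, or adding a second selection with `a2|contains: '-i'`, covers the recursive form. It may also be worth saying in the description that only the `chattr` binary is watched; clearing the attribute through the ioctl from a custom binary is not caught.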
@@ -1,23 +1,24 @@
title: Creation Of An User Account
id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
status: experimental
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
author: Marie Euler
date: 2020/05/18
references:
- 'MITRE Attack technique T1136; Create Account '
- 'MITRE Attack technique T1136; Create Account '
date: 2020/05/18
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection:
type: 'SYSCALL'
exe|endswith: '/useradd'
condition: selection
selection:
type: 'SYSCALL'
exe|endswith: '/useradd'
condition: selection
falsepositives:
- Admin activity
- Admin activity
level: medium
tags:
- attack.t1136 # an old one
- attack.t1136.001
- attack.persistence
- attack.t1136 # an old one
- attack.t1136.001
- attack.persistence
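Review bot: Matching `type: 'SYSCALL'` with `exe|endswith: '/useradd'` and no syscall restriction fires once per audited syscall made by the `useradd` process, so a single account creation can produce many alerts when broad syscall auditing is on, and none when only file watches are configured. Narrowing to the execve call, e.g. `syscall: execve` (or `key: execve` for the audit rule set the sibling rules document; how the field is rendered depends on the collector), yields one event per invocation. `adduser` and `usermod` are not covered; if that is intentional the description should say so, otherwise extend the list to `- '/useradd'` and `- '/adduser'`.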
@@ -1,24 +1,25 @@
title: File or Folder Permissions Change
id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
status: experimental
status: test
description: Detects file and folder permission changes.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
date: 2019/09/23
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains:
- 'chmod'
- 'chown'
condition: selection
selection:
type: 'EXECVE'
a0|contains:
- 'chmod'
- 'chown'
condition: selection
falsepositives:
- User interacting with files permissions (normal/daily behaviour).
- User interacting with files permissions (normal/daily behaviour).
level: low
tags:
- attack.defense_evasion
- attack.t1222.002
- attack.defense_evasion
- attack.t1222.002
@@ -1,28 +1,25 @@
title: 'Credentials In Files'
id: df3fcaea-2715-4214-99c5-0056ea59eb35
status: experimental
status: test
description: 'Detecting attempts to extract passwords with grep'
# For this rule to work execve auditing must be configured
# Example config (place it at the bottom of audit.rules)
# -a always,exit -F arch=b32 -S execve -k execve
# -a always,exit -F arch=b64 -S execve -k execve
author: 'Igor Fits, oscd.community'
date: 2020/10/15
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
date: 2020/10/15
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
execve:
type: 'EXECVE'
passwordgrep:
- 'grep'
- 'password'
condition: execve and all of passwordgrep
execve:
type: 'EXECVE'
passwordgrep:
- 'grep'
- 'password'
condition: execve and all of passwordgrep
falsepositives:
- 'Unknown'
- 'Unknown'
level: high
tags:
- attack.credential_access
- attack.t1552.001
- attack.credential_access
- attack.t1552.001
@@ -1,24 +1,24 @@
title: Modification of ld.so.preload
id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
status: experimental
status: test
description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md
- https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md
- https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
date: 2019/10/24
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name: '/etc/ld.so.preload'
condition: selection
selection:
type: 'PATH'
name: '/etc/ld.so.preload'
condition: selection
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1574.006
- attack.defense_evasion
- attack.t1574.006
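Review bot: The rule depends on an audit file watch that is not documented here: without `-w /etc/ld.so.preload -p wa -k etc_modify_ldsopreload` in audit.rules no `PATH` record for that file is produced, and with a watch that includes read permission the rule may fire on every dynamically linked program start, since the loader opens the file. Sibling rules in this commit carry the required configuration as a comment under `description:`; the same comment would help here. The match is on the literal name, so a file moved into place with `mv` may only yield a record for the directory depending on how the watch is set; that caveat belongs in the description too.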
@@ -1,34 +1,31 @@
title: Logging Configuration Changes on Linux Host
id: c830f15d-6f6e-430f-8074-6f73d6807841
status: experimental
status: test
description: Detect changes of syslog daemons configuration files
# Example config for this one (place it at the top of audit.rules)
# -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
# -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
# -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
author: Mikhail Larin, oscd.community
date: 2019/10/25
references:
- self experience
- self experience
date: 2019/10/25
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name:
- /etc/syslog.conf
- /etc/rsyslog.conf
- /etc/syslog-ng/syslog-ng.conf
condition: selection
selection:
type: 'PATH'
name:
- /etc/syslog.conf
- /etc/rsyslog.conf
- /etc/syslog-ng/syslog-ng.conf
condition: selection
fields:
- exe
- comm
- key
- exe
- comm
- key
falsepositives:
- Legitimate administrative activity
- Legitimate administrative activity
level: high
tags:
- attack.defense_evasion
- attack.t1054 # an old one
- attack.t1562.006
- attack.defense_evasion
- attack.t1054 # an old one
- attack.t1562.006
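Review bot: The watched paths stop at the three main configuration files, but rsyslog and syslog-ng load drop-in directories on most distributions (`/etc/rsyslog.d/*.conf`, `/etc/syslog-ng/conf.d/`), so an attacker who silences forwarding by dropping a file there never touches a name in this list. Adding `- /etc/rsyslog.d/*` and `- /etc/syslog-ng/conf.d/*` to `name:`, together with matching `-w /etc/rsyslog.d/ -p wa -k etc_modify_rsyslogconfig` lines in the example config comment, closes that gap. Whether the drop-in directory is included is distribution dependent, so confirm against the target fleet.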
@@ -1,24 +1,24 @@
title: Masquerading as Linux Crond Process
id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
status: experimental
description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and
observation. Several different variations of this technique have been observed.
status: test
description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
date: 2019/10/21
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection:
type: 'execve'
a0: 'cp'
a1: '-i'
a2: '/bin/sh'
a3|endswith: '/crond'
condition: selection
selection:
type: 'execve'
a0: 'cp'
a1: '-i'
a2: '/bin/sh'
a3|endswith: '/crond'
condition: selection
level: medium
tags:
- attack.defense_evasion
- attack.t1036.003
- attack.defense_evasion
- attack.t1036.003
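Review bot: `type: 'execve'` is lower-case while every other auditd rule in this commit matches `EXECVE`, which is how auditd spells the record type; on a backend that compares the field case-sensitively this rule never fires, so it should read `type: 'EXECVE'`. The positional match `a0: 'cp'`, `a1: '-i'`, `a2: '/bin/sh'`, `a3|endswith: '/crond'` reproduces the referenced Atomic test literally, so `cp /bin/sh /tmp/crond` without `-i`, or a copy of `/bin/bash`, is missed; dropping the `-i` requirement and matching the destination with a keyword `contains` on `/crond` would cover those variants. A `falsepositives:` section is also absent, unlike the rest of the set.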
@@ -1,27 +1,28 @@
title: Systemd Service Reload or Start
id: 2625cc59-0634-40d0-821e-cb67382a3dd7
status: experimental
status: test
description: Detects a reload or a start of a service.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://attack.mitre.org/techniques/T1543/002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
- https://attack.mitre.org/techniques/T1543/002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
date: 2019/09/23
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains: 'systemctl'
a1|contains:
- 'daemon-reload'
- 'start'
condition: selection
selection:
type: 'EXECVE'
a0|contains: 'systemctl'
a1|contains:
- 'daemon-reload'
- 'start'
condition: selection
falsepositives:
- Installation of legitimate service.
- Legitimate reconfiguration of service.
- Installation of legitimate service.
- Legitimate reconfiguration of service.
level: low
tags:
- attack.persistence
- attack.t1543.002
- attack.persistence
- attack.t1543.002
@@ -1,26 +1,23 @@
title: 'Split A File Into Pieces'
id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769
status: experimental
status: test
description: 'Detection use of the command "split" to split files into parts and possible transfer.'
# For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured
# Example config (place it at the bottom of audit.rules)
# -a always,exit -F arch=b32 -S execve -k execve
# -a always,exit -F arch=b64 -S execve -k execve
author: 'Igor Fits, oscd.community'
date: 2020/10/15
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
date: 2020/10/15
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection:
type: 'SYSCALL'
comm: 'split'
condition: selection
selection:
type: 'SYSCALL'
comm: 'split'
condition: selection
falsepositives:
- 'Legitimate administrative activity'
- 'Legitimate administrative activity'
level: low
tags:
- attack.exfiltration
- attack.t1030
- attack.exfiltration
- attack.t1030
@@ -1,21 +1,22 @@
title: Suspicious C2 Activities
id: f7158a64-6204-4d6d-868a-6e6378b467e0
status: experimental
status: test
description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
author: Marie Euler
references:
- 'https://github.com/Neo23x0/auditd'
- 'https://github.com/Neo23x0/auditd'
date: 2020/05/18
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection:
key:
- 'susp_activity'
condition: selection
selection:
key:
- 'susp_activity'
condition: selection
falsepositives:
- Admin or User activity
- Admin or User activity
level: medium
tags:
- attack.command_and_control
- attack.command_and_control
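Review bot: The whole detection rests on the audit key `susp_activity`, which only exists if the referenced Neo23x0 audit.rules set is deployed with that exact key name, and the rule gives no hint of this. A comment under `description:` in the style of the other auditd rules, e.g. `# Requires the 'susp_activity' key from the Neo23x0 audit.rules (wget, curl, base64, nc, socat, ...)`, makes the dependency visible, and `key:` can be a plain scalar rather than a one-item list. Because the key covers several binaries, a `fields:` list with `a0`, `a1` and `exe` would help triage.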
+26 -25
@@ -1,35 +1,36 @@
title: Suspicious Commands Linux
id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
status: experimental
status: test
description: Detects relevant commands often related to malware or hacking activity
author: Florian Roth
date: 2017/12/12
references:
- Internal Research - mostly derived from exploit code including code in MSF
- Internal Research - mostly derived from exploit code including code in MSF
date: 2017/12/12
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
cmd1:
type: 'EXECVE'
a0: 'chmod'
a1: '777'
cmd2:
type: 'EXECVE'
a0: 'chmod'
a1: 'u+s'
cmd3:
type: 'EXECVE'
a0: 'cp'
a1: '/bin/ksh'
cmd4:
type: 'EXECVE'
a0: 'cp'
a1: '/bin/sh'
condition: 1 of them
cmd1:
type: 'EXECVE'
a0: 'chmod'
a1: '777'
cmd2:
type: 'EXECVE'
a0: 'chmod'
a1: 'u+s'
cmd3:
type: 'EXECVE'
a0: 'cp'
a1: '/bin/ksh'
cmd4:
type: 'EXECVE'
a0: 'cp'
a1: '/bin/sh'
condition: 1 of them
falsepositives:
- Admin activity
- Admin activity
level: medium
tags:
- attack.execution
- attack.t1059.004
- attack.execution
- attack.t1059.004
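Review bot: Each selection pins the mode or source path to `a1`, so `chmod -R 777 /var/www`, `chmod 0777 x`, `chmod a+rwx x` and `cp -p /bin/sh ...` all escape, although they are ordinary spellings of the same action. Matching the mode with `a1|contains: '777'` and adding a selection for the recursive form (`a1: '-R'`, `a2|contains: '777'`), or matching `777`/`u+s` as keywords on the EXECVE record alongside `a0: 'chmod'`, keeps the intent while closing the trivial evasions. The same applies to `cmd3`/`cmd4`, where the shell path could be matched as a keyword rather than as `a1`.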
@@ -1,43 +1,44 @@
title: Program Executions in Suspicious Folders
id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
status: experimental
status: test
description: Detects program executions in suspicious non-program folders related to malware or hacking activity
author: Florian Roth
date: 2018/01/23
references:
- Internal Research
- Internal Research
date: 2018/01/23
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection:
type: 'SYSCALL'
exe|startswith:
selection:
type: 'SYSCALL'
exe|startswith:
# Temporary folder
- '/tmp/'
- '/tmp/'
# Web server
- '/var/www/' # Standard
- '/home/*/public_html/' # Per-user
- '/usr/local/apache2/' # Classical Apache
- '/usr/local/httpd/' # Old SuSE Linux 6.* Apache
- '/var/apache/' # Solaris Apache
- '/srv/www/' # SuSE Linux 9.*
- '/home/httpd/html/' # Redhat 6 or older Apache
- '/srv/http/' # ArchLinux standard
- '/usr/share/nginx/html/' # ArchLinux nginx
- '/var/www/' # Standard
- '/home/*/public_html/' # Per-user
- '/usr/local/apache2/' # Classical Apache
- '/usr/local/httpd/' # Old SuSE Linux 6.* Apache
- '/var/apache/' # Solaris Apache
- '/srv/www/' # SuSE Linux 9.*
- '/home/httpd/html/' # Redhat 6 or older Apache
- '/srv/http/' # ArchLinux standard
- '/usr/share/nginx/html/' # ArchLinux nginx
# Data dirs of typically exploited services (incomplete list)
- '/var/lib/pgsql/data/'
- '/usr/local/mysql/data/'
- '/var/lib/mysql/'
- '/var/vsftpd/'
- '/etc/bind/'
- '/var/named/'
condition: selection
- '/var/lib/pgsql/data/'
- '/usr/local/mysql/data/'
- '/var/lib/mysql/'
- '/var/vsftpd/'
- '/etc/bind/'
- '/var/named/'
condition: selection
falsepositives:
- Admin activity (especially in /tmp folders)
- Crazy web applications
- Admin activity (especially in /tmp folders)
- Crazy web applications
level: medium
tags:
- attack.t1587
- attack.t1584
- attack.resource_development
- attack.t1587
- attack.t1584
- attack.resource_development
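Review bot: The temporary-folder list has only `/tmp/`, while `/var/tmp/` and `/dev/shm/` are equally world-writable and are standard staging locations for dropped binaries; add `- '/var/tmp/'` and `- '/dev/shm/'` under the `# Temporary folder` comment. Because the match is on `exe` of a `SYSCALL` record with no syscall restriction, a process started from one of these paths raises an alert for every audited syscall it makes rather than once at execution, so restricting to execve (or the key of the execve rule set) would cut the volume. The `/home/*/public_html/` entry relies on a wildcard inside a `startswith` modifier, which not every backend supports; confirm it converts.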
@@ -1,42 +1,36 @@
title: 'Suspicious History File Operations'
id: eae8ce9f-bde9-47a6-8e79-f20d18419910
status: experimental
status: test
description: 'Detects commandline operations on shell history files'
# Rule detects presence of various shell history files in process commandline
# Normally user expected to view own history with dedicated 'history' command and not some other tools
# There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
# For this rule to work execve auditing must be configured
# Example config (place it at the bottom of audit.rules)
# -a always,exit -F arch=b32 -S execve -k execve
# -a always,exit -F arch=b64 -S execve -k execve
author: 'Mikhail Larin, oscd.community'
date: 2020/10/17
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
date: 2020/10/17
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
execve:
type: EXECVE
history:
- '.bash_history'
- '.zsh_history'
- '.zhistory'
- '.history'
- '.sh_history'
- 'fish_history'
condition: execve and history
execve:
type: EXECVE
history:
- '.bash_history'
- '.zsh_history'
- '.zhistory'
- '.history'
- '.sh_history'
- 'fish_history'
condition: execve and history
fields:
- a0
- a1
- a2
- a3
- key
- a0
- a1
- a2
- a3
- key
falsepositives:
- 'Legitimate administrative activity'
- 'Ligitimate software, cleaning hist file'
- 'Legitimate administrative activity'
- 'Ligitimate software, cleaning hist file'
level: medium
tags:
- attack.credential_access
- attack.t1552.003
- attack.credential_access
- attack.t1552.003
@@ -1,36 +1,33 @@
title: 'System Shutdown/Reboot'
id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f
status: experimental
status: test
description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
# For this rule to work execve auditing must be configured
# Example config (place it at the bottom of audit.rules)
# -a always,exit -F arch=b32 -S execve -k execve
# -a always,exit -F arch=b64 -S execve -k execve
author: 'Igor Fits, oscd.community'
date: 2020/10/15
references:
- hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
- hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
date: 2020/10/15
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
execve:
type: 'EXECVE'
shutdowncmd:
- 'shutdown'
- 'reboot'
- 'halt'
- 'poweroff'
init:
- 'init'
- 'telinit'
initselection:
- '0'
- '6'
condition: execve and (shutdowncmd or (init and initselection))
execve:
type: 'EXECVE'
shutdowncmd:
- 'shutdown'
- 'reboot'
- 'halt'
- 'poweroff'
init:
- 'init'
- 'telinit'
initselection:
- '0'
- '6'
condition: execve and (shutdowncmd or (init and initselection))
falsepositives:
- 'Legitimate administrative activity'
- 'Legitimate administrative activity'
level: informational
tags:
- attack.impact
- attack.t1529
- attack.impact
- attack.t1529
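Review bot: The reference URL is broken, `hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md` has a doubled `h`, and the reordered line carries the typo rather than fixing it; it should read `- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md`. Separately, the `initselection` keywords `'0'` and `'6'` match any argument of the record, so `init` combined with an unrelated argument such as a PID also satisfies `init and initselection`; binding them as `a0: ['init', 'telinit']` with `a1: ['0', '6']` is tighter.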
@@ -1,26 +1,26 @@
title: System Owner or User Discovery
id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
status: experimental
description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not
the adversary fully infects the target and/or attempts specific actions.
status: test
description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
date: 2019/10/21
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0:
- 'users'
- 'w'
- 'who'
condition: selection
selection:
type: 'EXECVE'
a0:
- 'users'
- 'w'
- 'who'
condition: selection
falsepositives:
- Admin activity
- Admin activity
level: low
tags:
- attack.discovery
- attack.t1033
- attack.discovery
- attack.t1033
+21 -21
@@ -1,31 +1,31 @@
title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: experimental
status: test
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
date: 2019/10/21
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection1:
type: 'execve'
a0: 'zip'
selection2:
type: 'execve'
a0: 'gzip'
a1: '-f'
selection3:
type: 'execve'
a0: 'tar'
a1|contains: '-c'
condition: 1 of them
selection1:
type: 'execve'
a0: 'zip'
selection2:
type: 'execve'
a0: 'gzip'
a1: '-f'
selection3:
type: 'execve'
a0: 'tar'
a1|contains: '-c'
condition: 1 of them
falsepositives:
- Legitimate use of archiving tools by legitimate user.
- Legitimate use of archiving tools by legitimate user.
level: low
tags:
- attack.exfiltration
- attack.t1560.001
- attack.exfiltration
- attack.t1560.001
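Review bot: All three selections match `type: 'execve'` in lower case, while the other auditd rules in this commit (System Shutdown/Reboot, System Owner or User Discovery) match `type: 'EXECVE'`; auditd writes the record type in upper case, so on any backend that compiles exact field matches case-sensitively this rule can never fire. Change the three occurrences to `type: 'EXECVE'`. A smaller point: `a1|contains: '-c'` only inspects the first argument, so `tar -v -c ...` or `tar --create ...` are missed — worth stating in the description if it is intentional.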
+22 -23
@@ -1,32 +1,31 @@
title: Network Sniffing
id: f4d3748a-65d1-4806-bd23-e25728081d01
status: experimental
description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary
may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
status: test
description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
date: 2019/10/21
modified: 2021/11/27
logsource:
product: linux
service: auditd
product: linux
service: auditd
detection:
selection1:
type: 'execve'
a0: 'tcpdump'
a1: '-c'
a3|contains: '-i'
selection2:
type: 'execve'
a0: 'tshark'
a1: '-c'
a3: '-i'
condition: selection1 or selection2
selection1:
type: 'execve'
a0: 'tcpdump'
a1: '-c'
a3|contains: '-i'
selection2:
type: 'execve'
a0: 'tshark'
a1: '-c'
a3: '-i'
condition: selection1 or selection2
falsepositives:
- Legitimate administrator or user uses network sniffing tool for legitimate reasons.
- Legitimate administrator or user uses network sniffing tool for legitimate reasons.
level: low
tags:
- attack.credential_access
- attack.discovery
- attack.t1040
- attack.credential_access
- attack.discovery
- attack.t1040
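Review bot: As in the Data Compressed rule, `type: 'execve'` is lower case here while sibling auditd rules use `type: 'EXECVE'`, which is how auditd emits the record type; change both selections to `type: 'EXECVE'` or the rule may never match. The positional constraints are also very narrow: `a1: '-c'` plus `a3|contains: '-i'` only catches the exact `tcpdump -c N -i iface` shape from the atomic test, so a plain `tcpdump -i eth0 -w out.pcap` is not detected. Consider dropping the `-c` requirement and checking `-i` in `a1` as well as `a3` (or matching on `a0` only and accepting the noise), and say in the description which invocation shape is covered.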
@@ -1,81 +1,82 @@
title: Equation Group Indicators
id: 41e5c73d-9983-4b69-bd03-e13b67e9623c
status: experimental
status: test
description: Detects suspicious shell commands used in various Equation Group scripts and tools
author: Florian Roth
date: 2017/04/09
references:
- https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
- https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
date: 2017/04/09
modified: 2021/11/27
logsource:
product: linux
product: linux
detection:
keywords:
keywords:
# evolvingstrategy, elgingamble, estesfox
- 'chown root*chmod 4777 '
- 'cp /bin/sh .;chown'
- 'chown root*chmod 4777 '
- 'cp /bin/sh .;chown'
# tmpwatch
- 'chmod 4777 /tmp/.scsi/dev/bin/gsh'
- 'chown root:root /tmp/.scsi/dev/bin/'
- 'chmod 4777 /tmp/.scsi/dev/bin/gsh'
- 'chown root:root /tmp/.scsi/dev/bin/'
# estesfox
- 'chown root:root x;'
- 'chown root:root x;'
# ratload
- '/bin/telnet locip locport < /dev/console | /bin/sh'
- '/tmp/ratload'
- '/bin/telnet locip locport < /dev/console | /bin/sh'
- '/tmp/ratload'
# ewok
- 'ewok -t '
- 'ewok -t '
# xspy
- 'xspy -display '
- 'xspy -display '
# elatedmonkey
- 'cat > /dev/tcp/127.0.0.1/80 <<END'
- 'cat > /dev/tcp/127.0.0.1/80 <<END'
# ftshell
- 'rm -f /current/tmp/ftshell.latest'
- 'rm -f /current/tmp/ftshell.latest'
# ghost
- 'ghost_* -v '
- 'ghost_* -v '
# morerats client
- ' --wipe > /dev/null'
- ' --wipe > /dev/null'
# noclient
- 'ping -c 2 *; grep * /proc/net/arp >/tmp/gx'
- 'iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;'
- 'ping -c 2 *; grep * /proc/net/arp >/tmp/gx'
- 'iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;'
# auditcleaner
- '> /var/log/audit/audit.log; rm -f .'
- 'cp /var/log/audit/audit.log .tmp'
- '> /var/log/audit/audit.log; rm -f .'
- 'cp /var/log/audit/audit.log .tmp'
# reverse shell
- 'sh >/dev/tcp/* <&1 2>&1'
- 'sh >/dev/tcp/* <&1 2>&1'
# packrat
- 'ncat -vv -l -p * <'
- 'nc -vv -l -p * <'
- 'ncat -vv -l -p * <'
- 'nc -vv -l -p * <'
# empty bowl
- '< /dev/console | uudecode && uncompress'
- 'sendmail -osendmail;chmod +x sendmail'
- '< /dev/console | uudecode && uncompress'
- 'sendmail -osendmail;chmod +x sendmail'
# echowrecker
- '/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron'
- '/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron'
# dubmoat
- 'chmod 666 /var/run/utmp~'
- 'chmod 666 /var/run/utmp~'
# poptop
- 'chmod 700 nscd crond'
- 'chmod 700 nscd crond'
# abopscript
- 'cp /etc/shadow /tmp/.'
- 'cp /etc/shadow /tmp/.'
# ys
- '</dev/console |uudecode > /dev/null 2>&1 && uncompress'
- '</dev/console |uudecode > /dev/null 2>&1 && uncompress'
# jacktelnet
- 'chmod 700 jp&&netstat -an|grep'
- 'chmod 700 jp&&netstat -an|grep'
# others
- 'uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755'
- 'chmod 700 crond'
- 'wget http*; chmod +x /tmp/sendmail'
- 'chmod 700 fp sendmail pt'
- 'chmod 755 /usr/vmsys/bin/pipe'
- 'chmod -R 755 /usr/vmsys'
- 'chmod 755 $opbin/*tunnel'
- 'chmod 700 sendmail'
- 'chmod 0700 sendmail'
- '/usr/bin/wget http*sendmail;chmod +x sendmail;'
- '&& telnet * 2>&1 </dev/console'
condition: keywords
- 'uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755'
- 'chmod 700 crond'
- 'wget http*; chmod +x /tmp/sendmail'
- 'chmod 700 fp sendmail pt'
- 'chmod 755 /usr/vmsys/bin/pipe'
- 'chmod -R 755 /usr/vmsys'
- 'chmod 755 $opbin/*tunnel'
- 'chmod 700 sendmail'
- 'chmod 0700 sendmail'
- '/usr/bin/wget http*sendmail;chmod +x sendmail;'
- '&& telnet * 2>&1 </dev/console'
condition: keywords
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.execution
- attack.g0020
- attack.t1059.004
- attack.execution
- attack.g0020
- attack.t1059.004
+11 -10
@@ -1,20 +1,21 @@
title: Connection Proxy
id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
status: experimental
status: test
description: Detects setting proxy
author: Ömer Günal
date: 2020/06/17
references:
- https://attack.mitre.org/techniques/T1090/
- https://attack.mitre.org/techniques/T1090/
date: 2020/06/17
modified: 2021/11/27
logsource:
product: linux
product: linux
detection:
keyword:
- 'http_proxy=*'
- 'https_proxy=*'
condition: keyword
keyword:
- 'http_proxy=*'
- 'https_proxy=*'
condition: keyword
falsepositives:
- Legitimate administration activities
- Legitimate administration activities
level: low
tags:
- attack.defense_evasion
- attack.defense_evasion
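Review bot: The only reference is the T1090 (Proxy) technique page, but the tags carry just `attack.defense_evasion` and no technique ID; in ATT&CK T1090 sits under Command and Control, so the tags should read `- attack.command_and_control` and `- attack.t1090`. Also note that `http_proxy=*` / `https_proxy=*` are unbound keywords with no `category` or `service` in the logsource, so any shell `export`, environment dump or config line that is logged anywhere will match — the trailing `*` adds nothing to a keyword search and the description `Detects setting proxy` should say that it matches the environment-variable assignment in command lines.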
+15 -14
@@ -1,24 +1,25 @@
title: Setuid and Setgid
id: c21c4eaa-ba2e-419a-92b2-8371703cbe21
status: experimental
status: test
description: Detects suspicious change of file privileges with chown and chmod commands
author: Ömer Günal
date: 2020/06/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1166/T1166.md
- https://attack.mitre.org/techniques/T1166/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1166/T1166.md
- https://attack.mitre.org/techniques/T1166/
date: 2020/06/16
modified: 2021/11/27
logsource:
product: linux
product: linux
detection:
selection1:
- '*chown root*'
selection2:
- '* chmod u+s*'
selection3:
- '* chmod g+s*'
condition: (selection1 and selection2) or (selection1 and selection3)
selection1:
- '*chown root*'
selection2:
- '* chmod u+s*'
selection3:
- '* chmod g+s*'
condition: (selection1 and selection2) or (selection1 and selection3)
falsepositives:
- Legitimate administration activities
- Legitimate administration activities
level: low
tags:
- attack.persistence
- attack.persistence
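Review bot: The condition `(selection1 and selection2) or (selection1 and selection3)` is equivalent to and easier to read as `condition: selection1 and (selection2 or selection3)`. The tags give only `attack.persistence` with no technique ID even though both references point at T1166; as far as I recall T1166 was retired and folded into T1548.001 (Setuid and Setgid, Privilege Escalation), so `- attack.privilege_escalation` and `- attack.t1548.001` would be the current mapping — please verify against the ATT&CK version the repo tracks. The three selections are unbound keyword wildcards (`'*chown root*'`, `'* chmod u+s*'`), so both commands must appear in the same logged event; that only happens when whole scripts or compound command lines are logged, which is worth stating in the description.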
+53 -52
@@ -1,70 +1,71 @@
title: Privilege Escalation Preparation
id: 444ade84-c362-4260-b1f3-e45e20e1a905
status: experimental
status: test
description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
author: Patrick Bareiss
date: 2019/04/05
references:
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/
date: 2019/04/05
modified: 2021/11/27
logsource:
product: linux
product: linux
detection:
keywords:
keywords:
# distribution type and kernel version
- 'cat /etc/issue'
- 'cat /etc/*-release'
- 'cat /proc/version'
- 'uname -a'
- 'uname -mrs'
- 'rpm -q kernel'
- 'dmesg | grep Linux'
- 'ls /boot | grep vmlinuz-'
- 'cat /etc/issue'
- 'cat /etc/*-release'
- 'cat /proc/version'
- 'uname -a'
- 'uname -mrs'
- 'rpm -q kernel'
- 'dmesg | grep Linux'
- 'ls /boot | grep vmlinuz-'
# environment variables
- 'cat /etc/profile'
- 'cat /etc/bashrc'
- 'cat ~/.bash_profile'
- 'cat ~/.bashrc'
- 'cat ~/.bash_logout'
- 'cat /etc/profile'
- 'cat /etc/bashrc'
- 'cat ~/.bash_profile'
- 'cat ~/.bashrc'
- 'cat ~/.bash_logout'
# applications and services as root
- 'ps -aux | grep root'
- 'ps -ef | grep root'
- 'ps -aux | grep root'
- 'ps -ef | grep root'
# scheduled tasks
- 'crontab -l'
- 'cat /etc/cron*'
- 'cat /etc/cron.allow'
- 'cat /etc/cron.deny'
- 'cat /etc/crontab'
- 'crontab -l'
- 'cat /etc/cron*'
- 'cat /etc/cron.allow'
- 'cat /etc/cron.deny'
- 'cat /etc/crontab'
# search for plain text user/passwords
- 'grep -i user *'
- 'grep -i pass *'
- 'grep -i user *'
- 'grep -i pass *'
# networking
- 'ifconfig'
- 'cat /etc/network/interfaces'
- 'cat /etc/sysconfig/network'
- 'cat /etc/resolv.conf'
- 'cat /etc/networks'
- 'iptables -L'
- 'lsof -i'
- 'netstat -antup'
- 'netstat -antpx'
- 'netstat -tulpn'
- 'arp -e'
- 'route'
- 'ifconfig'
- 'cat /etc/network/interfaces'
- 'cat /etc/sysconfig/network'
- 'cat /etc/resolv.conf'
- 'cat /etc/networks'
- 'iptables -L'
- 'lsof -i'
- 'netstat -antup'
- 'netstat -antpx'
- 'netstat -tulpn'
- 'arp -e'
- 'route'
# sensitive files
- 'cat /etc/passwd'
- 'cat /etc/group'
- 'cat /etc/shadow'
- 'cat /etc/passwd'
- 'cat /etc/group'
- 'cat /etc/shadow'
# sticky bits
- 'find / -perm -u=s'
- 'find / -perm -g=s'
- 'find / -perm -4000'
- 'find / -perm -2000'
timeframe: 30m
condition: keywords | count() by host > 6
- 'find / -perm -u=s'
- 'find / -perm -g=s'
- 'find / -perm -4000'
- 'find / -perm -2000'
timeframe: 30m
condition: keywords | count() by host > 6
falsepositives:
- Troubleshooting on Linux Machines
- Troubleshooting on Linux Machines
level: medium
tags:
- attack.execution
- attack.t1059.004
- attack.execution
- attack.t1059.004
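Review bot: `'route'` and `'ifconfig'` are single bare words in a full-text keyword list, so on backends that tokenize the event any line containing "route" (routing daemons, kernel messages, "routed") or "ifconfig" counts toward the `count() by host > 6` threshold within 30m, which is an easy way to cross it without any reconnaissance. Anchoring them the way the other entries are, e.g. `'route -n'` / `' route'` and `'ifconfig -a'`, or dropping the two generic words, would keep the aggregation honest — hedged, since exact keyword semantics depend on the backend. Also consider whether `'cat /etc/shadow'` belongs in a rule that only alerts after seven hits; reading the shadow file is worth its own higher-level alert.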
+45 -45
@@ -1,59 +1,59 @@
title: Suspicious Activity in Shell Commands
id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695
status: experimental
status: test
description: Detects suspicious shell commands used in various exploit codes (see references)
author: Florian Roth
date: 2017/08/21
modified: 2019/02/05
references:
- http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
- http://pastebin.com/FtygZ1cg
- https://artkond.com/2017/03/23/pivoting-guide/
- http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
- http://pastebin.com/FtygZ1cg
- https://artkond.com/2017/03/23/pivoting-guide/
date: 2017/08/21
modified: 2021/11/27
logsource:
product: linux
product: linux
detection:
keywords:
keywords:
# Generic suspicious commands
- 'wget * - http* | perl'
- 'wget * - http* | sh'
- 'wget * - http* | bash'
- 'python -m SimpleHTTPServer'
- '-m http.server' # Python 3
- 'import pty; pty.spawn*'
- 'socat exec:*'
- 'socat -O /tmp/*'
- 'socat tcp-connect*'
- '*echo binary >>*'
- 'wget * - http* | perl'
- 'wget * - http* | sh'
- 'wget * - http* | bash'
- 'python -m SimpleHTTPServer'
- '-m http.server' # Python 3
- 'import pty; pty.spawn*'
- 'socat exec:*'
- 'socat -O /tmp/*'
- 'socat tcp-connect*'
- '*echo binary >>*'
# Malware
- '*wget *; chmod +x*'
- '*wget *; chmod 777 *'
- '*cd /tmp || cd /var/run || cd /mnt*'
- '*wget *; chmod +x*'
- '*wget *; chmod 777 *'
- '*cd /tmp || cd /var/run || cd /mnt*'
# Apache Struts in-the-wild exploit codes
- '*stop;service iptables stop;*'
- '*stop;SuSEfirewall2 stop;*'
- 'chmod 777 2020*'
- '*>>/etc/rc.local'
- '*stop;service iptables stop;*'
- '*stop;SuSEfirewall2 stop;*'
- 'chmod 777 2020*'
- '*>>/etc/rc.local'
# Metasploit framework exploit codes
- '*base64 -d /tmp/*'
- '* | base64 -d *'
- '*/chmod u+s *'
- '*chmod +s /tmp/*'
- '*chmod u+s /tmp/*'
- '* /tmp/haxhax*'
- '* /tmp/ns_sploit*'
- 'nc -l -p *'
- 'cp /bin/ksh *'
- 'cp /bin/sh *'
- '* /tmp/*.b64 *'
- '*/tmp/ysocereal.jar*'
- '*/tmp/x *'
- '*; chmod +x /tmp/*'
- '*;chmod +x /tmp/*'
condition: keywords
- '*base64 -d /tmp/*'
- '* | base64 -d *'
- '*/chmod u+s *'
- '*chmod +s /tmp/*'
- '*chmod u+s /tmp/*'
- '* /tmp/haxhax*'
- '* /tmp/ns_sploit*'
- 'nc -l -p *'
- 'cp /bin/ksh *'
- 'cp /bin/sh *'
- '* /tmp/*.b64 *'
- '*/tmp/ysocereal.jar*'
- '*/tmp/x *'
- '*; chmod +x /tmp/*'
- '*;chmod +x /tmp/*'
condition: keywords
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.execution
- attack.t1059.004
- attack.execution
- attack.t1059.004
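Review bot: `'python -m SimpleHTTPServer'` and `'-m http.server'` are routine developer commands for serving a directory, yet they sit in a `level: high` rule whose `falsepositives` entry is `Unknown`; promoting this to `status: test` without addressing that guarantees noise. Either move the two Python entries into a separate low-level rule or at least list them under falsepositives, e.g. `- Developers serving a local directory with python -m http.server`. The entry `'chmod 777 2020*'` also looks campaign-specific; a one-line comment naming the source it came from would help the next maintainer judge whether to keep it.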
@@ -1,20 +1,21 @@
title: Suspicious Log Entries
id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
status: experimental
status: test
description: Detects suspicious log entries in Linux log files
author: Florian Roth
date: 2017/03/25
modified: 2021/11/27
logsource:
product: linux
product: linux
detection:
keywords:
- entered promiscuous mode
- Deactivating service
- Oversized packet received from
- imuxsock begins to drop messages
condition: keywords
keywords:
- entered promiscuous mode
- Deactivating service
- Oversized packet received from
- imuxsock begins to drop messages
condition: keywords
falsepositives:
- Unknown
- Unknown
level: medium
tags:
- attack.impact
- attack.impact
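Review bot: The rule has no `references` and its only tag is `attack.impact`, although `entered promiscuous mode` is the kernel message produced by exactly the sniffing behaviour that the Network Sniffing rule in this same commit tags `attack.credential_access`, `attack.discovery` and `attack.t1040`; those tags should be added here too. Be aware that bridged interfaces (container and VM bridges) put their member ports into promiscuous mode, so this keyword fires on ordinary Docker/libvirt hosts — `falsepositives: Unknown` understates that and should name it. The four strings are unrelated messages grouped under one `attack.impact` umbrella; at minimum a comment per keyword saying which log source emits it would make the rule reviewable.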
@@ -1,44 +1,45 @@
title: Suspicious Reverse Shell Command Line
id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab
status: experimental
status: test
description: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
author: Florian Roth
date: 2019/04/02
references:
- https://alamot.github.io/reverse_shells/
- https://alamot.github.io/reverse_shells/
date: 2019/04/02
modified: 2021/11/27
logsource:
product: linux
product: linux
detection:
keywords:
- 'BEGIN {s = "/inet/tcp/0/'
- 'bash -i >& /dev/tcp/'
- 'bash -i >& /dev/udp/'
- 'sh -i >$ /dev/udp/'
- 'sh -i >$ /dev/tcp/'
- '&& while read line 0<&5; do'
- '/bin/bash -c exec 5<>/dev/tcp/'
- '/bin/bash -c exec 5<>/dev/udp/'
- 'nc -e /bin/sh '
- '/bin/sh | nc'
- 'rm -f backpipe; mknod /tmp/backpipe p && nc '
- ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))'
- ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
- '/bin/sh -i <&3 >&3 2>&3'
- 'uname -a; w; id; /bin/bash -i'
- '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
- ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
- '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
- ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
- "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
- 'rm -f /tmp/p; mknod /tmp/p p &&'
- ' | /bin/bash | telnet '
- ',echo=0,raw tcp-listen:'
- 'nc -lvvp '
- 'xterm -display 1'
condition: keywords
keywords:
- 'BEGIN {s = "/inet/tcp/0/'
- 'bash -i >& /dev/tcp/'
- 'bash -i >& /dev/udp/'
- 'sh -i >$ /dev/udp/'
- 'sh -i >$ /dev/tcp/'
- '&& while read line 0<&5; do'
- '/bin/bash -c exec 5<>/dev/tcp/'
- '/bin/bash -c exec 5<>/dev/udp/'
- 'nc -e /bin/sh '
- '/bin/sh | nc'
- 'rm -f backpipe; mknod /tmp/backpipe p && nc '
- ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))'
- ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
- '/bin/sh -i <&3 >&3 2>&3'
- 'uname -a; w; id; /bin/bash -i'
- '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
- ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
- '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
- ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
- "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
- 'rm -f /tmp/p; mknod /tmp/p p &&'
- ' | /bin/bash | telnet '
- ',echo=0,raw tcp-listen:'
- 'nc -lvvp '
- 'xterm -display 1'
condition: keywords
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.execution
- attack.t1059.004
- attack.execution
- attack.t1059.004
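Review bot: The two `sh` keywords read `'sh -i >$ /dev/udp/'` and `'sh -i >$ /dev/tcp/'` while the `bash` lines directly above use `>&`; `>$` is not a shell redirection operator, and the one-liners these are lifted from use `>&`, so as written these two entries cannot match a real reverse shell. Correct them to `- 'sh -i >& /dev/udp/'` and `- 'sh -i >& /dev/tcp/'`. Also, `'xterm -display 1'` only catches display hosts whose address starts with 1; if that is deliberate it deserves a comment, otherwise `'xterm -display '` is the general form.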
@@ -1,21 +1,22 @@
title: Space After Filename
id: 879c3015-c88b-4782-93d7-07adf92dbcb7
status: experimental
id: 879c3015-c88b-4782-93d7-07adf92dbcb7
status: test
description: Detects space after filename
author: Ömer Günal
date: 2020/06/17
references:
- https://attack.mitre.org/techniques/T1064
level: low
- https://attack.mitre.org/techniques/T1064
date: 2020/06/17
modified: 2021/11/27
logsource:
product: linux
product: linux
detection:
selection1:
- 'echo "*" > * && chmod +x *'
selection2:
- 'mv * "* "'
condition: selection1 and selection2
selection1:
- 'echo "*" > * && chmod +x *'
selection2:
- 'mv * "* "'
condition: selection1 and selection2
falsepositives:
- Typos
- Typos
level: low
tags:
- attack.execution
- attack.execution
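Review bot: `condition: selection1 and selection2` requires the `echo "*" > * && chmod +x *` fragment and the `mv * "* "` fragment to appear in the same event, but they are two separate commands in the referenced atomic test, so with per-command logging this rule can never fire. Either switch to `condition: selection1 or selection2` (noisier, but `selection2` alone is the actual trailing-space rename) or rewrite it as a correlation over a short timeframe. The description `Detects space after filename` should also say what is matched: a file being moved to a name that ends in a trailing space, optionally preceded by an echo/chmod that creates it.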
+13 -12
@@ -1,22 +1,23 @@
title: JexBoss Command Sequence
id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
status: test
description: Detects suspicious command sequence that JexBoss
status: experimental
author: Florian Roth
date: 2017/08/24
references:
- https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
- https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
date: 2017/08/24
modified: 2021/11/27
logsource:
product: linux
product: linux
detection:
selection1:
- 'bash -c /bin/bash'
selection2:
- '&/dev/tcp/'
condition: selection1 and selection2
selection1:
- 'bash -c /bin/bash'
selection2:
- '&/dev/tcp/'
condition: selection1 and selection2
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.execution
- attack.t1059.004
- attack.execution
- attack.t1059.004
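Review bot: The description is an incomplete sentence, `Detects suspicious command sequence that JexBoss`, and the commit reorders the `status` line around it without fixing the text; propose `description: Detects a suspicious command sequence used by the JexBoss exploitation tool`. The keyword `'&/dev/tcp/'` only matches when the `&` is immediately followed by the path (`>&/dev/tcp/`), so a `>& /dev/tcp/` variant with a space is missed — if the space-free form is what JexBoss emits, a comment saying so would stop someone "fixing" it later.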
+12 -11
@@ -1,21 +1,22 @@
title: Symlink Etc Passwd
id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
status: experimental
status: test
description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
author: Florian Roth
date: 2019/04/05
references:
- https://www.qualys.com/2021/05/04/21nails/21nails.txt
- https://www.qualys.com/2021/05/04/21nails/21nails.txt
date: 2019/04/05
modified: 2021/11/27
logsource:
product: linux
product: linux
detection:
keywords:
- 'ln -s -f /etc/passwd'
- 'ln -s /etc/passwd'
condition: keywords
keywords:
- 'ln -s -f /etc/passwd'
- 'ln -s /etc/passwd'
condition: keywords
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.t1204.001
- attack.execution
- attack.t1204.001
- attack.execution
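Review bot: The keyword list covers `ln -s -f /etc/passwd` and `ln -s /etc/passwd` but not the combined-flag form `ln -sf /etc/passwd`, which is the most common way to force-create a symlink; add `- 'ln -sf /etc/passwd'` (and `'ln -fs /etc/passwd'` if you want to be thorough). The tag `attack.t1204.001` (User Execution: Malicious Link) looks mismatched for a symlink-to-/etc/passwd primitive, which is used for local privilege escalation rather than tricking a user into clicking a link; consider `attack.privilege_escalation` instead — hedged, as I cannot see the rule author's intent. The rule is dated 2019/04/05 but its only reference is a 2021 advisory, so the original source appears to be missing.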
@@ -1,12 +1,13 @@
title: MacOS Emond Launch Daemon
id: 23c43900-e732-45a4-8354-63e4a6c187ce
status: experimental
status: test
description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
author: Alejandro Ortuno, oscd.community
date: 2020/10/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
- https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
- https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
date: 2020/10/23
modified: 2021/11/27
logsource:
category: file_event
product: macos
@@ -18,9 +19,9 @@ detection:
TargetFilename|contains: '/private/var/db/emondClients/'
condition: selection_1 or selection_2
falsepositives:
- Legitimate administration activities
- Legitimate administration activities
level: medium
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1546.014
- attack.persistence
- attack.privilege_escalation
- attack.t1546.014
@@ -1,11 +1,12 @@
title: Startup Items
id: dfe8b941-4e54-4242-b674-6b613d521962
status: experimental
status: test
description: Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.
author: Alejandro Ortuno, oscd.community
date: 2020/10/14
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md
date: 2020/10/14
modified: 2021/11/27
logsource:
category: file_event
product: macos
@@ -16,9 +17,9 @@ detection:
TargetFilename|endswith: '.plist'
condition: selection_1 and selection_2
falsepositives:
- Legitimate administration activities
- Legitimate administration activities
level: low
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1037.005
- attack.persistence
- attack.privilege_escalation
- attack.t1037.005
@@ -1,11 +1,12 @@
title: MacOS Scripting Interpreter AppleScript
id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
status: experimental
status: test
description: Detects execution of AppleScript of the macOS scripting language AppleScript.
author: Alejandro Ortuno, oscd.community
date: 2020/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md
date: 2020/10/21
modified: 2021/11/27
logsource:
category: process_creation
product: macos
@@ -1,11 +1,12 @@
title: Decode Base64 Encoded Text
id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
status: experimental
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
date: 2020/10/19
modified: 2021/11/27
logsource:
category: process_creation
product: macos
@@ -19,4 +20,4 @@ falsepositives:
level: low
tags:
- attack.defense_evasion
- attack.t1027
- attack.t1027
@@ -1,33 +1,32 @@
title: 'Binary Padding'
id: 95361ce5-c891-4b0a-87ca-e24607884a96
status: experimental
status: test
description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
# For this rule to work you must enable audit of process execution in OpenBSM, see
# https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020/10/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
date: 2020/10/19
modified: 2021/11/27
logsource:
product: macos
category: process_creation
product: macos
category: process_creation
detection:
selection1:
Image|endswith:
- '/truncate'
CommandLine|contains:
- '-s'
selection2:
Image|endswith:
- '/dd'
CommandLine|contains:
- 'if='
filter:
CommandLine|contains: 'of='
condition: selection1 or (selection2 and not filter)
selection1:
Image|endswith:
- '/truncate'
CommandLine|contains:
- '-s'
selection2:
Image|endswith:
- '/dd'
CommandLine|contains:
- 'if='
filter:
CommandLine|contains: 'of='
condition: selection1 or (selection2 and not filter)
falsepositives:
- 'Legitimate script work'
- 'Legitimate script work'
level: high
tags:
- attack.defense_evasion
- attack.t1027.001
- attack.defense_evasion
- attack.t1027.001
@@ -1,29 +1,28 @@
title: 'File Time Attribute Change'
id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
status: experimental
status: test
description: 'Detect file time attribute change to hide new or changes to existing files.'
# For this rule to work you must enable audit of process execution in OpenBSM, see
# https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020/10/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
date: 2020/10/19
modified: 2021/11/27
logsource:
product: macos
category: process_creation
product: macos
category: process_creation
detection:
selection1:
Image|endswith: '/touch'
selection2:
CommandLine|contains:
- '-t'
- '-acmr'
- '-d'
- '-r'
condition: selection1 and selection2
selection1:
Image|endswith: '/touch'
selection2:
CommandLine|contains:
- '-t'
- '-acmr'
- '-d'
- '-r'
condition: selection1 and selection2
falsepositives:
- 'Unknown'
- 'Unknown'
level: medium
tags:
- attack.defense_evasion
- attack.t1070.006
- attack.defense_evasion
- attack.t1070.006
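Review bot: `CommandLine|contains` with `'-t'`, `'-d'` and `'-r'` is a substring match, so a harmless `touch build-test.log` or `touch /srv/data-dir/flag` satisfies selection2 through the file name alone and the rule alerts at `level: medium`. Anchor the options with surrounding spaces, `' -t '`, `' -d '`, `' -r '`, `' -acmr '`, or use a `|re` with a word boundary. Note also that `'-acmr'` only covers that exact flag ordering; `-r` already catches the reference-file form, so the combined entry adds little.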
@@ -1,11 +1,12 @@
title: Creation Of A Local User Account
id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731
status: experimental
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
author: Alejandro Ortuno, oscd.community
date: 2020/10/06
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
date: 2020/10/06
modified: 2021/11/27
logsource:
category: process_creation
product: macos
@@ -20,6 +21,6 @@ falsepositives:
- Legitimate administration activities
level: low
tags:
- attack.t1136 # an old one
- attack.t1136.001
- attack.persistence
- attack.t1136 # an old one
- attack.t1136.001
- attack.persistence
@@ -1,11 +1,12 @@
title: Hidden User Creation
id: b22a5b36-2431-493a-8be1-0bae56c28ef3
status: experimental
status: test
description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/10
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md
date: 2020/10/10
modified: 2021/11/27
logsource:
category: process_creation
product: macos
@@ -23,11 +24,10 @@ detection:
- 'true'
- 'yes'
- '1'
condition: dscl_create and id_below_500 or
dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
condition: dscl_create and id_below_500 or dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
falsepositives:
- Legitimate administration activities
level: medium
tags:
- attack.defense_evasion
- attack.t1564.002
- attack.t1564.002
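Review bot: The collapsed condition `dscl_create and id_below_500 or dscl_create and (...)` relies on `and` binding tighter than `or`, which is correct in Sigma but easy to misread now that it is on one line; the equivalent `condition: dscl_create and (id_below_500 or (ishidden_option_declaration and ishidden_option_confirmation))` makes the shared `dscl_create` factor explicit. The selections themselves are outside this hunk, so I cannot comment on the `id_below_500` match.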
@@ -1,29 +1,30 @@
title: Credentials from Password Stores - Keychain
id: b120b587-a4c2-4b94-875d-99c9807d6955
status: experimental
status: test
description: Detects passwords dumps from Keychain
author: Tim Ismilyaev, oscd.community, Florian Roth
date: 2020/10/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
- https://gist.github.com/Capybara/6228955
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
- https://gist.github.com/Capybara/6228955
date: 2020/10/19
modified: 2021/11/27
logsource:
category: process_creation
product: macos
category: process_creation
product: macos
detection:
selection1:
Image: '/usr/bin/security'
CommandLine|contains:
- 'find-certificate'
- ' export '
selection2:
CommandLine|contains:
- ' dump-keychain '
- ' login-keychain '
condition: 1 of them
selection1:
Image: '/usr/bin/security'
CommandLine|contains:
- 'find-certificate'
- ' export '
selection2:
CommandLine|contains:
- ' dump-keychain '
- ' login-keychain '
condition: 1 of them
falsepositives:
- Legitimate administration activities
- Legitimate administration activities
level: medium
tags:
- attack.credential_access
- attack.t1555.001
- attack.credential_access
- attack.t1555.001
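Review bot: `selection2` has no `Image: '/usr/bin/security'` binding, unlike `selection1`, so `' dump-keychain '` or `' login-keychain '` anywhere in any process's command line triggers the rule; add the same `Image` line to `selection2` for consistency. Within `selection1`, `find-certificate` is a frequently used benign subcommand and `login-keychain` merely prints the keychain path, so `falsepositives: Legitimate administration activities` will be hit often at `level: medium` — a comment stating which subcommands actually expose secrets (`dump-keychain -d`, `export` with a private key) would help tune it.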
@@ -1,11 +1,12 @@
title: Disable Security Tools
id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
status: experimental
status: test
description: Detects disabling security tools
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
date: 2020/10/19
modified: 2021/11/27
logsource:
category: process_creation
product: macos
@@ -39,4 +40,4 @@ falsepositives:
level: medium
tags:
- attack.defense_evasion
- attack.t1562.001
- attack.t1562.001
@@ -1,11 +1,12 @@
title: File and Directory Discovery
id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
status: experimental
status: test
description: Detects usage of system utilities to discover files and directories
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
date: 2020/10/19
modified: 2021/11/27
logsource:
category: process_creation
product: macos
@@ -28,4 +29,4 @@ falsepositives:
level: informational
tags:
- attack.discovery
- attack.t1083
- attack.t1083
@@ -1,28 +1,27 @@
title: 'Credentials In Files'
id: 53b1b378-9b06-4992-b972-dde6e423d2b4
status: experimental
status: test
description: 'Detecting attempts to extract passwords with grep and laZagne'
# For this rule to work you must enable audit of process execution in OpenBSM, see
# https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020/10/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
date: 2020/10/19
modified: 2021/11/27
logsource:
product: macos
category: process_creation
product: macos
category: process_creation
detection:
selection1:
Image|endswith:
- '/grep'
CommandLine|contains:
- 'password'
selection2:
CommandLine|contains: 'laZagne'
condition: selection1 or selection2
selection1:
Image|endswith:
- '/grep'
CommandLine|contains:
- 'password'
selection2:
CommandLine|contains: 'laZagne'
condition: selection1 or selection2
falsepositives:
- 'Unknown'
- 'Unknown'
level: high
tags:
- attack.credential_access
- attack.t1552.001
- attack.credential_access
- attack.t1552.001
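Review bot: `selection1` fires on any grep invocation whose command line contains `password`, which is routine for developers and administrators searching source or configuration files, yet the rule is `level: high` with `falsepositives: 'Unknown'`. At minimum the falsepositives entry should name that activity, e.g. `- 'Administrators or developers searching configuration or source files for password strings'`, and the level deserves a second look; the `laZagne` selection is the high-confidence half of this rule and could justify a higher level on its own if the two were split.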
@@ -1,11 +1,12 @@
title: Local System Accounts Discovery
id: ddf36b67-e872-4507-ab2e-46bda21b842c
status: experimental
status: test
description: Detects enumeration of local systeam accounts on MacOS
author: Alejandro Ortuno, oscd.community
date: 2020/10/08
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
date: 2020/10/08
modified: 2021/11/27
logsource:
category: process_creation
product: macos
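Review bot: The description on the new side still reads `Detects enumeration of local systeam accounts on MacOS` — `systeam` is a typo for `system`, and since this commit already rewrites the header it is the right place to fix it: `description: Detects enumeration of local system accounts on MacOS`. The Linux counterpart with id b45e3d6f-42c6-47d8-a478-df6bd6cf534c later on this page carries the same typo (`Detects enumeration of local systeam accounts`). The detection block of this rule is outside the hunk.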
@@ -1,11 +1,12 @@
title: Local Groups Discovery
id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276
status: experimental
status: test
description: Detects enumeration of local system groups
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020/10/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
date: 2020/10/11
modified: 2021/11/27
logsource:
category: process_creation
product: macos
@@ -1,11 +1,12 @@
title: MacOS Network Service Scanning
id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f
status: experimental
status: test
description: Detects enumeration of local or remote network services.
author: Alejandro Ortuno, oscd.community
date: 2020/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
date: 2020/10/21
modified: 2021/11/27
logsource:
category: process_creation
product: macos
@@ -20,7 +21,7 @@ detection:
- '/telnet'
filter:
CommandLine|contains: 'l'
condition: (selection_1 and not filter) or selection_2
condition: (selection_1 and not filter) or selection_2
falsepositives:
- Legitimate administration activities
level: low
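Review bot: The `filter` in the second hunk excludes every event whose CommandLine contains the single character `l`, which is nearly every command line, so `selection_1 and not filter` will almost never match. If the intent is to exclude a listen-mode switch, match the option rather than the letter, e.g. `CommandLine|contains: ' -l'`, and add a comment above the filter stating what it is meant to exclude. `selection_1` and `selection_2` are defined outside the hunk, so I cannot confirm which tools they cover.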
@@ -1,11 +1,12 @@
title: Network Sniffing
id: adc9bcc4-c39c-4f6b-a711-1884017bf043
status: experimental
status: test
description: Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
author: Alejandro Ortuno, oscd.community
date: 2020/10/14
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
date: 2020/10/14
modified: 2021/11/27
logsource:
category: process_creation
product: macos
@@ -1,11 +1,12 @@
title: Macos Remote System Discovery
id: 10227522-8429-47e6-a301-f2b2d014e7ad
status: experimental
status: test
description: Detects the enumeration of other remote systems.
author: Alejandro Ortuno, oscd.community
date: 2020/10/22
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
date: 2020/10/22
modified: 2021/11/27
logsource:
category: process_creation
product: macos
@@ -1,11 +1,12 @@
title: Scheduled Cron Task/Job
id: 7c3b43d8-d794-47d2-800a-d277715aa460
status: experimental
status: test
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
author: Alejandro Ortuno, oscd.community
date: 2020/10/06
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
date: 2020/10/06
modified: 2021/11/27
logsource:
category: process_creation
product: macos
@@ -17,10 +18,10 @@ detection:
- '/tmp/'
condition: selection
falsepositives:
- Legitimate administration activities
- Legitimate administration activities
level: medium
tags:
- attack.execution
- attack.persistence
- attack.privilege_escalation
- attack.t1053.003
- attack.execution
- attack.persistence
- attack.privilege_escalation
- attack.t1053.003
@@ -1,22 +1,23 @@
title: Screen Capture - macOS
id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
status: experimental
status: test
description: Detects attempts to use screencapture to collect macOS screenshots
author: remotephone, oscd.community
date: 2020/10/13
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
- https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
- https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py
date: 2020/10/13
modified: 2021/11/27
logsource:
product: macos
category: process_creation
product: macos
category: process_creation
detection:
selection:
Image: '/usr/sbin/screencapture'
condition: selection
selection:
Image: '/usr/sbin/screencapture'
condition: selection
falsepositives:
- Legitimate user activity taking screenshots
- Legitimate user activity taking screenshots
level: low
tags:
- attack.collection
- attack.t1113
- attack.collection
- attack.t1113
@@ -1,11 +1,12 @@
title: Security Software Discovery
id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
status: experimental
status: test
description: Detects usage of system utilities (only grep for now) to discover security software discovery
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
date: 2020/10/19
modified: 2021/11/27
logsource:
category: process_creation
product: macos
@@ -29,11 +30,10 @@ detection:
CommandLine|contains|all:
- 'Little'
- 'Snitch'
condition: grep_execution and security_services_and_processes or
grep_execution and little_snitch_process
condition: grep_execution and security_services_and_processes or grep_execution and little_snitch_process
falsepositives:
- Legitimate activities
level: medium
tags:
- attack.discovery
- attack.t1518.001
- attack.t1518.001
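Review bot: The collapsed condition `grep_execution and security_services_and_processes or grep_execution and little_snitch_process` relies on `and` binding tighter than `or`; factoring it as `condition: grep_execution and (security_services_and_processes or little_snitch_process)` states the intent directly and removes the repeated term. The description `Detects usage of system utilities (only grep for now) to discover security software discovery` also repeats itself — `Detects usage of system utilities (only grep for now) to discover security software` is enough, and the Linux rule with id c9d8b7fd-78e4-44fe-88f6-599135d46d60 has the same description. The selections referenced by the condition start outside the hunk.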
@@ -1,23 +1,22 @@
title: 'Split A File Into Pieces'
id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12
status: experimental
status: test
description: 'Detection use of the command "split" to split files into parts and possible transfer.'
# For this rule to work you must enable audit of process execution in OpenBSM, see link
# https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020/10/15
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
date: 2020/10/15
modified: 2021/11/27
logsource:
product: macos
category: process_creation
product: macos
category: process_creation
detection:
selection:
Image|endswith: '/split'
condition: selection
selection:
Image|endswith: '/split'
condition: selection
falsepositives:
- 'Legitimate administrative activity'
- 'Legitimate administrative activity'
level: low
tags:
- attack.exfiltration
- attack.t1030
- attack.exfiltration
- attack.t1030
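Review bot: The description `Detection use of the command "split" to split files into parts and possible transfer.` is ungrammatical; `description: 'Detects use of the "split" command to split files into parts, possibly in preparation for transfer.'` says the same thing cleanly. Since the selection is only `Image|endswith: '/split'`, every invocation of split will alert, which the `level: low` and the administrative-activity falsepositive already acknowledge.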
@@ -1,33 +1,29 @@
title: 'Suspicious History File Operations'
id: 508a9374-ad52-4789-b568-fc358def2c65
status: experimental
status: test
description: 'Detects commandline operations on shell history files'
# Rule detects presence of various shell history files in process commandline
# Normally user expected to view own history with dedicated 'history' command and not some other tools
# There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
# For this rule to work you must enable audit of process execution in OpenBSM, see
# https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
author: 'Mikhail Larin, oscd.community'
date: 2020/10/17
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
date: 2020/10/17
modified: 2021/11/27
logsource:
product: macos
category: process_creation
product: macos
category: process_creation
detection:
selection:
CommandLine|contains:
- '.bash_history'
- '.zsh_history'
- '.zhistory'
- '.history'
- '.sh_history'
- 'fish_history'
condition: selection
selection:
CommandLine|contains:
- '.bash_history'
- '.zsh_history'
- '.zhistory'
- '.history'
- '.sh_history'
- 'fish_history'
condition: selection
falsepositives:
- 'Legitimate administrative activity'
- 'Ligitimate software, cleaning hist file'
- 'Legitimate administrative activity'
- 'Ligitimate software, cleaning hist file'
level: medium
tags:
- attack.credential_access
- attack.t1552.003
- attack.credential_access
- attack.t1552.003
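Review bot: The second falsepositives entry is carried across with a spelling error, `Ligitimate software, cleaning hist file`; write it as `- 'Legitimate software cleaning the history file'`. The header comment likewise has `techinuque` for `technique`, and it states that the rule can fire when T1070.003 (history clearing) is used while the tags list only `attack.t1552.003` — if that overlap is intended, adding `- attack.t1070.003` under tags would make it visible to consumers of the rule.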
@@ -1,11 +1,12 @@
title: System Network Connections Discovery
id: 9a7a0393-2144-4626-9bf1-7c2f5a7321db
status: experimental
status: test
description: Detects usage of system utilities to discover system network connections
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
date: 2020/10/19
modified: 2021/11/27
logsource:
category: process_creation
product: macos
@@ -23,4 +24,4 @@ falsepositives:
level: informational
tags:
- attack.discovery
- attack.t1049
- attack.t1049
@@ -1,32 +1,33 @@
title: System Network Discovery - macOS
id: 58800443-f9fc-4d55-ae0c-98a3966dfb97
status: experimental
status: test
description: Detects enumeration of local network configuration
author: remotephone, oscd.community
date: 2020/10/06
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
date: 2020/10/06
modified: 2021/11/27
logsource:
product: macos
category: process_creation
product: macos
category: process_creation
detection:
selection1:
Image:
- '/usr/sbin/netstat'
- '/sbin/ifconfig'
- '/usr/sbin/ipconfig'
- '/usr/libexec/ApplicationFirewall/socketfilterfw'
- '/usr/sbin/networksetup'
- '/usr/sbin/arp'
selection2:
Image: '/usr/bin/defaults'
CommandLine|contains|all:
- 'read'
- '/Library/Preferences/com.apple.alf'
condition: selection1 or selection2
selection1:
Image:
- '/usr/sbin/netstat'
- '/sbin/ifconfig'
- '/usr/sbin/ipconfig'
- '/usr/libexec/ApplicationFirewall/socketfilterfw'
- '/usr/sbin/networksetup'
- '/usr/sbin/arp'
selection2:
Image: '/usr/bin/defaults'
CommandLine|contains|all:
- 'read'
- '/Library/Preferences/com.apple.alf'
condition: selection1 or selection2
falsepositives:
- Legitimate administration activities
- Legitimate administration activities
level: informational
tags:
- attack.discovery
- attack.t1016
- attack.discovery
- attack.t1016
@@ -1,26 +1,25 @@
title: 'System Shutdown/Reboot'
id: 40b1fbe2-18ea-4ee7-be47-0294285811de
status: experimental
status: test
description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
# For this rule to work you must enable audit of process execution in OpenBSM, see
# https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020/10/19
references:
- hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
- hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
date: 2020/10/19
modified: 2021/11/27
logsource:
product: macos
category: process_creation
product: macos
category: process_creation
detection:
selection:
Image|endswith:
- '/shutdown'
- '/reboot'
- '/halt'
condition: selection
selection:
Image|endswith:
- '/shutdown'
- '/reboot'
- '/halt'
condition: selection
falsepositives:
- 'Legitimate administrative activity'
- 'Legitimate administrative activity'
level: informational
tags:
- attack.impact
- attack.t1529
- attack.impact
- attack.t1529
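Review bot: The reference URL on the new side is still `hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md` — the doubled `h` makes the scheme invalid, so the link is dead. Correct it to `- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md`; this commit re-indents exactly that line, so it is the right place to fix it.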
@@ -1,18 +1,19 @@
title: Gatekeeper Bypass via Xattr
id: f5141b6d-9f42-41c6-a7bf-2a780678b29b
status: experimental
status: test
description: Detects macOS Gatekeeper bypass via xattr utility
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md
date: 2020/10/19
modified: 2021/11/27
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/xattr'
CommandLine|contains|all:
CommandLine|contains|all:
- '-r'
- 'com.apple.quarantine'
condition: selection
@@ -21,4 +22,4 @@ falsepositives:
level: low
tags:
- attack.defense_evasion
- attack.t1553.001
- attack.t1553.001
@@ -1,21 +1,22 @@
title: SSHD Error Message CVE-2018-15473
id: 4c9d903d-4939-4094-ade0-3cb748f4d7da
status: experimental
status: test
description: Detects exploitation attempt using public exploit code for CVE-2018-15473
author: Florian Roth
date: 2017/08/24
references:
- https://github.com/Rhynorater/CVE-2018-15473-Exploit
- https://github.com/Rhynorater/CVE-2018-15473-Exploit
date: 2017/08/24
modified: 2021/11/27
logsource:
product: linux
service: sshd
product: linux
service: sshd
detection:
keywords:
- 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
condition: keywords
keywords:
- 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
condition: keywords
falsepositives:
- Unknown
- Unknown
level: medium
tags:
- attack.reconnaissance
- attack.t1589
- attack.reconnaissance
- attack.t1589
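Review bot: The single keyword pins the exact byte counts `1907` and `308`, which presumably come from the referenced PoC, so a differently sized malformed packet would produce other numbers and slip past the rule. If the message format is stable, a wildcarded form such as `- 'error: buffer_get_ret: trying to get more bytes * than in buffer * [preauth]'` keeps the distinctive error text while dropping the payload-specific sizes (the VSFTPD rule on this page already uses `*` inside a keyword this way). A comment explaining where the numbers came from would help either way.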
@@ -1,24 +1,25 @@
title: Failed Logins with Different Accounts from Single Source System
id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
status: experimental
status: test
description: Detects suspicious failed logins with different user accounts from a single source system
author: Florian Roth
date: 2017/02/16
modified: 2021/11/27
logsource:
product: linux
service: auth
product: linux
service: auth
detection:
selection:
pam_message: authentication failure
pam_user: '*'
pam_rhost: '*'
timeframe: 24h
condition: selection | count(pam_user) by pam_rhost > 3
selection:
pam_message: authentication failure
pam_user: '*'
pam_rhost: '*'
timeframe: 24h
condition: selection | count(pam_user) by pam_rhost > 3
falsepositives:
- Terminal servers
- Jump servers
- Workstations with frequently changing users
- Terminal servers
- Jump servers
- Workstations with frequently changing users
level: medium
tags:
- attack.credential_access
- attack.t1110
- attack.credential_access
- attack.t1110
@@ -1,21 +1,22 @@
title: Guacamole Two Users Sharing Session Anomaly
id: 1edd77db-0669-4fef-9598-165bda82826d
status: experimental
status: test
description: Detects suspicious session with two users present
author: Florian Roth
date: 2020/07/03
references:
- https://research.checkpoint.com/2020/apache-guacamole-rce/
- https://research.checkpoint.com/2020/apache-guacamole-rce/
date: 2020/07/03
modified: 2021/11/27
logsource:
product: linux
service: guacamole
product: linux
service: guacamole
detection:
selection:
- '(2 users now present)'
condition: selection
selection:
- '(2 users now present)'
condition: selection
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.credential_access
- attack.t1212
- attack.credential_access
- attack.t1212
@@ -1,23 +1,24 @@
title: Suspicious Named Error
id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365
status: experimental
status: test
description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
author: Florian Roth
date: 2018/02/20
references:
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
date: 2018/02/20
modified: 2021/11/27
logsource:
product: linux
service: syslog
product: linux
service: syslog
detection:
keywords:
- '* dropping source port zero packet from *'
- '* denied AXFR from *'
- '* exiting (due to fatal error)*'
condition: keywords
keywords:
- '* dropping source port zero packet from *'
- '* denied AXFR from *'
- '* exiting (due to fatal error)*'
condition: keywords
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.initial_access
- attack.t1190
- attack.initial_access
- attack.t1190
@@ -1,33 +1,33 @@
title: Suspicious OpenSSH Daemon Error
id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
status: experimental
status: test
description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
author: Florian Roth
date: 2017/06/30
modified: 2020/05/15
references:
- https://github.com/openssh/openssh-portable/blob/master/ssherr.c
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
- https://github.com/openssh/openssh-portable/blob/master/ssherr.c
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
date: 2017/06/30
modified: 2021/11/27
logsource:
product: linux
service: sshd
product: linux
service: sshd
detection:
keywords:
- '*unexpected internal error*'
- '*unknown or unsupported key type*'
- '*invalid certificate signing key*'
- '*invalid elliptic curve value*'
- '*incorrect signature*'
- '*error in libcrypto*'
- '*unexpected bytes remain after decoding*'
- '*fatal: buffer_get_string: bad string*'
- '*Local: crc32 compensation attack*'
- '*bad client public DH value*'
- '*Corrupted MAC on input*'
condition: keywords
keywords:
- '*unexpected internal error*'
- '*unknown or unsupported key type*'
- '*invalid certificate signing key*'
- '*invalid elliptic curve value*'
- '*incorrect signature*'
- '*error in libcrypto*'
- '*unexpected bytes remain after decoding*'
- '*fatal: buffer_get_string: bad string*'
- '*Local: crc32 compensation attack*'
- '*bad client public DH value*'
- '*Corrupted MAC on input*'
condition: keywords
falsepositives:
- Unknown
- Unknown
level: medium
tags:
- attack.initial_access
- attack.t1190
- attack.initial_access
- attack.t1190
@@ -1,37 +1,38 @@
title: Suspicious VSFTPD Error Messages
id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
status: experimental
status: test
description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
author: Florian Roth
date: 2017/07/05
references:
- https://github.com/dagwieers/vsftpd/
- https://github.com/dagwieers/vsftpd/
date: 2017/07/05
modified: 2021/11/27
logsource:
product: linux
service: vsftpd
product: linux
service: vsftpd
detection:
keywords:
- 'Connection refused: too many sessions for this address.'
- 'Connection refused: tcp_wrappers denial.'
- 'Bad HTTP verb.'
- 'port and pasv both active'
- 'pasv and port both active'
- 'Transfer done (but failed to open directory).'
- 'Could not set file modification time.'
- 'bug: pid active in ptrace_sandbox_free'
- 'PTRACE_SETOPTIONS failure'
- 'weird status:'
- "couldn't handle sandbox event"
- 'syscall * out of bounds'
- 'syscall not permitted:'
- 'syscall validate failed:'
- 'Input line too long.'
- 'poor buffer accounting in str_netfd_alloc'
- 'vsf_sysutil_read_loop'
condition: keywords
keywords:
- 'Connection refused: too many sessions for this address.'
- 'Connection refused: tcp_wrappers denial.'
- 'Bad HTTP verb.'
- 'port and pasv both active'
- 'pasv and port both active'
- 'Transfer done (but failed to open directory).'
- 'Could not set file modification time.'
- 'bug: pid active in ptrace_sandbox_free'
- 'PTRACE_SETOPTIONS failure'
- 'weird status:'
- "couldn't handle sandbox event"
- 'syscall * out of bounds'
- 'syscall not permitted:'
- 'syscall validate failed:'
- 'Input line too long.'
- 'poor buffer accounting in str_netfd_alloc'
- 'vsf_sysutil_read_loop'
condition: keywords
falsepositives:
- Unknown
- Unknown
level: medium
tags:
- attack.initial_access
- attack.t1190
- attack.initial_access
- attack.t1190
@@ -1,11 +1,12 @@
title: Decode Base64 Encoded Text
id: e2072cab-8c9a-459b-b63c-40ae79e27031
status: experimental
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
date: 2020/10/19
modified: 2021/11/27
logsource:
category: process_creation
product: linux
@@ -19,4 +20,4 @@ falsepositives:
level: low
tags:
- attack.defense_evasion
- attack.t1027
- attack.t1027
@@ -1,11 +1,12 @@
title: File and Directory Discovery
id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
status: experimental
status: test
description: Detects usage of system utilities to discover files and directories
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
date: 2020/10/19
modified: 2021/11/27
logsource:
category: process_creation
product: linux
@@ -26,4 +27,4 @@ falsepositives:
level: informational
tags:
- attack.discovery
- attack.t1083
- attack.t1083
@@ -1,23 +1,24 @@
title: Install Root Certificate
id: 78a80655-a51e-4669-bc6b-e9d206a462ee
status: test
description: Detects installed new certificate
status: experimental
author: Ömer Günal, oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
date: 2020/10/05
tags:
- attack.defense_evasion
- attack.t1553.004
level: low
modified: 2021/11/27
logsource:
product: linux
category: process_creation
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/update-ca-certificates'
- '/update-ca-trust'
condition: selection
selection:
Image|endswith:
- '/update-ca-certificates'
- '/update-ca-trust'
condition: selection
falsepositives:
- Legitimate administration activities
- Legitimate administration activities
level: low
tags:
- attack.defense_evasion
- attack.t1553.004
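Review bot: The description `Detects installed new certificate` reads awkwardly and undersells the scope; `description: Detects installation of a new CA certificate via update-ca-certificates or update-ca-trust` matches the two binaries the selection checks. Both tools are typically also invoked by package managers during routine updates, so if that holds for the target fleet, naming it in falsepositives (e.g. `- Package updates of the ca-certificates bundle`) would save analysts a lookup.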
@@ -1,11 +1,12 @@
title: Local System Accounts Discovery
id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
status: experimental
status: test
description: Detects enumeration of local systeam accounts
author: Alejandro Ortuno, oscd.community
date: 2020/10/08
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
date: 2020/10/08
modified: 2021/11/27
logsource:
category: process_creation
product: linux
@@ -1,11 +1,12 @@
title: Local Groups Discovery
id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
status: experimental
status: test
description: Detects enumeration of local system groups
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020/10/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
date: 2020/10/11
modified: 2021/11/27
logsource:
category: process_creation
product: linux
@@ -1,11 +1,12 @@
title: Linux Remote System Discovery
id: 11063ec2-de63-4153-935e-b1a8b9e616f1
status: experimental
status: test
description: Detects the enumeration of other remote systems.
author: Alejandro Ortuno, oscd.community
date: 2020/10/22
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
date: 2020/10/22
modified: 2021/11/27
logsource:
category: process_creation
product: linux
@@ -1,11 +1,12 @@
title: Scheduled Cron Task/Job
id: 6b14bac8-3e3a-4324-8109-42f0546a347f
status: experimental
status: test
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
author: Alejandro Ortuno, oscd.community
date: 2020/10/06
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
date: 2020/10/06
modified: 2021/11/27
logsource:
category: process_creation
product: linux
@@ -17,10 +18,10 @@ detection:
- '/tmp/'
condition: selection
falsepositives:
- Legitimate administration activities
- Legitimate administration activities
level: medium
tags:
- attack.execution
- attack.persistence
- attack.privilege_escalation
- attack.t1053.003
- attack.execution
- attack.persistence
- attack.privilege_escalation
- attack.t1053.003
@@ -1,11 +1,12 @@
title: Security Software Discovery
id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
status: experimental
status: test
description: Detects usage of system utilities (only grep for now) to discover security software discovery
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
date: 2020/10/19
modified: 2021/11/27
logsource:
category: process_creation
product: linux
@@ -13,7 +14,7 @@ detection:
grep_execution:
Image|endswith: '/grep'
security_services_and_processes:
CommandLine|contains:
CommandLine|contains:
- 'nessusd' # nessus vulnerability scanner
- 'td-agent' # fluentd log shipper
- 'packetbeat' # elastic network logger/shipper
@@ -28,4 +29,4 @@ falsepositives:
level: low
tags:
- attack.discovery
- attack.t1518.001
- attack.t1518.001
@@ -1,17 +1,18 @@
title: System Network Connections Discovery
id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
status: experimental
status: test
description: Detects usage of system utilities to discover system network connections
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
date: 2020/10/19
modified: 2021/11/27
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
Image|endswith:
- '/who'
- '/w'
- '/last'
@@ -23,4 +24,4 @@ falsepositives:
level: low
tags:
- attack.discovery
- attack.t1049
- attack.t1049
@@ -1,32 +1,33 @@
title: System Network Discovery - Linux
id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
status: experimental
status: test
description: Detects enumeration of local network configuration
author: Ömer Günal and remotephone, oscd.community
date: 2020/10/06
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
date: 2020/10/06
modified: 2021/11/27
logsource:
category: process_creation
product: linux
category: process_creation
product: linux
detection:
selection1:
Image|endswith:
- '/firewall-cmd'
- '/ufw'
- '/iptables'
- '/netstat'
- '/ss'
- '/ip'
- '/ifconfig'
- '/systemd-resolve'
- '/route'
selection2:
CommandLine|contains: '/etc/resolv.conf'
condition: selection1 or selection2
selection1:
Image|endswith:
- '/firewall-cmd'
- '/ufw'
- '/iptables'
- '/netstat'
- '/ss'
- '/ip'
- '/ifconfig'
- '/systemd-resolve'
- '/route'
selection2:
CommandLine|contains: '/etc/resolv.conf'
condition: selection1 or selection2
falsepositives:
- Legitimate administration activities
- Legitimate administration activities
level: informational
tags:
- attack.discovery
- attack.t1016
- attack.discovery
- attack.t1016
@@ -1,29 +1,29 @@
title: Cisco Clear Logs
id: ceb407f6-8277-439b-951f-e4210e3ed956
status: experimental
status: test
description: Clear command history in network OS which is used for defense evasion
author: Austin Clark
date: 2019/08/12
modified: 2020/09/02
modified: 2021/11/27
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
product: cisco
service: aaa
category: accounting
detection:
keywords:
- 'clear logging'
- 'clear archive'
condition: keywords
keywords:
- 'clear logging'
- 'clear archive'
condition: keywords
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
falsepositives:
- Legitimate administrators may run these commands
- Legitimate administrators may run these commands
level: high
tags:
- attack.defense_evasion
- attack.t1146 # an old one
- attack.t1070.003
- attack.defense_evasion
- attack.t1146 # an old one
- attack.t1070.003
@@ -1,37 +1,37 @@
title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: experimental
status: test
description: Collect pertinent data from the configuration files
author: Austin Clark
date: 2019/08/11
modified: 2020/09/02
modified: 2021/11/27
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
product: cisco
service: aaa
category: accounting
detection:
keywords:
- 'show running-config'
- 'show startup-config'
- 'show archive config'
- 'more'
condition: keywords
keywords:
- 'show running-config'
- 'show startup-config'
- 'show archive config'
- 'more'
condition: keywords
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
falsepositives:
- Commonly run by administrators
- Commonly run by administrators
level: low
tags:
- attack.discovery
- attack.credential_access
- attack.collection
- attack.t1087 # an old one
- attack.t1087.001
- attack.t1003 # an old one
- attack.t1081 # an old one
- attack.t1552.001
- attack.t1005
- attack.discovery
- attack.credential_access
- attack.collection
- attack.t1087 # an old one
- attack.t1087.001
- attack.t1003 # an old one
- attack.t1081 # an old one
- attack.t1552.001
- attack.t1005
@@ -1,32 +1,33 @@
title: Cisco Crypto Commands
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
status: experimental
status: test
description: Show when private keys are being exported from the device, or when new certificates are installed
author: Austin Clark
date: 2019/08/12
modified: 2021/11/27
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
product: cisco
service: aaa
category: accounting
detection:
keywords:
- 'crypto pki export'
- 'crypto pki import'
- 'crypto pki trustpoint'
condition: keywords
keywords:
- 'crypto pki export'
- 'crypto pki import'
- 'crypto pki trustpoint'
condition: keywords
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
falsepositives:
- Not commonly run by administrators. Also whitelist your known good certificates
- Not commonly run by administrators. Also whitelist your known good certificates
level: high
tags:
- attack.credential_access
- attack.defense_evasion
- attack.t1130 # an old one
- attack.t1553.004
- attack.t1145 # an old one
- attack.t1552.004
- attack.credential_access
- attack.defense_evasion
- attack.t1130 # an old one
- attack.t1553.004
- attack.t1145 # an old one
- attack.t1552.004
@@ -1,28 +1,29 @@
title: Cisco Disabling Logging
id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
status: experimental
status: test
description: Turn off logging locally or remote
author: Austin Clark
date: 2019/08/11
modified: 2021/11/27
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
product: cisco
service: aaa
category: accounting
detection:
keywords:
- 'no logging'
- 'no aaa new-model'
condition: keywords
keywords:
- 'no logging'
- 'no aaa new-model'
condition: keywords
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1089 # an old one
- attack.t1562.001
- attack.defense_evasion
- attack.t1089 # an old one
- attack.t1562.001
@@ -1,44 +1,45 @@
title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: experimental
status: test
description: Find information about network devices that is not stored in config files
author: Austin Clark
date: 2019/08/12
modified: 2021/11/27
logsource:
product: cisco
service: aaa
category: accounting
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
product: cisco
service: aaa
category: accounting
detection:
keywords:
- 'dir'
- 'show processes'
- 'show arp'
- 'show cdp'
- 'show version'
- 'show ip route'
- 'show ip interface'
- 'show ip sockets'
- 'show users'
- 'show ssh'
- 'show clock'
condition: keywords
keywords:
- 'dir'
- 'show processes'
- 'show arp'
- 'show cdp'
- 'show version'
- 'show ip route'
- 'show ip interface'
- 'show ip sockets'
- 'show users'
- 'show ssh'
- 'show clock'
condition: keywords
fields:
- src
- CmdSet
- User
- Privilege_Level
- Remote_Address
falsepositives:
- Commonly used by administrators for troubleshooting
- Commonly used by administrators for troubleshooting
level: low
tags:
- attack.discovery
- attack.t1083
- attack.t1201
- attack.t1057
- attack.t1018
- attack.t1082
- attack.t1016
- attack.t1049
- attack.t1033
- attack.t1124
- attack.discovery
- attack.t1083
- attack.t1201
- attack.t1057
- attack.t1018
- attack.t1082
- attack.t1016
- attack.t1049
- attack.t1033
- attack.t1124
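Review bot: The keyword `'dir'` on the new side is a three-character substring, and since Sigma keyword lists are matched contains-anywhere it will also fire on any accounting record whose command contains that trigram (for example `redirect`), which makes even the `low` level optimistic for a rule meant to spot a specific listing command. The other entries are at least two tokens long and do not have this problem. Consider anchoring the entry to the command form the rule intends, e.g. `- 'dir '` with a trailing space or `- 'dir flash'`, or state in falsepositives that substring hits on this keyword are expected.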
@@ -1,28 +1,28 @@
title: Cisco Denial of Service
id: d94a35f0-7a29-45f6-90a0-80df6159967c
status: experimental
status: test
description: Detect a system being shutdown or put into different boot mode
author: Austin Clark
date: 2019/08/15
modified: 2020/09/02
modified: 2021/11/27
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
product: cisco
service: aaa
category: accounting
detection:
keywords:
- 'shutdown'
- 'config-register 0x2100'
- 'config-register 0x2142'
condition: keywords
keywords:
- 'shutdown'
- 'config-register 0x2100'
- 'config-register 0x2142'
condition: keywords
fields:
- CmdSet
falsepositives:
- Legitimate administrators may run these commands, though rarely.
- Legitimate administrators may run these commands, though rarely.
level: medium
tags:
- attack.impact
- attack.t1495
- attack.t1529
- attack.t1492 # an old one
- attack.t1565.001
- attack.impact
- attack.t1495
- attack.t1529
- attack.t1492 # an old one
- attack.t1565.001
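Review bot: The keyword `'shutdown'` matches the routine IOS interface-disable command as well as a device power-off, so an administrator taking a single port down trips a rule described as detecting a system being shut down. As far as I know the IOS command to reboot the device itself is `reload`, which is not in the list. Consider adding `- 'reload'`, either dropping `'shutdown'` or qualifying it, and extending falsepositives to mention interface maintenance.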
@@ -1,30 +1,31 @@
title: Cisco File Deletion
id: 71d65515-c436-43c0-841b-236b1f32c21e
status: experimental
status: test
description: See what files are being deleted from flash file systems
author: Austin Clark
date: 2019/08/12
modified: 2021/11/27
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
product: cisco
service: aaa
category: accounting
detection:
keywords:
- 'erase'
- 'delete'
- 'format'
condition: keywords
keywords:
- 'erase'
- 'delete'
- 'format'
condition: keywords
fields:
- CmdSet
falsepositives:
- Will be used sometimes by admins to clean up local flash space
- Will be used sometimes by admins to clean up local flash space
level: medium
tags:
- attack.defense_evasion
- attack.impact
- attack.t1107 # an old one
- attack.t1070.004
- attack.t1488 # an old one
- attack.t1561.001
- attack.t1487 # an old one
- attack.t1561.002
- attack.defense_evasion
- attack.impact
- attack.t1107 # an old one
- attack.t1070.004
- attack.t1488 # an old one
- attack.t1561.001
- attack.t1487 # an old one
- attack.t1561.002
@@ -1,27 +1,26 @@
title: Cisco Show Commands Input
id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
status: experimental
status: test
description: See what commands are being input into the device by other people, full credentials can be in the history
author: Austin Clark
date: 2019/08/11
modified: 2020/09/02
modified: 2021/11/27
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
product: cisco
service: aaa
category: accounting
detection:
keywords:
- 'show history'
- 'show history all'
- 'show logging'
condition: keywords
keywords:
- 'show history'
- 'show history all'
- 'show logging'
condition: keywords
fields:
- CmdSet
falsepositives:
- Not commonly run by administrators, especially if remote logging is configured
- Not commonly run by administrators, especially if remote logging is configured
level: medium
tags:
- attack.credential_access
- attack.t1139 # an old one
- attack.t1552.003
- attack.credential_access
- attack.t1139 # an old one
- attack.t1552.003
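Review bot: `'show history all'` is redundant with the preceding `'show history'`: keyword matching is substring-based, so the shorter entry already covers every event the longer one would. Keeping both adds a line to maintain without widening coverage. Drop `- 'show history all'`, or if the two are kept on purpose for readability, say so in a comment above the list.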
@@ -1,26 +1,26 @@
title: Cisco Local Accounts
id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
status: experimental
status: test
description: Find local accounts being created or modified as well as remote authentication configurations
author: Austin Clark
date: 2019/08/12
modified: 2020/09/02
modified: 2021/11/27
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
product: cisco
service: aaa
category: accounting
detection:
keywords:
- 'username'
- 'aaa'
condition: keywords
keywords:
- 'username'
- 'aaa'
condition: keywords
fields:
- CmdSet
falsepositives:
- When remote authentication is in place, this should not change often
- When remote authentication is in place, this should not change often
level: high
tags:
- attack.persistence
- attack.t1136 # an old one
- attack.t1136.001
- attack.t1098
- attack.persistence
- attack.t1136 # an old one
- attack.t1136.001
- attack.t1098
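Review bot: The keyword `'aaa'` is a three-letter substring that will hit any accounting record containing it, including read-only `show aaa ...` queries and possibly the record format itself given the logsource is `service: aaa`; paired with the bare `'username'` this reads as a broad audit rather than a `high` severity alert. Consider listing the configuration forms the description targets instead, e.g. `- 'username '`, `- 'aaa new-model'`, `- 'aaa authentication'`, or add a filter that excludes `show` commands. Whether the accounting lines embed the literal service name is something I cannot tell from the rule alone and is worth checking against sample logs.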
@@ -1,36 +1,36 @@
title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: experimental
status: test
description: Modifications to a config that will serve an adversary's impacts or persistence
author: Austin Clark
date: 2019/08/12
modified: 2020/09/02
modified: 2021/11/27
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
product: cisco
service: aaa
category: accounting
detection:
keywords:
- 'ip http server'
- 'ip https server'
- 'kron policy-list'
- 'kron occurrence'
- 'policy-list'
- 'access-list'
- 'ip access-group'
- 'archive maximum'
condition: keywords
keywords:
- 'ip http server'
- 'ip https server'
- 'kron policy-list'
- 'kron occurrence'
- 'policy-list'
- 'access-list'
- 'ip access-group'
- 'archive maximum'
condition: keywords
fields:
- CmdSet
falsepositives:
- Legitimate administrators may run these commands
- Legitimate administrators may run these commands
level: medium
tags:
- attack.persistence
- attack.impact
- attack.t1490
- attack.t1505
- attack.t1493 # an old one
- attack.t1565.002
- attack.t1168 # an old one
- attack.t1053
- attack.persistence
- attack.impact
- attack.t1490
- attack.t1505
- attack.t1493 # an old one
- attack.t1565.002
- attack.t1168 # an old one
- attack.t1053
@@ -1,34 +1,34 @@
title: Cisco Stage Data
id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
status: experimental
status: test
description: Various protocols maybe used to put data on the device for exfil or infil
author: Austin Clark
date: 2019/08/12
modified: 2020/09/02
modified: 2021/11/27
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
product: cisco
service: aaa
category: accounting
detection:
keywords:
- 'tftp'
- 'rcp'
- 'puts'
- 'copy'
- 'configure replace'
- 'archive tar'
condition: keywords
keywords:
- 'tftp'
- 'rcp'
- 'puts'
- 'copy'
- 'configure replace'
- 'archive tar'
condition: keywords
fields:
- CmdSet
falsepositives:
- Generally used to copy configs or IOS images
- Generally used to copy configs or IOS images
level: low
tags:
- attack.collection
- attack.lateral_movement
- attack.command_and_control
- attack.exfiltration
- attack.t1074
- attack.t1105
- attack.t1002 # an old one
- attack.t1560.001
- attack.collection
- attack.lateral_movement
- attack.command_and_control
- attack.exfiltration
- attack.t1074
- attack.t1105
- attack.t1002 # an old one
- attack.t1560.001
@@ -1,25 +1,26 @@
title: Cisco Sniffing
id: b9e1f193-d236-4451-aaae-2f3d2102120d
status: experimental
status: test
description: Show when a monitor or a span/rspan is setup or modified
author: Austin Clark
date: 2019/08/11
modified: 2021/11/27
logsource:
product: cisco
service: aaa
category: accounting
fields:
- CmdSet
product: cisco
service: aaa
category: accounting
detection:
keywords:
- 'monitor capture point'
- 'set span'
- 'set rspan'
condition: keywords
keywords:
- 'monitor capture point'
- 'set span'
- 'set rspan'
condition: keywords
fields:
- CmdSet
falsepositives:
- Admins may setup new or modify old spans, or use a monitor for troubleshooting
- Admins may setup new or modify old spans, or use a monitor for troubleshooting
level: medium
tags:
- attack.credential_access
- attack.discovery
- attack.t1040
- attack.credential_access
- attack.discovery
- attack.t1040
@@ -1,28 +1,29 @@
title: Equation Group C2 Communication
id: 881834a4-6659-4773-821e-1c151789d873
status: test
description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
status: experimental
author: Florian Roth
date: 2017/04/15
references:
- https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
- https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
date: 2017/04/15
modified: 2021/11/27
logsource:
category: firewall
category: firewall
detection:
outgoing:
dst_ip:
- '69.42.98.86'
- '89.185.234.145'
incoming:
src_ip:
- '69.42.98.86'
- '89.185.234.145'
condition: 1 of them
outgoing:
dst_ip:
- '69.42.98.86'
- '89.185.234.145'
incoming:
src_ip:
- '69.42.98.86'
- '89.185.234.145'
condition: 1 of them
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.command_and_control
- attack.g0020
- attack.t1041
- attack.command_and_control
- attack.g0020
- attack.t1041
@@ -1,27 +1,26 @@
title: Possible DNS Tunneling
id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e
status: experimental
description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain,
which can be an indicator that DNS is used to transfer data.
status: test
description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.
author: Patrick Bareiss
date: 2019/04/07
modified: 2020/08/27
references:
- https://zeltser.com/c2-dns-tunneling/
- https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
- https://zeltser.com/c2-dns-tunneling/
- https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
date: 2019/04/07
modified: 2021/11/27
logsource:
category: dns
category: dns
detection:
selection:
parent_domain: '*'
condition: selection | count(dns_query) by parent_domain > 1000
selection:
parent_domain: '*'
condition: selection | count(dns_query) by parent_domain > 1000
falsepositives:
- Valid software, which uses dns for transferring data
- Valid software, which uses dns for transferring data
level: high
tags:
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
- attack.exfiltration
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
- attack.exfiltration
- attack.t1048 # an old one
- attack.t1048.003
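Review bot: The aggregation `condition: selection | count(dns_query) by parent_domain > 1000` has no `timeframe:` on the new side, so the 1000-query threshold is evaluated over whatever default window the backend applies, or over all retained data, and the description's "high amount of queries" has no time dimension. The sibling High NULL/TXT rate rules in this commit set an explicit `timeframe: 1m` under detection. Add a window in the same place, for example `timeframe: 1h` (a constructed value to be tuned), so the threshold is meaningful and consistent across the DNS rules.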
@@ -1,24 +1,24 @@
title: High NULL Records Requests Rate
id: 44ae5117-9c44-40cf-9c7c-7edad385ca70
status: experimental
status: test
description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2020/08/27
modified: 2021/11/27
logsource:
category: dns
category: dns
detection:
selection:
record_type: "NULL"
timeframe: 1m
condition: selection | count() by src_ip > 50
selection:
record_type: "NULL"
timeframe: 1m
condition: selection | count() by src_ip > 50
falsepositives:
- Legitimate high DNS NULL requests rate to domain name which should be added to whitelist
- Legitimate high DNS NULL requests rate to domain name which should be added to whitelist
level: medium
tags:
- attack.exfiltration
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
- attack.exfiltration
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
@@ -1,24 +1,24 @@
title: High TXT Records Requests Rate
id: f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35
status: experimental
status: test
description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2020/08/27
modified: 2021/11/27
logsource:
category: dns
category: dns
detection:
selection:
record_type: "TXT"
timeframe: 1m
condition: selection | count() by src_ip > 50
selection:
record_type: "TXT"
timeframe: 1m
condition: selection | count() by src_ip > 50
falsepositives:
- Legitimate high DNS TXT requests rate to domain name which should be added to whitelist
- Legitimate high DNS TXT requests rate to domain name which should be added to whitelist
level: medium
tags:
- attack.exfiltration
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
- attack.exfiltration
- attack.t1048 # an old one
- attack.t1048.003
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
@@ -1,27 +1,27 @@
title: DNS TXT Answer with Possible Execution Strings
id: 8ae51330-899c-4641-8125-e39f2e07da72
status: experimental
status: test
description: Detects strings used in command execution in DNS TXT Answer
author: Markus Neis
date: 2018/08/08
modified: 2020/08/27
references:
- https://twitter.com/stvemillertime/status/1024707932447854592
- https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
- https://twitter.com/stvemillertime/status/1024707932447854592
- https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
date: 2018/08/08
modified: 2021/11/27
logsource:
category: dns
category: dns
detection:
selection:
record_type: 'TXT'
answer|contains:
- 'IEX'
- 'Invoke-Expression'
- 'cmd.exe'
condition: selection
selection:
record_type: 'TXT'
answer|contains:
- 'IEX'
- 'Invoke-Expression'
- 'cmd.exe'
condition: selection
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
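Review bot: `'IEX'` under `answer|contains` is a three-character substring that most Sigma backends match case-insensitively, and legitimate TXT answers (SPF records, DKIM public keys, domain-verification tokens) carry long base64 blobs in which that trigram occurs by chance, which sits uneasily with `level: high` and `falsepositives: Unknown`. Consider tightening it to a form that only appears in code, e.g. `'IEX('` or `'IEX '`, keeping `'Invoke-Expression'` and `'cmd.exe'` as they are, and replacing `Unknown` with a note about base64 collisions in large TXT records.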
@@ -1,26 +1,26 @@
title: Network Scans Count By Destination IP
id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8
status: experimental
status: test
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
date: 2017/02/19
modified: 2020/08/27
modified: 2021/11/27
logsource:
category: firewall
tags:
- attack.discovery
- attack.t1046
category: firewall
detection:
selection:
action: denied
timeframe: 24h
condition: selection | count(dst_ip) by src_ip > 10
falsepositives:
- Inventarization systems
- Vulnerability scans
- Penetration testing activity
level: medium
selection:
action: denied
timeframe: 24h
condition: selection | count(dst_ip) by src_ip > 10
fields:
- src_ip
- dst_ip
- dst_port
- src_ip
- dst_ip
- dst_port
falsepositives:
- Inventarization systems
- Vulnerability scans
- Penetration testing activity
level: medium
tags:
- attack.discovery
- attack.t1046
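Review bot: The description says the rule detects failed attempts to different ports or hosts, but `condition: selection | count(dst_ip) by src_ip > 10` only counts distinct destination hosts, so a vertical scan of many ports on one host never fires even though `dst_port` is listed under fields. Either narrow the description to horizontal host scans or add a second aggregation over `dst_port`. `action: denied` is also a single literal; firewall products name that outcome differently (deny, block, drop), which is normally handled by field mapping but is worth a one-line comment above the selection so users know to map it.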
@@ -1,26 +1,27 @@
title: Wannacry Killswitch Domain
id: 3eaf6218-3bed-4d8a-8707-274096f12a18
status: experimental
status: test
description: Detects wannacry killswitch domain dns queries
references:
- https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html
author: Mike Wade
references:
- https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html
date: 2020/09/16
tags:
- attack.command_and_control
- attack.t1071.001
modified: 2021/11/27
logsource:
category: dns
category: dns
detection:
selection:
query:
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
- 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- ''
condition: selection
selection:
query:
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
- 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- ''
condition: selection
falsepositives:
- Analyst testing
level: high
- Analyst testing
level: high
tags:
- attack.command_and_control
- attack.t1071.001
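Review bot: The last entry of the `query` list on the new side is an empty string, `- ''`, which is not a domain and, depending on the backend, is either silently dropped or becomes a match on an empty or absent query field, potentially firing on every DNS event; the commit reorders the block but keeps it. Remove the `- ''` line. The `.testing` and `.test` variants of the first domain look like test-harness entries rather than observed killswitch domains; if they are intentional, a comment saying so would help maintainers.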
