Change status for old rules

2021-11-27 11:33:14 +01:00
parent 6664d6e522
commit 01dc930c17
547 changed files with 11964 additions and 11755 deletions
@@ -1,11 +1,12 @@
 title: Decode Base64 Encoded Text
 id: e2072cab-8c9a-459b-b63c-40ae79e27031
-status: experimental
+status: test
 description: Detects usage of base64 utility to decode arbitrary base64-encoded text
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
@@ -19,4 +20,4 @@ falsepositives:
 level: low
 tags:
  - attack.defense_evasion
-  - attack.t1027
+  - attack.t1027
@@ -1,11 +1,12 @@
 title: File and Directory Discovery
 id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
-status: experimental
+status: test
 description: Detects usage of system utilities to discover files and directories
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
@@ -26,4 +27,4 @@ falsepositives:
 level: informational
 tags:
  - attack.discovery
-  - attack.t1083
+  - attack.t1083
@@ -1,23 +1,24 @@
 title: Install Root Certificate
 id: 78a80655-a51e-4669-bc6b-e9d206a462ee
+status: test
 description: Detects installed new certificate
-status: experimental
 author: Ömer Günal, oscd.community
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
 date: 2020/10/05
-tags:
-    - attack.defense_evasion
-    - attack.t1553.004
-level: low
+modified: 2021/11/27
 logsource:
-    product: linux
-    category: process_creation
+  product: linux
+  category: process_creation
 detection:
-    selection:
-         Image|endswith:
-          - '/update-ca-certificates'
-          - '/update-ca-trust'
-    condition: selection
+  selection:
+    Image|endswith:
+      - '/update-ca-certificates'
+      - '/update-ca-trust'
+  condition: selection
 falsepositives:
-    - Legitimate administration activities
+  - Legitimate administration activities
+level: low
+tags:
+  - attack.defense_evasion
+  - attack.t1553.004
@@ -1,11 +1,12 @@
 title: Local System Accounts Discovery
 id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
-status: experimental
+status: test
 description: Detects enumeration of local systeam accounts
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/08
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+date: 2020/10/08
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
@@ -1,11 +1,12 @@
 title: Local Groups Discovery
 id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
-status: experimental
+status: test
 description: Detects enumeration of local system groups
 author: Ömer Günal, Alejandro Ortuno, oscd.community
-date: 2020/10/11
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+date: 2020/10/11
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
@@ -1,11 +1,12 @@
 title: Linux Remote System Discovery
 id: 11063ec2-de63-4153-935e-b1a8b9e616f1
-status: experimental
+status: test
 description: Detects the enumeration of other remote systems.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/22
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+date: 2020/10/22
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
@@ -1,11 +1,12 @@
 title: Scheduled Cron Task/Job
 id: 6b14bac8-3e3a-4324-8109-42f0546a347f
-status: experimental
+status: test
 description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/06
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+date: 2020/10/06
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
@@ -17,10 +18,10 @@ detection:
      - '/tmp/'
  condition: selection
 falsepositives:
-    - Legitimate administration activities
+  - Legitimate administration activities
 level: medium
 tags:
-    - attack.execution
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1053.003
+  - attack.execution
+  - attack.persistence
+  - attack.privilege_escalation
+  - attack.t1053.003
@@ -1,11 +1,12 @@
 title: Security Software Discovery
 id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
-status: experimental
+status: test
 description: Detects usage of system utilities (only grep for now) to discover security software discovery
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
@@ -13,7 +14,7 @@ detection:
  grep_execution:
    Image|endswith: '/grep'
  security_services_and_processes:
-    CommandLine|contains: 
+    CommandLine|contains:
      - 'nessusd'        # nessus vulnerability scanner
      - 'td-agent'       # fluentd log shipper
      - 'packetbeat'     # elastic network logger/shipper
@@ -28,4 +29,4 @@ falsepositives:
 level: low
 tags:
  - attack.discovery
-  - attack.t1518.001
+  - attack.t1518.001
@@ -1,17 +1,18 @@
 title: System Network Connections Discovery
 id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
-status: experimental
+status: test
 description: Detects usage of system utilities to discover system network connections
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
 detection:
  selection:
-    Image|endswith: 
+    Image|endswith:
      - '/who'
      - '/w'
      - '/last'
@@ -23,4 +24,4 @@ falsepositives:
 level: low
 tags:
  - attack.discovery
-  - attack.t1049
+  - attack.t1049
@@ -1,32 +1,33 @@
 title: System Network Discovery - Linux
 id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
-status: experimental
+status: test
 description: Detects enumeration of local network configuration
 author: Ömer Günal and remotephone, oscd.community
-date: 2020/10/06
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+date: 2020/10/06
+modified: 2021/11/27
 logsource:
-    category: process_creation
-    product: linux
+  category: process_creation
+  product: linux
 detection:
-    selection1:
-        Image|endswith:
-            - '/firewall-cmd'
-            - '/ufw'
-            - '/iptables'
-            - '/netstat'
-            - '/ss'
-            - '/ip'
-            - '/ifconfig'
-            - '/systemd-resolve'
-            - '/route'
-    selection2:
-        CommandLine|contains: '/etc/resolv.conf'
-    condition: selection1 or selection2
+  selection1:
+    Image|endswith:
+      - '/firewall-cmd'
+      - '/ufw'
+      - '/iptables'
+      - '/netstat'
+      - '/ss'
+      - '/ip'
+      - '/ifconfig'
+      - '/systemd-resolve'
+      - '/route'
+  selection2:
+    CommandLine|contains: '/etc/resolv.conf'
+  condition: selection1 or selection2
 falsepositives:
-    - Legitimate administration activities
+  - Legitimate administration activities
 level: informational
 tags:
-    - attack.discovery
-    - attack.t1016
+  - attack.discovery
+  - attack.t1016