diff --git a/rules/application/app_python_sql_exceptions.yml b/rules/application/app_python_sql_exceptions.yml index 62868b5be..c69a917af 100644 --- a/rules/application/app_python_sql_exceptions.yml +++ b/rules/application/app_python_sql_exceptions.yml @@ -1,12 +1,10 @@ title: Python SQL Exceptions id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9 +status: stable description: Generic rule for SQL exceptions in Python according to PEP 249 author: Thomas Patzke date: 2017/08/12 modified: 2020/09/01 -tags: - - attack.initial_access - - attack.t1190 references: - https://www.python.org/dev/peps/pep-0249/#exceptions logsource: @@ -23,3 +21,6 @@ falsepositives: - Application bugs - Penetration testing level: medium +tags: + - attack.initial_access + - attack.t1190 \ No newline at end of file diff --git a/rules/application/app_sqlinjection_errors.yml b/rules/application/app_sqlinjection_errors.yml index 1f238c695..2add5d608 100644 --- a/rules/application/app_sqlinjection_errors.yml +++ b/rules/application/app_sqlinjection_errors.yml @@ -5,9 +5,6 @@ description: Detects SQL error messages that indicate probing for an injection a author: Bjoern Kimminich date: 2017/11/27 modified: 2020/09/01 -tags: - - attack.initial_access - - attack.t1190 references: - http://www.sqlinjection.net/errors logsource: @@ -28,3 +25,6 @@ detection: falsepositives: - Application bugs level: high +tags: + - attack.initial_access + - attack.t1190 \ No newline at end of file diff --git a/rules/application/appframework_django_exceptions.yml b/rules/application/appframework_django_exceptions.yml index 6ffdf64f3..bedcfb1d6 100644 --- a/rules/application/appframework_django_exceptions.yml +++ b/rules/application/appframework_django_exceptions.yml 
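Review bot: The second hunk of app_python_sql_exceptions.yml drops the file's trailing newline — the relocated `tags:` block ends with `\ No newline at end of file`, where the old file ended cleanly after `level: medium`. The same defect appears in app_sqlinjection_errors.yml here and in the moved-tags hunks of appframework_django_exceptions, appframework_ruby_on_rails_exceptions, appframework_spring_exceptions, generic_brute_force, lnx_auditd_alter_bash_profile, lnx_auditd_auditing_config_change, lnx_auditd_create_account, lnx_auditd_ld_so_preload_mod, lnx_auditd_logging_config_change, lnx_auditd_masquerading_crond, lnx_auditd_susp_C2_commands, lnx_auditd_susp_cmds, lnx_auditd_web_rce, lnx_data_compressed, lnx_apt_equationgroup_lnx, lnx_chattr_immutable_removal, lnx_dd_delete_file and lnx_file_copy. yamllint's new-line-at-end-of-file check flags this, and the next edit to any of these files will carry a spurious one-line diff; end each file with a single newline after the last tag, e.g. `  - attack.t1190` followed by a newline.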
@@ -1,12 +1,10 @@ title: Django Framework Exceptions id: fd435618-981e-4a7c-81f8-f78ce480d616 +status: stable description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts author: Thomas Patzke date: 2017/08/05 modified: 2020/09/01 -tags: - - attack.initial_access - - attack.t1190 references: - https://docs.djangoproject.com/en/1.11/ref/exceptions/ - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security @@ -34,3 +32,6 @@ falsepositives: - Application bugs - Penetration testing level: medium +tags: + - attack.initial_access + - attack.t1190 \ No newline at end of file diff --git a/rules/application/appframework_ruby_on_rails_exceptions.yml b/rules/application/appframework_ruby_on_rails_exceptions.yml index fcd8876cd..45682035c 100644 --- a/rules/application/appframework_ruby_on_rails_exceptions.yml +++ b/rules/application/appframework_ruby_on_rails_exceptions.yml @@ -1,12 +1,10 @@ title: Ruby on Rails Framework Exceptions id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a +status: stable description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts author: Thomas Patzke date: 2017/08/06 modified: 2020/09/01 -tags: - - attack.initial_access - - attack.t1190 references: - http://edgeguides.rubyonrails.org/security.html - http://guides.rubyonrails.org/action_controller_overview.html @@ -27,3 +25,6 @@ falsepositives: - Application bugs - Penetration testing level: medium +tags: + - attack.initial_access + - attack.t1190 \ No newline at end of file diff --git a/rules/application/appframework_spring_exceptions.yml b/rules/application/appframework_spring_exceptions.yml index c827e640c..df34f0402 100644 --- a/rules/application/appframework_spring_exceptions.yml +++ b/rules/application/appframework_spring_exceptions.yml 
@@ -1,12 +1,10 @@ title: Spring Framework Exceptions id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33 +status: stable description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts author: Thomas Patzke date: 2017/08/06 modified: 2020/09/01 -tags: - - attack.initial_access - - attack.t1190 references: - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html logsource: @@ -26,3 +24,6 @@ falsepositives: - Application bugs - Penetration testing level: medium +tags: + - attack.initial_access + - attack.t1190 \ No newline at end of file diff --git a/rules/apt/apt_silence_downloader_v3.yml b/rules/apt/apt_silence_downloader_v3.yml index 9b729ac57..e46b0c220 100644 --- a/rules/apt/apt_silence_downloader_v3.yml +++ b/rules/apt/apt_silence_downloader_v3.yml @@ -4,16 +4,9 @@ status: experimental description: Detects Silence downloader. These commands are hardcoded into the binary. author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community date: 2019/11/01 -modified: 2020/09/01 +modified: 2019/11/22 tags: - attack.persistence - - attack.t1547.001 - - attack.t1060 # an old one - - attack.discovery - - attack.t1057 - - attack.t1082 - - attack.t1016 - - attack.t1033 - attack.g0091 logsource: category: process_creation diff --git a/rules/apt/apt_silence_eda.yml b/rules/apt/apt_silence_eda.yml index c027197d9..f27167fd0 100644 --- a/rules/apt/apt_silence_eda.yml +++ b/rules/apt/apt_silence_eda.yml @@ -4,17 +4,8 @@ status: experimental description: Detects Silence empireDNSagent author: Alina Stepchenkova, Group-IB, oscd.community date: 2019/11/01 -modified: 2020/09/01 +modified: 2019/11/20 tags: - - attack.execution - - attack.t1059.001 - - attack.t1086 # an old one - - attack.command_and_control - - attack.t1071.004 - - attack.t1071 # an old one - - attack.t1572 - - attack.impact - - attack.t1529 - attack.g0091 - attack.s0363 logsource: 
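Review bot: The apt_silence_downloader_v3.yml hunk rolls `modified:` back from `2020/09/01` to `2019/11/22` and removes the technique tags (`attack.t1547.001`, `attack.t1060`, `attack.discovery`, `attack.t1057`, `attack.t1082`, `attack.t1016`, `attack.t1033`), leaving only `attack.persistence` and `attack.g0091`; apt_silence_eda.yml does the same, keeping only the group and software tags. Nothing in the diff explains the retag, and the backwards date looks more like an older copy of the file overwriting a later ATT&CK sub-technique update than a deliberate change. If the tags are meant to go, `modified:` should move forward rather than back so the change is dated; otherwise the tactic and technique tags should be kept, since ATT&CK coverage mapping for these two rules silently degrades without them.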
diff --git a/rules/cloud/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws_cloudtrail_disable_logging.yml index 75d6fd3ab..c1634de08 100644 --- a/rules/cloud/aws_cloudtrail_disable_logging.yml +++ b/rules/cloud/aws_cloudtrail_disable_logging.yml @@ -1,9 +1,9 @@ title: AWS CloudTrail Important Change id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74 status: experimental +description: Detects disabling, deleting and updating of a Trail author: vitaliy0x1 date: 2020/01/21 -description: Detects disabling, deleting and updating of a Trail references: - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html logsource: @@ -17,9 +17,9 @@ detection: - UpdateTrail - DeleteTrail condition: selection_source AND events -level: medium falsepositives: - Valid change in a Trail +level: medium tags: - attack.defense_evasion - attack.t1562.001 diff --git a/rules/cloud/aws_config_disable_recording.yml b/rules/cloud/aws_config_disable_recording.yml index 00112ffcd..331701dc0 100644 --- a/rules/cloud/aws_config_disable_recording.yml +++ b/rules/cloud/aws_config_disable_recording.yml @@ -1,9 +1,9 @@ title: AWS Config Disabling Channel/Recorder id: 07330162-dba1-4746-8121-a9647d49d297 status: experimental +description: Detects AWS Config Service disabling author: vitaliy0x1 date: 2020/01/21 -description: Detects AWS Config Service disabling logsource: service: cloudtrail detection: @@ -14,9 +14,9 @@ detection: - DeleteDeliveryChannel - StopConfigurationRecorder condition: selection_source AND events -level: high falsepositives: - Valid change in AWS Config Service +level: high tags: - attack.defense_evasion - attack.t1562.001 diff --git a/rules/cloud/aws_ec2_download_userdata.yml b/rules/cloud/aws_ec2_download_userdata.yml index 65ce7d1b2..11daeccb8 100644 --- a/rules/cloud/aws_ec2_download_userdata.yml +++ b/rules/cloud/aws_ec2_download_userdata.yml 
@@ -1,10 +1,10 @@ title: AWS EC2 Download Userdata id: 26ff4080-194e-47e7-9889-ef7602efed0c status: experimental +description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment. author: faloker date: 2020/02/11 modified: 2020/09/01 -description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment. references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24 logsource: @@ -18,9 +18,9 @@ detection: - eventName: DescribeInstanceAttribute timeframe: 30m condition: all of them | count() > 10 -level: medium falsepositives: - Assets management software like device42 +level: medium tags: - attack.exfiltration - attack.t1020 diff --git a/rules/cloud/aws_ec2_startup_script_change.yml b/rules/cloud/aws_ec2_startup_script_change.yml index 8e167c93c..15f39ba44 100644 --- a/rules/cloud/aws_ec2_startup_script_change.yml +++ b/rules/cloud/aws_ec2_startup_script_change.yml @@ -1,10 +1,10 @@ title: AWS EC2 Startup Shell Script Change id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df status: experimental +description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up. author: faloker date: 2020/02/12 modified: 2020/09/01 -description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up. references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9 logsource: 
@@ -17,9 +17,9 @@ detection: selection_eventname: - eventName: ModifyInstanceAttribute condition: all of them -level: high falsepositives: - Valid changes to the startup script +level: high tags: - attack.execution - attack.t1059.001 diff --git a/rules/cloud/aws_ec2_vm_export_failure.yml b/rules/cloud/aws_ec2_vm_export_failure.yml index a6db628c5..4e832c06b 100644 --- a/rules/cloud/aws_ec2_vm_export_failure.yml +++ b/rules/cloud/aws_ec2_vm_export_failure.yml @@ -1,17 +1,10 @@ title: AWS EC2 VM Export Failure id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b status: experimental -description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance. -references: - - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance +description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance. author: Diogo Braz date: 2020/04/16 -tags: - - attack.collection - - attack.t1005 - - attack.exfiltration - - attack.t1537 -level: low +references: https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance logsource: service: cloudtrail detection: @@ -26,3 +19,10 @@ detection: eventName: 'ConsoleLogin' responseElements: '*Failure*' condition: selection and (filter1 or filter2 or filter3) +level: low +tags: +- attack.collection +- attack.t1005 +- attack.exfiltration +- attack.t1537 + diff --git a/rules/cloud/aws_guardduty_disruption.yml b/rules/cloud/aws_guardduty_disruption.yml index 90058c9e3..6d8d2890e 100644 --- a/rules/cloud/aws_guardduty_disruption.yml +++ b/rules/cloud/aws_guardduty_disruption.yml 
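Review bot: In aws_ec2_vm_export_failure.yml `references:` is rewritten from a one-item list to a plain scalar, `references: https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance`, while every other rule in this diff keeps it as a list, so any tooling that iterates references will get a string here instead of a list of URLs. The relocated `tags:` block in the same file is also the only one written with flush sequence indentation (`- attack.collection` at column 0 instead of the two-space indent used elsewhere), and the hunk ends with an added empty line. Restoring the list form (`references:` followed by `  - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance`), indenting the tag items like the other files and dropping the trailing blank line keeps the file consistent. The stray added blank line also shows up in lnx_auditd_susp_C2_commands.yml (before `logsource:`), lnx_auditd_web_rce.yml (after the `references` entry) and lnx_dd_delete_file.yml (before `tags:`).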
@@ -1,9 +1,9 @@ title: AWS GuardDuty Important Change id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3 status: experimental +description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs. author: faloker date: 2020/02/11 -description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs. references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9 logsource: @@ -14,9 +14,9 @@ detection: selection_eventName: - eventName: CreateIPSet condition: all of them -level: high falsepositives: - Valid change in the GuardDuty (e.g. to ignore internal scanners) +level: high tags: - attack.defense_evasion - attack.t1562.001 diff --git a/rules/cloud/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws_iam_backdoor_users_keys.yml index 7693948ed..af87cad91 100644 --- a/rules/cloud/aws_iam_backdoor_users_keys.yml +++ b/rules/cloud/aws_iam_backdoor_users_keys.yml @@ -1,10 +1,10 @@ title: AWS IAM Backdoor Users Keys id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2 status: experimental +description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org. author: faloker date: 2020/02/12 modified: 2020/09/01 -description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org. references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6 logsource: 
@@ -22,10 +22,10 @@ fields: - responseElements.accessKey.userName - errorCode - errorMessage -level: medium falsepositives: - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming) - AWS API keys legitimate exchange workflows +level: medium tags: - attack.persistence - attack.t1098 diff --git a/rules/cloud/aws_rds_change_master_password.yml b/rules/cloud/aws_rds_change_master_password.yml index 429b529b9..1c13de054 100644 --- a/rules/cloud/aws_rds_change_master_password.yml +++ b/rules/cloud/aws_rds_change_master_password.yml @@ -1,10 +1,10 @@ title: AWS RDS Master Password Change id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2 status: experimental +description: Detects the change of database master password. It may be a part of data exfiltration. author: faloker date: 2020/02/12 modified: 2020/09/01 -description: Detects the change of database master password. It may be a part of data exfiltration. references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10 logsource: @@ -17,9 +17,9 @@ detection: selection_eventname: - eventName: ModifyDBInstance condition: all of them -level: medium falsepositives: - Benign changes to a db instance +level: medium tags: - attack.exfiltration - attack.t1020 diff --git a/rules/cloud/aws_rds_public_db_restore.yml b/rules/cloud/aws_rds_public_db_restore.yml index 9e1591eec..d1d818413 100644 --- a/rules/cloud/aws_rds_public_db_restore.yml +++ b/rules/cloud/aws_rds_public_db_restore.yml 
@@ -1,10 +1,10 @@ title: Restore Public AWS RDS Instance id: c3f265c7-ff03-4056-8ab2-d486227b4599 status: experimental +description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration. author: faloker date: 2020/02/12 modified: 2020/09/01 -description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration. references: - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10 logsource: @@ -17,9 +17,9 @@ detection: selection_eventname: - eventName: RestoreDBInstanceFromDBSnapshot condition: all of them -level: high falsepositives: - unknown +level: high tags: - attack.exfiltration - attack.t1020 diff --git a/rules/cloud/aws_root_account_usage.yml b/rules/cloud/aws_root_account_usage.yml index 6d047f135..8702c3a7a 100644 --- a/rules/cloud/aws_root_account_usage.yml +++ b/rules/cloud/aws_root_account_usage.yml @@ -1,10 +1,10 @@ title: AWS Root Credentials id: 8ad1600d-e9dc-4251-b0ee-a65268f29add status: experimental +description: Detects AWS root account usage author: vitaliy0x1 date: 2020/01/21 modified: 2020/09/01 -description: Detects AWS root account usage references: - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html logsource: @@ -15,9 +15,9 @@ detection: selection_eventtype: - eventType: AwsServiceEvent condition: selection_usertype AND NOT selection_eventtype -level: medium falsepositives: - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html +level: medium tags: - attack.privilege_escalation - attack.t1078.004 diff --git a/rules/compliance/cleartext_protocols.yml b/rules/compliance/cleartext_protocols.yml index fe0a367a8..cda779381 100644 --- a/rules/compliance/cleartext_protocols.yml +++ b/rules/compliance/cleartext_protocols.yml 
@@ -1,15 +1,15 @@ action: global title: Cleartext Protocol Usage id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f +status: stable description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access. +author: Alexandr Yampolskyi, SOC Prime +date: 2019/03/26 references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf -author: Alexandr Yampolskyi, SOC Prime -status: stable -date: 2019/03/26 falsepositives: - unknown level: low diff --git a/rules/compliance/default_credentials_usage.yml b/rules/compliance/default_credentials_usage.yml index 0dcac1431..297e16aac 100644 --- a/rules/compliance/default_credentials_usage.yml +++ b/rules/compliance/default_credentials_usage.yml @@ -1,9 +1,9 @@ title: Default Credentials Usage id: 1a395cbc-a84a-463a-9086-ed8a70e573c7 +status: stable description: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. author: Alexandr Yampolskyi, SOC Prime -status: stable references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf diff --git a/rules/compliance/group_modification_logging.yml b/rules/compliance/group_modification_logging.yml index c06eb2887..083cc2b60 100644 --- a/rules/compliance/group_modification_logging.yml +++ b/rules/compliance/group_modification_logging.yml 
@@ -1,11 +1,12 @@ title: Group Modification Logging id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e +status: stable description: "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects\ \ Event ID 4728 indicates a \u2018Member is added to a Security Group\u2019. Event ID 4729 indicates a \u2018Member is removed from a Security enabled-group\u2019\ . Event ID 4730 indicates a\u2018Security Group is deleted\u2019. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2\ \ and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP." author: Alexandr Yampolskyi, SOC Prime -status: stable +date: 2019/03/26 references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf @@ -16,7 +17,6 @@ references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634 -date: 2019/03/26 logsource: product: windows service: security diff --git a/rules/compliance/host_without_firewall.yml b/rules/compliance/host_without_firewall.yml index 527d7ecae..264327142 100644 --- a/rules/compliance/host_without_firewall.yml +++ b/rules/compliance/host_without_firewall.yml 
@@ -1,14 +1,13 @@ title: Host Without Firewall id: 6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9 +status: stable description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. author: Alexandr Yampolskyi, SOC Prime +date: 2019/03/19 references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf -date: 2019/03/19 -status: stable -level: low logsource: product: Qualys detection: @@ -16,6 +15,7 @@ detection: event.category: Security Policy host.scan.vuln_name: Firewall Product Not Detected* condition: selection +level: low tags: - CSC9 - CSC9.4 diff --git a/rules/compliance/workstation_was_locked.yml b/rules/compliance/workstation_was_locked.yml index 6938a14d0..37fd37c90 100644 --- a/rules/compliance/workstation_was_locked.yml +++ b/rules/compliance/workstation_was_locked.yml @@ -1,15 +1,15 @@ title: Locked Workstation id: 411742ad-89b0-49cb-a7b0-3971b5c1e0a4 +status: stable description: Automatically lock workstation sessions after a standard period of inactivity. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019. author: Alexandr Yampolskyi, SOC Prime -status: stable +date: 2019/03/26 references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800 -date: 2019/03/26 logsource: product: windows service: security diff --git a/rules/generic/generic_brute_force.yml b/rules/generic/generic_brute_force.yml index c02246878..6767424a8 100644 --- a/rules/generic/generic_brute_force.yml +++ b/rules/generic/generic_brute_force.yml 
@@ -1,13 +1,10 @@ title: Brute Force id: 53c7cca0-2901-493a-95db-d00d6fcf0a37 +status: experimental description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity -tags: - - attack.credential_access - - attack.t1110 author: Aleksandr Akhremchik, oscd.community date: 2019/10/25 modified: 2020/09/01 -status: experimental logsource: category: authentication detection: @@ -25,3 +22,6 @@ falsepositives: - Vulnerability scanner - Legitimate application level: medium +tags: + - attack.credential_access + - attack.t1110 \ No newline at end of file diff --git a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml index e8bb866a4..ddc0901a3 100644 --- a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml +++ b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml @@ -2,15 +2,10 @@ title: Edit of .bash_profile and .bashrc id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9 status: experimental description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell. +author: Peter Matkovski +date: 2019/05/12 references: - 'MITRE Attack technique T1156; .bash_profile and .bashrc. ' -date: 2019/05/12 -tags: - - attack.s0003 - - attack.t1156 # an old one - - attack.persistence - - attack.t1546.004 -author: Peter Matkovski logsource: product: linux service: auditd @@ -30,3 +25,8 @@ detection: falsepositives: - Admin or User activity level: medium +tags: + - attack.s0003 + - attack.t1156 # an old one + - attack.persistence + - attack.t1546.004 \ No newline at end of file diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml index ef36ca7cb..4fac21234 100644 --- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml +++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml 
@@ -1,20 +1,16 @@ title: Auditing Configuration Changes on Linux Host id: 977ef627-4539-4875-adf4-ed8f780c4922 +status: experimental description: Detect changes in auditd configuration files # Example config for this one (place it at the top of audit.rules) # -w /etc/audit/ -p wa -k etc_modify_auditconfig # -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig # -w /etc/audisp/ -p wa -k etc_modify_audispconfig +author: Mikhail Larin, oscd.community +date: 2019/10/25 references: - https://github.com/Neo23x0/auditd/blob/master/audit.rules - self experience -tags: - - attack.defense_evasion - - attack.t1054 # an old one - - attack.t1562.006 -author: Mikhail Larin, oscd.community -status: experimental -date: 2019/10/25 logsource: product: linux service: auditd @@ -33,3 +29,7 @@ fields: falsepositives: - Legitimate administrative activity level: high +tags: + - attack.defense_evasion + - attack.t1054 # an old one + - attack.t1562.006 \ No newline at end of file diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml index f3ac6df9c..b674ad938 100644 --- a/rules/linux/auditd/lnx_auditd_create_account.yml +++ b/rules/linux/auditd/lnx_auditd_create_account.yml @@ -2,14 +2,10 @@ title: Creation Of An User Account id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512 status: experimental description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system" +author: Marie Euler +date: 2020/05/18 references: - 'MITRE Attack technique T1136; Create Account ' -date: 2020/05/18 -tags: - - attack.t1136 # an old one - - attack.t1136.001 - - attack.persistence -author: Marie Euler logsource: product: linux service: auditd 
@@ -21,3 +17,7 @@ detection: falsepositives: - Admin activity level: medium +tags: + - attack.t1136 # an old one + - attack.t1136.001 + - attack.persistence \ No newline at end of file diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml index 77e2e9b1a..b0ca98ab8 100644 --- a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml +++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml @@ -1,16 +1,13 @@ title: Modification of ld.so.preload id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751 -description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes. status: experimental +description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes. author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community date: 2019/10/24 modified: 2019/11/11 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.yaml - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html -tags: - - attack.defense_evasion - - attack.t1574.006 logsource: product: linux service: auditd @@ -22,3 +19,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1574.006 \ No newline at end of file diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml index 1657563b6..06e93c2e8 100644 --- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml +++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml 
@@ -1,19 +1,15 @@ title: Logging Configuration Changes on Linux Host id: c830f15d-6f6e-430f-8074-6f73d6807841 +status: experimental description: Detect changes of syslog daemons configuration files # Example config for this one (place it at the top of audit.rules) # -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig # -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig # -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig +author: Mikhail Larin, oscd.community +date: 2019/10/25 references: - self experience -tags: - - attack.defense_evasion - - attack.t1054 # an old one - - attack.t1562.006 -author: Mikhail Larin, oscd.community -status: experimental -date: 2019/10/25 logsource: product: linux service: auditd @@ -32,3 +28,7 @@ fields: falsepositives: - Legitimate administrative activity level: high +tags: + - attack.defense_evasion + - attack.t1054 # an old one + - attack.t1562.006 \ No newline at end of file diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml index de7ecdfb6..0dfbfe404 100644 --- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml +++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml @@ -7,9 +7,6 @@ author: Timur Zinniatullin, oscd.community date: 2019/10/21 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml -tags: - - attack.defense_evasion - - attack.t1036.003 logsource: product: linux service: auditd @@ -22,3 +19,6 @@ detection: a3: '*/crond' condition: selection level: medium +tags: + - attack.defense_evasion + - attack.t1036.003 \ No newline at end of file diff --git a/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml index 77971d06a..97eac4429 100644 --- a/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml +++ b/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml 
@@ -2,12 +2,11 @@ title: Suspicious C2 Activities id: f7158a64-6204-4d6d-868a-6e6378b467e0 status: experimental description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132) +author: Marie Euler references: - 'https://github.com/Neo23x0/auditd' date: 2020/05/18 -tags: - - attack.command_and_control -author: Marie Euler + logsource: product: linux service: auditd @@ -19,3 +18,5 @@ detection: falsepositives: - Admin or User activity level: medium +tags: + - attack.command_and_control \ No newline at end of file diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml index 1b18d682c..96bf95add 100644 --- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml +++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml @@ -2,13 +2,10 @@ title: Suspicious Commands Linux id: 1543ae20-cbdf-4ec1-8d12-7664d667a825 status: experimental description: Detects relevant commands often related to malware or hacking activity +author: Florian Roth +date: 2017/12/12 references: - Internal Research - mostly derived from exploit code including code in MSF -tags: - - attack.execution - - attack.t1059.004 -date: 2017/12/12 -author: Florian Roth logsource: product: linux service: auditd @@ -33,3 +30,6 @@ detection: falsepositives: - Admin activity level: medium +tags: + - attack.execution + - attack.t1059.004 \ No newline at end of file diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml index 03f84ba9d..64175ef8a 100644 --- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml 
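Review bot: In lnx_auditd_susp_C2_commands.yml `author: Marie Euler` is moved up under `description:`, but `date: 2020/05/18` is left below `references:`, so this file ends up as the one rule in the diff whose field order departs from the author/date/references sequence the commit applies everywhere else. Moving `date: 2020/05/18` directly under `author: Marie Euler`, and dropping the added empty line before `logsource:`, brings it in line with the other hunks.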
+++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml @@ -2,10 +2,10 @@ title: Program Executions in Suspicious Folders id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc status: experimental description: Detects program executions in suspicious non-program folders related to malware or hacking activity +author: Florian Roth +date: 2018/01/23 references: - Internal Research -date: 2018/01/23 -author: Florian Roth logsource: product: linux service: auditd diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml index bb464b90f..59ae6cd87 100644 --- a/rules/linux/auditd/lnx_auditd_web_rce.yml +++ b/rules/linux/auditd/lnx_auditd_web_rce.yml @@ -2,14 +2,12 @@ title: Webshell Remote Command Execution id: c0d3734d-330f-4a03-aae2-65dacc6a8222 status: experimental description: Detects posible command execution by web application/web shell -tags: - - attack.persistence - - attack.t1505.003 -references: - - personal experience author: Ilyas Ochkov, Beyu Denis, oscd.community date: 2019/10/12 modified: 2019/11/04 +references: + - personal experience + logsource: product: linux service: auditd @@ -23,3 +21,6 @@ falsepositives: - Admin activity - Crazy web applications level: critical +tags: + - attack.persistence + - attack.t1505.003 \ No newline at end of file diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml index 6e3ac9193..5987f9335 100644 --- a/rules/linux/auditd/lnx_data_compressed.yml +++ b/rules/linux/auditd/lnx_data_compressed.yml @@ -7,9 +7,6 @@ date: 2019/10/21 modified: 2019/11/04 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.yaml -tags: - - attack.exfiltration - - attack.t1560.001 logsource: product: linux service: auditd @@ -29,3 +26,6 @@ detection: falsepositives: - Legitimate use of archiving tools by legitimate user level: low +tags: + - attack.exfiltration + - attack.t1560.001 \ No newline at end of file 
diff --git a/rules/linux/lnx_apt_equationgroup_lnx.yml b/rules/linux/lnx_apt_equationgroup_lnx.yml index 73c8489b3..532c619bc 100755 --- a/rules/linux/lnx_apt_equationgroup_lnx.yml +++ b/rules/linux/lnx_apt_equationgroup_lnx.yml @@ -1,14 +1,11 @@ title: Equation Group Indicators id: 41e5c73d-9983-4b69-bd03-e13b67e9623c +status: experimental description: Detects suspicious shell commands used in various Equation Group scripts and tools -references: - - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 -tags: - - attack.execution - - attack.g0020 - - attack.t1059.004 author: Florian Roth date: 2017/04/09 +references: + - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 logsource: product: linux detection: @@ -78,3 +75,7 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.execution + - attack.g0020 + - attack.t1059.004 \ No newline at end of file diff --git a/rules/linux/lnx_buffer_overflows.yml b/rules/linux/lnx_buffer_overflows.yml index 3ed4a8233..f92de840e 100644 --- a/rules/linux/lnx_buffer_overflows.yml +++ b/rules/linux/lnx_buffer_overflows.yml @@ -1,5 +1,6 @@ title: Buffer Overflow Attempts id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781 +status: stable description: Detects buffer overflow attempts in Unix system log files author: Florian Roth date: 2017/03/01 diff --git a/rules/linux/lnx_chattr_immutable_removal.yml b/rules/linux/lnx_chattr_immutable_removal.yml index 069ea56c0..0c3868332 100644 --- a/rules/linux/lnx_chattr_immutable_removal.yml +++ b/rules/linux/lnx_chattr_immutable_removal.yml 
@@ -1,12 +1,11 @@ title: Remove Immutable File Attribute id: a5b977d6-8a81-4475-91b9-49dbfcd941f7 -description: Detects removing immutable file attribute status: experimental -tags: - - attack.defense_evasion - - attack.t1222.002 +description: Detects removing immutable file attribute author: Jakob Weinzettl, oscd.community date: 2019/09/23 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml logsource: product: linux service: auditd @@ -19,5 +18,6 @@ detection: falsepositives: - Administrator interacting with immutable files (for instance backups) level: medium -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml +tags: + - attack.defense_evasion + - attack.t1222.002 \ No newline at end of file diff --git a/rules/linux/lnx_clamav.yml b/rules/linux/lnx_clamav.yml index 5605d012e..cd19a25a4 100644 --- a/rules/linux/lnx_clamav.yml +++ b/rules/linux/lnx_clamav.yml @@ -1,5 +1,6 @@ title: Relevant ClamAV Message id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb +status: stable description: Detects relevant ClamAV messages author: Florian Roth date: 2017/03/01 diff --git a/rules/linux/lnx_dd_delete_file.yml b/rules/linux/lnx_dd_delete_file.yml index b5b74aead..c5a1ed98d 100644 --- a/rules/linux/lnx_dd_delete_file.yml +++ b/rules/linux/lnx_dd_delete_file.yml @@ -1,11 +1,11 @@ title: Overwriting the File with Dev Zero or Null id: 37222991-11e9-4b6d-8bdf-60fbe48f753e -date: 2019/10/23 +status: stable description: Detects overwriting (effectively wiping/deleting) the file author: Jakob Weinzettl, oscd.community -tags: - - attack.impact - - attack.t1485 +date: 2019/10/23 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml logsource: product: linux service: auditd 
@@ -21,5 +21,7 @@ falsepositives: - Appending null bytes to files - Legitimate overwrite of files level: low -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml + +tags: + - attack.impact + - attack.t1485 \ No newline at end of file diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/lnx_file_copy.yml index 5a9d1b320..028476447 100644 --- a/rules/linux/lnx_file_copy.yml +++ b/rules/linux/lnx_file_copy.yml @@ -1,15 +1,11 @@ title: Remote File Copy id: 7a14080d-a048-4de8-ae58-604ce58a795b +status: stable description: Detects the use of tools that copy files from or to remote systems -references: - - https://attack.mitre.org/techniques/T1105/ author: Ömer Günal date: 2020/06/18 -tags: - - attack.command_and_control - - attack.lateral_movement - - attack.t1105 -level: low +references: + - https://attack.mitre.org/techniques/T1105/ logsource: product: linux detection: @@ -25,3 +21,8 @@ detection: condition: keywords falsepositives: - Legitimate administration activities +level: low +tags: + - attack.command_and_control + - attack.lateral_movement + - attack.t1105 \ No newline at end of file diff --git a/rules/linux/lnx_file_or_folder_permissions.yml b/rules/linux/lnx_file_or_folder_permissions.yml index c73c58b86..474ea08f6 100644 --- a/rules/linux/lnx_file_or_folder_permissions.yml +++ b/rules/linux/lnx_file_or_folder_permissions.yml @@ -1,12 +1,11 @@ title: File or Folder Permissions Change -description: Detects id: 74c01ace-0152-4094-8ae2-6fd776dd43e5 status: experimental -tags: - - attack.defense_evasion - - attack.t1222.002 +description: Detects file and folder permission changes author: Jakob Weinzettl, oscd.community date: 2019/09/23 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml logsource: product: linux service: auditd 
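Review bot: The hunk inserts an empty `+` line between `level: low` and `+tags:`, while every other rule in this change places `tags:` directly after `level:`; drop the blank line so the trailer reads `level: low` / `tags:` / `  - attack.impact` / `  - attack.t1485`. The removed `references` block is re-added in the first hunk of this file, so no content is lost.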
@@ -20,5 +19,6 @@ detection: falsepositives: - User interracting with files permissions (normal/daily behaviour) level: low -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml +tags: + - attack.defense_evasion + - attack.t1222.002 \ No newline at end of file diff --git a/rules/linux/lnx_pers_systemd_reload.yml b/rules/linux/lnx_pers_systemd_reload.yml index 0bf77a531..69881a029 100644 --- a/rules/linux/lnx_pers_systemd_reload.yml +++ b/rules/linux/lnx_pers_systemd_reload.yml @@ -1,12 +1,12 @@ title: Systemd Service Reload or Start id: 2625cc59-0634-40d0-821e-cb67382a3dd7 -description: Detects a reload or a start of a service status: experimental -tags: - - attack.persistence - - attack.t1543.002 +description: Detects a reload or a start of a service author: Jakob Weinzettl, oscd.community date: 2019/09/23 +references: + - https://attack.mitre.org/techniques/T1543/002/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.yaml logsource: product: linux service: auditd @@ -22,6 +22,6 @@ falsepositives: - Installation of legitimate service - Legitimate reconfiguration of service level: low -references: - - https://attack.mitre.org/techniques/T1543/002/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.yaml +tags: + - attack.persistence + - attack.t1543.002 \ No newline at end of file diff --git a/rules/linux/lnx_proxy_connection.yml b/rules/linux/lnx_proxy_connection.yml index a8127dcf1..2caeba777 100644 --- a/rules/linux/lnx_proxy_connection.yml +++ b/rules/linux/lnx_proxy_connection.yml 
@@ -1,13 +1,11 @@ title: Connection Proxy id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c +status: experimental description: Detects setting proxy -references: - - https://attack.mitre.org/techniques/T1090/ author: Ömer Günal date: 2020/06/17 -tags: - - attack.defense_evasion -level: low +references: + - https://attack.mitre.org/techniques/T1090/ logsource: product: linux detection: @@ -17,3 +15,6 @@ detection: condition: keyword falsepositives: - Legitimate administration activities +level: low +tags: + - attack.defense_evasion diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index dff7b93da..206c9a490 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml @@ -1,14 +1,12 @@ title: Disabling Security Tools id: e3a8a052-111f-4606-9aee-f28ebeb76776 +status: experimental description: Detects disabling security tools +author: Ömer Günal +date: 2020/06/17 references: - https://attack.mitre.org/techniques/T1089/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md -author: Ömer Günal -date: 2020/06/17 -tags: - - attack.defense_evasion -level: medium logsource: product: linux detection: @@ -31,3 +29,6 @@ detection: condition: keywords falsepositives: - Legitimate administration activities +level: medium +tags: + - attack.defense_evasion \ No newline at end of file diff --git a/rules/linux/lnx_setgid_setuid.yml b/rules/linux/lnx_setgid_setuid.yml index b243d65df..50fda753c 100644 --- a/rules/linux/lnx_setgid_setuid.yml +++ b/rules/linux/lnx_setgid_setuid.yml 
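Review bot: The relocated `tags:` block carries only the tactic `attack.defense_evasion`, while the `references` entry moved in the first hunk points at `https://attack.mitre.org/techniques/T1090/`; the other rules in this change pair the tactic with a technique tag, so `  - attack.t1090` should be added here for consistent ATT&CK mapping. The same tactic-only trailer is introduced in lnx_security_tools_disabling (reference T1089), lnx_setgid_setuid (reference T1166) and lnx_space_after_filename_ (reference T1064); to my knowledge those three technique ids have since been retired in ATT&CK in favour of sub-techniques (T1562.001, T1548.001 and T1059 respectively), so the references and any technique tag added there should be checked against the current matrix rather than copied from the URL.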
@@ -1,14 +1,12 @@ title: Setuid and Setgid id: c21c4eaa-ba2e-419a-92b2-8371703cbe21 +status: experimental description: Detects suspicious change of file privileges with chown and chmod commands +author: Ömer Günal +date: 2020/06/16 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1166/T1166.md - https://attack.mitre.org/techniques/T1166/ -author: Ömer Günal -date: 2020/06/16 -tags: - - attack.persistence -level: low logsource: product: linux detection: @@ -21,3 +19,6 @@ detection: condition: (selection1 and selection2) or (selection1 and selection3) falsepositives: - Legitimate administration activities +level: low +tags: + - attack.persistence diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/lnx_shell_clear_cmd_history.yml index f00443e24..0249d6134 100644 --- a/rules/linux/lnx_shell_clear_cmd_history.yml +++ b/rules/linux/lnx_shell_clear_cmd_history.yml 
@@ -9,13 +9,13 @@ description: Clear command history in linux which is used for defense evasion. # It has two advantages over the version suggested by Patrick Bareiss : # - it is not relative to the exact command used to clear .bash_history : for instance Caldera uses "> .bash_history" to clear the history and this is not one the commands listed here. We can't be exhaustive for all the possibilities ! # - the method suggested by Patrick Bareiss logs all the commands entered directly in a bash shell. therefore it may miss some events (for instance it doesn't log the commands launched from a Caldera agent). Here if .bash_history is cleared, it will always be detected +author: Patrick Bareiss +date: 2019/03/24 +modified: 2020/07/13 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.yaml - https://attack.mitre.org/techniques/T1070/003/ - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics -author: Patrick Bareiss -date: 2019/03/24 -modified: 2020/07/13 logsource: product: linux detection: diff --git a/rules/linux/lnx_shell_priv_esc_prep.yml b/rules/linux/lnx_shell_priv_esc_prep.yml index a07d00610..930f25781 100644 --- a/rules/linux/lnx_shell_priv_esc_prep.yml +++ b/rules/linux/lnx_shell_priv_esc_prep.yml @@ -2,15 +2,11 @@ title: Privilege Escalation Preparation id: 444ade84-c362-4260-b1f3-e45e20e1a905 status: experimental description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation. +author: Patrick Bareiss +date: 2019/04/05 references: - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ - https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/ -author: Patrick Bareiss -date: 2019/04/05 -tags: - - attack.execution - - attack.t1059.004 -level: medium logsource: product: linux detection: 
@@ -68,3 +64,7 @@ detection: condition: keywords | count() by host > 6 falsepositives: - Troubleshooting on Linux Machines +level: medium +tags: + - attack.execution + - attack.t1059.004 diff --git a/rules/linux/lnx_shell_susp_commands.yml b/rules/linux/lnx_shell_susp_commands.yml index 22917c788..f4eecddd2 100644 --- a/rules/linux/lnx_shell_susp_commands.yml +++ b/rules/linux/lnx_shell_susp_commands.yml @@ -1,17 +1,15 @@ title: Suspicious Activity in Shell Commands id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695 +status: experimental description: Detects suspicious shell commands used in various exploit codes (see references) +author: Florian Roth +date: 2017/08/21 +modified: 2019/02/05 references: - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121 - http://pastebin.com/FtygZ1cg - https://artkond.com/2017/03/23/pivoting-guide/ -tags: - - attack.execution - - attack.t1059.004 -author: Florian Roth -date: 2017/08/21 -modified: 2019/02/05 logsource: product: linux detection: @@ -56,3 +54,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.execution + - attack.t1059.004 \ No newline at end of file diff --git a/rules/linux/lnx_shell_susp_log_entries.yml b/rules/linux/lnx_shell_susp_log_entries.yml index 656256bee..55756eff6 100644 --- a/rules/linux/lnx_shell_susp_log_entries.yml +++ b/rules/linux/lnx_shell_susp_log_entries.yml @@ -1,5 +1,6 @@ title: Suspicious Log Entries id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1 +status: experimental description: Detects suspicious log entries in Linux log files author: Florian Roth date: 2017/03/25 diff --git a/rules/linux/lnx_shell_susp_rev_shells.yml b/rules/linux/lnx_shell_susp_rev_shells.yml index 095c6af16..129707573 100644 --- a/rules/linux/lnx_shell_susp_rev_shells.yml +++ b/rules/linux/lnx_shell_susp_rev_shells.yml 
@@ -2,13 +2,10 @@ title: Suspicious Reverse Shell Command Line id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab status: experimental description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell -references: - - https://alamot.github.io/reverse_shells/ -tags: - - attack.execution - - attack.t1059.004 author: Florian Roth date: 2019/04/02 +references: + - https://alamot.github.io/reverse_shells/ logsource: product: linux detection: @@ -42,3 +39,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.execution + - attack.t1059.004 \ No newline at end of file diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/lnx_shellshock.yml index 6e81bc604..59a534cd3 100644 --- a/rules/linux/lnx_shellshock.yml +++ b/rules/linux/lnx_shellshock.yml @@ -1,8 +1,9 @@ title: Shellshock Expression id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e +status: experimental description: Detects shellshock expressions in log files -date: 2017/03/14 author: Florian Roth +date: 2017/03/14 references: - http://rubular.com/r/zxBfjWfFYs logsource: diff --git a/rules/linux/lnx_space_after_filename_.yml b/rules/linux/lnx_space_after_filename_.yml index 07eeb857e..ab1533e62 100644 --- a/rules/linux/lnx_space_after_filename_.yml +++ b/rules/linux/lnx_space_after_filename_.yml @@ -1,12 +1,11 @@ title: Space After Filename id: 879c3015-c88b-4782-93d7-07adf92dbcb7 +status: experimental description: Detects space after filename -references: - - https://attack.mitre.org/techniques/T1064 author: Ömer Günal date: 2020/06/17 -tags: - - attack.execution +references: + - https://attack.mitre.org/techniques/T1064 level: low logsource: product: linux @@ -18,3 +17,5 @@ detection: condition: selection1 and selection2 falsepositives: - Typos +tags: + - attack.execution \ No newline at end of file diff --git a/rules/linux/lnx_ssh_cve_2018_15473.yml b/rules/linux/lnx_ssh_cve_2018_15473.yml index be54cade7..a88aa6715 100644 
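Review bot: In lnx_space_after_filename_.yml the hunk moves `tags` to the end of the file but leaves `level: low` as a context line between `references` and `logsource`, whereas lnx_file_copy, lnx_proxy_connection, lnx_security_tools_disabling and lnx_setgid_setuid in this same change move `level` down next to `tags`. Remove `level: low` from the header and add it before the new `+tags:` block so all rules follow one key order. The trailing underscore in the file name `lnx_space_after_filename_.yml` looks accidental and could be cleaned up in the same rename-friendly commit, though that is outside this hunk.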
--- a/rules/linux/lnx_ssh_cve_2018_15473.yml +++ b/rules/linux/lnx_ssh_cve_2018_15473.yml @@ -1,10 +1,11 @@ title: SSHD Error Message CVE-2018-15473 id: 4c9d903d-4939-4094-ade0-3cb748f4d7da +status: experimental description: Detects exploitation attempt using public exploit code for CVE-2018-15473 -references: - - https://github.com/Rhynorater/CVE-2018-15473-Exploit author: Florian Roth date: 2017/08/24 +references: + - https://github.com/Rhynorater/CVE-2018-15473-Exploit logsource: product: linux service: sshd diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml index f472e028d..ff20897bb 100644 --- a/rules/linux/lnx_sudo_cve_2019_14287.yml +++ b/rules/linux/lnx_sudo_cve_2019_14287.yml @@ -3,22 +3,22 @@ title: Sudo Privilege Escalation CVE-2019-14287 id: f74107df-b6c6-4e80-bf00-4170b658162b status: experimental description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 +author: Florian Roth +date: 2019/10/15 +modified: 2019/10/20 references: - https://www.openwall.com/lists/oss-security/2019/10/14/1 - https://access.redhat.com/security/cve/cve-2019-14287 - https://twitter.com/matthieugarin/status/1183970598210412546 -author: Florian Roth -date: 2019/10/15 -modified: 2019/10/20 -tags: - - attack.privilege_escalation - - attack.t1068 - - attack.t1169 logsource: product: linux falsepositives: - Unlikely level: critical +tags: + - attack.privilege_escalation + - attack.t1068 + - attack.t1169 --- detection: selection_keywords: diff --git a/rules/linux/lnx_susp_failed_logons_single_source.yml b/rules/linux/lnx_susp_failed_logons_single_source.yml index 8a5b02277..1d7f4c45c 100644 --- a/rules/linux/lnx_susp_failed_logons_single_source.yml +++ b/rules/linux/lnx_susp_failed_logons_single_source.yml 
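Review bot: In lnx_ssh_cve_2018_15473.yml the reordered header keeps `date: 2017/08/24` as context, but the rule title and the exploit reference concern CVE-2018-15473, which could not have existed in 2017; the date is presumably copied from another rule and should be corrected to the rule's actual creation date while the header is being touched. The new `+status: experimental` line and the relocated `references` block are otherwise consistent with the sibling rules.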
@@ -1,8 +1,9 @@ title: Failed Logins with Different Accounts from Single Source System id: fc947f8e-ea81-4b14-9a7b-13f888f94e18 +status: experimental +description: Detects suspicious failed logins with different user accounts from a single source system author: Florian Roth date: 2017/02/16 -description: Detects suspicious failed logins with different user accounts from a single source system logsource: product: linux service: auth diff --git a/rules/linux/lnx_susp_guacamole.yml b/rules/linux/lnx_susp_guacamole.yml index a224144a6..3e6b77594 100644 --- a/rules/linux/lnx_susp_guacamole.yml +++ b/rules/linux/lnx_susp_guacamole.yml @@ -1,11 +1,11 @@ title: Guacamole Two Users Sharing Session Anomaly -status: experimental id: 1edd77db-0669-4fef-9598-165bda82826d +status: experimental description: Detects suspicious session with two users present -references: - - https://research.checkpoint.com/2020/apache-guacamole-rce/ author: Florian Roth date: 2020/07/03 +references: + - https://research.checkpoint.com/2020/apache-guacamole-rce/ logsource: product: linux service: guacamole diff --git a/rules/linux/lnx_susp_jexboss.yml b/rules/linux/lnx_susp_jexboss.yml index 4541a98a0..599f6b062 100644 --- a/rules/linux/lnx_susp_jexboss.yml +++ b/rules/linux/lnx_susp_jexboss.yml @@ -1,13 +1,10 @@ title: JexBoss Command Sequence id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae description: Detects suspicious command sequence that JexBoss -references: - - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A -tags: - - attack.execution - - attack.t1059.004 author: Florian Roth date: 2017/08/24 +references: + - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A logsource: product: linux detection: @@ -19,3 +16,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.execution + - attack.t1059.004 \ No newline at end of file diff --git a/rules/linux/lnx_susp_named.yml b/rules/linux/lnx_susp_named.yml index 7d1a67003..2fc43980a 100644 --- a/rules/linux/lnx_susp_named.yml 
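Review bot: lnx_susp_jexboss.yml is the one rule in this batch whose header is fully visible in the hunk (`title`, `id`, `description`) yet receives no `status:` line, while lnx_susp_named, lnx_susp_ssh and lnx_susp_vsftp alongside it all gain `+status: experimental` after `id:`; add the same line here so the field is present on every rule. The untouched `description: Detects suspicious command sequence that JexBoss` is also grammatically incomplete and could be fixed in passing, e.g. `description: Detects suspicious command sequences used by JexBoss`.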
+++ b/rules/linux/lnx_susp_named.yml @@ -2,13 +2,10 @@ title: Suspicious Named Error id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365 status: experimental description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts -references: - - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml -tags: - - attack.initial_access - - attack.t1190 author: Florian Roth date: 2018/02/20 +references: + - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml logsource: product: linux service: syslog @@ -21,3 +18,6 @@ detection: falsepositives: - Unknown level: high +tags: + - attack.initial_access + - attack.t1190 \ No newline at end of file diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/lnx_susp_ssh.yml index d9044d60b..b84992387 100644 --- a/rules/linux/lnx_susp_ssh.yml +++ b/rules/linux/lnx_susp_ssh.yml @@ -1,15 +1,13 @@ title: Suspicious OpenSSH Daemon Error id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc +status: experimental description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts -references: - - https://github.com/openssh/openssh-portable/blob/master/ssherr.c - - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml -tags: - - attack.initial_access - - attack.t1190 author: Florian Roth date: 2017/06/30 modified: 2020/05/15 +references: + - https://github.com/openssh/openssh-portable/blob/master/ssherr.c + - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml logsource: product: linux service: sshd @@ -30,3 +28,6 @@ detection: falsepositives: - Unknown level: medium +tags: + - attack.initial_access + - attack.t1190 \ No newline at end of file diff --git a/rules/linux/lnx_susp_vsftp.yml b/rules/linux/lnx_susp_vsftp.yml index 90de6e767..8476f6190 100644 --- a/rules/linux/lnx_susp_vsftp.yml +++ b/rules/linux/lnx_susp_vsftp.yml 
@@ -1,13 +1,11 @@ title: Suspicious VSFTPD Error Messages id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe +status: experimental description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts -references: - - https://github.com/dagwieers/vsftpd/ -tags: - - attack.initial_access - - attack.t1190 author: Florian Roth date: 2017/07/05 +references: + - https://github.com/dagwieers/vsftpd/ logsource: product: linux service: vsftpd @@ -34,3 +32,6 @@ detection: falsepositives: - Unknown level: medium +tags: + - attack.initial_access + - attack.t1190 \ No newline at end of file diff --git a/rules/linux/modsecurity/modsec_mulitple_blocks.yml b/rules/linux/modsecurity/modsec_mulitple_blocks.yml index 4122f9f16..aa6461ee9 100644 --- a/rules/linux/modsecurity/modsec_mulitple_blocks.yml +++ b/rules/linux/modsecurity/modsec_mulitple_blocks.yml @@ -1,8 +1,9 @@ title: Multiple Modsecurity Blocks id: a06eea10-d932-4aa6-8ba9-186df72c8d23 +status: stable description: Detects multiple blocks by the mod_security module (Web Application Firewall) -date: 2017/02/28 author: Florian Roth +date: 2017/02/28 logsource: product: linux service: modsecurity