Merge pull request #493 from alx1m1k/oscd
[OSCD] rules from Jet CSIRT team
@@ -0,0 +1,26 @@
|
||||
title: Brute Force
|
||||
description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
|
||||
references:
|
||||
- None
|
||||
tags:
|
||||
- attack.t1110
|
||||
author: Aleksandr Akhremchik, oscd.community
|
||||
date: 2019/10/25
|
||||
status: experimental
|
||||
logsource:
|
||||
category: authentication
|
||||
detection:
|
||||
selection:
|
||||
action: failure
|
||||
timeframe: 600s
|
||||
condition: selection | count(category) by dst_ip > 30
|
||||
fields:
|
||||
- src_ip
|
||||
- dst_ip
|
||||
- user
|
||||
falsepositives:
|
||||
- Inventarization
|
||||
- Penetration testing
|
||||
- Vulnerability scanner
|
||||
- Legitimate application
|
||||
level: medium
|
||||
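Review bot: `condition: selection | count(category) by dst_ip > 30` does not count failures: in Sigma's aggregation syntax `count(field)` counts distinct values of that field, so this condition asks for more than 30 different `category` values per destination and will practically never fire; `count() by dst_ip > 30` counts events. The grouping is also only by destination, so failures from every source against a host are added together, while the description promises one source to one destination — a domain controller or VPN gateway will exceed 30 failures in 600s from ordinary users alone, which is what feeds the listed false positives; if the backend supports a single group-by field, `count() by src_ip > 30` is the closer approximation of the stated intent. The description should read `which may indicate Brute Force activity`, and `references: - None` is better omitted than kept as a placeholder entry.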
@@ -0,0 +1,33 @@
|
||||
title: Auditing configuration changes on linux host
|
||||
description: Detect changes if auditd configuration files
|
||||
# Example config for this one (place it at the top of audit.rules)
|
||||
# -w /etc/audit/ -p wa -k etc_modify_auditconfig
|
||||
# -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig
|
||||
# -w /etc/audisp/ -p wa -k etc_modify_audispconfig
|
||||
references:
|
||||
- https://github.com/Neo23x0/auditd/blob/master/audit.rules
|
||||
- self experience
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1054
|
||||
author: Mikhail Larin, oscd.community
|
||||
status: experimental
|
||||
date: 2019/10/25
|
||||
logsource:
|
||||
product: linux
|
||||
service: auditd
|
||||
detection:
|
||||
selection:
|
||||
type: 'SYSCALL'
|
||||
key:
|
||||
- 'etc_modify_auditconfig'
|
||||
- 'etc_modify_libauditconfig'
|
||||
- 'etc_modify_audispconfig'
|
||||
condition: selection
|
||||
fields:
|
||||
- exe
|
||||
- comm
|
||||
- key
|
||||
falsepositives:
|
||||
- Legitimate administrative activity
|
||||
level: high
|
||||
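Review bot: The rule only sees file writes under the watched paths, but the usual way to neuter auditd at runtime is `auditctl -e 0` or `auditctl -D`, which touch no file; the kernel audit subsystem records those as `type=CONFIG_CHANGE` events, so a second selection on `type: 'CONFIG_CHANGE'` (or a sibling rule) would close that gap. The detection is also coupled to site-defined key names — it fires only where the loaded audit.rules uses exactly `etc_modify_auditconfig`, `etc_modify_libauditconfig` and `etc_modify_audispconfig` — so the description should state that prerequisite, e.g. `Requires the watch rules shown in the comment (or equivalent keys) to be loaded`. Also `description: Detect changes if auditd configuration files` should read `Detect changes of auditd configuration files`.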
@@ -0,0 +1,32 @@
|
||||
title: Logging configuration changes on linux host
|
||||
description: Detect changes of syslog daemons configuration files
|
||||
# Example config for this one (place it at the top of audit.rules)
|
||||
# -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
|
||||
# -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
|
||||
# -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
|
||||
references:
|
||||
- self experience
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1054
|
||||
author: Mikhail Larin, oscd.community
|
||||
status: experimental
|
||||
date: 2019/10/25
|
||||
logsource:
|
||||
product: linux
|
||||
service: auditd
|
||||
detection:
|
||||
selection:
|
||||
type: 'SYSCALL'
|
||||
key:
|
||||
- 'etc_modify_syslogconfig'
|
||||
- 'etc_modify_rsyslogconfig'
|
||||
- 'etc_modify_syslogngconfig'
|
||||
condition: selection
|
||||
fields:
|
||||
- exe
|
||||
- comm
|
||||
- key
|
||||
falsepositives:
|
||||
- Legitimate administrative activity
|
||||
level: high
|
||||
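Review bot: The example watch list misses the include directories that rsyslog and syslog-ng read on most distributions, `/etc/rsyslog.d/` and `/etc/syslog-ng/conf.d/`, so a dropped-in snippet that discards messages or redirects the remote target goes unseen while the main file stays untouched; adding `-w /etc/rsyslog.d/ -p wa -k etc_modify_rsyslogconfig` and `-w /etc/syslog-ng/conf.d/ -p wa -k etc_modify_syslogngconfig` lets the existing keys cover them. On systemd hosts `/etc/systemd/journald.conf` (and `journald.conf.d/`) is the equivalent forwarding configuration and is worth a third key. As with the auditd-config rule, the keys are site-defined rather than standard auditd fields, so the description should say the watches must be loaded for the rule to fire.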
@@ -0,0 +1,26 @@
|
||||
title: Narrator's Feedback-Hub Persistence
|
||||
description: Detects abusing Windows 10 Narrator's Feedback-Hub
|
||||
references:
|
||||
- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1060
|
||||
author: Dmitriy Lifanov, oscd.community
|
||||
status: experimental
|
||||
date: 2019/10/25
|
||||
modified: 2019/11/10
|
||||
logsource:
|
||||
product: windows
|
||||
service: sysmon
|
||||
detection:
|
||||
condition: 1 of them
|
||||
selection1:
|
||||
EventID: 12
|
||||
EventType: DeleteValue
|
||||
TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
|
||||
selection2:
|
||||
EventID: 13
|
||||
TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
|
||||
falsepositives:
|
||||
- unknown
|
||||
level: high
|
||||
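Review bot: Sysmon emits EventID 12/13 only for registry paths its configuration includes, so this rule is silent unless the deployed Sysmon config has a `RegistryEvent` include covering the `\Shell\open\command` key (or logs all registry writes); the description should state that prerequisite, e.g. `Requires Sysmon RegistryEvent logging for the Feedback-Hub AppX Shell\open\command key`. The `AppXypsaf9f1qserqevf0sws76dx4k9a5206` identifier comes from the referenced write-up and presumably ties to a specific Feedback-Hub package; note in the description that it should be verified against the Feedback Hub build in the monitored environment. A `fields:` list with `Image`, `User` and `Details` would help triage, since `Details` on EventID 13 carries the value written to `(Default)`.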
@@ -0,0 +1,27 @@
|
||||
title: Regsvr32 network activity
|
||||
description: Detects network connections and DNS queries initiated by Regsvr32.exe
|
||||
references:
|
||||
- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
|
||||
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.defense_evasion
|
||||
- attack.t1117
|
||||
author: Dmitriy Lifanov, oscd.community
|
||||
status: experimental
|
||||
date: 2019/10/25
|
||||
modified: 2019/11/10
|
||||
logsource:
|
||||
product: windows
|
||||
service: sysmon
|
||||
detection:
|
||||
selection:
|
||||
EventID:
|
||||
- 3
|
||||
- 22
|
||||
Image|endswith: '\regsvr32.exe'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- unknown
|
||||
level: high
|
||||
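Review bot: `falsepositives: unknown` under a `level: high` rule is the gap here: regsvr32 registering a DLL from a UNC path opens an SMB connection and would match EventID 3 in this selection, so installers and scripted deployments that do this are a likely benign source — list it, or at least add `DestinationPort` and `DestinationIp` to a `fields:` list so an analyst can separate port-445 traffic from the HTTP fetch the `/i:http://...` scrobj technique produces. The description should also note a limitation: EventID 3 and 22 carry no `OriginalFileName`, so a renamed copy of regsvr32.exe is not matched by `Image|endswith: '\regsvr32.exe'` and needs a process-creation rule to cover it.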