From 638fd7eeabe01565911f11387594ba65c86379fa Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Thu, 22 Oct 2020 10:37:29 +0200
Subject: [PATCH 1/7] Remote system discovery sigma rules for macos and linux
---
 rules/linux/lnx_remote_system_discovery.yml | 27 +++++++++++++++++++
 rules/linux/macos_remote_system_discovery.yml | 27 +++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 rules/linux/lnx_remote_system_discovery.yml
 create mode 100644 rules/linux/macos_remote_system_discovery.yml
diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/lnx_remote_system_discovery.yml
new file mode 100644
index 000000000..67defedf7
--- /dev/null
+++ b/rules/linux/lnx_remote_system_discovery.yml
@@ -0,0 +1,27 @@
+title: Linux Remote System Discovery
+id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_1:
+ ProcessName|endswith:
+ - '/arp'
+ CommandLine|contains|all:
+ - '-a'
+ selection_2:
+ ProcessName|endswith:
+ - '/ping'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.discovery
+ - attack.t1018
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml
new file mode 100644
index 000000000..d1a21338a
--- /dev/null
+++ b/rules/linux/macos_remote_system_discovery.yml
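Review bot: The `id: 11063ec2-de63-4153-935e-b1a8b9e616f1` added here is reused verbatim by the macOS rule in the next hunk, but a Sigma rule id is meant to be unique per rule and the repository's rule tests likely reject duplicate ids, so the macOS file needs its own freshly generated UUID (`id: <new-uuid>`). The macOS rule is also created under `rules/linux/` (`rules/linux/macos_remote_system_discovery.yml`), which from the path alone does not look like the directory intended for `product: macos` rules; confirm where macOS rules live in this tree before merging. As a style point, its `title: Macos Remote System Discovery` would read better as `title: macOS Remote System Discovery`.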
@@ -0,0 +1,27 @@
+title: Macos Remote System Discovery
+id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection_1:
+ ProcessName|endswith:
+ - '/arp'
+ CommandLine|contains|all:
+ - '-a'
+ selection_2:
+ ProcessName|endswith:
+ - '/ping'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.discovery
+ - attack.t1018
From c83d5a3d65dfa708c7e93ccc21ac1cc7f4601975 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Mon, 26 Oct 2020 09:45:13 +0100
Subject: [PATCH 2/7] Added some minor tuning of ip ranges
---
 rules/linux/lnx_remote_system_discovery.yml | 23 ++++++++++++++++++-
 rules/linux/macos_remote_system_discovery.yml | 23 ++++++++++++++++++-
 2 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/lnx_remote_system_discovery.yml
index 67defedf7..96209f7b8 100644
--- a/rules/linux/lnx_remote_system_discovery.yml
+++ b/rules/linux/lnx_remote_system_discovery.yml
@@ -13,11 +13,32 @@ detection:
 selection_1:
 ProcessName|endswith:
 - '/arp'
- CommandLine|contains|all:
+ CommandLine|contains:
 - '-a'
 selection_2:
 ProcessName|endswith:
 - '/ping'
+ CommandLine|contains:
+ - '10.' #10.0.0.0/8
+ - '192.168.' #192.168.0.0/16
+ - '172.16.' #172.16.0.0/12
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.' #127.0.0.0/8
+ - '169.254.' #169.254.0.0/16
 condition: 1 of them
 falsepositives:
 - Legitimate administration activities
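Review bot: In the `@@ -13,11 +13,32 @@` hunk of lnx_remote_system_discovery.yml (PATCH 2/7), the `'127.'` entry added to the `CommandLine|contains` list of `selection_2` matches pings of the loopback range, which is not remote system discovery and is a common source of noise from local health checks and scripts; dropping that entry would tighten the rule without losing the stated intent. The same list is added to the macOS rule in the next hunk and is carried forward by the later patches, so the change applies to both files. The `'169.254.'` link-local entry deserves a mention under `falsepositives`, since routine pings of link-local addresses (for example cloud instance metadata endpoints) will also trigger it. Stylistically, the inline comments are written as `#10.0.0.0/8`; yamllint's comments rule expects a space after the hash, `# 10.0.0.0/8`.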
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml
index d1a21338a..6738c4134 100644
--- a/rules/linux/macos_remote_system_discovery.yml
+++ b/rules/linux/macos_remote_system_discovery.yml
@@ -13,11 +13,32 @@ detection:
 selection_1:
 ProcessName|endswith:
 - '/arp'
- CommandLine|contains|all:
+ CommandLine|contains:
 - '-a'
 selection_2:
 ProcessName|endswith:
 - '/ping'
+ CommandLine|contains:
+ - '10.' #10.0.0.0/8
+ - '192.168.' #192.168.0.0/16
+ - '172.16.' #172.16.0.0/12
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.' #127.0.0.0/8
+ - '169.254.' #169.254.0.0/16
 condition: 1 of them
 falsepositives:
 - Legitimate administration activities
From 80b1a192466e3d45456af1fa9daff01763b73919 Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Wed, 28 Oct 2020 10:16:29 +0100
Subject: [PATCH 3/7] Added the space at the beginning of the IP ranges.
---
 rules/linux/lnx_remote_system_discovery.yml | 40 +++++++++++++++----------
 rules/linux/macos_remote_system_discovery.yml | 40 +++++++++++++++----------
 2 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/lnx_remote_system_discovery.yml
index 96209f7b8..d0c5bbef8 100644
--- a/rules/linux/lnx_remote_system_discovery.yml
+++ b/rules/linux/lnx_remote_system_discovery.yml
@@ -19,26 +19,26 @@ detection:
 ProcessName|endswith:
 - '/ping'
 CommandLine|contains:
- - '10.' #10.0.0.0/8
- - '192.168.' #192.168.0.0/16
- - '172.16.' #172.16.0.0/12
- - '172.17.'
- - '172.18.'
- - '172.19.'
- - '172.20.'
- - '172.21.'
- - '172.22.'
- - '172.23.'
- - '172.24.'
- - '172.25.'
- - '172.26.'
- - '172.27.'
- - '172.28.'
- - '172.29.'
- - '172.30.'
- - '172.31.'
- - '127.' #127.0.0.0/8
- - '169.254.' #169.254.0.0/16
+ - ' 10.' #10.0.0.0/8
+ - ' 192.168.' #192.168.0.0/16
+ - ' 172.16.' #172.16.0.0/12
+ - ' 172.17.'
+ - ' 172.18.'
+ - ' 172.19.'
+ - ' 172.20.'
+ - ' 172.21.'
+ - ' 172.22.'
+ - ' 172.23.'
+ - ' 172.24.'
+ - ' 172.25.'
+ - ' 172.26.'
+ - ' 172.27.'
+ - ' 172.28.'
+ - ' 172.29.'
+ - ' 172.30.'
+ - ' 172.31.'
+ - ' 127.' #127.0.0.0/8
+ - ' 169.254.' #169.254.0.0/16
 condition: 1 of them
 falsepositives:
 - Legitimate administration activities
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml
index 6738c4134..c715313f1 100644
--- a/rules/linux/macos_remote_system_discovery.yml
+++ b/rules/linux/macos_remote_system_discovery.yml
@@ -19,26 +19,26 @@ detection:
 ProcessName|endswith:
 - '/ping'
 CommandLine|contains:
- - '10.' #10.0.0.0/8
- - '192.168.' #192.168.0.0/16
- - '172.16.' #172.16.0.0/12
- - '172.17.'
- - '172.18.'
- - '172.19.'
- - '172.20.'
- - '172.21.'
- - '172.22.'
- - '172.23.'
- - '172.24.'
- - '172.25.'
- - '172.26.'
- - '172.27.'
- - '172.28.'
- - '172.29.'
- - '172.30.'
- - '172.31.'
- - '127.' #127.0.0.0/8
- - '169.254.' #169.254.0.0/16
+ - ' 10.' #10.0.0.0/8
+ - ' 192.168.' #192.168.0.0/16
+ - ' 172.16.' #172.16.0.0/12
+ - ' 172.17.'
+ - ' 172.18.'
+ - ' 172.19.'
+ - ' 172.20.'
+ - ' 172.21.'
+ - ' 172.22.'
+ - ' 172.23.'
+ - ' 172.24.'
+ - ' 172.25.'
+ - ' 172.26.'
+ - ' 172.27.'
+ - ' 172.28.'
+ - ' 172.29.'
+ - ' 172.30.'
+ - ' 172.31.'
+ - ' 127.' #127.0.0.0/8
+ - ' 169.254.' #169.254.0.0/16
 condition: 1 of them
 falsepositives:
 - Legitimate administration activities
From 81f6f24155b146f878bcace7aa29dcc5d56783ab Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Thu, 29 Oct 2020 02:06:20 +0100
Subject: [PATCH 4/7] Update lnx_remote_system_discovery.yml
---
 rules/linux/lnx_remote_system_discovery.yml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/lnx_remote_system_discovery.yml
index d0c5bbef8..b48af1122 100644
--- a/rules/linux/lnx_remote_system_discovery.yml
+++ b/rules/linux/lnx_remote_system_discovery.yml
@@ -11,13 +11,10 @@ logsource:
 product: linux
 detection:
 selection_1:
- ProcessName|endswith:
- - '/arp'
- CommandLine|contains:
- - '-a'
+ ProcessName|endswith: '/arp'
+ CommandLine|contains: '-a'
 selection_2:
- ProcessName|endswith:
- - '/ping'
+ ProcessName|endswith: '/ping'
 CommandLine|contains:
 - ' 10.' #10.0.0.0/8
 - ' 192.168.' #192.168.0.0/16
@@ -42,7 +39,7 @@ detection:
 condition: 1 of them
 falsepositives:
 - Legitimate administration activities
-level: medium
+level: low
 tags:
 - attack.discovery
 - attack.t1018
From 167e9745cd92f4f937b43356c23f5ac66d12b835 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Thu, 29 Oct 2020 02:06:45 +0100
Subject: [PATCH 5/7] Update macos_remote_system_discovery.yml
---
 rules/linux/macos_remote_system_discovery.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml
index c715313f1..daf24f52e 100644
--- a/rules/linux/macos_remote_system_discovery.yml
+++ b/rules/linux/macos_remote_system_discovery.yml
@@ -42,7 +42,7 @@ detection:
 condition: 1 of them
 falsepositives:
 - Legitimate administration activities
-level: medium
+level: low
 tags:
 - attack.discovery
 - attack.t1018
From e3b310438cea36e2c54efee9e5625b20e5ded748 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 2 Nov 2020 22:57:01 +0100
Subject: [PATCH 6/7] Removed ES query tests
---
 .github/workflows/sigma-test.yml | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 8703e1bfd..d451debbd 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -23,18 +23,9 @@ jobs:
 run: |
 python -m pip install --upgrade pip
 pip install -r tools/requirements.txt -r tools/requirements-devel.txt
- wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
- sudo apt install -y apt-transport-https
- echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list
- sudo apt update
- sudo apt install -y elasticsearch
- sudo systemctl start elasticsearch
 - name: Test Sigma Tools and Rules
 run: |
 make test
- - name: Test Generated Elasticsearch Query Strings
- run: |
make test-backend-es-qs
 - name: Test SQL(ite) Backend
 run: |
 make test-backend-sql
From 000c038edeaf3bd74b8fdfce4add774d5e98263d Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Fri, 20 Nov 2020 09:30:43 +0100
Subject: [PATCH 7/7] Retrigger tests
---
 rules/linux/macos_remote_system_discovery.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml
index daf24f52e..6ec947914 100644
--- a/rules/linux/macos_remote_system_discovery.yml
+++ b/rules/linux/macos_remote_system_discovery.yml
@@ -40,7 +40,7 @@ detection:
 - ' 127.' #127.0.0.0/8
 - ' 169.254.' #169.254.0.0/16
 condition: 1 of them
-falsepositives:
+falsepositives:
 - Legitimate administration activities
 level: low
 tags:
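Review bot: Removing the `Test Generated Elasticsearch Query Strings` step in the `@@ -23,18 +23,9 @@` hunk of .github/workflows/sigma-test.yml leaves the Elasticsearch query-string backend with no CI coverage at all, so a regression in that backend would no longer be caught by this workflow. If `make test-backend-es-qs` needs a live Elasticsearch service it cannot reasonably stay, but if the target can run against generated strings without a server (the hunk does not show which), it would be worth keeping that one step while still dropping the six lines that install and start the service. Either way the commit message should record why the coverage is removed, not only that it is. The enclosing job definition starts above the hunk.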