From 55eec46932d99c18baf8c0aed86d4bf470ef1f6e Mon Sep 17 00:00:00 2001
From: gamma37
Date: Mon, 18 May 2020 11:25:18 +0200
Subject: [PATCH 1/3] Create a rule for "suspicious activities"
---
 .../auditd/lnx_auditd_susp_C2_commands.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_auditd_susp_C2_commands.yml
diff --git a/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml
new file mode 100644
index 000000000..2ba6f3b70
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml
@@ -0,0 +1,26 @@
+title: Suspicious C2 Activities
+id: f7158a64-6204-4d6d-868a-6e6378b467e0
+status: experimental
+description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.
+ This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap
+ These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following;
+ Application Layer Protocol (T1071)
+ Non-Application Layer Protocol (T1095)
+ Data Encoding (T1132)
+references:
+ - 'https://github.com/Neo23x0/auditd'
+date: 2020/05/18
+tags:
+ - attack.command_and_control
+author: Marie Euler
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ key :
+ - 'susp_activity'
+ condition: selection
+falsepositives:
+ - Admin or User activity
+level: medium
From 71c507d8a95b43e45d435c1e70a51f964655f12c Mon Sep 17 00:00:00 2001
From: gamma37
Date: Mon, 18 May 2020 11:34:53 +0200
Subject: [PATCH 2/3] remove space bedore colon
---
 rules/linux/auditd/lnx_auditd_susp_C2_commands.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml
index 2ba6f3b70..ead90e0b4 100644
--- a/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml
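Review bot: The `selection` under `detection` matches nothing but `key: 'susp_activity'`, so the rule does not itself check for any of the binaries the description lists (wget, curl, nc, ssh, …); it fires on every audit record carrying that key and presumably stays silent on hosts whose auditd configuration does not load the referenced watches with `-k susp_activity`. That coupling to an external ruleset deserves a comment beside the selection, e.g. `# relies on the Neo23x0/auditd watches being loaded with -k susp_activity; no executable names are matched here`. The technique IDs cited in the description are not reflected under `tags`; adding `- attack.t1071`, `- attack.t1095` and `- attack.t1132` next to `attack.command_and_control` would make the ATT&CK mapping machine-readable. Whether a bare key match on tools as routine as `ssh`, `curl` and `wget` warrants `level: medium` is a tuning question the `falsepositives` entry already hints at.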
+++ b/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml @@ -18,7 +18,7 @@ logsource: service: auditd detection: selection: - key : + key: - 'susp_activity' condition: selection falsepositives: From e1a05dfc1cfdb5b0925932a66c43706102ffbccb Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 23 May 2020 16:49:03 +0200 Subject: [PATCH 3/3] Update lnx_auditd_susp_C2_commands.yml --- rules/linux/auditd/lnx_auditd_susp_C2_commands.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml index ead90e0b4..77971d06a 100644 --- a/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml +++ b/rules/linux/auditd/lnx_auditd_susp_C2_commands.yml @@ -1,12 +1,7 @@ title: Suspicious C2 Activities id: f7158a64-6204-4d6d-868a-6e6378b467e0 status: experimental -description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. - This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap - These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; - Application Layer Protocol (T1071) - Non-Application Layer Protocol (T1095) - Data Encoding (T1132) +description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132) references: - 'https://github.com/Neo23x0/auditd' date: 2020/05/18
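Review bot: The rewritten `description` line still reads `by Florian Roth in its 'Best Practice Auditd Configuration'`; it should be `in his`. The same sentence presents the listed commands as what this rule detects, whereas the `selection` (outside this hunk) only matches the `susp_activity` key, so a reader could miss that the named binaries are a property of the referenced auditd ruleset rather than of this rule; suggest ending the line with `. Relies on the referenced auditd ruleset tagging these binaries with -k susp_activity; the rule does not match on executable names itself.`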