From a85c19db173ae6a6aed6b8cbcf5798de046e8691 Mon Sep 17 00:00:00 2001
From: "remotephone@gmail.com"
Date: Tue, 13 Oct 2020 00:39:53 -0500
Subject: [PATCH] updating files to cover broader network discovery logic, renaming alert, adding recommended changes
---
 ...m.yml => lnx_system_network_discovery.yml} | 20 ++++++-------
 .../macos_system_net_disc_firewall_enum.yml | 24 ---------------
 .../linux/macos_system_network_discovery.yml | 30 +++++++++++++++++++
 3 files changed, 40 insertions(+), 34 deletions(-)
 rename rules/linux/{lnx_system_net_disc_firewall_enum.yml => lnx_system_network_discovery.yml} (61%)
 delete mode 100644 rules/linux/macos_system_net_disc_firewall_enum.yml
 create mode 100644 rules/linux/macos_system_network_discovery.yml
diff --git a/rules/linux/lnx_system_net_disc_firewall_enum.yml b/rules/linux/lnx_system_network_discovery.yml
similarity index 61%
rename from rules/linux/lnx_system_net_disc_firewall_enum.yml
rename to rules/linux/lnx_system_network_discovery.yml
index a41bbabd6..35f8da72a 100644
--- a/rules/linux/lnx_system_net_disc_firewall_enum.yml
+++ b/rules/linux/lnx_system_network_discovery.yml
@@ -1,4 +1,4 @@
-title: System Network Discovery - Firewall Enumeration
+title: System Network Discovery - Linux
 id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c
 status: experimental
 description: Detects enumeration of firewall configuration
@@ -11,18 +11,18 @@ logsource:
 product: unix
 detection:
 selection:
- CommandLine|contains:
- # Linux Only
- - 'arp -a'
- - 'ip'
- - 'ss'
- # macOS and Linux
- - 'netstat'
- - 'ifconfig'
+ ProcessName:
+ - '/usr/bin/firewall-cmd'
+ - '/usr/sbin/ufw'
+ - '/usr/sbin/iptables'
+ - '/usr/bin/netstat'
+ - '/usr/bin/ss'
+ - '/usr/sbin/ip'
+ - '/usr/sbin/ifconfig'
 condition: selection
 falsepositives:
 - Legitimate administration activities
 level: low
 tags:
 - attack.discovery
- - attack.t1016
+ - attack.t1016
\ No newline at end of file
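Review bot: `description: Detects enumeration of firewall configuration` is kept as context while the title on the line above changes to `System Network Discovery - Linux`, so the description now understates what the rule matches (the second hunk matches interface, socket and route listing tools as well as firewall front-ends); `description: Detects enumeration of network configuration and firewall rules on Linux hosts` would cover the selection. Separately, `id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c` is also the `id` given to the new macOS rule in this commit (rules/linux/macos_system_network_discovery.yml), and rule ids are expected to be unique, so one of the two rules should receive a fresh UUID.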
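Review bot: The added `ProcessName:` list in the second hunk matches full paths exactly, and the same tools are installed at other paths on common distributions (for example `ss`, `ip` and `netstat` under `/bin` or `/sbin` on Debian-derived systems), so those executions would not match this rule. Matching on the basename with `ProcessName|endswith` keeps the intent while covering the path variants, as in the excerpt below. The `'arp -a'` entry from the removed `CommandLine|contains` list has no replacement here, although the macOS rule in this commit keeps `/usr/sbin/arp`; the excerpt adds `'/arp'` so the two rules stay consistent. The closing `+ - attack.t1016` line only drops the file's trailing newline (`\ No newline at end of file`), which yamllint flags; keeping the newline limits the hunk to the intended change.
```yaml
    selection:
        ProcessName|endswith:
            - '/firewall-cmd'
            - '/ufw'
            - '/iptables'
            - '/netstat'
            - '/ss'
            - '/ip'
            - '/ifconfig'
            - '/arp'
```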
diff --git a/rules/linux/macos_system_net_disc_firewall_enum.yml b/rules/linux/macos_system_net_disc_firewall_enum.yml
deleted file mode 100644
index cf7bd1db9..000000000
--- a/rules/linux/macos_system_net_disc_firewall_enum.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: System Network Discovery - Firewall Enumeration
-id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c
-status: experimental
-description: Detects enumeration of firewall configuration
-author: remotephone, oscd.community
-date: 2020/10/06
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
-logsource:
- product: macos
-detection:
- selection:
- ParentCommandLine|contains:
- - 'netstat'
- - 'ifconfig'
- - 'defaults read /Library/Preferences/com.apple.alf'
- - 'socketfilterfw'
- condition: selection
-falsepositives:
- - Legitimate administration activities
-level: low
-tags:
- - attack.discovery
- - attack.t1016
diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos_system_network_discovery.yml
new file mode 100644
index 000000000..fc24eabad
--- /dev/null
+++ b/rules/linux/macos_system_network_discovery.yml
@@ -0,0 +1,30 @@
+title: System Network Discovery - macOS
+id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c
+status: experimental
+description: Detects enumeration of firewall configuration
+author: remotephone, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ ProcessName:
+ - '/usr/sbin/netstat'
+ - '/sbin/ifconfig'
+ - '/usr/sbin/ipconfig'
+ - '/usr/libexec/ApplicationFirewall/socketfilterfw'
+ - '/usr/sbin/networksetup'
+ - '/usr/sbin/arp'
+ selection2:
+ ProcessName: '/usr/bin/defaults'
+ Commandline|contains: 'read /Library/Preferences/com.apple.alf'
+ condition: selection1 or selection2
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1016
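Review bot: `Commandline|contains` in `selection2` spells the field differently from the `CommandLine` used by the Linux rule this commit rewrites, and backend field mappings are keyed on the exact name, so `selection2` would likely never match and the `defaults read` check would silently be lost; the line should read `CommandLine|contains: 'read /Library/Preferences/com.apple.alf'`. `description: Detects enumeration of firewall configuration` also understates the rule, since `selection1` covers interface, route and network-service enumeration alongside `socketfilterfw`; `description: Detects enumeration of network interfaces, routes and firewall configuration on macOS hosts` would match the selection.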