From cde0020d309c332db1799a848eb5fb9f3676cbb7 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Wed, 7 Oct 2020 22:09:15 -0500 Subject: [PATCH 01/14] T1016 detection rules --- rules/linux/lnx_firewall_enumeration.yml | 30 ++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/linux/lnx_firewall_enumeration.yml diff --git a/rules/linux/lnx_firewall_enumeration.yml b/rules/linux/lnx_firewall_enumeration.yml new file mode 100644 index 000000000..7bb4edf32 --- /dev/null +++ b/rules/linux/lnx_firewall_enumeration.yml @@ -0,0 +1,30 @@ +title: System Network Discovery - Firewall Enumeration +status: experimental +description: Detects enumeration of firewall configuration +author: remotephone, oscd.community +date: 2020/10/06 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md + - https://attack.mitre.org/techniques/T1016 +logsource: + product: unix +detection: + keywords: + # Linux Only + - 'arp -a' + - 'ip' + - 'ss' + # macOS and Linux + - 'netstat' + - 'ifconfig' + # macOS only + - 'defaults read /Library/Preferences/com.apple.alf' + - 'socketfilterfw' + condition: keywords +falsepositives: + - Legitimate administration activities + - Redirecting output of echo command to a path that contains the word "cron" +level: low +tags: + - attack.discovery + - attack.t1016 \ No newline at end of file From 4486c3ffc9093efbea63500a52eee3d3dfe15055 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Wed, 7 Oct 2020 22:11:05 -0500 Subject: [PATCH 02/14] adding new line at end of file --- rules/linux/lnx_firewall_enumeration.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_firewall_enumeration.yml b/rules/linux/lnx_firewall_enumeration.yml index 7bb4edf32..5b503e858 100644 --- a/rules/linux/lnx_firewall_enumeration.yml +++ b/rules/linux/lnx_firewall_enumeration.yml 
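Review bot: The keyword list in this hunk contains the bare substrings `'ip'` and `'ss'`, and because the rule has `product: unix` with no category it is a free-text keyword rule matched against whole log lines, so practically any event mentioning "script", "zip", "ssh" or "less" would fire while the genuinely interesting invocations are buried. Network-configuration discovery is a process-creation observation; anchoring on the executable path (a suffix match such as `'/ip'`, `'/ss'`) or on an argument specific to the tool keeps the selection meaningful. The second `falsepositives` entry, `Redirecting output of echo command to a path that contains the word "cron"`, does not correspond to any keyword in this rule and reads as carried over from a cron rule; I would drop it. It is also worth stating in `falsepositives` that `ip`, `ss`, `netstat` and `ifconfig` are run by network-management scripts as routinely as by operators, which is why `level: low` is appropriate.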
@@ -27,4 +27,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1016 \ No newline at end of file + - attack.t1016 From 83ed39f95c4f03c263fcd5be90b13209e6567a46 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Wed, 7 Oct 2020 22:25:54 -0500 Subject: [PATCH 03/14] adding UID, renaming --- ...all_enumeration.yml => lnx_system_net_disc_firewall_enum.yml} | 1 + 1 file changed, 1 insertion(+) rename rules/linux/{lnx_firewall_enumeration.yml => lnx_system_net_disc_firewall_enum.yml} (92%) diff --git a/rules/linux/lnx_firewall_enumeration.yml b/rules/linux/lnx_system_net_disc_firewall_enum.yml similarity index 92% rename from rules/linux/lnx_firewall_enumeration.yml rename to rules/linux/lnx_system_net_disc_firewall_enum.yml index 5b503e858..268215542 100644 --- a/rules/linux/lnx_firewall_enumeration.yml +++ b/rules/linux/lnx_system_net_disc_firewall_enum.yml @@ -1,5 +1,6 @@ title: System Network Discovery - Firewall Enumeration status: experimental +id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c description: Detects enumeration of firewall configuration author: remotephone, oscd.community date: 2020/10/06 From ff2ba5f876a135e38db4e4300f060afc249d95c1 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Wed, 7 Oct 2020 22:43:38 -0500 Subject: [PATCH 04/14] double checking new line characters --- rules/linux/lnx_system_net_disc_firewall_enum.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_system_net_disc_firewall_enum.yml b/rules/linux/lnx_system_net_disc_firewall_enum.yml index 268215542..83057d004 100644 --- a/rules/linux/lnx_system_net_disc_firewall_enum.yml +++ b/rules/linux/lnx_system_net_disc_firewall_enum.yml @@ -1,4 +1,4 @@ -title: System Network Discovery - Firewall Enumeration +title: System Network Discovery Firewall Enumeration status: experimental id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c description: Detects enumeration of firewall configuration 
From 9802704a2b9f2b6e3ee539b9462e8ee4a354e818 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Wed, 7 Oct 2020 22:54:31 -0500 Subject: [PATCH 05/14] not sure why i'm failing the tests on a line I didn't change. copying format from another file --- rules/linux/lnx_system_net_disc_firewall_enum.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_system_net_disc_firewall_enum.yml b/rules/linux/lnx_system_net_disc_firewall_enum.yml index 83057d004..da346706e 100644 --- a/rules/linux/lnx_system_net_disc_firewall_enum.yml +++ b/rules/linux/lnx_system_net_disc_firewall_enum.yml @@ -1,6 +1,6 @@ title: System Network Discovery Firewall Enumeration -status: experimental id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c +status: experimental description: Detects enumeration of firewall configuration author: remotephone, oscd.community date: 2020/10/06 From e967cce211090e48d8eab02d65a9a3d723a4eea2 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Wed, 7 Oct 2020 23:02:03 -0500 Subject: [PATCH 06/14] change new lines to LF instead of CLRF --- .../lnx_system_net_disc_firewall_enum.yml | 62 +++++++++---------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/rules/linux/lnx_system_net_disc_firewall_enum.yml b/rules/linux/lnx_system_net_disc_firewall_enum.yml index da346706e..f148f5db7 100644 --- a/rules/linux/lnx_system_net_disc_firewall_enum.yml +++ b/rules/linux/lnx_system_net_disc_firewall_enum.yml 
@@ -1,31 +1,31 @@ -title: System Network Discovery Firewall Enumeration -id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c -status: experimental -description: Detects enumeration of firewall configuration -author: remotephone, oscd.community -date: 2020/10/06 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md - - https://attack.mitre.org/techniques/T1016 -logsource: - product: unix -detection: - keywords: - # Linux Only - - 'arp -a' - - 'ip' - - 'ss' - # macOS and Linux - - 'netstat' - - 'ifconfig' - # macOS only - - 'defaults read /Library/Preferences/com.apple.alf' - - 'socketfilterfw' - condition: keywords -falsepositives: - - Legitimate administration activities - - Redirecting output of echo command to a path that contains the word "cron" -level: low -tags: - - attack.discovery - - attack.t1016 +title: System Network Discovery - Firewall Enumeration +id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c +status: experimental +description: Detects enumeration of firewall configuration +author: remotephone, oscd.community +date: 2020/10/06 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md + - https://attack.mitre.org/techniques/T1016 +logsource: + product: unix +detection: + keywords: + # Linux Only + - 'arp -a' + - 'ip' + - 'ss' + # macOS and Linux + - 'netstat' + - 'ifconfig' + # macOS only + - 'defaults read /Library/Preferences/com.apple.alf' + - 'socketfilterfw' + condition: keywords +falsepositives: + - Legitimate administration activities + - Redirecting output of echo command to a path that contains the word "cron" +level: low +tags: + - attack.discovery + - attack.t1016 From 48edc674bdfdc3c3e1d29f4a1de30dd9f7175ede Mon Sep 17 00:00:00 2001 
From: "remotephone@gmail.com" Date: Sun, 11 Oct 2020 22:43:28 -0500 Subject: [PATCH 07/14] updating keywords to CommandLine|contains and splitting rule into two --- .../lnx_system_net_disc_firewall_enum.yml | 24 ++++++++---------- .../macos_system_net_disc_firewall_enum.yml | 25 +++++++++++++++++++ 2 files changed, 36 insertions(+), 13 deletions(-) create mode 100644 rules/linux/macos_system_net_disc_firewall_enum.yml diff --git a/rules/linux/lnx_system_net_disc_firewall_enum.yml b/rules/linux/lnx_system_net_disc_firewall_enum.yml index f148f5db7..228fbb866 100644 --- a/rules/linux/lnx_system_net_disc_firewall_enum.yml +++ b/rules/linux/lnx_system_net_disc_firewall_enum.yml @@ -6,22 +6,20 @@ author: remotephone, oscd.community date: 2020/10/06 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md - - https://attack.mitre.org/techniques/T1016 logsource: + category: process_creation product: unix detection: - keywords: - # Linux Only - - 'arp -a' - - 'ip' - - 'ss' - # macOS and Linux - - 'netstat' - - 'ifconfig' - # macOS only - - 'defaults read /Library/Preferences/com.apple.alf' - - 'socketfilterfw' - condition: keywords + selection: + CommandLine|contains: + # Linux Only + - 'arp -a' + - 'ip' + - 'ss' + # macOS and Linux + - 'netstat' + - 'ifconfig' + condition: selection falsepositives: - Legitimate administration activities - Redirecting output of echo command to a path that contains the word "cron" diff --git a/rules/linux/macos_system_net_disc_firewall_enum.yml b/rules/linux/macos_system_net_disc_firewall_enum.yml new file mode 100644 index 000000000..d72735e8a --- /dev/null +++ b/rules/linux/macos_system_net_disc_firewall_enum.yml 
@@ -0,0 +1,25 @@ +title: System Network Discovery - Firewall Enumeration +id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c +status: experimental +description: Detects enumeration of firewall configuration +author: remotephone, oscd.community +date: 2020/10/06 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md +logsource: + product: macos +detection: + selection: + CommandLine|contains: + - 'netstat' + - 'ifconfig' + - 'defaults read /Library/Preferences/com.apple.alf' + - 'socketfilterfw' + condition: selection +falsepositives: + - Legitimate administration activities + - Redirecting output of echo command to a path that contains the word "cron" +level: low +tags: + - attack.discovery + - attack.t1016 From 781c7ce6dc042f90468887edf73e71ee49309734 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Sun, 11 Oct 2020 23:52:47 -0500 Subject: [PATCH 08/14] Cleaning up falsepositives section of both rules --- rules/linux/lnx_system_net_disc_firewall_enum.yml | 1 - rules/linux/macos_system_net_disc_firewall_enum.yml | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/linux/lnx_system_net_disc_firewall_enum.yml b/rules/linux/lnx_system_net_disc_firewall_enum.yml index 228fbb866..a41bbabd6 100644 --- a/rules/linux/lnx_system_net_disc_firewall_enum.yml +++ b/rules/linux/lnx_system_net_disc_firewall_enum.yml @@ -22,7 +22,6 @@ detection: condition: selection falsepositives: - Legitimate administration activities - - Redirecting output of echo command to a path that contains the word "cron" level: low tags: - attack.discovery diff --git a/rules/linux/macos_system_net_disc_firewall_enum.yml b/rules/linux/macos_system_net_disc_firewall_enum.yml index d72735e8a..cf7bd1db9 100644 --- a/rules/linux/macos_system_net_disc_firewall_enum.yml +++ b/rules/linux/macos_system_net_disc_firewall_enum.yml 
@@ -10,7 +10,7 @@ logsource: product: macos detection: selection: - CommandLine|contains: + ParentCommandLine|contains: - 'netstat' - 'ifconfig' - 'defaults read /Library/Preferences/com.apple.alf' @@ -18,7 +18,6 @@ detection: condition: selection falsepositives: - Legitimate administration activities - - Redirecting output of echo command to a path that contains the word "cron" level: low tags: - attack.discovery From a85c19db173ae6a6aed6b8cbcf5798de046e8691 Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Tue, 13 Oct 2020 00:39:53 -0500 Subject: [PATCH 09/14] updating files to cover broader network discovery logic, renaming alert, adding recommended changes --- ...m.yml => lnx_system_network_discovery.yml} | 20 ++++++------- .../macos_system_net_disc_firewall_enum.yml | 24 --------------- .../linux/macos_system_network_discovery.yml | 30 +++++++++++++++++++ 3 files changed, 40 insertions(+), 34 deletions(-) rename rules/linux/{lnx_system_net_disc_firewall_enum.yml => lnx_system_network_discovery.yml} (61%) delete mode 100644 rules/linux/macos_system_net_disc_firewall_enum.yml create mode 100644 rules/linux/macos_system_network_discovery.yml diff --git a/rules/linux/lnx_system_net_disc_firewall_enum.yml b/rules/linux/lnx_system_network_discovery.yml similarity index 61% rename from rules/linux/lnx_system_net_disc_firewall_enum.yml rename to rules/linux/lnx_system_network_discovery.yml index a41bbabd6..35f8da72a 100644 --- a/rules/linux/lnx_system_net_disc_firewall_enum.yml +++ b/rules/linux/lnx_system_network_discovery.yml @@ -1,4 +1,4 @@ -title: System Network Discovery - Firewall Enumeration +title: System Network Discovery - Linux id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c status: experimental description: Detects enumeration of firewall configuration 
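Review bot: Changing the macOS selection from `CommandLine|contains` to `ParentCommandLine|contains` alters what is detected: it now matches processes whose parent was netstat/ifconfig/defaults/socketfilterfw rather than the enumeration command itself, and those tools rarely spawn children, so the rule would effectively go silent. If the intent is to catch the enumeration command, the field to match is still the child's own `CommandLine` (or its executable path); I would revert this line to `CommandLine|contains:`. Separately, the `logsource` here carries only `product: macos` with no `category: process_creation`, unlike the Linux sibling in this series, so a backend has no log source to map `CommandLine` onto — presumably an oversight worth fixing in the same file.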
@@ -11,18 +11,18 @@ logsource: product: unix detection: selection: - CommandLine|contains: - # Linux Only - - 'arp -a' - - 'ip' - - 'ss' - # macOS and Linux - - 'netstat' - - 'ifconfig' + ProcessName: + - '/usr/bin/firewall-cmd' + - '/usr/sbin/ufw' + - '/usr/sbin/iptables' + - '/usr/bin/netstat' + - '/usr/bin/ss' + - '/usr/sbin/ip' + - '/usr/sbin/ifconfig' condition: selection falsepositives: - Legitimate administration activities level: low tags: - attack.discovery - - attack.t1016 + - attack.t1016 \ No newline at end of file diff --git a/rules/linux/macos_system_net_disc_firewall_enum.yml b/rules/linux/macos_system_net_disc_firewall_enum.yml deleted file mode 100644 index cf7bd1db9..000000000 --- a/rules/linux/macos_system_net_disc_firewall_enum.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: System Network Discovery - Firewall Enumeration -id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c -status: experimental -description: Detects enumeration of firewall configuration -author: remotephone, oscd.community -date: 2020/10/06 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md -logsource: - product: macos -detection: - selection: - ParentCommandLine|contains: - - 'netstat' - - 'ifconfig' - - 'defaults read /Library/Preferences/com.apple.alf' - - 'socketfilterfw' - condition: selection -falsepositives: - - Legitimate administration activities -level: low -tags: - - attack.discovery - - attack.t1016 diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos_system_network_discovery.yml new file mode 100644 index 000000000..fc24eabad --- /dev/null +++ b/rules/linux/macos_system_network_discovery.yml 
@@ -0,0 +1,30 @@ +title: System Network Discovery - macOS +id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c +status: experimental +description: Detects enumeration of firewall configuration +author: remotephone, oscd.community +date: 2020/10/06 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md +logsource: + product: macos + category: process_creation +detection: + selection1: + ProcessName: + - '/usr/sbin/netstat' + - '/sbin/ifconfig' + - '/usr/sbin/ipconfig' + - '/usr/libexec/ApplicationFirewall/socketfilterfw' + - '/usr/sbin/networksetup' + - '/usr/sbin/arp' + selection2: + ProcessName: '/usr/bin/defaults' + Commandline|contains: 'read /Library/Preferences/com.apple.alf' + condition: selection1 or selection2 +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.discovery + - attack.t1016 From 56952ecdd45e7a92e1a156b6412fc7c95b25fd7f Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Tue, 13 Oct 2020 22:09:37 -0500 Subject: [PATCH 10/14] updating to select commandline arguments correctly for macos rule, and cleaning up description across both rules --- rules/linux/lnx_system_network_discovery.yml | 4 ++-- rules/linux/macos_system_network_discovery.yml | 8 +++++--- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml index 35f8da72a..9e52dd26f 100644 --- a/rules/linux/lnx_system_network_discovery.yml +++ b/rules/linux/lnx_system_network_discovery.yml @@ -1,7 +1,7 @@ title: System Network Discovery - Linux -id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c +id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa status: experimental -description: Detects enumeration of firewall configuration +description: Detects enumeration of local network configuration author: remotephone, oscd.community date: 2020/10/06 references: 
diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos_system_network_discovery.yml index fc24eabad..2bf068e4e 100644 --- a/rules/linux/macos_system_network_discovery.yml +++ b/rules/linux/macos_system_network_discovery.yml @@ -1,7 +1,7 @@ title: System Network Discovery - macOS -id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c +id: 58800443-f9fc-4d55-ae0c-98a3966dfb97 status: experimental -description: Detects enumeration of firewall configuration +description: Detects enumeration of local network configuration author: remotephone, oscd.community date: 2020/10/06 references: @@ -20,7 +20,9 @@ detection: - '/usr/sbin/arp' selection2: ProcessName: '/usr/bin/defaults' - Commandline|contains: 'read /Library/Preferences/com.apple.alf' + Commandline|contains|all: + - 'read' + - '/Library/Preferences/com.apple.alf' condition: selection1 or selection2 falsepositives: - Legitimate administration activities From df20d2a5d283ac1779056c8fe2a044c0992d371d Mon Sep 17 00:00:00 2001 From: "remotephone@gmail.com" Date: Tue, 13 Oct 2020 22:44:02 -0500 Subject: [PATCH 11/14] adding new line at end of file --- rules/linux/lnx_system_network_discovery.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml index 9e52dd26f..937ab7509 100644 --- a/rules/linux/lnx_system_network_discovery.yml +++ b/rules/linux/lnx_system_network_discovery.yml @@ -25,4 +25,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1016 \ No newline at end of file + - attack.t1016 From ffde8b020828ba9d149884b674788db3074c201f Mon Sep 17 00:00:00 2001 From: remotephone Date: Fri, 16 Oct 2020 21:54:41 -0500 Subject: [PATCH 12/14] Update to handle different file locations --- rules/linux/lnx_system_network_discovery.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
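Review bot: The field key in `selection2` is spelled `Commandline|contains|all`, whereas the Linux rule in this same series and Sigma's process_creation field naming use `CommandLine`; converters match field names literally, so on a backend that maps `CommandLine` this half of `selection2` would be left unmapped and the `defaults read /Library/Preferences/com.apple.alf` case would either never match or (if the unmapped key is ignored) degrade to matching every `/usr/bin/defaults` execution, which is far noisier. Change the key to `CommandLine|contains|all:` and keep the two values as they are. Splitting `'read'` and `'/Library/Preferences/com.apple.alf'` into `|all` is a good call, since it survives `defaults read -g` style argument ordering; a short comment such as `# "read" and the plist path are matched separately so argument order does not matter` would make that intent clear to the next maintainer.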
diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml index 937ab7509..a19cecb73 100644 --- a/rules/linux/lnx_system_network_discovery.yml +++ b/rules/linux/lnx_system_network_discovery.yml @@ -11,14 +11,14 @@ logsource: product: unix detection: selection: - ProcessName: - - '/usr/bin/firewall-cmd' - - '/usr/sbin/ufw' - - '/usr/sbin/iptables' - - '/usr/bin/netstat' - - '/usr/bin/ss' - - '/usr/sbin/ip' - - '/usr/sbin/ifconfig' + ProcessName|endswith: + - '/firewall-cmd' + - '/ufw' + - '/iptables' + - '/netstat' + - '/ss' + - '/ip' + - '/ifconfig' condition: selection falsepositives: - Legitimate administration activities From 8f6ce25bab4cb137d469e63339ec1a8616a01f06 Mon Sep 17 00:00:00 2001 From: remotephone Date: Fri, 16 Oct 2020 22:01:44 -0500 Subject: [PATCH 13/14] Merge changes from pull 1084 with this one https://github.com/Neo23x0/sigma/pull/1084 includes some commands I missed. This merges both and creates an OR selection condition to match both possible conditions. --- rules/linux/lnx_system_network_discovery.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml index a19cecb73..cc7a1cf4b 100644 --- a/rules/linux/lnx_system_network_discovery.yml +++ b/rules/linux/lnx_system_network_discovery.yml @@ -10,7 +10,7 @@ logsource: category: process_creation product: unix detection: - selection: + selection1: ProcessName|endswith: - '/firewall-cmd' - '/ufw' @@ -19,7 +19,11 @@ detection: - '/ss' - '/ip' - '/ifconfig' - condition: selection + - '/systemd-resolve' + - '/route' + selection2: + CommandLine|contains: '/etc/resolv.conf' + condition: selection1 or selection2 falsepositives: - Legitimate administration activities level: low From 48cabeafe5ca5a05ec89bd54324504243b88cac9 Mon Sep 17 00:00:00 2001 
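Review bot: `ProcessName|endswith` with leading-slash suffixes is the right shape for matching executables regardless of `/bin` vs `/usr/sbin` placement, but the field name and product are worth double-checking before this merges: Sigma's process_creation category conventionally exposes the executable path as `Image`, and `logsource.product: unix` is not the `linux` product that the macOS sibling's `product: macos` is the counterpart of — a backend that maps fields per product/category would leave both unmapped and the converted query would not match anything. I would change the logsource to `product: linux` and the selection key to `Image|endswith:` (the macOS rule uses `ProcessName` too and should be changed together), or confirm explicitly that this repository's field mapping accepts `ProcessName` for Linux process_creation. A one-line comment on the selection, `# suffix match so /bin, /sbin and /usr/* placements all hit`, would also document why the absolute paths from the earlier revision were dropped.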
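Review bot: The new `selection2` matches any process whose command line contains `/etc/resolv.conf` with no constraint on the executable, so it fires on writes as well as reads (`tee`, `sed -i`, `resolvconf`, distribution network scripts) and is the noisiest branch of `selection1 or selection2`, while the only documented false positive is still `Legitimate administration activities`. If the goal is to catch an operator reading the resolver configuration, as the referenced atomic test does with `cat`, pairing the path with the usual reading tools in the same selection keeps the signal and drops most of the write noise; alternatively, document the expected noise under `falsepositives`. On the `selection1` side, `'/nft'` (nftables, the iptables successor) and `'/resolvectl'` (the current name of `systemd-resolve`) look like the obvious gaps in the list and are cheap to add — confirm against the platforms you cover.

```yaml
    selection2:
        ProcessName|endswith:
            - '/cat'
            - '/less'
            - '/more'
            - '/head'
            - '/grep'
        CommandLine|contains: '/etc/resolv.conf'
    # … unchanged: selection1 list and condition …
```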
From: remotephone Date: Fri, 16 Oct 2020 22:02:58 -0500 Subject: [PATCH 14/14] Updated author section --- rules/linux/lnx_system_network_discovery.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml index cc7a1cf4b..af22539c4 100644 --- a/rules/linux/lnx_system_network_discovery.yml +++ b/rules/linux/lnx_system_network_discovery.yml @@ -2,7 +2,7 @@ title: System Network Discovery - Linux id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa status: experimental description: Detects enumeration of local network configuration -author: remotephone, oscd.community +author: Ömer Günal and remotephone, oscd.community date: 2020/10/06 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md