Max Altgelt
6f05e33feb
Correct a number of rules where message or keyword were incorrectly used as field names in events (typically windows event logs). However, neither field actually exists and as such these strings could never match.
43 lines
1.4 KiB
YAML
43 lines
1.4 KiB
YAML
title: 'Suspicious History File Operations'
|
|
id: eae8ce9f-bde9-47a6-8e79-f20d18419910
|
|
status: experimental
|
|
description: 'Detects commandline operations on shell history files'
|
|
# Rule detects presence of various shell history files in process commandline
|
|
# Normally user expected to view own history with dedicated 'history' command and not some other tools
|
|
# There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
|
|
# For this rule to work execve auditing must be configured
|
|
# Example config (place it at the bottom of audit.rules)
|
|
# -a always,exit -F arch=b32 -S execve -k execve
|
|
# -a always,exit -F arch=b64 -S execve -k execve
|
|
author: 'Mikhail Larin, oscd.community'
|
|
date: 2020/10/17
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
|
|
logsource:
|
|
product: linux
|
|
service: auditd
|
|
detection:
|
|
execve:
|
|
type: EXECVE
|
|
history:
|
|
- '.bash_history'
|
|
- '.zsh_history'
|
|
- '.zhistory'
|
|
- '.history'
|
|
- '.sh_history'
|
|
- 'fish_history'
|
|
condition: execve and history
|
|
fields:
|
|
- a0
|
|
- a1
|
|
- a2
|
|
- a3
|
|
- key
|
|
falsepositives:
|
|
- 'Legitimate administrative activity'
|
|
- 'Ligitimate software, cleaning hist file'
|
|
level: medium
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1552.003
|