Max Altgelt
6f05e33feb
Correct a number of rules where message or keyword were incorrectly used as field names in events (typically windows event logs). However, neither field actually exists and as such these strings could never match.
37 lines
1.0 KiB
YAML
37 lines
1.0 KiB
YAML
title: 'System Shutdown/Reboot'
|
|
id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f
|
|
status: experimental
|
|
description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
|
|
# For this rule to work execve auditing must be configured
|
|
# Example config (place it at the bottom of audit.rules)
|
|
# -a always,exit -F arch=b32 -S execve -k execve
|
|
# -a always,exit -F arch=b64 -S execve -k execve
|
|
author: 'Igor Fits, oscd.community'
|
|
date: 2020/10/15
|
|
references:
|
|
- hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
|
|
logsource:
|
|
product: linux
|
|
service: auditd
|
|
detection:
|
|
execve:
|
|
type: 'EXECVE'
|
|
shutdowncmd:
|
|
- 'shutdown'
|
|
- 'reboot'
|
|
- 'halt'
|
|
- 'poweroff'
|
|
init:
|
|
- 'init'
|
|
- 'telinit'
|
|
initselection:
|
|
- '0'
|
|
- '6'
|
|
condition: execve and (shutdowncmd or (init and initselection))
|
|
falsepositives:
|
|
- 'Legitimate administrative activity'
|
|
level: informational
|
|
tags:
|
|
- attack.impact
|
|
- attack.t1529
|