[Rule Tuning] Security Software Discovery via Grep (#994)

* [Rule Tuning] Security Software Discovery via Grep

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/discovery_security_software_grep.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Samirbous
2021-03-18 15:46:26 +01:00
committed by GitHub
parent 21290cc055
commit 04ea1a72c7
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/20"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -9,9 +9,10 @@ description = """
Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus
or Host Firewall details.
"""
false_positives = ["Endpoint Security installers, updaters and post installation verification scripts."]
from = "now-9m"
index = ["logs-endpoint.events.*", "auditbeat-*"]
language = "kuery"
language = "eql"
license = "Elastic License v2"
name = "Security Software Discovery via Grep"
risk_score = 47
@@ -19,41 +20,44 @@ rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery"]
timestamp_override = "event.ingested"
type = "query"
type = "eql"
query = '''
event.category : process and event.type : (start or process_started) and
process.name : grep and
process.args :
("Little Snitch" or
Avast* or
Avira* or
ESET* or
esets_* or
BlockBlock or
360* or
LuLu or
KnockKnock* or
kav or
KIS or
RTProtectionDaemon or
Malware* or
VShieldScanner or
WebProtection or
webinspectord or
McAfee* or
isecespd* or
macmnsvc* or
masvc or
kesl or
avscan or
guard or
rtvscand or
symcfgd or
scmdaemon or
symantec or
elastic-endpoint
)
process where event.type == "start" and
process.name : "grep" and user.id != "0" and
not process.parent.executable : "/Library/Application Support/*" and
process.args :
("Little Snitch*",
"Avast*",
"Avira*",
"ESET*",
"BlockBlock*",
"360Sec*",
"LuLu*",
"KnockKnock*",
"kav",
"KIS",
"RTProtectionDaemon*",
"Malware*",
"VShieldScanner*",
"WebProtection*",
"webinspectord*",
"McAfee*",
"isecespd*",
"macmnsvc*",
"masvc*",
"kesl*",
"avscan*",
"guard*",
"rtvscand*",
"symcfgd*",
"scmdaemon*",
"symantec*",
"sophos*",
"osquery*",
"elastic-endpoint*"
) and
not (process.args : "Avast" and process.args : "Passwords")
'''
@@ -63,10 +67,14 @@ framework = "MITRE ATT&CK"
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"
[[rule.threat.technique.subtechnique]]
id = "T1518.001"
name = "Security Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/001/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
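Review bot: In the query hunk, the new `user.id != "0"` condition drops every grep run as root, so security-software discovery performed after privilege escalation, or by anything already running as root, no longer alerts. The separate `not process.parent.executable : "/Library/Application Support/*"` condition likewise exempts any parent under that directory regardless of user. If the aim is only to suppress the installer and updater noise named in `false_positives`, consider tying the two together, e.g. `not (user.id == "0" and process.parent.executable : "/Library/Application Support/*")`, and stating the remaining root blind spot in the rule description. It is also worth confirming against both indices in `index` that events lacking `user.id` or `process.parent.executable` still match, since an EQL comparison on a missing field evaluates to null rather than true.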