security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3 (#4343)

Browse Source 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3

* .

* Update rules/linux/command_and_control_ip_forwarding_activity.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2025-01-09 10:35:58 -03:00
committed by GitHub
parent d6ceb88558
commit 0fc83fe815
10 changed files with 70 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/command_and_control_linux_proxychains_activity.toml
+8 -4
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint", "auditd_manager"]
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/06"
[transform]
[[transform.osquery]]
@@ -39,7 +41,7 @@ resources. Attackers can exploit the ProxyChains utility to hide their true sour
perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "ProxyChains Activity"
@@ -118,12 +120,14 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started")
and process.name == "proxychains"
'''