security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Tuning] Linux DR Tuning - Part 1 (#3452)

Browse Source 
* [Tuning] Linux DR Tuning - Part 1

* Update command_and_control_linux_tunneling_and_port_forwarding.toml

* Update command_and_control_cat_network_activity.toml
This commit is contained in:
Ruben Groenewoud
2024-02-20 14:38:19 +01:00
committed by GitHub
parent 0e48747aa6
commit 1dc7fd6a42
5 changed files with 66 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
+10 -7
View File
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2024/02/19"
[transform]
[[transform.osquery]]
@@ -40,7 +40,7 @@ restricted resources. Attackers can exploit the ProxyChains utility to hide thei
and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Utility Launched via ProxyChains"
@@ -139,16 +139,19 @@ tags = [
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend"
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name == "proxychains" and process.args : (
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and
event.type == "start" and process.name == "proxychains" and process.args : (
"ssh", "sshd", "sshuttle", "socat", "iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng",
"ssf", "3proxy", "ngrok", "gost", "pivotnacci", "chisel*", "nmap", "ping", "python*", "php*", "perl", "ruby",
"lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", "ftp", "curl", "wget")
"lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", "ftp", "curl", "wget"
)
'''
[[rule.threat]]