security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Tag Categorization Updates (#380)

Browse Source 
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
This commit is contained in:
seth-goodwin
2020-10-26 13:50:45 -05:00
committed by GitHub
parent 2e422f7159
commit 2065af89b1
326 changed files with 751 additions and 699 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/credential_access_tcpdump_activity.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ name = "Network Sniffing via Tcpdump"
risk_score = 21
rule_id = "7a137d76-ce3d-48e2-947d-2747796a78c0"
severity = "low"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
type = "query"
query = '''
rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/24"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Attempt to Disable IPTables or Firewall"
risk_score = 47
rule_id = "125417b8-d3df-479f-8418-12d7e034fee3"
severity = "medium"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
type = "query"
query = '''
rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/27"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Attempt to Disable Syslog Service"
risk_score = 47
rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
severity = "medium"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
type = "query"
query = '''
rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/17"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Base16 or Base32 Encoding/Decoding Activity"
risk_score = 21
rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
severity = "low"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
type = "query"
query = '''
rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/17"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Base64 Encoding/Decoding Activity"
risk_score = 21
rule_id = "97f22dab-84e8-409d-955e-dacd1d31670b"
severity = "low"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
type = "query"
query = '''
rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/05/04"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Deletion of Bash Command Line History"
risk_score = 47
rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
severity = "medium"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
type = "query"
query = '''
rules/linux/defense_evasion_disable_selinux_attempt.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/22"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Potential Disabling of SELinux"
risk_score = 47
rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
severity = "medium"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
type = "query"
query = '''
rules/linux/defense_evasion_file_deletion_via_shred.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/27"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "File Deletion via Shred"
risk_score = 21
rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
severity = "low"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
type = "query"
query = '''
rules/linux/defense_evasion_file_mod_writable_dir.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/21"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ name = "File Permission Modification in Writable Directory"
risk_score = 21
rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
severity = "low"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
type = "query"
query = '''
rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/17"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Hex Encoding/Decoding Activity"
risk_score = 21
rule_id = "a9198571-b135-4a76-b055-e3e5a476fd83"
severity = "low"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
type = "query"
query = '''
rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/29"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ name = "Creation of Hidden Files and Directories"
risk_score = 47
rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
severity = "medium"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
type = "query"
query = '''
rules/linux/defense_evasion_kernel_module_removal.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/24"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
risk_score = 73
rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
severity = "high"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
type = "query"
query = '''
rules/linux/discovery_kernel_module_enumeration.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/23"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ name = "Enumeration of Kernel Modules"
risk_score = 47
rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
severity = "medium"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
type = "query"
query = '''
rules/linux/discovery_virtual_machine_fingerprinting.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/27"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ name = "Virtual Machine Fingerprinting"
risk_score = 73
rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
severity = "high"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
type = "query"
query = '''
rules/linux/discovery_whoami_commmand.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ name = "User Discovery via Whoami"
risk_score = 21
rule_id = "120559c6-5e24-49f4-9e30-8ffe697df6b9"
severity = "low"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
type = "query"
query = '''
rules/linux/execution_perl_tty_shell.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/16"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Interactive Terminal Spawned via Perl"
risk_score = 73
rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3"
severity = "high"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
type = "query"
query = '''
rules/linux/execution_python_tty_shell.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/15"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Interactive Terminal Spawned via Python"
risk_score = 73
rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
severity = "high"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
type = "query"
query = '''
rules/linux/lateral_movement_telnet_network_activity_external.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/23"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ name = "Connection to External Network via Telnet"
risk_score = 47
rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
severity = "medium"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
type = "query"
query = '''
rules/linux/lateral_movement_telnet_network_activity_internal.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/23"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ name = "Connection to Internal Network via Telnet"
risk_score = 47
rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
severity = "medium"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
type = "query"
query = '''
rules/linux/linux_hping_activity.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://en.wikipedia.org/wiki/Hping"]
risk_score = 73
rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
severity = "high"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
type = "query"
query = '''
rules/linux/linux_iodine_activity.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://code.kryo.se/iodine/"]
risk_score = 73
rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2"
severity = "high"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
type = "query"
query = '''
rules/linux/linux_mknod_activity.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/09"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
risk_score = 21
rule_id = "61c31c14-507f-4627-8c31-072556b89a9c"
severity = "low"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
type = "query"
query = '''
rules/linux/linux_netcat_network_connection.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
risk_score = 47
rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
severity = "medium"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
type = "query"
query = '''
rules/linux/linux_nmap_activity.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/Nmap"]
risk_score = 21
rule_id = "c87fca17-b3a9-4e83-b545-f30746c53920"
severity = "low"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
type = "query"
query = '''
rules/linux/linux_nping_activity.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://en.wikipedia.org/wiki/Nmap"]
risk_score = 47
rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77"
severity = "medium"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
type = "query"
query = '''
rules/linux/linux_process_started_in_temp_directory.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Unusual Process Execution - Temp"
risk_score = 47
rule_id = "df959768-b0c9-4d45-988c-5606a2be8e5a"
severity = "medium"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
type = "query"
query = '''
rules/linux/linux_socat_activity.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://blog.ropnop.com/upgrading-simple-shells-to-fully-interact
risk_score = 47
rule_id = "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126"
severity = "medium"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
type = "query"
query = '''
rules/linux/linux_strace_activity.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://en.wikipedia.org/wiki/Strace"]
risk_score = 21
rule_id = "d6450d4e-81c6-46a3-bd94-079886318ed5"
severity = "low"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
type = "query"
query = '''
rules/linux/persistence_kernel_module_activity.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
risk_score = 21
rule_id = "81cc58f5-8062-49a2-ba84-5cc4b4d31c40"
severity = "low"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
type = "query"
query = '''
rules/linux/persistence_shell_activity_by_web_server.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://pentestlab.blog/tag/web-shell/"]
risk_score = 47
rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb"
severity = "medium"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
type = "query"
query = '''
rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/23"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Setgid Bit Set via chmod"
risk_score = 21
rule_id = "3a86e085-094c-412d-97ff-2439731e59cb"
severity = "low"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
type = "query"
query = '''
rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/23"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Setuid Bit Set via chmod"
risk_score = 21
rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
severity = "low"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
type = "query"
query = '''
rules/linux/privilege_escalation_sudoers_file_mod.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/13"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Sudoers File Modification"
risk_score = 21
rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
severity = "low"
tags = ["Elastic", "Linux"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
type = "query"
query = '''