security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Back-porting Version Trimming (#3681)"

Browse Source 
This reverts commit 71d2c59b5c.
This commit is contained in:
Mika Ayenson
2024-05-22 13:51:46 -05:00
parent 71d2c59b5c
commit 2c3dbfc039
1036 changed files with 11405 additions and 12359 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/command_and_control_linux_proxychains_activity.toml
+15 -17
View File
@@ -2,7 +2,9 @@
creation_date = "2023/08/23"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[transform]
[[transform.osquery]]
@@ -29,13 +31,12 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the
routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted
resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and
This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the
routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted
resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and
perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
"""
from = "now-9m"
@@ -111,33 +112,30 @@ risk_score = 21
rule_id = "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name == "proxychains"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"