Revert "Back-porting Version Trimming (#3681)"
This reverts commit 71d2c59b5c.
This commit is contained in:
Mika Ayenson
@@ -2,7 +2,9 @@
|
||||
creation_date = "2023/08/23"
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/03/08"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -29,15 +31,13 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
|
||||
label = "Osquery - Retrieve Process Info"
|
||||
query = "SELECT name, cmdline, parent, path, uid FROM processes"
|
||||
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool
|
||||
that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to
|
||||
restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade
|
||||
detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and
|
||||
intentions.
|
||||
restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection,
|
||||
and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
@@ -137,17 +137,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
"""
|
||||
severity = "low"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Command and Control",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Auditd Manager",
|
||||
]
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Command and Control",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
|
||||
and process.name == "proxychains" and process.args : (
|
||||
@@ -157,17 +156,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1572"
|
||||
name = "Protocol Tunneling"
|
||||
reference = "https://attack.mitre.org/techniques/T1572/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0011"
|
||||
name = "Command and Control"
|
||||
reference = "https://attack.mitre.org/tactics/TA0011/"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user