security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Back-porting Version Trimming (#3681)"

Browse Source 
This reverts commit 71d2c59b5c.
This commit is contained in:
Mika Ayenson
2024-05-22 13:51:46 -05:00
parent 71d2c59b5c
commit 2c3dbfc039
1036 changed files with 11405 additions and 12359 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/execution_shell_via_meterpreter_linux.toml
+23 -23
View File
@@ -2,14 +2,16 @@
creation_date = "2023/08/10"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0"
min_stack_version = "8.6.0"
updated_date = "2024/02/19"
[rule]
author = ["Elastic"]
description = """
This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged
This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged
by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting
this pattern is indicative of a successful meterpreter shell connection.
this pattern is indicative of a successful meterpreter shell connection.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -58,15 +60,14 @@ However, if more advanced configuration is required to detect specific behavior,
"""
severity = "medium"
tags = [
"Data Source: Auditd Manager",
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
]
"Data Source: Auditd Manager",
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sample by host.id, process.pid, user.id
[file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/etc/machine-id"]
@@ -76,34 +77,33 @@ sample by host.id, process.pid, user.id
[file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/if_inet6"]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"