security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Back-porting Version Trimming (#3681)"

Browse Source 
This reverts commit 71d2c59b5c.
This commit is contained in:
Mika Ayenson
2024-05-22 13:51:46 -05:00
parent 71d2c59b5c
commit 2c3dbfc039
1036 changed files with 11405 additions and 12359 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/impact_potential_linux_ransomware_note_detected.toml
+13 -14
View File
@@ -2,16 +2,18 @@
creation_date = "2023/03/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/21"
[rule]
author = ["Elastic"]
description = """
This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a
file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of
This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with
a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of
malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the
decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a
new file extension is added to the file.
new file extension is added to the file.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -47,14 +49,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Impact",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Impact",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by process.entity_id, host.id with maxspan=1s
[file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
@@ -74,17 +75,15 @@ sequence by process.entity_id, host.id with maxspan=1s
]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1486"
name = "Data Encrypted for Impact"
reference = "https://attack.mitre.org/techniques/T1486/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"