Revert "Back-porting Version Trimming (#3681)"
This reverts commit 71d2c59b5c.
@@ -2,20 +2,33 @@
|
||||
creation_date = "2023/06/09"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
label = "Osquery - Retrieve File Listing Information"
|
||||
query = "SELECT * FROM file WHERE path = {{file.path}}\n"
|
||||
|
||||
query = """
|
||||
SELECT * FROM file WHERE path = {{file.path}}
|
||||
"""
|
||||
[[transform.osquery]]
|
||||
label = "Osquery - Retrieve Additional File Listing Information"
|
||||
query = """
|
||||
SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
|
||||
file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
|
||||
file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
|
||||
JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}}
|
||||
SELECT
|
||||
f.path,
|
||||
u.username AS file_owner,
|
||||
g.groupname AS group_owner,
|
||||
datetime(f.atime, 'unixepoch') AS file_last_access_time,
|
||||
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
|
||||
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
|
||||
datetime(f.btime, 'unixepoch') AS file_created_time,
|
||||
f.size AS size_bytes
|
||||
FROM
|
||||
file f
|
||||
LEFT JOIN users u ON f.uid = u.uid
|
||||
LEFT JOIN groups g ON f.gid = g.gid
|
||||
WHERE path = {{file.path}}
|
||||
"""
|
||||
|
||||
[[transform.osquery]]
|
||||
@@ -42,7 +55,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
|
||||
label = "Osquery - Investigate the Account Authentication Status"
|
||||
query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
|
||||
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
@@ -155,11 +167,10 @@ tags = [
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Persistence",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
]
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and
|
||||
file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (
|
||||
@@ -169,20 +180,19 @@ file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* an
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1574"
|
||||
name = "Hijack Execution Flow"
|
||||
reference = "https://attack.mitre.org/techniques/T1574/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1574.006"
|
||||
name = "Dynamic Linker Hijacking"
|
||||
reference = "https://attack.mitre.org/techniques/T1574/006/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
@@ -191,8 +201,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
[rule.new_terms]
|
||||
field = "new_terms_fields"
|
||||
value = ["host.id", "file.path", "process.executable"]
|
||||
|
||||
[[rule.new_terms.history_window_start]]
|
||||
field = "history_window_start"
|
||||
value = "now-10d"
|
||||
|
||||
|
||||
|
||||