security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Tuning] Linux DR Tuning - Part 11 (#3463)

Browse Source 
* [Tuning] Linux DR Tuning - Part 11

* Update persistence_message_of_the_day_creation.toml

* Update persistence_message_of_the_day_execution.toml

* Update rules/linux/persistence_message_of_the_day_execution.toml

* Update persistence_linux_user_added_to_privileged_group.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit ef66c57030)
This commit is contained in:
Ruben Groenewoud
2024-03-07 12:20:31 +01:00
committed by github-actions[bot]
parent 5506f1bb26
commit 3c1ecce6dc
5 changed files with 57 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/persistence_linux_shell_activity_via_web_server.toml
+19 -5
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2024/02/21"
[transform]
[[transform.osquery]]
@@ -132,7 +132,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Initial Access",
"Data Source: Elastic Endgame",
"Use Case: Vulnerability",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -148,9 +158,13 @@ event.action in ("exec", "exec_event") and process.parent.executable : (
"/usr/local/lsws/bin/lswsctrl",
"*/bin/catalina.sh"
) and
process.name : ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "tmux") and
process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") and
not process.name == "phpquery"
process.name : (
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc",
"netcat", "ncat", "telnet", "awk", "socat"
) and process.args : (
"whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd", "ls", "cd", "python*", "php*", "perl",
"ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "socat"
) and not process.name == "phpquery"
'''
[[rule.threat]]