[Rule Tuning] Q2 Linux DR Tuning - Part 4 (#4165)

Ruben Groenewoud
2024-10-18 17:13:44 +02:00
committed by GitHub
parent b309bcb7ae
commit 42f6c8f9a5
10 changed files with 69 additions and 67 deletions
@@ -2,7 +2,7 @@
creation_date = "2020/12/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/17"
[transform]
[[transform.osquery]]
@@ -166,59 +166,62 @@ event.category:file and host.os.type:linux and event.type:change and
/usr/bin/ssh or
/usr/sbin/sshd) or
file.name:libkeyutils.so) and
not process.executable:/usr/share/elasticsearch/*
not (
process.executable:/usr/share/elasticsearch/* or
process.name : (apk or ansible-admin or systemd or dnf or python*)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"
[[rule.threat.technique]]
id = "T1563"
name = "Remote Service Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"
[[rule.threat.technique.subtechnique]]
id = "T1563.001"
name = "SSH Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/001/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
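Review bot: The new `python*` entry in the `process.name` exclusion takes every Python interpreter out of the rule's scope, so a script launched as `python3` that modifies the SSH binaries or drops a `libkeyutils.so` — the activity this rule exists to surface — would no longer alert, whereas `apk`, `dnf` and `systemd` are far narrower than a wildcard on the most common scripting runtime. The exclusion sits on the new side of the second hunk, which is only the tail of the `query` string; the query opens before line 166 and the first hunk is just the `updated_date` bump. If the Python noise comes from a specific management tool, constraining it by parent or path rather than by name alone would keep most of the false-positive reduction, e.g. `(process.name : python* and process.parent.name : ansible*)` — the actual parent is not visible here and should be confirmed against the events that motivated the tuning. A short comment above `query` stating why each excluded process is treated as benign, e.g. `# exclusions: package managers and config-management tooling that legitimately rewrite ssh/sshd`, would make the next tuning pass safer.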