[Rule Tuning] Feedback from 7.12 Kibana PR (#942)

Justin Ibarra
2021-02-11 13:32:58 -09:00
committed by GitHub
parent 190b4ea67e
commit 4e6ff388fc
11 changed files with 40 additions and 30 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/19"
maturity = "production"
updated_date = "2021/01/19"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ process where event.type in ("start", "process_started") and
process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget") and
process.args : "-jar" and process.args : "*.jar" and
/* Add any FP's here */
not process.executable : "/Users/*/.sdkman/*" and
not process.executable : ("/Users/*/.sdkman/*", "/Library/Java/JavaVirtualMachines/*") and
not process.args : ("/usr/local/*", "/Users/*/github.com/*", "/Users/*/src/*")
'''
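Review bot: The `not process.args : ("/usr/local/*", "/Users/*/github.com/*", "/Users/*/src/*")` line on the new side matches any argument position, not the jar itself, so a jar launched from anywhere is excluded as soon as any other argument (a classpath entry, an input file) lives under one of those prefixes. If the intent is to exclude jars that live in those directories, tying the pattern to the jar keeps the exclusion narrow: `not process.args : ("/usr/local/*.jar", "/Users/*/github.com/*.jar", "/Users/*/src/*.jar")`. The same consideration applies to the newly added `/Library/Java/JavaVirtualMachines/*` executable exclusion only if that path can host user-writable content, which I cannot tell from here. The query this hunk belongs to starts outside the hunk.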
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/02/03"
maturity = "production"
updated_date = "2021/02/04"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies the attempted use of a heap-based buffer overflow vulnerability for t
"""
false_positives = [
"""
This rule could generate false positives if the process arguments leveraged by the expoit are shared by custom
This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom
scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are
affected; if those versions are not present on the endpoint, this could be a false positive.
""",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/05/04"
maturity = "production"
updated_date = "2021/02/04"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -23,11 +23,11 @@ type = "eql"
query = '''
process where event.type in ("start", "process_started") and
(
(process.name : ("rm", "echo") and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history")) or
(process.args : ("rm", "echo") and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history")) or
(process.name : "history" and process.args : "-c") or
(process.name : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
(process.name : "unset" and process.args : "HISTFILE") or
(process.name : "set" and process.args : "history" and process.args : "+o")
(process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
(process.args : "unset" and process.args : "HISTFILE") or
(process.args : "set" and process.args : "history" and process.args : "+o")
)
'''
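Review bot: The `history -c` branch at `(process.name : "history" and process.args : "-c")` is left on `process.name` while the sibling `export`, `unset` and `set` branches are moved to `process.args`; `history` is a shell builtin like those, so a `process.name` match seems unlikely to ever fire and the branch would be dead in practice. For consistency with the rest of the new query consider `(process.args : "history" and process.args : "-c") or`. Note also that the `rm`/`echo` branch now matches whenever `rm` or `echo` appears as any argument rather than as the executable, which is presumably the intended broadening but worth a line in `false_positives`.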
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/04"
maturity = "production"
updated_date = "2020/01/04"
updated_date = "2020/02/11"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License"
name = "Browser Credential File Access"
name = "Access of Stored Browser Credentials"
references = ["https://securelist.com/calisto-trojan-for-macos/86543/"]
risk_score = 73
rule_id = "20457e4f-d1de-4b92-ae69-142e27a4342a"
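Review bot: `updated_date = "2020/02/11"` looks like a typo for `"2021/02/11"`: the commit is dated 2021-02-11 and the other rules touched here use `2021/02/11`. The same value appears in the SystemKey Access, Sublime plugin, reg.exe hive-save and file-enumeration sections of this commit, and in the last three it is earlier than the rule's own `creation_date`, which the repo's metadata checks may well reject. Suggest `updated_date = "2021/02/11"` in each of those files.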
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/01/07"
maturity = "production"
updated_date = "2020/01/07"
updated_date = "2020/02/11"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "SystemKey Access via Hexdump"
name = "SystemKey Access via Command Line"
references = ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"]
risk_score = 73
rule_id = "d75991f2-b989-419d-b797-ac1e54ec2d61"
@@ -24,7 +24,7 @@ type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
process.name:hexdump and process.args:"/private/var/db/SystemKey"
process.args:"/private/var/db/SystemKey"
'''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/13"
maturity = "production"
updated_date = "2021/01/13"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ and control servers. Root certificates are used in public key cryptography to id
(CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of
trust that have been signed by the root certificate.
"""
false_positives = ["Trusted Root Certificate Install"]
false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/13"
maturity = "production"
updated_date = "2021/01/13"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -10,7 +10,6 @@ Identifies the creation or modification of a DirectoryService PlugIns (dsplug) f
on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the
DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.
"""
false_positives = ["Trusted DirectoryService PlugIns"]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/23"
maturity = "production"
updated_date = "2020/12/23"
updated_date = "2020/02/11"
[rule]
author = ["Elastic"]
@@ -9,7 +9,6 @@ description = """
Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time
the Sublime application is started.
"""
false_positives = ["Legitimate Sublime plugins or application updates"]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/27"
maturity = "production"
updated_date = "2021/01/27"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Potential Privilege Escalation via Root Crontab File Modification"
name = "Privilege Escalation via Root Crontab File Modification"
references = [
"https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc",
"https://www.exploit-db.com/exploits/42146",
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/23"
maturity = "production"
updated_date = "2020/01/28"
updated_date = "2020/02/11"
[rule]
author = ["Elastic"]
@@ -24,8 +24,7 @@ query = '''
process where event.type in ("start", "process_started") and
process.pe.original_file_name == "reg.exe" and
process.args : ("save", "export") and
process.args : ("hklm\\sam", "hklm\\security") and
not process.parent.executable : "C:\\Program Files*\\Rapid7\\Insight Agent\\components\\insight_agent\\*\\ir_agent.exe"
process.args : ("hklm\\sam", "hklm\\security")
'''
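Review bot: Dropping the `not process.parent.executable : "...\\ir_agent.exe"` clause means the rule will alert on that agent's hive exports again, and nothing in the hunk records where that exclusion is expected to live instead. If the plan is to move vendor-specific exclusions out of the rule and into Kibana exception lists, a short `false_positives` entry stating that backup or security agents exporting the SAM/SECURITY hives should be handled via exceptions would preserve that knowledge; the `false_positives` field is outside this hunk so I cannot see whether it already says so. The query this hunk belongs to starts outside the hunk.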
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/04"
maturity = "production"
updated_date = "2020/01/28"
updated_date = "2020/02/11"
[rule]
author = ["Elastic"]
@@ -9,6 +9,13 @@ description = """
Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan
follow-on activity.
"""
false_positives = [
"""
Enumeration of files and directories may not be inherently malicious and noise may come from scripts, automation
tools, or normal command line usage. It's important to baseline your environment to determine the amount of expected
noise and exclude any known FP's from the rule.
""",
]
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License"
@@ -20,9 +27,16 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
(process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and
process.args : ("dir", "tree")
sequence by agent.id, user.name with maxspan=1m
[process where event.type in ("start", "process_started") and
((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
process.name : "tree.com"]
[process where event.type in ("start", "process_started") and
((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
process.name : "tree.com"]
[process where event.type in ("start", "process_started") and
((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
process.name : "tree.com"]
'''
@@ -38,4 +52,3 @@ reference = "https://attack.mitre.org/techniques/T1083/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
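Review bot: In each of the three sequence events, `... and ((cmd.exe or Cmd.Exe) and process.args : "dir") or process.name : "tree.com"` parses as `(event.type ... and cmd-and-dir) or tree.com`, because `and` binds tighter than `or` in EQL; the `tree.com` branch is therefore not constrained by `event.type in ("start", "process_started")` and will match on any process event for that name, including end events. Wrapping the two alternatives in one parenthesised group restores the intended condition; the rewritten query is below. Separately, the three events are byte-identical, so a comment above `query` noting that the repetition is deliberate (three enumerations by the same user on the same host within `maxspan=1m`) would help the next editor.
```toml
query = '''
sequence by agent.id, user.name with maxspan=1m
  [process where event.type in ("start", "process_started") and
    (((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
     process.name : "tree.com")]
  [process where event.type in ("start", "process_started") and
    (((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
     process.name : "tree.com")]
  [process where event.type in ("start", "process_started") and
    (((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
     process.name : "tree.com")]
'''
```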