[New Rule] SSH Authorized Keys File Modified Inside a Container (#2792)

* [New Rule] SSH Authorized Keys File Modified Inside a Container

new rule toml

* toml file name change

changed duplicate toml file name

* Update persistence_ssh_authorized_keys_modification_inside_a_container.toml

added time intervals

* removed redundant event.type

removed event.type fields

* added back event.type and removed event.action per reviewer suggestion

removed redundant event.action fields
Isai
2023-05-16 16:30:17 -04:00
committed by GitHub
parent 648dd8b3ed
commit 515d393828
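--- /dev/null
+++ b/persistence_ssh_authorized_keys_modification_inside_a_container.toml
@@ -0,0 +1,77 @@
+[metadata]
+creation_date = "2023/05/12"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/05/16"
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container.
+The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication.
+Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
+Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.
+"""
+from = "now-6m"
+index = ["logs-cloud_defend*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "SSH Authorized Keys File Modified Inside a Container"
+risk_score = 73
+rule_id = "f7769104-e8f9-4931-94a2-68fc04eadec3"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Lateral Movement", "Container"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+file where container.id:"*" and
+event.type in ("change", "creation") and file.name: ("authorized_keys", "authorized_keys2", "sshd_config")
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.004"
+name = "SSH Authorized Keys"
+reference = "https://attack.mitre.org/techniques/T1098/004/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1563"
+name = "Remote Service Session Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/"
+[[rule.threat.technique.subtechnique]]
+id = "T1563.001"
+name = "SSH Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/001/"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"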
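Review bot: The `file.name: (...)` clause of the query will not see sshd configuration dropped into `/etc/ssh/sshd_config.d/`, which OpenSSH 8.2+ reads through an `Include` directive (the Debian/Ubuntu packaged `sshd_config` ships with `Include /etc/ssh/sshd_config.d/*.conf`), so an attacker in such an image can relocate `AuthorizedKeysFile` or enable root/password login without ever touching a file literally named `sshd_config`. Consider widening the match to `(file.name : ("authorized_keys", "authorized_keys2", "sshd_config") or file.path : "/etc/ssh/sshd_config.d/*")`. Conversely, matching on a bare `file.name` fires on any `authorized_keys` or `sshd_config` written anywhere in the container (image layers, config-management checkouts, build steps), yet the rule ships at `severity = "high"` with no `false_positives` list and no `note` investigation guide; a short `false_positives = ["Legitimate provisioning of SSH keys or sshd configuration during container build or start-up."]` entry would help triage. The description explains only why `authorized_keys` matters even though `sshd_config` is in scope; I would add `Adversaries may also edit sshd_config to point AuthorizedKeysFile elsewhere or to weaken authentication settings.` after the persistence sentence.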