security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Post Exploitation Public IP Reconnaissance (#270)

Browse Source
This commit is contained in:
Andrew Pease
2020-09-30 18:36:22 -05:00
committed by GitHub
parent e753162fe2
commit 5ba848552a
1 changed files with 53 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml
+53
View File
@@ -0,0 +1,53 @@
[metadata]
creation_date = "2020/09/04"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/04"
[rule]
author = ["Elastic"]
description = """
Identifies domains commonly used by adversaries for post-exploitation IP reconnaissance. It is common for adversaries to
test for Internet access and acquire their public IP address after they have gained access to a system. Among others,
this has been observed in campaigns leveraging the information stealer, Trickbot.
"""
false_positives = [
"""
If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those
events. Validate that this is expected activity and tune the rule to fit your environment variables.
""",
]
index = ["packetbeat-*"]
language = "lucene"
license = "Elastic License"
name = "Public IP Reconnaissance Activity"
note = "This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert."
references = [
"https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation",
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
]
risk_score = 21
rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511"
severity = "low"
tags = ["Elastic", "Network", "Threat Detection, Preventing and Hunting", "Post-Execution"]
type = "query"
query = '''
event.category:network AND event.type:connection AND server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR
ifconfig.me OR icanhazip.com OR myexternalip.com OR api.ipify.org OR bot.whatismyipaddress.com OR ip.anysrc.net OR
wtfismyip.com) AND NOT http.response.status_code:302 AND status:OK AND NOT _exists_:http.request.referrer
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1016"
name = "System Network Configuration Discovery"
reference = "https://attack.mitre.org/techniques/T1016/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"