Back-porting Version Trimming (#3704)

shashank-elastic
2024-05-23 00:45:10 +05:30
committed by GitHub
parent 2c3dbfc039
commit 63e91c2f12
1016 changed files with 12005 additions and 11259 deletions
@@ -2,9 +2,7 @@
creation_date = "2023/08/23"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/05/21"
[transform]
[[transform.osquery]]
@@ -31,12 +29,13 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the
routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted
resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and
This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the
routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted
resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and
perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
"""
from = "now-9m"
@@ -112,30 +111,33 @@ risk_score = 21
rule_id = "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name == "proxychains"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
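Review bot: The EQL query in the last hunk matches only `process.name == "proxychains"`, so executions of the proxychains-ng binary, which is commonly installed as `proxychains4`, would not raise this rule. Consider widening the match, for example `and process.name in ("proxychains", "proxychains4")`, and adding a test event for each name. Separately, the first hunk drops `min_stack_version = "8.3.0"`; it is worth confirming that this branch's global minimum stack is at least that version, since the removed comment tied it to `required_fields`, `related_integrations` and `setup`. The lines between the hunks are not visible here, so both points rest on the query and metadata as shown.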