security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Back-porting Version Trimming (#3681)

Browse Source
This commit is contained in:
shashank-elastic
2024-05-23 00:11:50 +05:30
committed by GitHub
parent 58ba0713fe
commit 71d2c59b5c
1036 changed files with 12346 additions and 11392 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/execution_shell_evasion_linux_binary.toml
+16 -8
View File
@@ -2,15 +2,13 @@
creation_date = "2022/05/06"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive
system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator,
Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive
system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator,
and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.
"""
from = "now-9m"
@@ -127,9 +125,17 @@ Session View uses process data collected by the Elastic Defend integration, but
For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
(
@@ -184,20 +190,22 @@ process where host.os.type == "linux" and event.type == "start" and
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"