security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Linux cross-platform DRs (#3346)

Browse Source
This commit is contained in:
Ruben Groenewoud
2024-01-08 10:44:03 +01:00
committed by GitHub
parent 6c91c1597d
commit 788e2b2823
4 changed files with 35 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/cross-platform/defense_evasion_timestomp_touch.toml
+12 -3
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
updated_date = "2023/12/18"
[rule]
author = ["Elastic"]
@@ -29,7 +29,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -37,7 +44,9 @@ query = '''
process where event.type == "start" and
process.name : "touch" and user.id != "0" and
process.args : ("-r", "-t", "-a*","-m*") and
not process.args : ("/usr/lib/go-*/bin/go", "/usr/lib/dracut/dracut-functions.sh", "/tmp/KSInstallAction.*/m/.patch/*")
not process.args : (
"/usr/lib/go-*/bin/go", "/usr/lib/dracut/dracut-functions.sh", "/tmp/KSInstallAction.*/m/.patch/*"
) and not process.parent.name in ("pmlogger_daily", "pmlogger_janitor", "systemd")
'''
rules/cross-platform/discovery_security_software_grep.toml
+8 -3
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
updated_date = "2023/12/18"
[rule]
author = ["Elastic"]
@@ -75,7 +75,7 @@ type = "eql"
query = '''
process where event.type == "start" and
process.name : "grep" and user.id != "0" and
not process.parent.executable : "/Library/Application Support/*" and
not process.parent.executable : ("/Library/Application Support/*", "/opt/McAfee/agent/scripts/ma") and
process.args :
("Little Snitch*",
"Avast*",
@@ -115,7 +115,12 @@ process.name : "grep" and user.id != "0" and
"grep -i McAfee Web Gateway Core version:",
"grep --color=auto ESET Command-line scanner, version %s -A2"
)
)
) or
(process.parent.command_line : (
"""sh -c printf "command_start_%s"*; perl -pe 's/[^ -~]/\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf "command_done_%s*""",
"""bash -c perl -pe 's/[^ -~]/\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1"""
)
)
)
'''
rules/cross-platform/execution_suspicious_jar_child_process.toml
+3 -3
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/10/19"
updated_date = "2023/12/18"
[rule]
author = ["Elastic"]
@@ -104,8 +104,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.command_line"]
value = ["host.id", "process.command_line", "process.parent.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
value = "now-14d"
rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
+12 -3
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/22"
updated_date = "2023/12/18"
[rule]
author = ["Elastic"]
@@ -20,12 +20,21 @@ name = "Sudoers File Modification"
risk_score = 47
rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)
event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and
not process.name:(dpkg or platform-python or puppet or yum or dnf) and
not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)
'''
[[rule.threat]]