Updation of Mitre Tactic and Threats (#1850)

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
shashank-elastic
2022-03-18 15:06:24 +05:30
committed by GitHub
parent 22dd7f0ada
commit 7feebc2c10
10 changed files with 105 additions and 136 deletions
@@ -1,27 +1,25 @@
[metadata]
creation_date = "2022/02/24"
maturity = "production"
updated_date = "2022/02/24"
updated_date = "2022/03/17"
[rule]
author = ["Elastic"]
description = """
Identifies Linux binary apt/apt-get abuse to breakout out of restricted shells or environments by spawning an
interactive system shell. This activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
interactive system shell. This activity is not standard use with this binary for a user or system administrator. It
indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape"
references = [
"https://gtfobins.github.io/gtfobins/apt/",
"https://gtfobins.github.io/gtfobins/apt-get/"
]
references = ["https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/"]
risk_score = 47
rule_id = "8fed8450-847e-43bd-874c-3bbf0cd425f3"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
timestamp_override = "event.ingested"
type = "eql"
@@ -36,18 +34,18 @@ sequence by host.id, process.pid with maxspan=1m
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1548.004"
name = "Elevated Execution with Prompt"
reference = "https://attack.mitre.org/techniques/T1548/004/"
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
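Review bot: The reflowed description on the new side still reads "abuse to breakout out of restricted shells" (the second line of the `description` block in the first hunk), which is a typo the reflow preserved rather than fixed; the find rule in this same commit uses "break out from", so the wording is also inconsistent across the set. The first line of that block should read `Identifies Linux binary apt/apt-get abuse to break out of restricted shells or environments by spawning an`. The awk rule's description in the next file section carries the same "breakout out" wording and should get the matching fix. The remaining changes in this section (tag rename to "Execution", T1059.004 / TA0002 mapping) are internally consistent with each other.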
@@ -1,25 +1,25 @@
[metadata]
creation_date = "2022/02/24"
maturity = "production"
updated_date = "2022/02/24"
updated_date = "2022/03/17"
[rule]
author = ["Elastic"]
description = """
Identifies Linux binary awk abuse to breakout out of restricted shells or environments by spawning an
interactive system shell. This activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
Identifies Linux binary awk abuse to breakout out of restricted shells or environments by spawning an interactive system
shell. This activity is not standard use with this binary for a user or system administrator. It indicates a potentially
malicious actor attempting to improve the capabilities or stability of their access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Linux Restricted Shell Breakout via awk Commands"
references = ["https://gtfobins.github.io/gtfobins/nawk/",
"https://gtfobins.github.io/gtfobins/mawk/"]
references = ["https://gtfobins.github.io/gtfobins/nawk/", "https://gtfobins.github.io/gtfobins/mawk/"]
risk_score = 47
rule_id = "10754992-28c7-4472-be5b-f3770fd04f2d"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
timestamp_override = "event.ingested"
type = "eql"
@@ -33,17 +33,18 @@ sequence by host.id, process.pid with maxspan=1m
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1548.004"
name = "Elevated Execution with Prompt"
reference = "https://attack.mitre.org/techniques/T1548/004/"
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/02/24"
maturity = "production"
updated_date = "2022/03/04"
updated_date = "2022/03/17"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/env/"]
risk_score = 47
rule_id = "72d33577-f155-457d-aad3-379f9b750c97"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
timestamp_override = "event.ingested"
type = "eql"
@@ -31,18 +31,18 @@ process where event.type == "start" and process.name : "env" and process.args_co
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1548.004"
name = "Elevated Execution with Prompt"
reference = "https://attack.mitre.org/techniques/T1548/004/"
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/03/07"
maturity = "development"
updated_date = "2022/03/07"
updated_date = "2022/03/17"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/expect/"]
risk_score = 47
rule_id = "fd3fc25e-7c7c-4613-8209-97942ac609f6"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
timestamp_override = "event.ingested"
type = "eql"
@@ -30,23 +30,6 @@ sequence by host.id, process.pid with maxspan=1m
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.004"
name = "Elevated Execution with Prompt"
reference = "https://attack.mitre.org/techniques/T1548/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
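Review bot: This hunk removes the whole T1548 / TA0005 `[[rule.threat]]` entry and leaves a second `[[rule.threat]]` entry whose technique and tactic lines are outside the hunk, so from this view I cannot confirm that the surviving entry actually carries the TA0002 / T1059.004 mapping that the new "Execution" tag in the earlier hunk now implies. Please confirm that `tags` and the surviving `rule.threat.tactic.name` agree after the deletion, since a rule whose tag names a tactic that no threat entry declares is a silent inconsistency rather than a load error. The vi rule's last file section makes the identical deletion and needs the same check.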
@@ -1,11 +1,15 @@
[metadata]
creation_date = "2022/02/28"
maturity = "production"
updated_date = "2022/02/28"
updated_date = "2022/03/17"
[rule]
author = ["Elastic"]
description = "Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell. This activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their access."
description = """
Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell.
This activity is not standard use with this binary for a user or system administrator. It indicates a potentially
malicious actor attempting to improve the capabilities or stability of their access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
@@ -15,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/find/"]
risk_score = 47
rule_id = "6f683345-bb10-47a7-86a7-71e9c24fb358"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
timestamp_override = "event.ingested"
type = "eql"
@@ -29,18 +33,18 @@ sequence by host.id, process.pid with maxspan=1m
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1548.004"
name = "Elevated Execution with Prompt"
reference = "https://attack.mitre.org/techniques/T1548/004/"
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
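Review bot: Converting `description` from a single-line basic string to a `"""` multi-line string changes the value slightly: the newline after the opening `"""` is trimmed, but the newline before the closing `"""` is kept, so the description now ends in a trailing line break that the old single-line form did not have. The apt and awk rules in this commit already use the same form, so the loader presumably tolerates it; if the exact value matters anywhere (hashing, display), end the last text line with a line-ending backslash, i.e. `malicious actor attempting to improve the capabilities or stability of their access.\`. This only applies to the description hunk; the tag and threat hunks in this section are consistent with the rest of the commit.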
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/03/09"
maturity = "production"
updated_date = "2022/03/09"
updated_date = "2022/03/17"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/gcc/"]
risk_score = 47
rule_id = "da986d2c-ffbf-4fd6-af96-a88dbf68f386"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
timestamp_override = "event.ingested"
type = "eql"
@@ -33,18 +33,18 @@ sequence by host.id, process.pid with maxspan=1m
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1548.004"
name = "Elevated Execution with Prompt"
reference = "https://attack.mitre.org/techniques/T1548/004/"
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/03/09"
maturity = "production"
updated_date = "2022/03/09"
updated_date = "2022/03/17"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/mysql/"]
risk_score = 47
rule_id = "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
timestamp_override = "event.ingested"
type = "eql"
@@ -33,18 +33,18 @@ sequence by host.id, process.pid with maxspan=1m
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1548.004"
name = "Elevated Execution with Prompt"
reference = "https://attack.mitre.org/techniques/T1548/004/"
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/03/07"
maturity = "development"
updated_date = "2022/03/07"
updated_date = "2022/03/17"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/nice/"]
risk_score = 47
rule_id = "22755f7f-1e1e-4528-a75f-bb3f4026d1b9"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
timestamp_override = "event.ingested"
type = "eql"
@@ -33,18 +33,18 @@ sequence by host.id, process.pid with maxspan=1m
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1548.004"
name = "Elevated Execution with Prompt"
reference = "https://attack.mitre.org/techniques/T1548/004/"
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/03/10"
maturity = "production"
updated_date = "2022/03/10"
updated_date = "2022/03/17"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/ssh/"]
risk_score = 47
rule_id = "97da359b-2b61-4a40-b2e4-8fc48cf7a294"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
timestamp_override = "event.ingested"
type = "eql"
@@ -33,18 +33,18 @@ sequence by host.id, process.pid with maxspan=1m
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1548.004"
name = "Elevated Execution with Prompt"
reference = "https://attack.mitre.org/techniques/T1548/004/"
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/03/03"
maturity = "production"
updated_date = "2022/03/03"
updated_date = "2022/03/17"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/vi/"]
risk_score = 47
rule_id = "89583d1b-3c2e-4606-8b74-0a9fd2248e88"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
timestamp_override = "event.ingested"
type = "eql"
@@ -30,23 +30,6 @@ sequence by host.id,process.pid with maxspan=1m
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.004"
name = "Elevated Execution with Prompt"
reference = "https://attack.mitre.org/techniques/T1548/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]