security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] System Log File Deletion (#2362)

Browse Source 
* [Rule Tuning] Indicator Removal on Host

-adding subtechnique
-adding additional log files (boot.log, kern.log)

* Update defense_evasion_log_files_deleted.toml

update subtechnique name after failed test
This commit is contained in:
Isai
2022-10-18 09:11:27 -04:00
committed by GitHub
parent 642992b1df
commit 8478d959f4
1 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/defense_evasion_log_files_deleted.toml
+8 -3
View File
@@ -3,7 +3,7 @@ creation_date = "2020/11/03"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/10/17"
[rule]
author = ["Elastic"]
@@ -42,7 +42,9 @@ file where event.type == "deletion" and
"/var/log/syslog",
"/var/log/messages",
"/var/log/secure",
"/var/log/auth.log"
"/var/log/auth.log",
"/var/log/boot.log",
"/var/log/kern.log"
) and
not process.name : ("gzip")
'''
@@ -54,7 +56,10 @@ framework = "MITRE ATT&CK"
id = "T1070"
name = "Indicator Removal on Host"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.002"
name = "Clear Linux or Mac System Logs"
reference = "https://attack.mitre.org/techniques/T1070/002/"
[rule.threat.tactic]
id = "TA0005"