[Rule Tuning] Agent Spoofing (#3729)

Ruben Groenewoud
2024-06-03 19:28:24 +02:00
committed by GitHub
parent f09a640ddf
commit 90bb8b53d8
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/05/31"
[rule]
author = ["Elastic"]
description = """
Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" occurs when the
expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch/mismatch" occurs when
the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
attempts to spoof events in order to masquerade actual activity to evade detection.
"""
false_positives = [
@@ -29,20 +29,18 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.agent_id_status:agent_id_mismatch
event.agent_id_status:(agent_id_mismatch or mismatch)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
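Review bot: The widened query `event.agent_id_status:(agent_id_mismatch or mismatch)` in the second hunk accepts two status values, but nothing in the rule records why both are needed or which producer emits which, so a later tuner may drop one as redundant. If I recall correctly, `mismatch` is the value ECS documents for `event.agent_id_status` and `agent_id_mismatch` is the older Fleet-specific spelling; that is worth pinning above the query, e.g. `# "mismatch" is the ECS value for event.agent_id_status; "agent_id_mismatch" is the legacy Fleet status — keep both so older and newer agents are covered.`. The description edit in the first hunk carries the same pairing as `agent_id_mismatch/mismatch`, so the two should be kept in sync whenever one is changed. The `[rule]` table this query belongs to opens outside the second hunk, and the rule's `note` field, if present, is not visible on this page.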