[Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905)

* [Rule Tuning] Misc. DR Rule Tuning - Part 2

* ++

* Update privilege_escalation_suspicious_uid_guid_elevation.toml

* Update rules/linux/persistence_systemd_service_creation.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Ruben Groenewoud
2024-07-19 15:21:35 +02:00
committed by GitHub
parent 76fdd549a3
commit a71bbe0cf8
12 changed files with 92 additions and 49 deletions
@@ -2,7 +2,7 @@
creation_date = "2023/07/28"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/07/18"
[rule]
author = ["Elastic"]
@@ -61,35 +61,37 @@ sequence by host.id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
(process.name == "tar" and process.args : "--checkpoint=*" and process.args : "--checkpoint-action=*") or
(process.name == "rsync" and process.args : "-e*") or
(process.name == "zip" and process.args == "--unzip-command") )] by process.entity_id
(process.name == "zip" and process.args == "--unzip-command")
) and not process.executable : "/tmp/newroot/*"
] by process.entity_id
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.parent.name : ("tar", "rsync", "zip") and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
] by process.parent.entity_id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
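Review bot: The new `) and not process.executable : "/tmp/newroot/*"` clause on the first sequence stage records no rationale for the exclusion, so a later tuner cannot tell which benign workload it covers or whether it could be narrowed to a specific binary name or parent process. Since this is a privilege-escalation rule and the carve-out is a path-prefix wildcard on an executable location rather than a tighter process attribute, the reason should be captured in the rule's metadata, e.g. a `false_positives` entry such as `"Archive tooling executed from a /tmp/newroot staging directory by <known workflow>"`, or as a short description sentence naming the source of the false positive. The exclusion applies only to the archive-tool stage, not to the child-shell stage, which is worth stating in that note so the scope is explicit. The hunk appears to end at this tactic reference; if the rule file continues past this view, the point still applies to the query block above.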