security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Docs | Rule Tuning] Add blog references to rules (#4097)

Browse Source 
* [Docs | Rule Tuning] Add blog references to rules

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from code review

* Update google_workspace blog references

* add okta blog references

* Update dates

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
This commit is contained in:
Mika Ayenson
2024-09-25 15:19:20 -05:00
committed by GitHub
parent 0ed6b3f0a2
commit b80d8342d6
164 changed files with 970 additions and 499 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/persistence_git_hook_process_execution.toml
+11 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2024/06/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/26"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -17,7 +17,10 @@ index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Git Hook Child Process"
references = ["https://git-scm.com/docs/githooks/2.26.0"]
references = [
"https://git-scm.com/docs/githooks/2.26.0",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 21
rule_id = "7ce5e1c7-6a49-45e6-a101-0720d185667f"
setup = """## Setup
@@ -57,6 +60,7 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in (
"applypatch-msg", "commit-msg", "fsmonitor-watchman", "post-update", "post-checkout", "post-commit",
@@ -73,9 +77,9 @@ process where host.os.type == "linux" and event.type == "start" and event.action
) and not process.name in ("git", "dirname")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
@@ -86,29 +90,28 @@ id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -116,3 +119,4 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"