security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

RTA For Linux DR and ER Rules (#2904)

Browse Source
This commit is contained in:
shashank-elastic
2023-07-04 18:46:28 +05:30
committed by GitHub
parent 78055bbeee
commit d8969f8df1
3 changed files with 142 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rta/kernel_module_removal_execution.py
+46
View File
@@ -0,0 +1,46 @@
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
from pathlib import Path
from . import common
from . import RtaMetadata
metadata = RtaMetadata(
uuid="900e8599-1d5f-4522-9aed-6eab82de2bad",
platforms=["linux"],
endpoint=[
{
"rule_name": "Kernel Module Removal",
"rule_id": "e80ba5e4-b6c6-4534-87b0-8c0f4e1d97e7",
}
],
siem=[
{
"rule_name": "Kernel Module Removal",
"rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
}
],
techniques=["T1562", "T1562.001", "T1547", "T1547.006"],
)
@common.requires_os(metadata.platforms)
def main():
masquerade = "/tmp/rmmod"
source = common.get_path("bin", "linux.ditto_and_spawn")
common.copy_file(source, masquerade)
# Execute command
common.log("Launching fake commands to remove Kernel Module")
common.execute([masquerade], timeout=10, kill=True)
# cleanup
common.remove_file(masquerade)
if __name__ == "__main__":
exit(main())
rta/mimipenguin_execution.py
+50
View File
@@ -0,0 +1,50 @@
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
from pathlib import Path
from . import common
from . import RtaMetadata
metadata = RtaMetadata(
uuid="e5a98cc9-1f15-4d14-baf2-96bebb932ae9",
platforms=["linux"],
endpoint=[
{
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"rule_id": "508226f9-4030-4e86-86cd-63321b7164bc",
}
],
siem=[
{
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311"
}
],
techniques=["T1212", "T1003", "T1003.007"],
)
@common.requires_os(metadata.platforms)
def main():
masquerade = "/tmp/ps"
masquerade2 = "/tmp/strings"
source = common.get_path("bin", "linux.ditto_and_spawn")
common.copy_file(source, masquerade)
common.copy_file(source,masquerade2)
# Execute command
common.log("Launching fake commands to dump credential via proc")
common.execute([masquerade, "-eo", "pid", "command"], timeout=10, kill=True)
common.execute([masquerade2, "/tmp/test"], timeout=10, kill=True)
# cleanup
common.remove_file(masquerade)
common.remove_file(masquerade2)
if __name__ == "__main__":
exit(main())
rta/unshadow_execution.py
+46
View File
@@ -0,0 +1,46 @@
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
from pathlib import Path
from . import common
from . import RtaMetadata
metadata = RtaMetadata(
uuid="c5cecd6d-a7c4-4e3b-970d-6ca5cfc5c662",
platforms=["linux"],
endpoint=[
{
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"rule_id": "05f95917-6942-4aab-a904-37c6db906503",
}
],
siem=[
{
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c"
}
],
techniques=["T1003", "T1003.008"],
)
@common.requires_os(metadata.platforms)
def main():
masquerade = "/tmp/unshadow"
source = common.get_path("bin", "linux.ditto_and_spawn")
common.copy_file(source, masquerade)
# Execute command
common.log("Launching fake commands to dump credential via unshadow")
common.execute([masquerade, "/etc/passwd /etc/shadow"], timeout=10, kill=True)
# cleanup
common.remove_file(masquerade)
if __name__ == "__main__":
exit(main())