security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New BBR] Suspicious Clipboard Activity (#2970)

Browse Source 
* [New BBR] Suspicious Clipboard Activity

* Added new line to end of file

* Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2023-08-03 15:41:23 +02:00
committed by GitHub
parent a7ff449fbc
commit ef1fa94c52
1 changed files with 52 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules_building_block/collection_linux_suspicious_clipboard_activity.toml
+52
View File
@@ -0,0 +1,52 @@
[metadata]
creation_date = "2023/07/27"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/07/27"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group
leader. Adversaries may collect data stored in the clipboard from users copying information within or between
applications.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Suspicious Clipboard Activity Detected"
risk_score = 21
rule_id = "884e87cc-c67b-4c90-a4ed-e1e24a940c82"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Rule Type: BBR"]
type = "new_terms"
building_block_type = "default"
query = '''
event.category:process and host.os.type:"linux" and event.action:"exec" and event.type:"start" and
process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1115"
name = "Clipboard Data"
reference = "https://attack.mitre.org/techniques/T1115/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.group_leader.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"