security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0308e32ea00a8ba0dcc5d214b1fae6ec31ef1a82
sigma-rules/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
T
Jonhnathan 063386829c [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>

(cherry picked from commit 4233fef238)
2023-09-05 18:28:40 +00:00

72 lines
2.4 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/04/29"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
description = """
Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name.
Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.
This rule looks for hidden files or folders in common writable directories.
"""
false_positives = [
"""
Certain tools may create hidden temporary files or directories upon installation or as part of their normal
behavior. These events can be filtered by the process arguments, username, or process name values.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
name = "Creation of Hidden Files and Directories via CommandLine"
note = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 47
rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
not process.name in ("ls", "find", "grep", "git")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.001"
name = "Hidden Files and Directories"
reference = "https://attack.mitre.org/techniques/T1564/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink