security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
077041fef540b8dd56e0cee30cae659f601d016a
sigma-rules/rules/network/discovery_potential_network_sweep_detected.toml
T
Ruben Groenewoud 9b2e74b220 [Rule Tuning] Linux Rules (#3092) 
* [Rule Tuning] [WIP] Linux DR

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Fixed tag

* Added additional tuning

* unit test fix

* Additional tuning

* tuning

* added max signals

* Added max_signals=1 to brute force rules

* Cross-Platform Tuning

* Small fix

* new_terms conversion

* typo

* new_terms conversion

* Ransomware rule tuning

* performance tuning

* new_terms conversion for auditd_manager

* tune

* Need coffee

* kql/eql stuff

* formatting improvement

* new_terms sudo hijacking conversion

* exclusion

* Deprecations that were added last tuning

* Deprecations that were added last tuning

* Increased max timespan for brute force rules

* version bump

* added domain tag

* Two tunings

* More tuning

* Additional tuning

* updated_date bump

* query optimization

* Tuning

* Readded the exclusions for this one

* Changed int comparison

* Some tunings

* Update persistence_systemd_scheduled_timer_created.toml

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml

* Update rules/linux/command_and_control_cat_network_activity.toml

* Update persistence_message_of_the_day_execution.toml

* Changed max_signals

* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"

This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.

* Revertable merge

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* File name change

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 020fff3aea)
2023-10-23 14:34:55 +00:00

75 lines
2.3 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/05/17"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
description = '''
This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target
network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and
weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized
access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts
from one source host to 10 or more destination hosts on commonly used network services.
'''
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*",]
language = "kuery"
license = "Elastic License v2"
max_signals = 5
name = "Potential Network Sweep Detected"
risk_score = 21
rule_id = "781f8746-2180-4691-890c-4c96d11ca91d"
severity = "low"
tags = ["Domain: Network",
"Tactic: Discovery",
"Tactic: Reconnaissance",
"Use Case: Network Security Monitoring"
]
type = "threshold"
query = '''
destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"
[[rule.threat.technique.subtechnique]]
id = "T1595.001"
name = "Scanning IP Blocks"
reference = "https://attack.mitre.org/techniques/T1595/001/"
[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"
[rule.threshold]
field = ["source.ip"]
value = 1
[[rule.threshold.cardinality]]
field = "destination.ip"
value = 100
Reference in New Issue View Git Blame Copy Permalink