security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1ce072a4e58238d94deae33ff8de25458ac129d5
sigma-rules/rules_building_block/discovery_linux_system_information_discovery.toml
T
Ruben Groenewoud 38e2e4766f [Rule Tuning] Linux DR BBR Tuning (#5514) 
* [Rule Tuning] Linux DR BBR Tuning

* Update discovery_getconf_execution.toml

* Fix typo in process.args for dscl command

* Update persistence_web_server_sus_file_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-01-07 16:52:40 +01:00

67 lines
2.1 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/07/10"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/12/24"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule identifies Linux system information discovery activity via built-in commands that read common
system files. Adversaries may use these commands to gather information about the operating system, installed
services, and hardware configuration to aid in further exploration and exploitation of the system.
"""
from = "now-119m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*",]
interval = "60m"
language = "kuery"
license = "Elastic License v2"
name = "Linux System Information Discovery"
risk_score = 21
rule_id = "b81bd314-db5b-4d97-82e8-88e3e5fc9de5"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event or start) and
process.name:("cat" or "more" or "less" or "nano" or "vi" or "vim" or "vim.basic" or "emacs") and
process.args:(
"/etc/issue" or "/etc/os-release" or "/proc/version" or "/etc/profile" or "/proc/cpuinfo" or "/etc/services" or
"/etc/lsb-release" or "/etc/redhat-release" or "/etc/debian_version" or "/etc/hostname"
) and
not process.parent.executable:("/usr/local/jamf/bin/jamf" or "/etc/cp/watchdog/cp-nano-watchdog")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.parent.executable", "process.command_line", "agent.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-5d"
Reference in New Issue View Git Blame Copy Permalink