security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
21b559c97f2b53bf28345c337bfa187ed29f5535
sigma-rules/rules_building_block/discovery_suspicious_which_command_execution.toml
T
Ruben Groenewoud 84824c67fd [Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254) 
* [Rule Tuning & New Rule] Linux Reverse Shell

* [Tuning & New Rule] Linux Reverse Shells

* Name change

* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_shell_via_child_tcp_utility_linux.toml

* Update execution_shell_via_background_process.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2023-12-18 09:36:21 +01:00

59 lines
1.8 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/08/30"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/22"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage
the which command to enumerate the system for useful installed utilities that may be used after compromising a system to
escalate privileges or move latteraly across the network.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious which Enumeration"
risk_score = 21
rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem"
/* potential tuning if rule would turn out to be noisy
and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
*/
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
Reference in New Issue View Git Blame Copy Permalink