security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2eda02c10e1f4cecb9b9155773e1082bb44d0b83
sigma-rules/rules/cross-platform/persistence_shell_profile_modification.toml
T
Terrance DeJesus 4312d8c958 [FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429) 
* initial commit

* addressing flake errors

* added apm to _get_packagted_integrations logic

* addressed flake errors

* adjusted integration schema and updated rules to be a list

* updated several rules and removed a unit test

* updated rules with logs-* only index patterns

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* addressed flake errors

* integration is none is windows, endpoint or apm

* adding rules with accepted incoming changes from main

* fixed tag and tactic alignment errors from unit testing

* adjusted unit testing logic for integration tags; added more exclusion rules

* adjusted test_integration logic to be rule resistent and skip if -8.3

* adjusted comments for unit test skip

* fixed merge conflicts from main

* changing test_integration_tag to remove logic for rule version comparisons

* added integration tag to new rule

* adjusted rules updated_date value

* ignore guided onboarding rule in unit tests

* added integration tag to new rule

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-01-04 09:30:07 -05:00

77 lines
2.6 KiB
TOML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
[metadata]
creation_date = "2021/01/19"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
[rule]
author = ["Elastic"]
description = """
Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files
are executed in a user's context, either interactively or non-interactively, when a user logs in so that their
environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content
triggered by a users shell.
"""
false_positives = ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."]
from = "now-9m"
index = ["logs-endpoint.events.*", "auditbeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Bash Shell Profile Modification"
references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"]
risk_score = 47
rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and event.type:change and
process.name:(* and not (sudo or
vim or
zsh or
env or
nano or
bash or
Terminal or
xpcproxy or
login or
cat or
cp or
launchctl or
java)) and
not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and
file.path:(/private/etc/rc.local or
/etc/rc.local or
/home/*/.profile or
/home/*/.profile1 or
/home/*/.bash_profile or
/home/*/.bash_profile1 or
/home/*/.bashrc or
/Users/*/.bash_profile or
/Users/*/.zshenv)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.004"
name = "Unix Shell Configuration Modification"
reference = "https://attack.mitre.org/techniques/T1546/004/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink