security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2f7471e74979bc589618d5d0125901dc8c19cb6d
sigma-rules/rules/network/discovery_potential_port_scan_detected.toml
T
Terrance DeJesus 2b22d066fd [Rule Tuning] Add filebeat Compatibility to Network Rules (#2925) 
* add beats compatability to NPC rules

* added filebeat compatibility to 'Accepted Default Telnet Port Connection'

* added filebeat compatibility to 'Cobalt Strike Command and Control Beacon'

* added filebeat compatibility to 'Default Cobalt Strike Team Server Certificate'

* added filebeat compatibility to 'Roshal Archive (RAR) or PowerShell File Downloaded from the Internet'

* added filebeat compatibility to 'Possible FIN7 DGA Command and Control Behavior'

* added filebeat compatibility to 'Halfbaked Command and Control Beacon'

* added filebeat compatibility to 'IPSEC NAT Traversal Port Activity'

* added filebeat compatibility to 'SMTP on Port 26/TCP'

* added filebeat compatibility to 'RDP (Remote Desktop Protocol) from the Internet'

* added filebeat compatibility to 'VNC (Virtual Network Computing) from the Internet'

* added filebeat compatibility to 'VNC (Virtual Network Computing) to the Internet'

* added filebeat compatibility to 'RPC (Remote Procedure Call) from the Internet'

* added filebeat compatibility to 'RPC (Remote Procedure Call) to the Internet'

* added filebeat compatibility to 'SMB (Windows File Sharing) Activity to the Internet'

* removed extra space in query

* added filebeat compatibility to 'Inbound Connection to an Unsecure Elasticsearch Node'

* added filebeat compatibility to 'Abnormally Large DNS Response'

* fixed missing ending parenthesis

* added auditbeat to compatible rules

* addressed feedback

* removed filebeat and auditbeat due to incompatibility

* Update rules/network/command_and_control_cobalt_strike_beacon.toml

* Update rules/network/command_and_control_accepted_default_telnet_port_connection.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit b8ae2218f8)
2023-10-03 19:11:07 +00:00

71 lines
2.3 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/05/17"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/31"
[rule]
author = ["Elastic"]
description = '''
This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a
target system or network for open ports, allowing them to identify available services and potential vulnerabilities.
By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining
unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further
exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts
from one source host to 20 or more destination ports.
'''
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Network Scan Detected"
risk_score = 21
rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b"
severity = "low"
tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
type = "threshold"
query = '''
destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"
[[rule.threat.technique.subtechnique]]
id = "T1595.001"
name = "Scanning IP Blocks"
reference = "https://attack.mitre.org/techniques/T1595/001/"
[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"
[rule.threshold]
field = ["destination.ip", "source.ip"]
value = 1
[[rule.threshold.cardinality]]
field = "destination.port"
value = 250
Reference in New Issue View Git Blame Copy Permalink