security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
724e34ba95ffb48d13e18a91c547800986164572
sigma-rules/rules_building_block/discovery_internet_capabilities.toml
T
Ruben Groenewoud 4cdf52129a [Tuning] Windows Discovery Rule Tuning for UEBA (#3097) 
* [Tuning] Win DR Tuning for UEBA

* Need to get used to Windows formatting

* Added additional content

* Updated min stack

* Added additional tuning

* Fixed unit testing for KQL optimization

* Update rules_building_block/discovery_internet_capabilities.toml

* Additional tuning

* Kuery optimization

* Additional tuning

* Additional tuning

* Additional tuning

* Additional tuning

* Unit testing optimization fix

* optimization

* tuning

* Optimization

* Update rules/windows/discovery_privileged_localgroup_membership.toml

* Added feedback

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* added host.id as additional new_terms field

* Reworked a lot.

* kibana.alert.rule.rule_id to non-ecs-schema.json

* Fixed index by adding a dot

* fixed typo

* Added host.os.type:windows for signals

* Added additional tag

* Added Higher-Order Rule tag

* Stripped down signal rules down to two

* revert

* Update rules/windows/discovery_admin_recon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_generic_registry_query.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update discovery_generic_registry_query.toml

* Readded exclusions

* Added trailing wildcards for KQL

* Update discovery_privileged_localgroup_membership.toml

* Update rules_building_block/discovery_signal_unusual_user_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Formatting fix

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-10-11 09:43:26 +02:00

67 lines
2.0 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/07/12"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/20"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies the use of built-in tools attackers can use to check for Internet connectivity on compromised systems. These
results may be used to determine communication capabilities with C2 servers, or to identify routes, redirectors, and
proxy servers.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Discovery of Internet Capabilities via Built-in Tools"
risk_score = 21
rule_id = "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db"
severity = "low"
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:windows and event.category:process and event.type:start and
process.name.caseless:("ping.exe" or "tracert.exe" or "pathping.exe") and
not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "1.1.1.1" or "1.2.3.4" or "::1")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1016"
name = "System Network Configuration Discovery"
reference = "https://attack.mitre.org/techniques/T1016/"
[[rule.threat.technique.subtechnique]]
id = "T1016.001"
name = "Internet Connection Discovery"
reference = "https://attack.mitre.org/techniques/T1016/001/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
Reference in New Issue View Git Blame Copy Permalink