security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8e240f9e793d7c24942e4bbe9c8bfceca8d03136
sigma-rules/rules/cross-platform/impact_hosts_file_modified.toml
T
Justin Ibarra 46d5e37b76 min_stack all rules to 8.3 (#2259) 
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
2022-08-24 10:38:49 -06:00

74 lines
2.7 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/07/07"
maturity = "production"
updated_date = "2022/08/24"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
[rule]
author = ["Elastic"]
description = """
The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first
point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic
to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or
RHEL) and macOS systems.
"""
from = "now-9m"
index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Hosts File Modified"
note = """## Setup
For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"]
risk_score = 47
rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Impact"]
timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
timeline_title = "Comprehensive File Timeline"
timestamp_override = "event.ingested"
type = "eql"
query = '''
any where
/* file events for creation; file change events are not captured by some of the included sources for linux and so may
miss this, which is the purpose of the process + command line args logic below */
(
event.category == "file" and event.type in ("change", "creation") and
file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts")
)
or
/* process events for change targeting linux only */
(
event.category == "process" and event.type in ("start") and
process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and
process.args : ("/etc/hosts")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1565"
reference = "https://attack.mitre.org/techniques/T1565/"
name = "Data Manipulation"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
reference = "https://attack.mitre.org/techniques/T1565/001/"
name = "Stored Data Manipulation"
[rule.threat.tactic]
id = "TA0040"
reference = "https://attack.mitre.org/tactics/TA0040/"
name = "Impact"
Reference in New Issue View Git Blame Copy Permalink