Samirbous
04ea1a72c7
* [Rule Tuning] Security Software Discovery via Grep * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
81 lines
2.1 KiB
TOML
81 lines
2.1 KiB
TOML
[metadata]
|
|
creation_date = "2020/12/20"
|
|
maturity = "production"
|
|
updated_date = "2021/03/08"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus
|
|
or Host Firewall details.
|
|
"""
|
|
false_positives = ["Endpoint Security installers, updaters and post installation verification scripts."]
|
|
from = "now-9m"
|
|
index = ["logs-endpoint.events.*", "auditbeat-*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Security Software Discovery via Grep"
|
|
risk_score = 47
|
|
rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
|
|
severity = "medium"
|
|
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery"]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
process where event.type == "start" and
|
|
process.name : "grep" and user.id != "0" and
|
|
not process.parent.executable : "/Library/Application Support/*" and
|
|
process.args :
|
|
("Little Snitch*",
|
|
"Avast*",
|
|
"Avira*",
|
|
"ESET*",
|
|
"BlockBlock*",
|
|
"360Sec*",
|
|
"LuLu*",
|
|
"KnockKnock*",
|
|
"kav",
|
|
"KIS",
|
|
"RTProtectionDaemon*",
|
|
"Malware*",
|
|
"VShieldScanner*",
|
|
"WebProtection*",
|
|
"webinspectord*",
|
|
"McAfee*",
|
|
"isecespd*",
|
|
"macmnsvc*",
|
|
"masvc*",
|
|
"kesl*",
|
|
"avscan*",
|
|
"guard*",
|
|
"rtvscand*",
|
|
"symcfgd*",
|
|
"scmdaemon*",
|
|
"symantec*",
|
|
"sophos*",
|
|
"osquery*",
|
|
"elastic-endpoint*"
|
|
) and
|
|
not (process.args : "Avast" and process.args : "Passwords")
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1518"
|
|
name = "Software Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1518/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1518.001"
|
|
name = "Security Software Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1518/001/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0007"
|
|
name = "Discovery"
|
|
reference = "https://attack.mitre.org/tactics/TA0007/"
|