sigma-rules/rules/linux/discovery_suspicious_which_command_execution.toml
Jonhnathan e66bca73e0 [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 7 (#4349)
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 7

* Update rules/linux/discovery_process_capabilities.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-01-09 11:28:21 -03:00


[metadata]
# Bookkeeping consumed by the detection-rules tooling rather than by the rule engine. Dates are kept as
# "YYYY/MM/DD" strings: with "/" separators they are not valid TOML datetimes, so they must stay quoted.
creation_date = "2023/08/30"
integration = [
    "endpoint",
    "sentinel_one_cloud_funnel",
]
maturity = "production"
# Pinned because of the 8.13.0 breaking change in the SentinelOne integration noted below; older stacks
# would not carry the field mapping this rule's SentinelOne data source relies on.
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/07"
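[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of the which command with an unusual number of process arguments. Attackers may
leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a
system to escalate privileges or move laterally across the network.
"""
# Look-back window applied on each rule execution.
from = "now-9m"
# One index pattern per supported data source: Elastic Defend, Elastic Endgame, SentinelOne (see tags below).
index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious which Enumeration"
# Low confidence by design: the only signal is argument count (see the query notes), so the score stays low.
risk_score = 21
rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
# Detection notes (review):
# - event.action is widened to ("exec", "exec_event", "start") so that one query covers all three data sources
#   listed in `index`/`tags`; presumably these are the Elastic Defend, Endgame and SentinelOne spellings of a
#   process-start event respectively -- verify against each integration's field mapping.
# - process.args_count >= 10 is a heuristic for an enumeration-style call such as
#   `which nmap nc ncat netcat gcc g++ socat ...`; a benign `which` rarely carries ten arguments. An attacker can
#   stay under the threshold by splitting the lookup across several calls, or sidestep `which` entirely with
#   `command -v` / `type`, which is why this is a low-severity signal rather than a high-confidence detection.
# - The process.parent.executable exclusions suppress every `which` whose parent binary lives under an OpenVZ
#   (/vz/root) or Docker (/var/lib/docker) container filesystem. That removes container-runtime noise, but it also
#   means enumeration run from inside such a container is a known blind spot of this rule.
# - "jem" is excluded as a known benign parent; its origin is not documented here and should be noted by the
#   rule owner so the exclusion can be revisited.
# - Any `which` invocation that carries "--tty-only" is excluded (presumably the distro-provided shell alias
#   from /etc/profile.d/which2.sh, which always passes that flag -- confirm). An attacker who simply adds
#   --tty-only to their own `which` call bypasses the rule the same way.
# - The commented-out tuning block below is kept as an optional tightening step; its string list is now
#   syntactically valid so it can be enabled by removing the comment markers.
query = '''
process where host.os.type == "linux" and event.type == "start" and
  event.action in ("exec", "exec_event", "start") and
  process.name == "which" and process.args_count >= 10 and not (
    process.parent.name == "jem" or
    process.parent.executable like ("/vz/root/*", "/var/lib/docker/*") or
    process.args == "--tty-only"
  )
/* potential tuning if rule would turn out to be noisy
and process.args in ("nmap", "nc", "ncat", "netcat", "nc.traditional", "gcc", "g++", "socat") and
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
*/
'''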
[[rule.threat]]
framework = "MITRE ATT&CK"
# Enumerating which utilities are present on the host is mapped to System Information Discovery.
# NOTE(review): the behaviour the description calls out (looking up installed tools such as nmap/nc/gcc)
# also fits T1518 Software Discovery -- consider adding it as a second technique so the ATT&CK mapping
# matches the rule's stated intent.
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
# Tactic sub-table belongs to the [[rule.threat]] element above (it must stay between that header and any
# following [[rule.threat]]).
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"