security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a4f9cf4616096254e61c6cef875c1814c977517d
sigma-rules/rules/linux/execution_potential_hack_tool_executed.toml
T
Ruben Groenewoud 3855dd06d8 [New Rule] Potential Linux Hack Tool Launched (#3125) 
* [New Rule] Potential Linux Hack Tool Launched

* changed description slightly

* Updated description

* Update rules/linux/execution_potential_hack_tool_executed.toml

* Update rules/linux/execution_potential_hack_tool_executed.toml
2023-10-23 21:35:43 +02:00

61 lines
2.0 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/09/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2023/09/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
[rule]
author = ["Elastic"]
description = """
Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from
this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as
well.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Hack Tool Launched"
risk_score = 47
rule_id = "1df1152b-610a-4f48-9d7a-504f6ee5d9da"
severity = "medium"
timestamp_override = "event.ingested"
tags = ["Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
process.name in (
// exploitation frameworks
"crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc",
// network scanners (nmap left out to reduce noise)
"zenmap", "nuclei", "netdiscover", "legion",
// web enumeration
"gobuster", "dirbuster", "dirb", "wfuzz", "ffuf", "whatweb", "eyewitness",
// web vulnerability scanning
"wpscan", "joomscan", "droopescan", "nikto",
// exploitation tools
"sqlmap", "commix", "yersinia",
// cracking and brute forcing
"john", "hashcat", "hydra", "ncrack", "cewl", "fcrackzip", "rainbowcrack",
// host and network
"linenum.sh", "linpeas.sh", "pspy32", "pspy32s", "pspy64", "pspy64s", "binwalk", "evil-winrm"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink