sigma-rules/rules/network/discovery_potential_network_sweep_detected.toml
Terrance DeJesus b8ae2218f8 [Rule Tuning] Add filebeat Compatibility to Network Rules (#2925)
* add beats compatibility to NPC rules

* added filebeat compatibility to 'Accepted Default Telnet Port Connection'

* added filebeat compatibility to 'Cobalt Strike Command and Control Beacon'

* added filebeat compatibility to 'Default Cobalt Strike Team Server Certificate'

* added filebeat compatibility to 'Roshal Archive (RAR) or PowerShell File Downloaded from the Internet'

* added filebeat compatibility to 'Possible FIN7 DGA Command and Control Behavior'

* added filebeat compatibility to 'Halfbaked Command and Control Beacon'

* added filebeat compatibility to 'IPSEC NAT Traversal Port Activity'

* added filebeat compatibility to 'SMTP on Port 26/TCP'

* added filebeat compatibility to 'RDP (Remote Desktop Protocol) from the Internet'

* added filebeat compatibility to 'VNC (Virtual Network Computing) from the Internet'

* added filebeat compatibility to 'VNC (Virtual Network Computing) to the Internet'

* added filebeat compatibility to 'RPC (Remote Procedure Call) from the Internet'

* added filebeat compatibility to 'RPC (Remote Procedure Call) to the Internet'

* added filebeat compatibility to 'SMB (Windows File Sharing) Activity to the Internet'

* removed extra space in query

* added filebeat compatibility to 'Inbound Connection to an Unsecure Elasticsearch Node'

* added filebeat compatibility to 'Abnormally Large DNS Response'

* fixed missing ending parenthesis

* added auditbeat to compatible rules

* addressed feedback

* removed filebeat and auditbeat due to incompatibility

* Update rules/network/command_and_control_cobalt_strike_beacon.toml

* Update rules/network/command_and_control_accepted_default_telnet_port_connection.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-10-03 15:05:41 -04:00


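# Elastic detection rule: threshold-based detection of an internal host
# contacting many distinct hosts on common service ports.
# [metadata] is bookkeeping read by the rule tooling; [rule] is the rule body.
[metadata]
creation_date = "2023/05/17"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/31"

[rule]
author = ["Elastic"]
# The destination-host count in the description must match the cardinality
# threshold at the bottom of this file; keep the two in sync when tuning.
description = '''
This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target
network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and
weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized
access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts
from one source host to 100 or more destination hosts on commonly used network services.
'''
# Lookback window evaluated on each run. No `interval` is set in this file, so
# the platform default schedule applies; the window should stay longer than
# that interval so events at the boundary are not missed.
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Network Sweep Detected"
risk_score = 21
rule_id = "781f8746-2180-4691-890c-4c96d11ca91d"
severity = "low"
tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
type = "threshold"
# Ports: 21 FTP, 22 SSH, 23 Telnet, 25 SMTP, 139 NetBIOS, 445 SMB, 3389 RDP,
# 5985/5986 WinRM. The source.ip filter restricts matches to RFC 1918
# (private) sources, so sweeps originating from non-private addresses are not
# covered by this rule.
query = '''
destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"
[[rule.threat.technique.subtechnique]]
id = "T1595.001"
name = "Scanning IP Blocks"
reference = "https://attack.mitre.org/techniques/T1595/001/"

[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"

# Groups matching events by source.ip; `value = 1` means a single matching
# event per source is enough to be counted, and the cardinality entry below is
# what actually gates the alert: 100 distinct destination.ip values within the
# lookback window.
# NOTE(review): the description previously stated 10 destination hosts while
# this threshold enforces 100; the description was aligned to the enforced
# value. If 10 was the intended sensitivity, lower the cardinality value
# instead and expect correspondingly more alerts.
[rule.threshold]
field = ["source.ip"]
value = 1
[[rule.threshold.cardinality]]
field = "destination.ip"
value = 100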