security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cb1a76552489aeadcf2cfcbca021ae53b26bedbf
sigma-rules/rules/cross-platform/impact_hosts_file_modified.toml
T
Adrian Serrano f656c7bc25 Fix Windows path causing emoji to be rendered in Kibana (#1585) 
In impact_hosts_file_modified rule, the `note` field contains a Windows
path that causes a confused-face-emoji to be rendered in the
Investigation Guide tab.

Surrounding the path in backticks fixes it.

(cherry picked from commit aa219710a1)
2021-11-03 16:02:33 +00:00

67 lines
2.2 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/07/07"
maturity = "production"
updated_date = "2021/10/27"
[rule]
author = ["Elastic"]
description = """
The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first
point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic
to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or
RHEL) and macOS systems.
"""
from = "now-9m"
index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Hosts File Modified"
note = """## Config
For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml."""
references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"]
risk_score = 47
rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Impact"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
any where
/* file events for creation; file change events are not captured by some of the included sources for linux and so may
miss this, which is the purpose of the process + command line args logic below */
(
event.category == "file" and event.type in ("change", "creation") and
file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts")
)
or
/* process events for change targeting linux only */
(
event.category == "process" and event.type in ("start") and
process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and
process.args : ("/etc/hosts")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1565"
reference = "https://attack.mitre.org/techniques/T1565/"
name = "Data Manipulation"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
reference = "https://attack.mitre.org/techniques/T1565/001/"
name = "Stored Data Manipulation"
[rule.threat.tactic]
id = "TA0040"
reference = "https://attack.mitre.org/tactics/TA0040/"
name = "Impact"
Reference in New Issue View Git Blame Copy Permalink