Mika Ayenson
a52751494e
* Convert config header to setup in note field * Parse note field into separate setup and note field with marko gfm * only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
86 lines
2.4 KiB
TOML
86 lines
2.4 KiB
TOML
[metadata]
|
|
creation_date = "2020/12/20"
|
|
maturity = "production"
|
|
updated_date = "2022/03/31"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus
|
|
or Host Firewall details.
|
|
"""
|
|
false_positives = ["Endpoint Security installers, updaters and post installation verification scripts."]
|
|
from = "now-9m"
|
|
index = ["logs-endpoint.events.*", "auditbeat-*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Security Software Discovery via Grep"
|
|
note = """## Setup
|
|
|
|
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
|
|
"""
|
|
risk_score = 47
|
|
rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
|
|
severity = "medium"
|
|
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery"]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
process where event.type == "start" and
|
|
process.name : "grep" and user.id != "0" and
|
|
not process.parent.executable : "/Library/Application Support/*" and
|
|
process.args :
|
|
("Little Snitch*",
|
|
"Avast*",
|
|
"Avira*",
|
|
"ESET*",
|
|
"BlockBlock*",
|
|
"360Sec*",
|
|
"LuLu*",
|
|
"KnockKnock*",
|
|
"kav",
|
|
"KIS",
|
|
"RTProtectionDaemon*",
|
|
"Malware*",
|
|
"VShieldScanner*",
|
|
"WebProtection*",
|
|
"webinspectord*",
|
|
"McAfee*",
|
|
"isecespd*",
|
|
"macmnsvc*",
|
|
"masvc*",
|
|
"kesl*",
|
|
"avscan*",
|
|
"guard*",
|
|
"rtvscand*",
|
|
"symcfgd*",
|
|
"scmdaemon*",
|
|
"symantec*",
|
|
"sophos*",
|
|
"osquery*",
|
|
"elastic-endpoint*"
|
|
) and
|
|
not (process.args : "Avast" and process.args : "Passwords")
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1518"
|
|
name = "Software Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1518/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1518.001"
|
|
name = "Security Software Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1518/001/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0007"
|
|
name = "Discovery"
|
|
reference = "https://attack.mitre.org/tactics/TA0007/"
|
|
|