security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dfef597794d4daf07eb4e8ebccd78bb64db930d4
sigma-rules/rules/cross-platform/impact_hosts_file_modified.toml
T
Mika Ayenson a52751494e 2058 add setup field to metadata (#2061) 
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2022-07-18 15:41:32 -04:00

74 lines
2.7 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/07/07"
maturity = "production"
updated_date = "2022/03/31"
min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
min_stack_version = "8.2"
[rule]
author = ["Elastic"]
description = """
The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first
point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic
to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or
RHEL) and macOS systems.
"""
from = "now-9m"
index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Hosts File Modified"
note = """## Setup
For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"]
risk_score = 47
rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Impact"]
timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
timeline_title = "Comprehensive File Timeline"
timestamp_override = "event.ingested"
type = "eql"
query = '''
any where
/* file events for creation; file change events are not captured by some of the included sources for linux and so may
miss this, which is the purpose of the process + command line args logic below */
(
event.category == "file" and event.type in ("change", "creation") and
file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts")
)
or
/* process events for change targeting linux only */
(
event.category == "process" and event.type in ("start") and
process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and
process.args : ("/etc/hosts")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1565"
reference = "https://attack.mitre.org/techniques/T1565/"
name = "Data Manipulation"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
reference = "https://attack.mitre.org/techniques/T1565/001/"
name = "Stored Data Manipulation"
[rule.threat.tactic]
id = "TA0040"
reference = "https://attack.mitre.org/tactics/TA0040/"
name = "Impact"
Reference in New Issue View Git Blame Copy Permalink