security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ec791fa67a4e597ef5013fbd2972508fc522ec4d
sigma-rules/rules/cross-platform/discovery_security_software_grep.toml
T
Colson Wilhoit 43d3f3b467 [New] Endpoint Rule Conversion PR (#5658) 
* update

* [New] Endpoint Rule Conversion PR

* fix: replace invalid rule_ids with valid UUIDs

* fix: remove malformed TOML in docker_outbound_connection rule

* fix: rename Security Software Discovery rule to avoid name collision

* fix: remove rule using unsupported 'as event' alias syntax

* fix: add timestamp_override, investigation guides, and fix MITRE mapping

- Added timestamp_override = 'event.ingested' to 15 non-sequence EQL rules
- Added '## Triage and analysis' investigation guides to 19 high-severity rules
- Fixed T1176 technique name from 'Browser Extensions' to 'Software Extensions'

* Enhance investigation guides for 19 high-severity macOS SIEM rules

Enhanced investigation guides to align with existing SIEM rule format:
- Added detailed context paragraphs explaining the threat and detection logic
- Expanded investigation steps to 6-7 items with specific field references
- Enhanced false positive analysis with 4-5 items and exclusion guidance
- Added comprehensive response and remediation steps (6-7 items)

Rules enhanced:
- Defense Evasion: dylib_injection, gatekeeper_override, tcc_access
- Persistence: shell_profile, hidden_plist, chromium_extension, startup_item,
  pkg_install_script, launch_agent_daemon
- Execution: unusual_library_python
- Lateral Movement: jamf_endpoint
- Command and Control: google_calendar_c2, oast_domain, etherhiding,
  curl_from_app, curl_google_script, unsigned_binary
- Collection: pbpaste, sensitive_file_compression

* Fix investigation guide tests: add Resources tag and fix OAST title

- Added 'Resources: Investigation Guide' tag to all 19 rules with investigation guides
- Fixed OAST rule investigation guide title to match rule name exactly:
  'Network Connection to OAST Domain via Script Interpreter'

* Remove duplicate detection_rules 2 folder from PR

* Address Samir's PR feedback: consolidate rules, convert to ES|QL, fix Gatekeeper rule

Changes:
- Convert AWS S3 connection rule to ES|QL with aggregation
- Consolidate Python + Node non-standard port rules into single script interpreter rule
- Fix Gatekeeper rule to use correct gatekeeper_override event
- Simplify Gatekeeper rule to single event per Samir's suggestion
- Convert TCC access rule to ES|QL with COUNT_DISTINCT
- Tune cross-platform security software grep rule (add egrep, pgrep, more tools)
- Add node to system/network config check rule

Deleted duplicates (covered by existing cross-platform rules):
- Docker suspicious TLD rule (covered by unusual_connection_to_suspicious_top_level_domain)
- Security software via grep (tuned cross-platform version instead)
- VM fingerprinting via grep (duplicate of cross-platform version)

* fix: ESQL formatting and wildcard versioning patterns

- Add Esql. prefix to computed fields in ESQL rules
- Add KEEP statements to ESQL rules for proper field visibility
- Add perl* wildcard to OAST domain rule for version consistency
- Add ruby* wildcard to Etherhiding C2 rule for version consistency
- Fix regex pattern in TCC rule (perl.*/ruby.* for versioning)

* fix: remove duplicate Script Interpreter rule

Delete command_and_control_suspicious_outbound_python_network.toml which
is an exact duplicate of command_and_control_script_interpreter_connection_to_non_standard_port.toml
(same rule_id: aa1e007a-2997-4247-b048-dd9344742560)

* fix: add timestamp_override to Pbpaste and Gatekeeper rules

- collection_pbpaste_execution_via_unusual_parent.toml
- defense_evasion_gatekeeper_override_and_execution.toml

EQL/KQL rules require timestamp_override: event.ingested

* fix: remove perl from Script Interpreter rule

Perl is covered by the broader perl_outbound_network_connection rule which
catches perl → any external IP (not just non-standard ports). Perl network
connections on macOS are rare and inherently suspicious regardless of port.

* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/defense_evasion_suspicious_tcc_access_granted.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/persistence_manual_chromium_extension_loading.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/persistence_startup_item_plist_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Fix ESQL syntax error in AWS S3 connection rule

Remove trailing comma before BY clause in STATS command that caused a parsing_exception.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-06 10:53:44 -06:00

152 lines
6.2 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/12/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/03"
[rule]
author = ["Elastic"]
description = """
Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus
or Host Firewall details.
"""
false_positives = ["Endpoint Security installers, updaters and post installation verification scripts."]
from = "now-9m"
index = ["logs-endpoint.events.*", "auditbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Security Software Discovery via Grep"
note = """## Triage and analysis
### Investigating Security Software Discovery via Grep
After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.
This rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.
#### Possible investigation steps
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.
- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.
### False positive analysis
- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
risk_score = 47
rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: macOS",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and
process.name : ("grep", "egrep", "pgrep") and user.id != "0" and
not process.parent.executable : ("/Library/Application Support/*", "/opt/McAfee/agent/scripts/ma") and
process.args :
("Little Snitch*",
"Avast*",
"Avira*",
"ESET*",
"BlockBlock*",
"360Sec*",
"LuLu*",
"KnockKnock*",
"kav",
"KIS",
"RTProtectionDaemon*",
"Malware*",
"VShieldScanner*",
"WebProtection*",
"webinspectord*",
"McAfee*",
"isecespd*",
"macmnsvc*",
"masvc*",
"kesl*",
"avscan*",
"guard*",
"rtvscand*",
"symcfgd*",
"scmdaemon*",
"symantec*",
"sophos*",
"osquery*",
"elastic-endpoint*",
"falcond*",
"SentinelOne*",
"CbOsxSensorService*",
"CbDefense*",
"WhatsYourSign*",
"reikey*",
"OverSight*",
"KextViewr*",
"Netiquette*",
"processmonitor*",
"filemonitor*"
) and
not (
(process.args : "Avast" and process.args : "Passwords") or
(process.args == "osquery.conf") or
(process.parent.args : "/opt/McAfee/agent/scripts/ma" and process.parent.args : "checkhealth") or
(process.command_line : (
"grep ESET Command-line scanner, version %s -A2",
"grep -i McAfee Web Gateway Core version:",
"grep --color=auto ESET Command-line scanner, version %s -A2"
)
) or
(process.parent.command_line : (
"""sh -c printf "command_start_%s"*; perl -pe 's/[^ -~]/\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf "command_done_%s*""",
"""bash -c perl -pe 's/[^ -~]/\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1"""
)
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"
[[rule.threat.technique.subtechnique]]
id = "T1518.001"
name = "Security Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/001/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
Reference in New Issue View Git Blame Copy Permalink