forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
a1716bd
commit d21ed24
Showing
5 changed files
with
241 additions
and
0 deletions.
There are no files selected for viewing
49 changes: 49 additions & 0 deletions
49
rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| [metadata] | ||
| creation_date = "2023/08/23" | ||
| integration = ["endpoint"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/08/23" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| building_block_type = "default" | ||
| description = """ | ||
| Identify activity related where adversaries can add the 'hidden' flag to files to hide | ||
| them from the user in an attempt to evade detection. | ||
| """ | ||
| from = "now-119m" | ||
| interval = "60m" | ||
| index = ["logs-endpoint.events.*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Hidden Files and Directories via Hidden Flag" | ||
| risk_score = 21 | ||
| rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97" | ||
| severity = "low" | ||
| tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
| query = ''' | ||
| file where event.type : "creation" and process.name : "chflags" | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1564" | ||
| name = "Hide Artifacts" | ||
| reference = "https://attack.mitre.org/techniques/T1564/" | ||
|
|
||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1564.001" | ||
| name = "Hidden Files and Directories" | ||
| reference = "https://attack.mitre.org/techniques/T1564/001/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0005" | ||
| name = "Defense Evasion" | ||
| reference = "https://attack.mitre.org/tactics/TA0005/" |
49 changes: 49 additions & 0 deletions
49
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| [metadata] | ||
| creation_date = "2023/08/24" | ||
| integration = ["endpoint"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/08/24" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| building_block_type = "default" | ||
| description = """ | ||
| Identify instances where adversaries include trailing space characters to mimic regular files, disguising their | ||
| activity to evade default file handling mechanisms. | ||
| """ | ||
| from = "now-119m" | ||
| interval = "60m" | ||
| index = ["logs-endpoint.events.*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Processes with Trailing Spaces" | ||
| risk_score = 21 | ||
| rule_id = "0c093569-dff9-42b6-87b1-0242d9f7d9b4" | ||
| severity = "low" | ||
| tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
| query = ''' | ||
| process where event.type in ("start", "process_started") and process.name : "* " | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1036" | ||
| name = "Masquerading" | ||
| reference = "https://attack.mitre.org/techniques/T1036/" | ||
|
|
||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1036.006" | ||
| name = "Space after Filename" | ||
| reference = "https://attack.mitre.org/techniques/T1036/006/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0005" | ||
| name = "Defense Evasion" | ||
| reference = "https://attack.mitre.org/tactics/TA0005/" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| [metadata] | ||
| creation_date = "2023/08/23" | ||
| integration = ["endpoint"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/08/23" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| building_block_type = "default" | ||
| description = """ | ||
| Identifies the execution of Linux built-in commands related to account or group enumeration. | ||
| Adversaries may use account and group information to orient themselves before deciding how to act.""" | ||
| from = "now-119m" | ||
| interval = "60m" | ||
| index = ["auditbeat-*", "logs-endpoint.events.*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Discovery of Domain Groups" | ||
| risk_score = 21 | ||
| rule_id = "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc" | ||
| severity = "low" | ||
| tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
| query = ''' | ||
| process where event.type : ("start", "process_started") and host.os.type == "linux" and | ||
| ( process.name : ("ldapsearch", "dscacheutil") or | ||
| (process.name : "dscl" and process.args : "*-list*") | ||
| ) | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1069" | ||
| name = "Permission Groups Discovery" | ||
| reference = "https://attack.mitre.org/techniques/T1069/" | ||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0007" | ||
| name = "Discovery" | ||
| reference = "https://attack.mitre.org/tactics/TA0007/" | ||
|
|
49 changes: 49 additions & 0 deletions
49
rules_building_block/persistence_creation_of_kernel_module.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| [metadata] | ||
| creation_date = "2023/08/23" | ||
| integration = ["endpoint"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/08/23" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| building_block_type = "default" | ||
| description = """ | ||
| Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory. | ||
| """ | ||
| from = "now-119m" | ||
| interval = "60m" | ||
| index = ["auditbeat-*", "logs-endpoint.events.*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Creation of Kernel Module" | ||
| risk_score = 21 | ||
| rule_id = "947827c6-9ed6-4dec-903e-c856c86e72f3" | ||
| severity = "low" | ||
| tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Rule Type: BBR"] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
| query = ''' | ||
| file where event.type in ("change", "creation") and host.os.type == "linux" and | ||
| file.path : "/lib/modules/*" and file.name : "*.ko" | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1547" | ||
| name = "Boot or Logon Autostart Execution" | ||
| reference = "https://attack.mitre.org/techniques/T1547/" | ||
|
|
||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1547.006" | ||
| name = "Kernel Modules and Extensions" | ||
| reference = "https://attack.mitre.org/techniques/T1547/006/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0003" | ||
| name = "Persistence" | ||
| reference = "https://attack.mitre.org/tactics/TA0003/" | ||
|
|
49 changes: 49 additions & 0 deletions
49
rules_building_block/privilege_escalation_trap_execution.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| [metadata] | ||
| creation_date = "2023/08/24" | ||
| integration = ["endpoint"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/08/24" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| building_block_type = "default" | ||
| description = """ | ||
| Identify activity related where adversaries can include a trap command which then allows programs and shells to specify | ||
| commands that will be executed upon receiving interrupt signals. | ||
| """ | ||
| from = "now-119m" | ||
| interval = "60m" | ||
| index = ["logs-endpoint.events.*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Trap Signals Execution" | ||
| risk_score = 21 | ||
| rule_id = "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e" | ||
| severity = "low" | ||
| tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR"] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
| query = ''' | ||
| process where event.type : ("start", "process_started") and process.name : "trap" and process.args : "SIG*" | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1546" | ||
| name = "Event Triggered Execution" | ||
| reference = "https://attack.mitre.org/techniques/T1546/" | ||
|
|
||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1546.005" | ||
| name = "Trap" | ||
| reference = "https://attack.mitre.org/techniques/T1546/005/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0004" | ||
| name = "Privilege Escalation" | ||
| reference = "https://attack.mitre.org/tactics/TA0004/" |