mirror of
https://github.com/socfortress/Wazuh-Rules.git
synced 2025-10-23 08:12:16 +00:00
640 lines
25 KiB
XML
640 lines
25 KiB
XML
<group name="osquery,">
|
|
<!--
|
|
<rule id="200220" level="1">
|
|
<if_sid>1002</if_sid>
|
|
<decoded_as>json</decoded_as>
|
|
<description>Osquery Messages grouped.</description>
|
|
</rule>
|
|
-->
|
|
<rule id="200221" level="3">
|
|
<decoded_as>json</decoded_as>
|
|
<field name="name">bpf_socket_events</field>
|
|
<description>osquery: $(columns.path) socket started.</description>
|
|
<options>no_full_log</options>
|
|
<group>bpf_socket_events,</group>
|
|
</rule>
|
|
<rule id="200222" level="3">
|
|
<decoded_as>json</decoded_as>
|
|
<field name="name">list_processes_with_hash</field>
|
|
<description>osquery: $(columns.path) process started.</description>
|
|
<options>no_full_log</options>
|
|
<group>list_processes_with_hash,</group>
|
|
</rule>
|
|
<rule id="200223" level="3">
|
|
<decoded_as>json</decoded_as>
|
|
<field name="name">bpf_process_events|es_process_events</field>
|
|
<description>osquery: $(columns.path) process started.</description>
|
|
<options>no_full_log</options>
|
|
<group>process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml -->
|
|
<rule id="200240" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">.bashrc|.bash_profile|.profile|/etc/profile|/etc/shells|/etc/bashrc|/etc/csh.cshrc|/etc/csh.login</field>
|
|
<description>Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1546</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_audio_capture.yml -->
|
|
<rule id="200241" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">arecord -vv -fdat</field>
|
|
<description>Detects attempts to record audio with arecord utility.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1123</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_binary_padding.yml -->
|
|
<rule id="200242" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">truncate -s</field>
|
|
<description>Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1027</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<rule id="200243" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">dd if=</field>
|
|
<description>Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1027</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml -->
|
|
<rule id="200244" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">/var/run/haldrund.pid|/var/run/xinetd.lock|/var/run/kdevrund.pid</field>
|
|
<description>Detects BPFDoor .lock and .pid files access in temporary file storage facility.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1059</id>
|
|
<id>T1106</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml -->
|
|
<rule id="200245" level="1">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">iptables -t nat</field>
|
|
<description>All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1562</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<rule id="200246" level="12">
|
|
<if_sid>200245</if_sid>
|
|
<field name="columns.cmdline">--to-ports 42|--to-ports 43</field>
|
|
<description>All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1562</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml -->
|
|
<rule id="200247" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">getcap -r /</field>
|
|
<description>Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1123</id>
|
|
<id>T1548</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml -->
|
|
<rule id="200248" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">touch -t|touch -acmr|touch -d|touch -r</field>
|
|
<description>Detect file time attribute change to hide new or changes to existing files.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1070</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml -->
|
|
<rule id="200249" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">chattr -i</field>
|
|
<description>Detects removing immutable file attribute.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1222</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml -->
|
|
<rule id="200250" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">xclip -selection - clip|xclip -sel - clip</field>
|
|
<description>Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1115</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_coinminer.yml -->
|
|
<rule id="200251" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">--cpu-priority</field>
|
|
<description>Detects command line parameter very often used with coin miners.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1068</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml -->
|
|
<rule id="200252" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">sudoedit -s -s -s -s</field>
|
|
<description>Detects exploitation attempt of vulnerability described in CVE-2021-3156.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1068</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<rule id="200253" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">sudoedit \\ \\ \\ \\ </field>
|
|
<description>Detects exploitation attempt of vulnerability described in CVE-2021-3156.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1068</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_data_compressed.yml -->
|
|
<rule id="200254" level="10">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">zip|gzip -f|tar -c</field>
|
|
<description>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1560</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml -->
|
|
<rule id="200255" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">wget --post-file=</field>
|
|
<description>Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1048</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_dd_delete_file.yml -->
|
|
<rule id="200256" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">dd if=/dev/null|dd if=/dev/zero</field>
|
|
<description>Detects overwriting (effectively wiping/deleting) of a file.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1485</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_debugfs_usage.yml -->
|
|
<rule id="200257" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">debugfs</field>
|
|
<description>Detects access to a raw disk on a host to evade detection by security products.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1006</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml -->
|
|
<rule id="200258" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">systemctl disable firewalld|systemctl disable iptables|systemctl disable ufw</field>
|
|
<description>Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1562</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml -->
|
|
<rule id="200259" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">chmod|chown</field>
|
|
<description>Detects file and folder permission changes.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1222</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml -->
|
|
<rule id="200260" level="1">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">grep|cut|cat</field>
|
|
<description>Detecting attempts to extract passwords.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1552</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<rule id="200261" level="9">
|
|
<if_sid>200260</if_sid>
|
|
<field name="columns.cmdline">password</field>
|
|
<description>Detecting attempts to extract passwords with grep.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1552</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml -->
|
|
<rule id="200262" level="1">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">mkdir|touch|vim|nano|vi</field>
|
|
<description>Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1564</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<rule id="200263" level="8">
|
|
<if_sid>200262</if_sid>
|
|
<field name="columns.cmdline">/.|^.</field>
|
|
<description>Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1564</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml -->
|
|
<rule id="200264" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">cat</field>
|
|
<field name="columns.cmdline">.jpg|.png</field>
|
|
<field name="columns.cmdline">.zip</field>
|
|
<description>Detects appending of zip file to image.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1027</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml -->
|
|
<rule id="200265" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">/etc/ld.so.preload</field>
|
|
<description>Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1574</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml -->
|
|
<rule id="200266" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">insmod</field>
|
|
<field name="columns.path">/usr/bin/kmod</field>
|
|
<description>Detects loading of kernel modules with insmod command.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1547</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_logging_config_change.yml -->
|
|
<rule id="200267" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">/etc/syslog.conf|/etc/rsyslog.conf|/etc/syslog-ng/syslog-ng.conf</field>
|
|
<description>Detect changes of syslog daemons configuration files.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1562</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_masquerading_crond.yml -->
|
|
<rule id="200268" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">cp</field>
|
|
<field name="columns.cmdline">-i</field>
|
|
<field name="columns.cmdline">/bin/sh</field>
|
|
<field name="columns.cmdline">/crond</field>
|
|
<description>Masquerading as Linux Crond Process.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1036</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_network_service_scanning.yml -->
|
|
<rule id="200269" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.path">/telnet$|/nmap$|/netcat$|/nc$</field>
|
|
<description>Detects enumeration of local or remote network services.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1046</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_network_sniffing.yml -->
|
|
<rule id="200270" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">tcpdump|tshark</field>
|
|
<field name="columns.cmdline">-c</field>
|
|
<field name="columns.cmdline">-i</field>
|
|
<description>Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1040</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml -->
|
|
<rule id="200271" level="8">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">/etc/pam.d/common-password|/etc/security/pwquality.conf|/etc/pam.d/system-auth|/etc/login.defs</field>
|
|
<description>Detects password policy discovery commands.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1201</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<rule id="200272" level="10">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">chage|passwd</field>
|
|
<field name="columns.cmdline">--list|-l|-S|--status</field>
|
|
<field name="columns.cmdline">-i</field>
|
|
<description>Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1201</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml -->
|
|
<rule id="200273" level="9">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">systemctl</field>
|
|
<field name="columns.cmdline">daemon-reload|start</field>
|
|
<description>Detects a reload or a start of a service.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1543</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml -->
|
|
<rule id="200274" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">import</field>
|
|
<field name="columns.cmdline">-window</field>
|
|
<field name="columns.cmdline">root</field>
|
|
<field name="columns.cmdline">.png$|.jpg$|.jpeg$</field>
|
|
<description>Detects adversary creating screen capture of a desktop with Import Tool.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1113</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<rule id="200275" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">import</field>
|
|
<field name="columns.cmdline">.png$|.jpg$|.jpeg$</field>
|
|
<description>Detects adversary creating screen capture of a desktop with Import Tool.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1113</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml -->
|
|
<rule id="200276" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">xwd</field>
|
|
<field name="columns.cmdline">-root</field>
|
|
<field name="columns.cmdline">-out</field>
|
|
<field name="columns.cmdline">.xwd$</field>
|
|
<description>Detects adversary creating screen capture of a full with xwd.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1113</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<rule id="200277" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">xwd</field>
|
|
<field name="columns.cmdline">-out</field>
|
|
<field name="columns.cmdline">.xwd$</field>
|
|
<description>Detects adversary creating screen capture of a full with xwd.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1113</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml -->
|
|
<rule id="200278" level="9">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline" type="pcre2">split(?=\s)</field>
|
|
<description>Detection use of the command "split" to split files into parts and possible transfer.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1030</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml -->
|
|
<rule id="200279" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">steghide</field>
|
|
<field name="columns.cmdline">embed</field>
|
|
<field name="columns.cmdline">-cf|-ef</field>
|
|
<field name="columns.cmdline">-cf|-ef</field>
|
|
<description>Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1027</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml -->
|
|
<rule id="200280" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">steghide</field>
|
|
<field name="columns.cmdline">extract</field>
|
|
<field name="columns.cmdline">-sf</field>
|
|
<field name="columns.cmdline">.jpg$|.png$</field>
|
|
<description>Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1027</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_susp_cmds.yml -->
|
|
<rule id="200281" level="10">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">chmod|cp</field>
|
|
<field name="columns.cmdline">777|u\ps|/bin/ksh|/bin/sh</field>
|
|
<description>Detects relevant commands often related to malware or hacking activity.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1059</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml -->
|
|
<rule id="200282" level="10">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.path">^/tmp/|^/var/www/|^/home/\.*/public_html/|^/usr/local/apache2/|^/usr/local/httpd/|^/var/apache/|^/srv/www/|^/home/httpd/html/|^/srv/http/|^/usr/share/nginx/html/|^/var/lib/pgsql/data/|^/usr/local/mysql/data/|^/var/lib/mysql/|^/var/vsftpd/|^/etc/bind/|^/var/named/</field>
|
|
<description>Detects program executions in suspicious non-program folders related to malware or hacking activity.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1587</id>
|
|
<id>T1584</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml -->
|
|
<rule id="200283" level="10">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">.bash_history|.zsh_history|.zhistory|.history|.sh_history|fish_history</field>
|
|
<description>Detects commandline operations on shell history files.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1552</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_system_info_discovery.yml -->
|
|
<rule id="200284" level="10">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">/etc/lsb-release|/etc/redhat-release|/etc/issue|/sys/class/dmi/id/bios_version|/sys/class/dmi/id/product_name|/sys/class/dmi/id/chassis_vendor|/proc/scsi/scsi|/proc/ide/hd0/model|/proc/version</field>
|
|
<description>Detects System Information Discovery commands.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1082</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<rule id="200285" level="10">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">uname|uptime</field>
|
|
<description>Detects System Information Discovery commands.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1082</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml -->
|
|
<rule id="200286" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">unzip</field>
|
|
<field name="columns.cmdline">.jpg$|.png$</field>
|
|
<description>Detects extracting of zip file from image file.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1027</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_user_discovery.yml -->
|
|
<rule id="200287" level="10">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">^users$|^w$|^who$</field>
|
|
<description>Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1033</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
|
|
<rule id="200288" level="12">
|
|
<if_sid>200223</if_sid>
|
|
<field name="columns.cmdline">^curl -F</field>
|
|
<description>Detects a curl process start on linux, which indicates a file pushed to a remote server.</description>
|
|
<options>no_full_log</options>
|
|
<mitre>
|
|
<id>T1048</id>
|
|
</mitre>
|
|
<group>bpf_process_events,</group>
|
|
</rule>
|
|
</group>
|