Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 7 additions & 24 deletions rules/linux/bruteforce_attack.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.1
# Rule version v1.0.2

dataTypes:
- "linux"
Expand All @@ -15,35 +15,18 @@ description: "Identifies multiple SSH login failures followed by a successful on
references:
- "https://attack.mitre.org/tactics/TA0006/"
- "https://attack.mitre.org/techniques/T1110/"
where: equals("action", "system.auth") && regexMatch("log.message", "([Ss]ession opened)") && exists("origin.user") && exists("log.hostId")
where: |
contains("log.message", "Failed password") || (equals("action", "USER_AUTH") && contains("log.userauth.result", "fail"))
afterEvents:
- indexPattern: v11-log-linux-*
with:
- field: origin.user
- field: dataSource.keyword
operator: filter_term
value: '{{.origin.user}}'
- field: log.hostId
operator: filter_term
value: '{{.log.hostId}}'
value: '{{.dataSource}}'
- field: log.message
operator: filter_match
value: 'Failed password'
within: 15m
count: 10
or:
- indexPattern: v11-log-linux-*
with:
- field: origin.user
operator: filter_term
value: '{{.origin.user}}'
- field: log.hostId
operator: filter_term
value: '{{.log.hostId}}'
- field: log.message
operator: filter_match
value: 'authentication failure'
within: 15m
count: 10
groupBy:
- origin.ip
- origin.user
deduplicateBy:
- dataSource
16 changes: 4 additions & 12 deletions rules/linux/debian_family/crontab_persistence.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.0
# Rule version v1.0.1

dataTypes:
- linux
Expand All @@ -24,14 +24,6 @@ description: |
5. Review other persistence mechanisms on the host
6. If unauthorized, remove the cron entry and investigate the source of compromise
where: |
(contains("log.process", "crontab") || contains("log.process", "cron") || contains("log.process", "atd")) &&
(contains("log.message", "REPLACE") ||
contains("log.message", "INSTALL") ||
contains("log.message", "cron.d") ||
contains("log.message", "crontab") ||
contains("log.message", "at job") ||
(contains("log.message", "EDIT") && contains("log.message", "crontab")) ||
(contains("log.message", "BEGIN EDIT") || contains("log.message", "END EDIT")))
groupBy:
- origin.host
- origin.user
contains("origin.process", "crontab") && (contains("log.message", "REPLACE") || contains("log.message", "INSTALL") || contains("log.message", "LIST") || contains("log.message", "EDIT"))
deduplicateBy:
- dataSource
34 changes: 4 additions & 30 deletions rules/linux/debian_family/debian_specific_rootkits.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.0
# Rule version v1.0.1

dataTypes:
- linux
Expand Down Expand Up @@ -27,32 +27,6 @@ description: |
7. Analyze network connections for command and control communications
8. Update security tools and perform full system scan
where: |
(contains("log.file_path", "/usr/bin/passwd") &&
equals("log.event_type", "file_modify") &&
!equals("log.process_name", "dpkg")) ||
(contains("log.file_path", "/etc/ld.so.preload") &&
oneOf("log.event_type", ["file_create", "file_modify"])) ||
(oneOf("log.process_name", ["reptile", "bdvl", "azazel", "jynx", "xorddos"]) ||
contains("log.file_path", "reptile") ||
contains("log.file_path", "bdvl")) ||
(contains("log.command_line", "insmod") &&
(contains("log.command_line", "rootkit") ||
contains("log.command_line", "hide") ||
contains("log.command_line", "backdoor"))) ||
(contains("log.file_path", "/proc/") &&
contains("log.file_path", "/maps") &&
contains("log.message", "deleted")) ||
(oneOf("log.network_port", [31337, 12345, 6666]) &&
equals("log.event_type", "network_listen")) ||
(contains("log.file_path", "/dev/ptmx") &&
equals("log.event_type", "file_create") &&
!equals("log.user", "root")) ||
(contains("log.message", "LKM") &&
(contains("log.message", "rootkit") ||
contains("log.message", "hiding"))) ||
(regexMatch("log.file_path", "/lib/modules/.*/.*\\.ko") &&
equals("log.event_type", "file_create") &&
!equals("log.process_name", "dpkg"))
groupBy:
- lastEvent.log.process_name
- origin.host
regexMatch("origin.process", "/(reptile|bdvl|azazel|jynx|xorddos)") || (contains("origin.command", "insmod") && regexMatch("origin.command", "(rootkit|hide|backdoor)")) || (contains("origin.command", "ld.so.preload") && regexMatch("origin.command", "(>>|tee|echo)"))
deduplicateBy:
- dataSource
17 changes: 4 additions & 13 deletions rules/linux/debian_family/ebpf_rootkit_detection.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.0
# Rule version v1.0.1

dataTypes:
- linux
Expand All @@ -24,15 +24,6 @@ description: |
5. Investigate for signs of process hiding or network traffic manipulation
6. If malicious, reboot the system and perform forensic analysis
where: |
(contains("log.message", "bpf(") || contains("log.message", "BPF") ||
contains("log.message", "ebpf") || contains("log.message", "bpftool")) &&
(contains("log.message", "PROG_LOAD") || contains("log.message", "prog_load") ||
contains("log.message", "BPF_PROG_TYPE_TRACING") ||
contains("log.message", "BPF_PROG_TYPE_KPROBE") ||
contains("log.message", "BPF_PROG_TYPE_XDP") ||
contains("log.message", "attached") || contains("log.message", "loaded")) &&
!(contains("log.process", "systemd") || contains("log.process", "cilium") ||
contains("log.process", "falco") || contains("log.process", "bpftrace"))
groupBy:
- origin.host
- origin.user
regexMatch("origin.command", "bpftool .*(prog|map).*(load|loadall|attach)") && !regexMatch("origin.command", "(cilium|falco|bpftrace)")
deduplicateBy:
- dataSource
14 changes: 4 additions & 10 deletions rules/linux/debian_family/ld_preload_hijacking.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.0
# Rule version v1.0.1

dataTypes:
- linux
Expand All @@ -25,12 +25,6 @@ description: |
6. Remove the malicious preload entry and the shared library
7. Audit all running processes for injected libraries
where: |
(contains("log.message", "ld.so.preload") ||
contains("log.message", "LD_PRELOAD") ||
contains("log.message", "ld.so.conf")) &&
(contains("log.message", "modified") || contains("log.message", "write") ||
contains("log.message", "opened") || contains("log.message", "export") ||
contains("log.message", "changed"))
groupBy:
- origin.host
- origin.user
(contains("origin.command", "ld.so.preload") || contains("origin.command", "LD_PRELOAD") || contains("origin.command", "ld.so.conf")) && regexMatch("origin.command", "(>>|tee|echo|sed |cp |mv )")
deduplicateBy:
- dataSource
13 changes: 4 additions & 9 deletions rules/linux/debian_family/process_masquerading.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.0
# Rule version v1.0.1

dataTypes:
- linux
Expand All @@ -23,11 +23,6 @@ description: |
5. If confirmed malicious, terminate the process and remove the binary
6. Check for other masquerading processes on the system
where: |
(contains("log.message", "/proc/self/comm") ||
contains("log.message", "/proc/self/exe") ||
contains("log.message", "prctl") && contains("log.message", "PR_SET_NAME")) &&
(contains("log.message", "write") || contains("log.message", "modified") ||
contains("log.message", "open"))
groupBy:
- origin.host
- origin.user
regexMatch("log.execve.a0", "^\\[(kworker|kthreadd|ksoftirqd|migration|rcu_|kswapd|watchdog|kdevtmpfs|kauditd|kcompactd|kintegrityd|khugepaged|kblockd|kthrotld)")
deduplicateBy:
- dataSource
18 changes: 4 additions & 14 deletions rules/linux/debian_family/reverse_shell_detection.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.0
# Rule version v1.0.1

dataTypes:
- linux
Expand All @@ -25,16 +25,6 @@ description: |
6. Perform full incident response on the compromised host
7. Block the C2 IP address at the network perimeter
where: |
regexMatch("log.message", "(?i)bash\\s+-i\\s+>&\\s+/dev/tcp/") ||
regexMatch("log.message", "(?i)python[23]?\\s+-c\\s+.*socket.*connect") ||
regexMatch("log.message", "(?i)nc\\s+(-e|--exec|-c)\\s+") ||
regexMatch("log.message", "(?i)ncat\\s+(-e|--exec)\\s+") ||
regexMatch("log.message", "(?i)socat\\s+.*exec.*tcp") ||
regexMatch("log.message", "(?i)perl\\s+-e\\s+.*socket.*INET") ||
regexMatch("log.message", "(?i)php\\s+-r\\s+.*fsockopen") ||
regexMatch("log.message", "(?i)ruby\\s+-rsocket\\s+-e") ||
regexMatch("log.message", "(?i)mkfifo\\s+.*nc\\s+") ||
regexMatch("log.message", "(?i)\\b0<&\\d+-;exec\\s+\\d+<>/dev/tcp/")
groupBy:
- origin.host
- origin.ip
regexMatch("origin.command", "(bash -i.*/dev/tcp|python.* -c .*socket.*connect|nc .*-e|ncat .*-e|socat.*exec.*tcp|perl.*-e.*socket|php.*-r.*fsockopen|ruby.*-rsocket)")
deduplicateBy:
- dataSource
14 changes: 4 additions & 10 deletions rules/linux/debian_family/shell_rc_file_modification.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.0
# Rule version v1.0.1

dataTypes:
- linux
Expand All @@ -23,12 +23,6 @@ description: |
5. Review all shell RC files for the affected user and system-wide profiles
6. Remove malicious entries and investigate the compromise vector
where: |
(contains("log.message", ".bashrc") || contains("log.message", ".bash_profile") ||
contains("log.message", ".profile") || contains("log.message", "/etc/profile.d/") ||
contains("log.message", ".zshrc") || contains("log.message", ".zprofile") ||
contains("log.message", "/etc/bash.bashrc") || contains("log.message", "/etc/profile")) &&
(contains("log.message", "modified") || contains("log.message", "opened for writing") ||
contains("log.message", "write") || contains("log.message", "changed"))
groupBy:
- origin.host
- origin.user
regexMatch("origin.command", "(tee|>>|cp |sed |vi |vim |nano |echo).*(.bashrc|.bash_profile|.zshrc|.profile|/etc/profile)")
deduplicateBy:
- dataSource
12 changes: 4 additions & 8 deletions rules/linux/debian_family/ssh_authorized_keys_modification.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.0
# Rule version v1.0.1

dataTypes:
- linux
Expand All @@ -25,10 +25,6 @@ description: |
6. Remove unauthorized keys and rotate affected credentials
7. Monitor for subsequent SSH connections from unknown sources
where: |
(contains("log.message", "authorized_keys") || contains("log.message", "authorized_keys2")) &&
(contains("log.message", "modified") || contains("log.message", "opened for writing") ||
contains("log.message", "changed") || contains("log.process", "sshd") ||
contains("log.message", ".ssh") && contains("log.message", "write"))
groupBy:
- origin.host
- origin.user
contains("origin.command", "authorized_keys")
deduplicateBy:
- dataSource
16 changes: 4 additions & 12 deletions rules/linux/debian_family/ssh_tunneling_port_forwarding.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.0
# Rule version v1.0.1

dataTypes:
- linux
Expand All @@ -24,14 +24,6 @@ description: |
5. If unauthorized, terminate the SSH session and block the connection
6. Review SSH configuration to restrict port forwarding if not needed
where: |
contains("log.process", "sshd") &&
(regexMatch("log.message", "(?i)ssh\\s+.*-[LRD]\\s+") ||
contains("log.message", "port forwarding") ||
contains("log.message", "Local forwarding") ||
contains("log.message", "Remote forwarding") ||
contains("log.message", "Dynamic forwarding") ||
contains("log.message", "tunnel") ||
regexMatch("log.message", "(?i)open forward.*port"))
groupBy:
- origin.host
- origin.ip
regexMatch("origin.command", "ssh .*-[LRD] ")
deduplicateBy:
- dataSource
16 changes: 4 additions & 12 deletions rules/linux/debian_family/suspicious_binary_in_tmp.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.0
# Rule version v1.0.1

dataTypes:
- linux
Expand All @@ -24,14 +24,6 @@ description: |
6. Remove the binary and investigate the initial access vector
7. Scan the system for additional indicators of compromise
where: |
(regexMatch("log.message", "(?i)(exec|run|start|command|process).*(/tmp/|/dev/shm/|/var/tmp/)") ||
regexMatch("log.message", "(?i)(/tmp/|/dev/shm/|/var/tmp/)[^ ]+\\s+(started|executed|running)") ||
(contains("log.message", "EXECVE") &&
(contains("log.message", "/tmp/") || contains("log.message", "/dev/shm/") ||
contains("log.message", "/var/tmp/")))) &&
!(contains("log.process", "apt") || contains("log.process", "dpkg") ||
contains("log.process", "yum") || contains("log.process", "dnf") ||
contains("log.process", "pip"))
groupBy:
- origin.host
- origin.user
regexMatch("origin.process", "^/(tmp|dev/shm|var/tmp)/") && !regexMatch("origin.process", "(apt|dpkg|yum|dnf|pip)")
deduplicateBy:
- dataSource
13 changes: 4 additions & 9 deletions rules/linux/debian_family/systemd_timer_persistence.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.0
# Rule version v1.0.1

dataTypes:
- linux
Expand All @@ -24,11 +24,6 @@ description: |
5. Compare against baseline of known legitimate timers
6. If unauthorized, disable the timer and investigate
where: |
(contains("log.process", "systemctl") || contains("log.process", "systemd")) &&
contains("log.message", ".timer") &&
(contains("log.message", "Created symlink") || contains("log.message", "enable") ||
contains("log.message", "started") || contains("log.message", "Reloading") ||
contains("log.message", "loaded"))
groupBy:
- origin.host
- origin.user
contains("origin.command", "systemctl") && contains("origin.command", ".timer") && regexMatch("origin.command", "(enable|reenable|start|link)")
deduplicateBy:
- dataSource
12 changes: 6 additions & 6 deletions rules/linux/file_transfer_or_listener_established_via_netcat.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.1
# Rule version v1.0.2

dataTypes:
- "linux"
Expand All @@ -9,14 +9,14 @@ impact:
availability: 3
category: "Execution"
technique: "T1059.004 - Command and Scripting Interpreter"
adversary: target
adversary: origin
description: "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by
exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data
exfiltration."
references:
- "https://attack.mitre.org/tactics/TA0002/"
- "https://attack.mitre.org/techniques/T1059/004/"
where: regexMatch("log.message", "((nc|ncat|netcat|netcat.openbsd|netcat.traditional) (-l|-p|-lp|(-e)(.+)(\\/bin\\/bash|\\/bin\\/sh)|(\\/bin\\/bash|\\/bin\\/sh)(.+)(-e)))")
groupBy:
- target.ip
- target.user
where: |
regexMatch("origin.command", "(nc|ncat|netcat|netcat.openbsd|netcat.traditional) (-l|-lp|-p|-e)")
deduplicateBy:
- dataSource
10 changes: 5 additions & 5 deletions rules/linux/kde_autostart_modification.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.1
# Rule version v1.0.2

dataTypes:
- "linux"
Expand All @@ -15,7 +15,7 @@ description: "Identifies the creation or modification of a K Desktop Environment
references:
- "https://attack.mitre.org/tactics/TA0003/"
- "https://attack.mitre.org/techniques/T1547/"
where: regexMatch("log.message", "sh,desktop") && regexMatch("log.message", "(/home/(.+)/.config/autostart/|/root/.config/autostart/|/home/(.+)/.kde/Autostart/|/root/.kde/Autostart/|/home/(.+)/.kde4/Autostart/|/root/.kde4/Autostart/|/home/(.+)/.kde/share/autostart/|/root/.kde/share/autostart/|/home/(.+)/.kde4/share/autostart/|/root/.kde4/share/autostart/|/home/(.+)/.local/share/autostart/|/root/.local/share/autostart/|/home/(.+)/.config/autostart-scripts/|/root/.config/autostart-scripts/|/etc/xdg/autostart/|/usr/share/autostart/)") && !regexMatch("log.message", "(yum|dpkg|install|dnf|teams|yum-cron|dnf-automatic)")
groupBy:
- origin.ip
- origin.user
where: |
regexMatch("origin.command", "(.config/autostart/|.local/share/autostart/|/etc/xdg/autostart/|.config/autostart-scripts/)") && !regexMatch("origin.command", "(dpkg|apt|dnf|yum)")
deduplicateBy:
- dataSource
10 changes: 5 additions & 5 deletions rules/linux/kernel_module_removal.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.1
# Rule version v1.0.2

dataTypes:
- "linux"
Expand All @@ -15,7 +15,7 @@ description: "Kernel modules are pieces of code that can be loaded and unloaded
references:
- "https://attack.mitre.org/tactics/TA0005/"
- "https://attack.mitre.org/techniques/T1562/001/"
where: regexMatch("log.message", "(modprobe(.+)sudo(.+)(-r|--remove)|modprobe(.+)(-r|--remove)(.+)sudo|sudo(.+)modprobe(.+)(-r|--remove)|sudo(.+)(-r|--remove)(.+)modprobe|(-r|--remove)modprobe(.+)sudo|(-r|--remove)(.+)sudo(.+)modprobe)")
groupBy:
- origin.ip
- origin.user
where: |
regexMatch("origin.command", "modprobe .*(-r|--remove)")
deduplicateBy:
- dataSource
10 changes: 5 additions & 5 deletions rules/linux/modify_ssh_binaries.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rule version v1.0.0
# Rule version v1.0.1

dataTypes:
- linux
Expand All @@ -15,7 +15,7 @@ description: "Adversaries may modify SSH related binaries for persistence or cre
references:
- "https://attack.mitre.org/tactics/TA0003/"
- "https://attack.mitre.org/techniques/T1543/"
where: regexMatch("log.message", "libkeyutils.so") && !regexMatch("log.message", "(dpkg|yum|dnf|dnf-automatic)") && regexMatch("log.message", "(/usr/sbin/sshd|/usr/bin/ssh|/usr/bin/sftp|/usr/bin/scp)")
groupBy:
- origin.ip
- origin.user
where: |
contains("origin.command", "libkeyutils.so") || (regexMatch("origin.command", "(/usr/sbin/sshd|/usr/bin/ssh|/usr/bin/sftp|/usr/bin/scp)") && regexMatch("origin.command", "(cp |mv |install |tee |>>|dd )"))
deduplicateBy:
- dataSource
Loading
Loading