1 parent
837c8c8
commit 75291d8
Showing
100 changed files
with
2,298 additions
and
238 deletions.
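--- a/...es/linux/command_and_control_hidden_process_execution_followed_by_network_connection.toml
+++ b/...es/linux/command_and_control_hidden_process_execution_followed_by_network_connection.toml
@@ -0,0 +1,51 @@
+[rule]
+description = """
+Detects when a hidden process is executed, and initiates an outbound network connection. Threat actors may drop hidden
+payloads that will later be used to download additional payload stages or tools.
+"""
+id = "04ec0ec4-86c4-47e3-8c7b-8dad5f97532c"
+license = "Elastic License v2"
+name = "Hidden Process Execution followed by Network Connection"
+os_list = ["linux"]
+version = "1.0.3"
+
+query = '''
+sequence by process.entity_id with maxspan=30s
+[process where event.action == "exec" and event.type == "start" and
+process.executable: ("/tmp/.*", "/var/tmp/.*", "/dev/shm/.*")]
+[network where event.action in ("connection_attempted", "connection_accepted") and event.type == "start" and
+process.name : ".*"]
+'''
+
+min_endpoint_version = "7.15.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+
+[[threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[internal]
+min_endpoint_version = "7.15.0"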
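Review bot: The `.*` patterns on the `process.executable:` and `process.name :` lines are EQL wildcard matches (a literal dot followed by a glob), not regexes, and nothing in the file says so; a reader skimming the query will likely read them as "match anything". A comment above `query` would settle it: `# ".*" is a wildcard, not a regex: a literal dot then anything, i.e. dot-prefixed (hidden) names in world-writable dirs`. The two filters also interact in a way worth stating: the executable pattern admits a hidden directory with a normal binary name (e.g. `/tmp/.cache/bar`), while the `process.name : ".*"` check on the network event then requires a dot-prefixed basename, so a hidden binary below a non-hidden subdirectory (`/tmp/x/.evil`) is presumably outside the rule as written. Note as well that the `kill_process` action is keyed on the second event, so it can only fire after the connection attempt has already been observed.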
57 changes: 0 additions & 57 deletions
57
...r/rules/linux/defense_evasion_attempt_to_disable_linux_security_and_logging_controls.toml
This file was deleted.
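--- a/behavior/rules/linux/defense_evasion_defense_evasion_via_bind_mount.toml
+++ b/behavior/rules/linux/defense_evasion_defense_evasion_via_bind_mount.toml
@@ -0,0 +1,57 @@
+[rule]
+description = """
+Identifies the use of the `mount` command to bind mount a directory to `/proc` in order to hide files or processes from
+detection. This technique is used in the wild by malware samples to evade detection by hiding files or processes from
+security tools that rely on `/proc` to gather information about running processes.
+"""
+id = "69b41dec-033a-4629-9b1d-dd2c54b507b9"
+license = "Elastic License v2"
+name = "Defense Evasion via Bind Mount"
+os_list = ["linux"]
+reference = ["https://dfir.ch/posts/slash-proc/"]
+version = "1.0.1"
+
+query = '''
+process where event.type == "start" and event.action == "exec" and process.name == "mount" and
+process.args == "-o" and process.args : "/proc/*" and process.args_count >= 5 and not process.args : "/proc/*/*"
+'''
+
+min_endpoint_version = "7.15.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+
+[threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+
+[threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[internal]
+min_endpoint_version = "7.15.0"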
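Review bot: The condition on the second `process.args` line requires the `-o` flag but never requires a `bind` option, so the description's "bind mount" is narrower than what the query accepts (any `mount -o <opts> ... /proc/<x>` with five or more arguments), while the long-option form `mount --bind <dir> /proc/<pid>`, which carries no `-o`, is not matched at all. If the intent is the bind-mount case specifically, `(process.args : "*bind*" or process.args in ("--bind", "--rbind", "-B", "-R"))` in place of `process.args == "-o"` would track the description more closely; if the broader match is deliberate, a comment above `query` saying so would stop the next editor from "fixing" it. The `process.args_count >= 5` guard is presumably there to require a `mount -o <opts> <src> <target>` shape; naming that in a trailing comment would help too.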
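--- a/...x/defense_evasion_linux_decoded_or_decrypted_payload_written_to_suspicious_directory.toml
+++ b/...x/defense_evasion_linux_decoded_or_decrypted_payload_written_to_suspicious_directory.toml
@@ -0,0 +1,75 @@
+[rule]
+description = """
+Identifies when the openssl utility is used to decode and/or decrypt a payload and write it to an abnormal or suspicious
+directory. Malware authors may attempt to evade detection by encoding and/or encrypting their payload.
+"""
+id = "a0fce633-b6ee-4e4c-b6c7-ba46b8561e9e"
+license = "Elastic License v2"
+name = "Linux Decoded or Decrypted Payload Written to Suspicious Directory"
+os_list = ["linux"]
+reference = ["https://attack.mitre.org/software/S0482/"]
+version = "1.0.4"
+
+query = '''
+process where event.action == "exec" and event.type == "start" and (
+(process.name == "openssl" and process.args : "-out" and process.args : "enc" and process.args : ("-d", "-base64") and
+process.args : ("/var/tmp/*", "/dev/shm*", "/var/www/*")) or
+(process.name == "base64" and process.args : "-d" and
+process.args : ("/var/tmp/*", "/dev/shm*", "/var/www/*"))
+) and not process.parent.args : "*/var/lib/waagent/*" and not process.parent.name == "platform-python"
+'''
+
+min_endpoint_version = "7.15.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+[[threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+[[threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+
+
+[threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+[[threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+
+[threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[internal]
+min_endpoint_version = "7.15.0"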
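Review bot: The `base64` branch (the two lines starting `(process.name == "base64"`) checks the suspicious directory as a positional argument, but `base64 -d` has no output option: its positional argument is the encoded input file and the decoded data goes to stdout, so that branch fires on decoding a file *from* `/var/tmp`, `/dev/shm` or `/var/www`, not on writing one there as the rule name and description state (a shell redirect target never appears in `process.args`). Either document the asymmetry above `query`, e.g. `# openssl: the -out path is checked; base64: only the encoded *input* path is visible, the output redirect is not`, or drop the directory check on that branch if the output location was the intent. Separately, `"/dev/shm*"` lacks the trailing slash the other two entries carry, and `/tmp/*` is absent here although the hidden-process rule in this same commit covers `/tmp`; if both are deliberate, a one-line comment saying why would prevent a later "consistency" edit.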
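--- a/behavior/rules/linux/defense_evasion_linux_execution_of_a_file_dropped_by_openssl.toml
+++ b/behavior/rules/linux/defense_evasion_linux_execution_of_a_file_dropped_by_openssl.toml
@@ -0,0 +1,62 @@
+[rule]
+description = """
+Identifies when the OpenSSL utility create a file followed by its execution. Malware authors may attempt to evade
+detection and trick users into executing malicious code by encoding and encrypting their payload.
+"""
+id = "7032dd32-8a51-4545-94d0-5997051f4610"
+license = "Elastic License v2"
+name = "Linux Execution of a File Dropped by OpenSSL"
+os_list = ["linux"]
+reference = ["https://attack.mitre.org/software/S0482/", "https://attack.mitre.org/software/S0402/"]
+version = "1.0.3"
+
+query = '''
+sequence with maxspan=1m
+[file where event.action != "deletion" and process.name == "openssl"] by file.path
+[process where event.action == "exec" and event.type == "start"] by process.executable
+'''
+
+min_endpoint_version = "7.15.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+[[threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+
+
+[threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+[[threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+
+[threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[internal]
+min_endpoint_version = "7.15.0"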
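Review bot: The description's first sentence, `Identifies when the OpenSSL utility create a file followed by its execution.`, should read `creates a file`, and it would also help to state how the two events are tied together: the `sequence` on the `query` lines is joined only by `file.path` against `process.executable`, with no `by process.entity_id` or user/session key, so any exec of that path within `maxspan=1m`, presumably by any user or parent, completes the sequence. The file event admits every non-deletion action (`event.action != "deletion"`) rather than a creation/modification event specifically; if that breadth is intentional, a comment above `query` such as `# any non-delete file event by openssl, then exec of that same path within 1m; joined on path only, not on process lineage` would make the contract explicit for whoever tunes this next.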