-
Notifications
You must be signed in to change notification settings - Fork 55
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
a02231d
commit 3d0f9ac
Showing
51 changed files
with
1,252 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # Pulsar Security Rules | ||
| Pulsar Security Rules offer a robust set of rules designed to be used with Pulsar Rule Engine module to enforce effective security policies for most common use cases. | ||
|
|
||
| Rules are organized into folders based on the MITRE ATT&CK framework, allowing users to easily identify and select rules based on their specific security requirements. | ||
|
|
||
| ## Features | ||
| Each security rule within the Pulsar Security Rules comprises the following key elements: | ||
| - **Title**: A concise description providing a quick overview of the rule | ||
| - **Category**: Classification of the rule based on the MITRE ATT&CK framework, ensuring a standardized approach to rule organization | ||
| - **Severity**: An indication of the rule's severity level, allowing users to prioritize and address security concerns accordingly | ||
| - **Description**:A comprehensive and detailed explanation of the rule, offering insights into its purpose and implications | ||
| - **MITRE ATT&CK Tactic**: Alignment with the MITRE ATT&CK framework's tactics, highlighting the broader strategic context of the rule | ||
| - **MITRE ATT&CK Technique**: Association with specific MITRE ATT&CK techniques, providing users with additional context and reference points | ||
|
|
||
| ## Contribution | ||
| We welcome contributions from the community to enhance the Pulsar Security Rules. If you have identified new security patterns, want to improve existing rules, or have suggestions for additional features, please consider contributing to the project. | ||
|
|
||
| ## Acknowledgements | ||
| The Pulsar Security Rules are built upon the foundation of the [Elastic Detection Rules](https://github.com/elastic/detection-rules). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| # Title: Cat Network Activity | ||
|
|
||
| # Creation date: 2023/09/04 | ||
|
|
||
| # Category: Command and control | ||
|
|
||
| # Severity: Medium | ||
|
|
||
| # Description: This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat | ||
| # is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. | ||
| # This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools | ||
| # or files to another host in the network or exfiltrate data while attempting to evade detection in the process. | ||
|
|
||
| # MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ | ||
|
|
||
| # MITRE ATT&CK Technique: - - | ||
|
|
||
| - name: Shell executing suspicious binary | ||
| type: Exec | ||
| condition: payload.filename ENDS_WITH "cat" | ||
| AND | ||
| (header.image ENDS_WITH "/bash" OR header.image ENDS_WITH "/dash" OR header.image ENDS_WITH "/sh" OR header.image ENDS_WITH "/tcsh" | ||
| OR header.image ENDS_WITH "/csh" OR header.image ENDS_WITH "/zsh" OR header.image ENDS_WITH "/ksh" OR header.image ENDS_WITH "/fish") | ||
|
|
||
|
|
29 changes: 29 additions & 0 deletions
29
rules /command_and_control/linux_chisel_client_activity.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| # Title: Linux Chisel Client Activity | ||
|
|
||
| # Creation date: 2023/08/23 | ||
|
|
||
| # Category: Command and control | ||
|
|
||
| # Severity: Medium | ||
|
|
||
| # Description: This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. | ||
| # Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure | ||
| # communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass | ||
| # network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal | ||
| # systems. | ||
|
|
||
| # MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ | ||
|
|
||
| # MITRE ATT&CK Technique: T1572 - Protocol Tunneling - https://attack.mitre.org/techniques/T1572/ | ||
|
|
||
| - name: Shell executing suspicious binary with specific arguments | ||
| type: Exec | ||
| condition: payload.filename ENDS_WITH "client" | ||
| AND | ||
| (payload.argv CONTAINS "R*" OR payload.argv CONTAINS "*:*" OR payload.argv CONTAINS "*socks*" OR payload.argv CONTAINS "*.*") | ||
| AND | ||
| payload.argc >= 4 | ||
| AND | ||
| (header.image ENDS_WITH "bash" OR header.image ENDS_WITH "dash" OR header.image ENDS_WITH "ash" OR header.image ENDS_WITH "sh" OR header.image ENDS_WITH "tcsh" OR header.image ENDS_WITH "csh" OR header.image ENDS_WITH "zsh" OR header.image ENDS_WITH "ksh" OR header.image ENDS_WITH "fish") | ||
|
|
||
|
|
32 changes: 32 additions & 0 deletions
32
rules /command_and_control/linux_chisel_server_activity.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| # Title: Linux Chisel Server Activity | ||
|
|
||
| # Creation date: 2023/08/23 | ||
|
|
||
| # Category: Command and control | ||
|
|
||
| # Severity: Medium | ||
|
|
||
| # Description: This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection | ||
| # within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, | ||
| # enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish | ||
| # covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that | ||
| # allow unauthorized access to internal systems. | ||
|
|
||
| # MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ | ||
|
|
||
| # MITRE ATT&CK Technique: T1572 - Protocol Tunneling - https://attack.mitre.org/techniques/T1572/ | ||
|
|
||
| - name: Shell executing suspicious server command | ||
| type: Exec | ||
| condition: payload.argc >= 3 | ||
| AND ( | ||
| payload.argv CONTAINS "server" | ||
| OR payload.argv CONTAINS "--port" | ||
| OR payload.argv CONTAINS "-p" | ||
| OR payload.argv CONTAINS "--reverse" | ||
| OR payload.argv CONTAINS "--backend" | ||
| OR payload.argv CONTAINS "--socks5" | ||
| ) | ||
| AND | ||
| (header.image ENDS_WITH "bash" OR header.image ENDS_WITH "dash" OR header.image ENDS_WITH "ash" OR header.image ENDS_WITH "sh" OR header.image ENDS_WITH "tcsh" OR header.image ENDS_WITH "csh" OR header.image ENDS_WITH "zsh" OR header.image ENDS_WITH "ksh" OR header.image ENDS_WITH "fish") | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| # Title: Linux Kworker Netcon | ||
|
|
||
| # Creation date: 2023/10/18 | ||
|
|
||
| # Category: Command and control | ||
|
|
||
| # Severity: Low | ||
|
|
||
| # Description: This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the | ||
| # kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel | ||
| # space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. | ||
| # Attackers may attempt to evade detection by masquerading as a kernel worker process. | ||
|
|
||
| # MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ | ||
|
|
||
| # MITRE ATT&CK Technique: T1036 - Masquerading - https://attack.mitre.org/techniques/T1036/ | ||
|
|
||
| - name: Suspicious kworker network activity | ||
| type: Accept | ||
| condition: header.image ENDS_WITH "kworker" | ||
| # AND NOT payload.destination.ip IN ["10.0.0.1", "10.255.255.254", "127.0.0.1", "127.255.255.254", "169.254.0.1", "169.254.255.254", "172.16.0.1", "172.31.255.254", "192.168.0.1", "192.168.255.254", "224.0.0.1", "239.255.255.254"] | ||
|
|
||
| - name: Suspicious kworker network activity | ||
| type: Connect | ||
| condition: header.image ENDS_WITH "kworker" | ||
| # AND NOT payload.destination.ip IN ["10.0.0.1", "10.255.255.254", "127.0.0.1", "127.255.255.254", "169.254.0.1", "169.254.255.254", "172.16.0.1", "172.31.255.254", "192.168.0.1", "192.168.255.254", "224.0.0.1", "239.255.255.254"] |
21 changes: 21 additions & 0 deletions
21
rules /command_and_control/linux_suspicious_proxychains_activity.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| # Title: Linux Suspicious Proxychains Activity | ||
|
|
||
| # Creation date: 2023/08/23 | ||
|
|
||
| # Category: Command and control | ||
|
|
||
| # Severity: Low | ||
|
|
||
| # Description: This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool | ||
| # that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to | ||
| # restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, | ||
| # and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. | ||
|
|
||
| # MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ | ||
|
|
||
| # MITRE ATT&CK Technique: T1572 - Protocol Tunneling - https://attack.mitre.org/techniques/T1572/ | ||
|
|
||
| - name: Proxychains executing suspicious commands | ||
| type: Exec | ||
| condition: header.image ENDS_WITH "proxychains" | ||
| AND (payload.argv CONTAINS "ssh" OR payload.argv CONTAINS "sshd" OR payload.argv CONTAINS "sshuttle" OR payload.argv CONTAINS "socat" OR payload.argv CONTAINS "iodine" OR payload.argv CONTAINS "iodined" OR payload.argv CONTAINS "dnscat" OR payload.argv CONTAINS "hans" OR payload.argv CONTAINS "hans-ubuntu" OR payload.argv CONTAINS "ptunnel-ng" OR payload.argv CONTAINS "ssf" OR payload.argv CONTAINS "3proxy" OR payload.argv CONTAINS "ngrok" OR payload.argv CONTAINS "gost" OR payload.argv CONTAINS "pivotnacci" OR payload.argv CONTAINS "chisel*" OR payload.argv CONTAINS "nmap" OR payload.argv CONTAINS "ping" OR payload.argv CONTAINS "python*" OR payload.argv CONTAINS "php*" OR payload.argv CONTAINS "perl" OR payload.argv CONTAINS "ruby" OR payload.argv CONTAINS "lua*" OR payload.argv CONTAINS "openssl" OR payload.argv CONTAINS "nc" OR payload.argv CONTAINS "netcat" OR payload.argv CONTAINS "ncat" OR payload.argv CONTAINS "telnet" OR payload.argv CONTAINS "awk" OR payload.argv CONTAINS "java" OR payload.argv CONTAINS "telnet" OR payload.argv CONTAINS "ftp" OR payload.argv CONTAINS "curl" OR payload.argv CONTAINS "wget") |
51 changes: 51 additions & 0 deletions
51
rules /command_and_control/linux_tunneling_and_port_forwarding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| # Title: Linux Tunneling And Port Forwarding | ||
|
|
||
| # Creation date: 2023/08/23 | ||
|
|
||
| # Category: Command and control | ||
|
|
||
| # Severity: Medium | ||
|
|
||
| # Description: This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can | ||
| # leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, | ||
| # and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control. | ||
|
|
||
| # MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ | ||
|
|
||
| # MITRE ATT&CK Technique: T1572 - Protocol Tunneling - https://attack.mitre.org/techniques/T1572/ | ||
|
|
||
| - name: Gost without parent process | ||
| type: Exec | ||
| condition: payload.filename ENDS_WITH "gost" | ||
| AND (payload.argv CONTAINS "-L" OR payload.argv CONTAINS "-C" OR payload.argv CONTAINS "-R") | ||
| AND ( | ||
| header.image ENDS_WITH "bash" OR header.image ENDS_WITH "dash" OR header.image ENDS_WITH "ash" OR header.image ENDS_WITH "sh" OR header.image ENDS_WITH "tcsh" OR header.image ENDS_WITH "csh" OR header.image ENDS_WITH "zsh" OR header.image ENDS_WITH "ksh" OR header.image ENDS_WITH "fish" | ||
| ) | ||
|
|
||
| - name: Pivotnacci without parent process | ||
| type: Exec | ||
| condition: payload.filename ENDS_WITH "pivotnacci" | ||
| AND ( | ||
| header.image ENDS_WITH "bash" OR header.image ENDS_WITH "dash" OR header.image ENDS_WITH "ash" OR header.image ENDS_WITH "sh" OR header.image ENDS_WITH "tcsh" OR header.image ENDS_WITH "csh" OR header.image ENDS_WITH "zsh" OR header.image ENDS_WITH "ksh" OR header.image ENDS_WITH "fish" | ||
| ) | ||
|
|
||
| - name: SSH with suspicious arguments | ||
| type: Exec | ||
| condition: header.image IN ["/usr/bin/ssh", "/usr/sbin/sshd"] AND (payload.argv CONTAINS "-R" OR payload.argv CONTAINS "-L" OR payload.argv CONTAINS "-D" OR payload.argv CONTAINS "-w") AND payload.argc >= 4 AND NOT payload.argv CONTAINS "chmod" | ||
|
|
||
| - name: Sshuttle with suspicious arguments | ||
| type: Exec | ||
| condition: payload.filename ENDS_WITH "sshuttle" AND (payload.argv CONTAINS "-r" OR payload.argv CONTAINS "--remote" OR payload.argv CONTAINS "-l" OR payload.argv CONTAINS "--listen") AND payload.argc >= 4 | ||
|
|
||
| - name: Socat with suspicious arguments | ||
| type: Exec | ||
| condition: payload.filename ENDS_WITH "socat" AND (payload.argv CONTAINS "TCP4-LISTEN:" OR payload.argv CONTAINS "SOCKS") AND payload.argc >= 3 | ||
|
|
||
| - name: Chisel client OR server mode | ||
| type: Exec | ||
| condition: payload.filename ENDS_WITH "chisel" AND (payload.argv CONTAINS "client" OR payload.argv CONTAINS "server") | ||
|
|
||
| - name: Tunneling tools execution | ||
| type: Exec | ||
| condition: payload.filename ENDS_WITH "iodine" OR payload.filename ENDS_WITH "iodined" OR payload.filename ENDS_WITH "dnscat" OR payload.filename ENDS_WITH "hans" OR payload.filename ENDS_WITH "hans-ubuntu" OR payload.filename ENDS_WITH "ptunnel-ng" OR payload.filename ENDS_WITH "ssf" OR payload.filename ENDS_WITH "3proxy" OR payload.filename ENDS_WITH "ngrok" | ||
|
|
25 changes: 25 additions & 0 deletions
25
rules /command_and_control/suspicious_network_activity_from_unknown_executable.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| # Title: Suspicious Network Activity From Unknown Executable | ||
|
|
||
| # Creation date: 2023/06/14 | ||
|
|
||
| # Category: Command and control | ||
|
|
||
| # Severity: Low | ||
|
|
||
| # Description: This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious | ||
| # directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially | ||
| # malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to | ||
| # unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can | ||
| # help identify and mitigate potential security threats, protecting the system and its data from potential compromise. | ||
|
|
||
| # MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ | ||
|
|
||
| # MITRE ATT&CK Technique: T1071 - Application Layer Protocol - https://attack.mitre.org/techniques/T1071/ | ||
|
|
||
|
|
||
| - name: Executable file connection attempt | ||
| type: Exec | ||
| condition: | ||
| NOT header.image ENDS_WITH "/apt" OR NOT header.image ENDS_WITH "/chrome" OR NOT header.image ENDS_WITH "/curl" OR NOT header.image ENDS_WITH "/dnf" OR NOT header.image ENDS_WITH "/dockerd" OR NOT header.image ENDS_WITH "/dpkg" OR NOT header.image ENDS_WITH "/firefox-bin" OR NOT header.image ENDS_WITH "/java" OR NOT header.image ENDS_WITH "/kite-update" OR NOT header.image ENDS_WITH "/kited" OR NOT header.image ENDS_WITH "/node" OR NOT header.image ENDS_WITH "/rpm" OR NOT header.image ENDS_WITH "/saml2aws" OR NOT header.image ENDS_WITH "/wget" OR NOT header.image ENDS_WITH "/yum" OR NOT header.image ENDS_WITH "/ansible" OR NOT header.image ENDS_WITH "/aws" OR NOT header.image ENDS_WITH "/php" OR NOT header.image ENDS_WITH "/pip" OR NOT header.image ENDS_WITH "/python" OR NOT header.image ENDS_WITH "/steam" OR NOT header.image ENDS_WITH "/terraform" | ||
| AND (payload.filename STARTS_WITH "/etc/crontab" OR payload.filename STARTS_WITH "/etc/rc.local" OR payload.filename STARTS_WITH "/boot/" OR payload.filename STARTS_WITH "/dev/shm/" OR payload.filename STARTS_WITH "/etc/cron." OR payload.filename STARTS_WITH "/etc/init.d/" OR payload.filename STARTS_WITH "/etc/rc" OR payload.filename STARTS_WITH "/etc/update-motd.d/" OR payload.filename STARTS_WITH "/home/" OR payload.filename STARTS_WITH "/run/" OR payload.filename STARTS_WITH "/srv/" OR payload.filename STARTS_WITH "/tmp/" OR payload.filename STARTS_WITH "/usr/lib/update-notifier/" OR payload.filename STARTS_WITH "/var/tmp/") | ||
| AND NOT (payload.filename STARTS_WITH "/tmp/newroot/" OR payload.filename STARTS_WITH "/tmp/snap.rootfs/") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # Title: Tunneling Via Earthworm | ||
|
|
||
| # Creation date: 2021/04/12 | ||
|
|
||
| # Category: Command and control | ||
|
|
||
| # Severity: Medium | ||
|
|
||
| # Description: Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim | ||
| # system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable | ||
| # systems. | ||
|
|
||
| # MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ | ||
|
|
||
| # MITRE ATT&CK Technique: T1572 - Protocol Tunneling - https://attack.mitre.org/techniques/T1572/ | ||
|
|
||
| - name: Process with specific arguments | ||
| type: Exec | ||
| condition: payload.argv CONTAINS "-s" AND payload.argv CONTAINS "-d" AND payload.argv CONTAINS "rssocks" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| # Title: Collection Sensitive Files | ||
|
|
||
| # Creation date: 2020/12/22 | ||
|
|
||
| # Category: Credential access | ||
|
|
||
| # Severity: Medium | ||
|
|
||
| # Description: Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials | ||
| # and system configurations. | ||
|
|
||
| # MITRE ATT&CK Tactic: TA0006 - Credential Access - https://attack.mitre.org/tactics/TA0006/ | ||
|
|
||
| # MITRE ATT&CK Technique: T1552 - Unsecured Credentials - https://attack.mitre.org/techniques/T1552/ | ||
|
|
||
| - name: Compressing sensitive files | ||
| type: Exec | ||
| condition: ( | ||
| payload.filename ENDS_WITH "zip" OR | ||
| payload.filename ENDS_WITH "tar" OR | ||
| payload.filename ENDS_WITH "gzip" OR | ||
| payload.filename ENDS_WITH "hdiutil" OR | ||
| payload.filename ENDS_WITH "7z" | ||
| ) | ||
| AND ( | ||
| payload.argv CONTAINS "/root/.ssh/id_rsa" OR | ||
| payload.argv CONTAINS "/root/.ssh/id_rsa.pub" OR | ||
| payload.argv CONTAINS "/root/.ssh/id_ed25519" OR | ||
| payload.argv CONTAINS "/root/.ssh/id_ed25519.pub" OR | ||
| payload.argv CONTAINS "/root/.ssh/authorized_keys" OR | ||
| payload.argv CONTAINS "/root/.ssh/authorized_keys2" OR | ||
| payload.argv CONTAINS "/root/.ssh/known_hosts" OR | ||
| payload.argv CONTAINS "/root/.bash_history" OR | ||
| payload.argv CONTAINS "/etc/hosts" OR | ||
| payload.argv CONTAINS "/home/*/.ssh/id_rsa" OR | ||
| payload.argv CONTAINS "/home/*/.ssh/id_rsa.pub" OR | ||
| payload.argv CONTAINS "/home/*/.ssh/id_ed25519" OR | ||
| payload.argv CONTAINS "/home/*/.ssh/id_ed25519.pub" OR | ||
| payload.argv CONTAINS "/home/*/.ssh/authorized_keys" OR | ||
| payload.argv CONTAINS "/home/*/.ssh/authorized_keys2" OR | ||
| payload.argv CONTAINS "/home/*/.ssh/known_hosts" OR | ||
| payload.argv CONTAINS "/home/*/.bash_history" OR | ||
| payload.argv CONTAINS "/root/.aws/credentials" OR | ||
| payload.argv CONTAINS "/root/.aws/config" OR | ||
| payload.argv CONTAINS "/home/*/.aws/credentials" OR | ||
| payload.argv CONTAINS "/home/*/.aws/config" OR | ||
| payload.argv CONTAINS "/root/.docker/config.json" OR | ||
| payload.argv CONTAINS "/home/*/.docker/config.json" OR | ||
| payload.argv CONTAINS "/etc/group" OR | ||
| payload.argv CONTAINS "/etc/passwd" OR | ||
| payload.argv CONTAINS "/etc/shadow" OR | ||
| payload.argv CONTAINS "/etc/gshadow" | ||
| ) | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # Title: Credential Dumping | ||
|
|
||
| # Creation date: 2023/02/27 | ||
|
|
||
| # Category: Credential access | ||
|
|
||
| # Severity: Medium | ||
|
|
||
| # Description: Identifies the execution of the unshadow utility which is part of John the Ripper, | ||
| # a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve | ||
| # the combined contents of the '/etc/shadow' and '/etc/password' files. | ||
| # Using the combined file generated from the utility, the malicious threat actors can use them as input | ||
| # for password-cracking utilities or prepare themselves for future operations by gathering | ||
| # credential information of the victim. | ||
|
|
||
| # MITRE ATT&CK Tactic: TA0006 - Credential Access - https://attack.mitre.org/tactics/TA0006/ | ||
|
|
||
| # MITRE ATT&CK Technique: T1003 - OS Credential Dumping - https://attack.mitre.org/techniques/T1003/ | ||
|
|
||
| - name: Unshadow execution start | ||
| type: Exec | ||
| condition: header.image ENDS_WITH "/unshadow" AND payload.argc >= 2 |
Oops, something went wrong.