diff --git a/rules /README.md b/rules /README.md new file mode 100644 index 00000000..252cae52 --- /dev/null +++ b/rules /README.md @@ -0,0 +1,19 @@ +# Pulsar Security Rules +Pulsar Security Rules offer a robust set of rules designed to be used with Pulsar Rule Engine module to enforce effective security policies for most common use cases. + +Rules are organized into folders based on the MITRE ATT&CK framework, allowing users to easily identify and select rules based on their specific security requirements. + +## Features +Each security rule within the Pulsar Security Rules comprises the following key elements: +- **Title**: A concise description providing a quick overview of the rule +- **Category**: Classification of the rule based on the MITRE ATT&CK framework, ensuring a standardized approach to rule organization +- **Severity**: An indication of the rule's severity level, allowing users to prioritize and address security concerns accordingly +- **Description**:A comprehensive and detailed explanation of the rule, offering insights into its purpose and implications +- **MITRE ATT&CK Tactic**: Alignment with the MITRE ATT&CK framework's tactics, highlighting the broader strategic context of the rule +- **MITRE ATT&CK Technique**: Association with specific MITRE ATT&CK techniques, providing users with additional context and reference points + +## Contribution +We welcome contributions from the community to enhance the Pulsar Security Rules. If you have identified new security patterns, want to improve existing rules, or have suggestions for additional features, please consider contributing to the project. + +## Acknowledgements +The Pulsar Security Rules are built upon the foundation of the [Elastic Detection Rules](https://github.com/elastic/detection-rules). diff --git a/rules/basic-rules.yaml b/rules /basic-rules.yaml similarity index 99% rename from rules/basic-rules.yaml rename to rules /basic-rules.yaml index c08161c5..2019ef4c 100644 
--- a/rules/basic-rules.yaml +++ b/rules /basic-rules.yaml @@ -112,4 +112,4 @@ # Rules preventing known vulnerabilities - name: CVE-2021-4034, possible envp manipulation with empty argv type: Exec - condition: payload.argc == 0 + condition: payload.argc == 0 \ No newline at end of file diff --git a/rules /command_and_control/cat_network_activity.yaml b/rules /command_and_control/cat_network_activity.yaml new file mode 100644 index 00000000..ec0e3628 --- /dev/null +++ b/rules /command_and_control/cat_network_activity.yaml @@ -0,0 +1,25 @@ +# Title: Cat Network Activity + +# Creation date: 2023/09/04 + +# Category: Command and control + +# Severity: Medium + +# Description: This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat +# is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. +# This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools +# or files to another host in the network or exfiltrate data while attempting to evade detection in the process. + +# MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ + +# MITRE ATT&CK Technique: - - + +- name: Shell executing suspicious binary + type: Exec + condition: payload.filename ENDS_WITH "cat" + AND + (header.image ENDS_WITH "/bash" OR header.image ENDS_WITH "/dash" OR header.image ENDS_WITH "/sh" OR header.image ENDS_WITH "/tcsh" + OR header.image ENDS_WITH "/csh" OR header.image ENDS_WITH "/zsh" OR header.image ENDS_WITH "/ksh" OR header.image ENDS_WITH "/fish") + + \ No newline at end of file diff --git a/rules /command_and_control/linux_chisel_client_activity.yaml b/rules /command_and_control/linux_chisel_client_activity.yaml new file mode 100644 index 00000000..d7c9c56a --- /dev/null +++ b/rules /command_and_control/linux_chisel_client_activity.yaml 
@@ -0,0 +1,29 @@ +# Title: Linux Chisel Client Activity + +# Creation date: 2023/08/23 + +# Category: Command and control + +# Severity: Medium + +# Description: This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. +# Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure +# communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass +# network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal +# systems. + +# MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ + +# MITRE ATT&CK Technique: T1572 - Protocol Tunneling - https://attack.mitre.org/techniques/T1572/ + +- name: Shell executing suspicious binary with specific arguments + type: Exec + condition: payload.filename ENDS_WITH "client" + AND + (payload.argv CONTAINS "R*" OR payload.argv CONTAINS "*:*" OR payload.argv CONTAINS "*socks*" OR payload.argv CONTAINS "*.*") + AND + payload.argc >= 4 + AND + (header.image ENDS_WITH "bash" OR header.image ENDS_WITH "dash" OR header.image ENDS_WITH "ash" OR header.image ENDS_WITH "sh" OR header.image ENDS_WITH "tcsh" OR header.image ENDS_WITH "csh" OR header.image ENDS_WITH "zsh" OR header.image ENDS_WITH "ksh" OR header.image ENDS_WITH "fish") + + diff --git a/rules /command_and_control/linux_chisel_server_activity.yaml b/rules /command_and_control/linux_chisel_server_activity.yaml new file mode 100644 index 00000000..2b02eb4a --- /dev/null +++ b/rules /command_and_control/linux_chisel_server_activity.yaml 
@@ -0,0 +1,32 @@ +# Title: Linux Chisel Server Activity + +# Creation date: 2023/08/23 + +# Category: Command and control + +# Severity: Medium + +# Description: This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection +# within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, +# enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish +# covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that +# allow unauthorized access to internal systems. + +# MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ + +# MITRE ATT&CK Technique: T1572 - Protocol Tunneling - https://attack.mitre.org/techniques/T1572/ + +- name: Shell executing suspicious server command + type: Exec + condition: payload.argc >= 3 + AND ( + payload.argv CONTAINS "server" + OR payload.argv CONTAINS "--port" + OR payload.argv CONTAINS "-p" + OR payload.argv CONTAINS "--reverse" + OR payload.argv CONTAINS "--backend" + OR payload.argv CONTAINS "--socks5" + ) + AND + (header.image ENDS_WITH "bash" OR header.image ENDS_WITH "dash" OR header.image ENDS_WITH "ash" OR header.image ENDS_WITH "sh" OR header.image ENDS_WITH "tcsh" OR header.image ENDS_WITH "csh" OR header.image ENDS_WITH "zsh" OR header.image ENDS_WITH "ksh" OR header.image ENDS_WITH "fish") + diff --git a/rules /command_and_control/linux_kworker_netcon.yaml b/rules /command_and_control/linux_kworker_netcon.yaml new file mode 100644 index 00000000..213cf189 --- /dev/null +++ b/rules /command_and_control/linux_kworker_netcon.yaml 
@@ -0,0 +1,26 @@ +# Title: Linux Kworker Netcon + +# Creation date: 2023/10/18 + +# Category: Command and control + +# Severity: Low + +# Description: This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the +# kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel +# space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. +# Attackers may attempt to evade detection by masquerading as a kernel worker process. + +# MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ + +# MITRE ATT&CK Technique: T1036 - Masquerading - https://attack.mitre.org/techniques/T1036/ + +- name: Suspicious kworker network activity + type: Accept + condition: header.image ENDS_WITH "kworker" + # AND NOT payload.destination.ip IN ["10.0.0.1", "10.255.255.254", "127.0.0.1", "127.255.255.254", "169.254.0.1", "169.254.255.254", "172.16.0.1", "172.31.255.254", "192.168.0.1", "192.168.255.254", "224.0.0.1", "239.255.255.254"] + +- name: Suspicious kworker network activity + type: Connect + condition: header.image ENDS_WITH "kworker" + # AND NOT payload.destination.ip IN ["10.0.0.1", "10.255.255.254", "127.0.0.1", "127.255.255.254", "169.254.0.1", "169.254.255.254", "172.16.0.1", "172.31.255.254", "192.168.0.1", "192.168.255.254", "224.0.0.1", "239.255.255.254"] \ No newline at end of file diff --git a/rules /command_and_control/linux_suspicious_proxychains_activity.yaml b/rules /command_and_control/linux_suspicious_proxychains_activity.yaml new file mode 100644 index 00000000..51082b0e --- /dev/null +++ b/rules /command_and_control/linux_suspicious_proxychains_activity.yaml 
@@ -0,0 +1,21 @@ +# Title: Linux Suspicious Proxychains Activity + +# Creation date: 2023/08/23 + +# Category: Command and control + +# Severity: Low + +# Description: This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool +# that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to +# restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, +# and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. + +# MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ + +# MITRE ATT&CK Technique: T1572 - Protocol Tunneling - https://attack.mitre.org/techniques/T1572/ + +- name: Proxychains executing suspicious commands + type: Exec + condition: header.image ENDS_WITH "proxychains" + AND (payload.argv CONTAINS "ssh" OR payload.argv CONTAINS "sshd" OR payload.argv CONTAINS "sshuttle" OR payload.argv CONTAINS "socat" OR payload.argv CONTAINS "iodine" OR payload.argv CONTAINS "iodined" OR payload.argv CONTAINS "dnscat" OR payload.argv CONTAINS "hans" OR payload.argv CONTAINS "hans-ubuntu" OR payload.argv CONTAINS "ptunnel-ng" OR payload.argv CONTAINS "ssf" OR payload.argv CONTAINS "3proxy" OR payload.argv CONTAINS "ngrok" OR payload.argv CONTAINS "gost" OR payload.argv CONTAINS "pivotnacci" OR payload.argv CONTAINS "chisel*" OR payload.argv CONTAINS "nmap" OR payload.argv CONTAINS "ping" OR payload.argv CONTAINS "python*" OR payload.argv CONTAINS "php*" OR payload.argv CONTAINS "perl" OR payload.argv CONTAINS "ruby" OR payload.argv CONTAINS "lua*" OR payload.argv CONTAINS "openssl" OR payload.argv CONTAINS "nc" OR payload.argv CONTAINS "netcat" OR payload.argv CONTAINS "ncat" OR payload.argv CONTAINS "telnet" OR payload.argv CONTAINS "awk" OR payload.argv CONTAINS "java" OR payload.argv 
CONTAINS "telnet" OR payload.argv CONTAINS "ftp" OR payload.argv CONTAINS "curl" OR payload.argv CONTAINS "wget") \ No newline at end of file diff --git a/rules /command_and_control/linux_tunneling_and_port_forwarding.yaml b/rules /command_and_control/linux_tunneling_and_port_forwarding.yaml new file mode 100644 index 00000000..6cb94826 --- /dev/null +++ b/rules /command_and_control/linux_tunneling_and_port_forwarding.yaml 
@@ -0,0 +1,51 @@ +# Title: Linux Tunneling And Port Forwarding + +# Creation date: 2023/08/23 + +# Category: Command and control + +# Severity: Medium + +# Description: This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can +# leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, +# and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control. + +# MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ + +# MITRE ATT&CK Technique: T1572 - Protocol Tunneling - https://attack.mitre.org/techniques/T1572/ + +- name: Gost without parent process + type: Exec + condition: payload.filename ENDS_WITH "gost" + AND (payload.argv CONTAINS "-L" OR payload.argv CONTAINS "-C" OR payload.argv CONTAINS "-R") + AND ( + header.image ENDS_WITH "bash" OR header.image ENDS_WITH "dash" OR header.image ENDS_WITH "ash" OR header.image ENDS_WITH "sh" OR header.image ENDS_WITH "tcsh" OR header.image ENDS_WITH "csh" OR header.image ENDS_WITH "zsh" OR header.image ENDS_WITH "ksh" OR header.image ENDS_WITH "fish" + ) + +- name: Pivotnacci without parent process + type: Exec + condition: payload.filename ENDS_WITH "pivotnacci" + AND ( + header.image ENDS_WITH "bash" OR header.image ENDS_WITH "dash" OR header.image ENDS_WITH "ash" OR header.image ENDS_WITH "sh" OR header.image ENDS_WITH "tcsh" OR header.image ENDS_WITH "csh" OR header.image ENDS_WITH "zsh" OR header.image ENDS_WITH "ksh" OR header.image ENDS_WITH "fish" + ) + +- name: SSH with suspicious arguments + type: Exec + condition: header.image IN ["/usr/bin/ssh", "/usr/sbin/sshd"] AND (payload.argv CONTAINS "-R" OR payload.argv CONTAINS "-L" OR payload.argv CONTAINS "-D" OR payload.argv CONTAINS "-w") AND payload.argc >= 4 AND NOT payload.argv CONTAINS "chmod" + +- name: Sshuttle with suspicious arguments + type: Exec + 
condition: payload.filename ENDS_WITH "sshuttle" AND (payload.argv CONTAINS "-r" OR payload.argv CONTAINS "--remote" OR payload.argv CONTAINS "-l" OR payload.argv CONTAINS "--listen") AND payload.argc >= 4 + +- name: Socat with suspicious arguments + type: Exec + condition: payload.filename ENDS_WITH "socat" AND (payload.argv CONTAINS "TCP4-LISTEN:" OR payload.argv CONTAINS "SOCKS") AND payload.argc >= 3 + +- name: Chisel client OR server mode + type: Exec + condition: payload.filename ENDS_WITH "chisel" AND (payload.argv CONTAINS "client" OR payload.argv CONTAINS "server") + +- name: Tunneling tools execution + type: Exec + condition: payload.filename ENDS_WITH "iodine" OR payload.filename ENDS_WITH "iodined" OR payload.filename ENDS_WITH "dnscat" OR payload.filename ENDS_WITH "hans" OR payload.filename ENDS_WITH "hans-ubuntu" OR payload.filename ENDS_WITH "ptunnel-ng" OR payload.filename ENDS_WITH "ssf" OR payload.filename ENDS_WITH "3proxy" OR payload.filename ENDS_WITH "ngrok" + diff --git a/rules /command_and_control/suspicious_network_activity_from_unknown_executable.yaml b/rules /command_and_control/suspicious_network_activity_from_unknown_executable.yaml new file mode 100644 index 00000000..c35b6764 --- /dev/null +++ b/rules /command_and_control/suspicious_network_activity_from_unknown_executable.yaml 
@@ -0,0 +1,25 @@ +# Title: Suspicious Network Activity From Unknown Executable + +# Creation date: 2023/06/14 + +# Category: Command and control + +# Severity: Low + +# Description: This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious +# directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially +# malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to +# unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can +# help identify and mitigate potential security threats, protecting the system and its data from potential compromise. + +# MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ + +# MITRE ATT&CK Technique: T1071 - Application Layer Protocol - https://attack.mitre.org/techniques/T1071/ + + +- name: Executable file connection attempt + type: Exec + condition: + NOT header.image ENDS_WITH "/apt" OR NOT header.image ENDS_WITH "/chrome" OR NOT header.image ENDS_WITH "/curl" OR NOT header.image ENDS_WITH "/dnf" OR NOT header.image ENDS_WITH "/dockerd" OR NOT header.image ENDS_WITH "/dpkg" OR NOT header.image ENDS_WITH "/firefox-bin" OR NOT header.image ENDS_WITH "/java" OR NOT header.image ENDS_WITH "/kite-update" OR NOT header.image ENDS_WITH "/kited" OR NOT header.image ENDS_WITH "/node" OR NOT header.image ENDS_WITH "/rpm" OR NOT header.image ENDS_WITH "/saml2aws" OR NOT header.image ENDS_WITH "/wget" OR NOT header.image ENDS_WITH "/yum" OR NOT header.image ENDS_WITH "/ansible" OR NOT header.image ENDS_WITH "/aws" OR NOT header.image ENDS_WITH "/php" OR NOT header.image ENDS_WITH "/pip" OR NOT header.image ENDS_WITH "/python" OR NOT header.image ENDS_WITH "/steam" OR NOT header.image ENDS_WITH "/terraform" + AND (payload.filename STARTS_WITH "/etc/crontab" OR 
payload.filename STARTS_WITH "/etc/rc.local" OR payload.filename STARTS_WITH "/boot/" OR payload.filename STARTS_WITH "/dev/shm/" OR payload.filename STARTS_WITH "/etc/cron." OR payload.filename STARTS_WITH "/etc/init.d/" OR payload.filename STARTS_WITH "/etc/rc" OR payload.filename STARTS_WITH "/etc/update-motd.d/" OR payload.filename STARTS_WITH "/home/" OR payload.filename STARTS_WITH "/run/" OR payload.filename STARTS_WITH "/srv/" OR payload.filename STARTS_WITH "/tmp/" OR payload.filename STARTS_WITH "/usr/lib/update-notifier/" OR payload.filename STARTS_WITH "/var/tmp/") + AND NOT (payload.filename STARTS_WITH "/tmp/newroot/" OR payload.filename STARTS_WITH "/tmp/snap.rootfs/") diff --git a/rules /command_and_control/tunneling_via_earthworm.yaml b/rules /command_and_control/tunneling_via_earthworm.yaml new file mode 100644 index 00000000..d95169b2 --- /dev/null +++ b/rules /command_and_control/tunneling_via_earthworm.yaml @@ -0,0 +1,19 @@ +# Title: Tunneling Via Earthworm + +# Creation date: 2021/04/12 + +# Category: Command and control + +# Severity: Medium + +# Description: Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim +# system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable +# systems. + +# MITRE ATT&CK Tactic: TA0011 - Command and Control - https://attack.mitre.org/tactics/TA0011/ + +# MITRE ATT&CK Technique: T1572 - Protocol Tunneling - https://attack.mitre.org/techniques/T1572/ + +- name: Process with specific arguments + type: Exec + condition: payload.argv CONTAINS "-s" AND payload.argv CONTAINS "-d" AND payload.argv CONTAINS "rssocks" \ No newline at end of file diff --git a/rules /credential_access/collection_sensitive_files.yaml b/rules /credential_access/collection_sensitive_files.yaml new file mode 100644 index 00000000..03bdf836 --- /dev/null +++ b/rules /credential_access/collection_sensitive_files.yaml 
@@ -0,0 +1,54 @@ +# Title: Collection Sensitive Files + +# Creation date: 2020/12/22 + +# Category: Credential access + +# Severity: Medium + +# Description: Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials +# and system configurations. + +# MITRE ATT&CK Tactic: TA0006 - Credential Access - https://attack.mitre.org/tactics/TA0006/ + +# MITRE ATT&CK Technique: T1552 - Unsecured Credentials - https://attack.mitre.org/techniques/T1552/ + +- name: Compressing sensitive files + type: Exec + condition: ( + payload.filename ENDS_WITH "zip" OR + payload.filename ENDS_WITH "tar" OR + payload.filename ENDS_WITH "gzip" OR + payload.filename ENDS_WITH "hdiutil" OR + payload.filename ENDS_WITH "7z" + ) + AND ( + payload.argv CONTAINS "/root/.ssh/id_rsa" OR + payload.argv CONTAINS "/root/.ssh/id_rsa.pub" OR + payload.argv CONTAINS "/root/.ssh/id_ed25519" OR + payload.argv CONTAINS "/root/.ssh/id_ed25519.pub" OR + payload.argv CONTAINS "/root/.ssh/authorized_keys" OR + payload.argv CONTAINS "/root/.ssh/authorized_keys2" OR + payload.argv CONTAINS "/root/.ssh/known_hosts" OR + payload.argv CONTAINS "/root/.bash_history" OR + payload.argv CONTAINS "/etc/hosts" OR + payload.argv CONTAINS "/home/*/.ssh/id_rsa" OR + payload.argv CONTAINS "/home/*/.ssh/id_rsa.pub" OR + payload.argv CONTAINS "/home/*/.ssh/id_ed25519" OR + payload.argv CONTAINS "/home/*/.ssh/id_ed25519.pub" OR + payload.argv CONTAINS "/home/*/.ssh/authorized_keys" OR + payload.argv CONTAINS "/home/*/.ssh/authorized_keys2" OR + payload.argv CONTAINS "/home/*/.ssh/known_hosts" OR + payload.argv CONTAINS "/home/*/.bash_history" OR + payload.argv CONTAINS "/root/.aws/credentials" OR + payload.argv CONTAINS "/root/.aws/config" OR + payload.argv CONTAINS "/home/*/.aws/credentials" OR + payload.argv CONTAINS "/home/*/.aws/config" OR + payload.argv CONTAINS "/root/.docker/config.json" OR + payload.argv CONTAINS "/home/*/.docker/config.json" OR + payload.argv 
CONTAINS "/etc/group" OR + payload.argv CONTAINS "/etc/passwd" OR + payload.argv CONTAINS "/etc/shadow" OR + payload.argv CONTAINS "/etc/gshadow" + ) + \ No newline at end of file diff --git a/rules /credential_access/credential_dumping.yaml b/rules /credential_access/credential_dumping.yaml new file mode 100644 index 00000000..8331304d --- /dev/null +++ b/rules /credential_access/credential_dumping.yaml @@ -0,0 +1,22 @@ +# Title: Credential Dumping + +# Creation date: 2023/02/27 + +# Category: Credential access + +# Severity: Medium + +# Description: Identifies the execution of the unshadow utility which is part of John the Ripper, +# a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve +# the combined contents of the '/etc/shadow' and '/etc/password' files. +# Using the combined file generated from the utility, the malicious threat actors can use them as input +# for password-cracking utilities or prepare themselves for future operations by gathering +# credential information of the victim. + +# MITRE ATT&CK Tactic: TA0006 - Credential Access - https://attack.mitre.org/tactics/TA0006/ + +# MITRE ATT&CK Technique: T1003 - OS Credential Dumping - https://attack.mitre.org/techniques/T1003/ + +- name: Unshadow execution start + type: Exec + condition: header.image ENDS_WITH "/unshadow" AND payload.argc >= 2 \ No newline at end of file diff --git a/rules /credential_access/gdb_init_memory_dump.yaml b/rules /credential_access/gdb_init_memory_dump.yaml new file mode 100644 index 00000000..ae877c48 --- /dev/null +++ b/rules /credential_access/gdb_init_memory_dump.yaml 
@@ -0,0 +1,22 @@ +# Title: Gdb Init Memory Dump + +# Creation date: 2023/08/30 + +# Category: Credential access + +# Severity: Medium + +# Description: This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory +# dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include +# "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. + +# MITRE ATT&CK Tactic: TA0006 - Credential Access - https://attack.mitre.org/tactics/TA0006/ + +# MITRE ATT&CK Technique: T1003 - OS Credential Dumping - https://attack.mitre.org/techniques/T1003/ + +- name: GDB process execution with specific arguments + type: Exec + condition: payload.filename ENDS_WITH "/gdb" + AND (payload.argv CONTAINS "--pid" + OR payload.argv CONTAINS "-p") + AND payload.argv CONTAINS "1" \ No newline at end of file diff --git a/rules /credential_access/proc_credential_dumping.yaml b/rules /credential_access/proc_credential_dumping.yaml new file mode 100644 index 00000000..322871c4 --- /dev/null +++ b/rules /credential_access/proc_credential_dumping.yaml 
@@ -0,0 +1,30 @@ +# Title: Proc Credential Dumping + +# Creation date: 2023/04/26 + +# Category: Credential access + +# Severity: Medium + +# Description: Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. +# Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits +# a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by +# dumping the process and extracting lines that have a high probability of containing cleartext passwords. + +# MITRE ATT&CK Tactic: TA0006 - Credential Access - https://attack.mitre.org/tactics/TA0006/ + +# MITRE ATT&CK Technique: T1003 - OS Credential Dumping - https://attack.mitre.org/techniques/T1003/ + +- name: Suspicious process execution - ps + type: Exec + condition: (payload.filename == "/usr/bin/ps" OR payload.filename == "/bin/ps") + AND + (payload.argv CONTAINS "-eo" OR payload.argv CONTAINS "pid" OR payload.argv CONTAINS "command") + AND + header.image STARTS_WITH "/usr/bin/" + +- name: Suspicious process execution - strings + type: Exec + condition: payload.filename ENDS_WITH "/strings" + AND + payload.argv CONTAINS "/tmp/" \ No newline at end of file diff --git a/rules /credential_access/ssh_backdoor_log.yaml b/rules /credential_access/ssh_backdoor_log.yaml new file mode 100644 index 00000000..3de3ebbd --- /dev/null +++ b/rules /credential_access/ssh_backdoor_log.yaml 
@@ -0,0 +1,29 @@ +# Title: Ssh Backdoor Log + +# Creation date: 2020/12/21 + +# Category: Credential access + +# Severity: High + +# Description: Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. +# Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to +# enable unauthorized access or to log SSH credentials for exfiltration. + +# MITRE ATT&CK Tactic: TA0006 - Credential Access - https://attack.mitre.org/tactics/TA0006/ + +# MITRE ATT&CK Technique: T1556 - Modify Authentication Process - https://attack.mitre.org/techniques/T1556/ + +- name: SSH related file changes + type: FileOpened + condition: (header.image IN ["/usr/sbin/sshd", "/usr/bin/ssh"]) + AND ( + (payload.filename ENDS_WITH "~" OR payload.filename STARTS_WITH "." OR payload.filename ENDS_WITH "~") + AND NOT ( + payload.filename IN [".cache", ".viminfo", ".bash_history", ".google_authenticator", ".jelenv", ".csvignore", ".rtreport"] + ) + OR payload.filename ENDS_WITH ".in" OR payload.filename ENDS_WITH ".out" OR payload.filename ENDS_WITH ".ini" OR payload.filename ENDS_WITH ".h" OR payload.filename ENDS_WITH ".gz" OR payload.filename ENDS_WITH ".so" OR payload.filename ENDS_WITH ".sock" OR payload.filename ENDS_WITH ".sync" OR payload.filename ENDS_WITH ".0" OR payload.filename ENDS_WITH ".1" OR payload.filename ENDS_WITH ".2" OR payload.filename ENDS_WITH ".3" OR payload.filename ENDS_WITH ".4" OR payload.filename ENDS_WITH ".5" OR payload.filename ENDS_WITH ".6" OR payload.filename ENDS_WITH ".7" OR payload.filename ENDS_WITH ".8" OR payload.filename ENDS_WITH ".9" OR payload.filename IN [ + "/private/etc/*--", "/usr/share/*", "/usr/include/*", "/usr/local/include/*", "/private/tmp/*", "/private/var/tmp/*", "/usr/tmp/*", "/usr/share/man/*", "/usr/local/share/*", "/usr/lib/*.so.*", "/private/etc/ssh/.sshd_auth", "/usr/bin/ssd", "/private/var/opt/power", 
"/private/etc/ssh/ssh_known_hosts", "/private/var/html/lol", "/private/var/log/utmp", "/private/var/lib", "/var/run/sshd/sshd.pid", "/var/run/nscd/ns.pid", "/var/run/udev/ud.pid", "/var/run/udevd.pid" + ] + ) + diff --git a/rules /defense_evasion/attempt_to_disable_iptables_or_firewall.yaml b/rules /defense_evasion/attempt_to_disable_iptables_or_firewall.yaml new file mode 100644 index 00000000..a7adf092 --- /dev/null +++ b/rules /defense_evasion/attempt_to_disable_iptables_or_firewall.yaml 
@@ -0,0 +1,34 @@ +# Title: Attempt To Disable Iptables Or Firewall + +# Creation date: 2023/02/22 + +# Category: Defense evasion + +# Severity: Low + +# Description: Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to +# receive or send network traffic. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/ + +- name: Disable firewall with ufw + type: Exec + condition: payload.filename ENDS_WITH "/ufw" AND payload.argv CONTAINS "disable" + +- name: Flush iptables rules + type: Exec + condition: payload.filename ENDS_WITH "/iptables" AND payload.argv CONTAINS "-F" AND payload.argc == 2 + +- name: Stop firewall service with service command + type: Exec + condition: payload.filename ENDS_WITH "/service" AND payload.argv CONTAINS "stop" AND (payload.argv CONTAINS "firewalld" OR payload.argv CONTAINS "ip6tables" OR payload.argv CONTAINS "iptables") + +- name: Turn off firewall service with chkconfig + type: Exec + condition: payload.filename ENDS_WITH "/sbin/chkconfig" AND payload.argv CONTAINS "off" AND (payload.argv CONTAINS "firewalld" OR payload.argv CONTAINS "ip6tables" OR payload.argv CONTAINS "iptables") + +- name: Disable or stop firewall service with systemctl + type: Exec + condition: payload.filename ENDS_WITH "/bin/systemctl" AND (payload.argv CONTAINS "disable" OR payload.argv CONTAINS "stop" OR payload.argv CONTAINS "kill") AND (payload.argv CONTAINS "firewalld" OR payload.argv CONTAINS "ip6tables" OR payload.argv CONTAINS "iptables") \ No newline at end of file diff --git a/rules /defense_evasion/attempt_to_disable_syslog_service.yaml b/rules /defense_evasion/attempt_to_disable_syslog_service.yaml new file mode 100644 index 00000000..2a5bb566 --- /dev/null +++ b/rules /defense_evasion/attempt_to_disable_syslog_service.yaml 
@@ -0,0 +1,34 @@ +# Title: Attempt To Disable Syslog Service + +# Creation date: 2020/04/27 + +# Category: Defense evasion + +# Severity: Medium + +# Description: Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade +# detection by security controls. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/ + +- name: Service command to stop syslog-related services + type: Exec + condition: payload.filename ENDS_WITH "service" AND payload.argv CONTAINS "stop" AND (payload.argv CONTAINS "syslog" OR payload.argv CONTAINS "rsyslog" OR payload.argv CONTAINS "syslog-ng") + +- name: Chkconfig command to turn off syslog-related services + type: Exec + condition: payload.filename ENDS_WITH "chkconfig" AND payload.argv CONTAINS "off" AND (payload.argv CONTAINS "syslog" OR payload.argv CONTAINS "rsyslog" OR payload.argv CONTAINS "syslog-ng") + +- name: Systemctl command to disable syslog-related services + type: Exec + condition: payload.filename ENDS_WITH "systemctl" AND payload.argv CONTAINS "disable" AND (payload.argv CONTAINS "syslog" OR payload.argv CONTAINS "rsyslog" OR payload.argv CONTAINS "syslog-ng") + +- name: Systemctl command to stop syslog-related services + type: Exec + condition: payload.filename ENDS_WITH "systemctl" AND payload.argv CONTAINS "stop" AND (payload.argv CONTAINS "syslog" OR payload.argv CONTAINS "rsyslog" OR payload.argv CONTAINS "syslog-ng") + +- name: Systemctl command to kill syslog-related services + type: Exec + condition: payload.filename ENDS_WITH "systemctl" AND payload.argv CONTAINS "kill" AND (payload.argv CONTAINS "syslog" OR payload.argv CONTAINS "rsyslog" OR payload.argv CONTAINS "syslog-ng") \ No newline at end of file 
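Review bot: In the `rules /README.md` hunk the new directory is `rules ` with a trailing space (compare `rename from rules/basic-rules.yaml` with `rename to rules /basic-rules.yaml`), which moves every rule out of the `rules/` path the engine and existing users expect; drop the space. Also `**Description**:A` is missing the space after the colon, and the README never says how the Rule Engine is meant to load these files (the top-level `basic-rules.yaml`, a single category folder, or everything recursively), which is the first thing a reader of this page needs.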
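Review bot: The only content change in the `rules /basic-rules.yaml` hunk is removing the final newline after `condition: payload.argc == 0` (`\ No newline at end of file`); restore it so the CVE-2021-4034 rule's file stays newline-terminated and does not show up as modified again in the next diff.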
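Review bot: The `cat_network_activity.yaml` description says the rule matches `cat` followed by a connection attempt by the same process, but the hunk contains a single `Exec` rule with no `Connect` rule and no correlation, so it fires on every `cat` launched from a shell; either add the connection half or rewrite the description to what is actually matched. `payload.filename ENDS_WITH "cat"` also matches `zcat`, `netcat` and `tomcat`; use `ENDS_WITH "/cat"`. The `# MITRE ATT&CK Technique: - -` line is blank, and `transfering` should read `transferring`.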
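Review bot: In `linux_chisel_client_activity.yaml`, `payload.argv CONTAINS "*:*"` and `CONTAINS "*.*"` are written as globs, but nothing in this patch shows CONTAINS expanding `*`: under plain substring semantics they never match, and under glob semantics `*.*` matches any argument containing a dot (every host, IP or path), which makes the rest of the clause and the `argc >= 4` guard meaningless. Pin down the semantics and replace `*.*` with something specific. The shell list uses `ENDS_WITH "sh"` without a slash, unlike `"/sh"` in the cat rule, so `/usr/bin/ssh` counts as a shell here. As in the cat rule, the description's "followed by a connection attempt" is not implemented.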
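Review bot: `linux_chisel_server_activity.yaml` never checks that the launched binary is chisel: any shell-spawned process with `argc >= 3` and `-p`, `--port` or `server` in argv matches (`ssh -p 2222 host`, `nc -l -p 8080`). Anchor the rule on `payload.filename ENDS_WITH "/chisel" AND payload.argv CONTAINS "server"` and keep the flag list as a refinement. The "received connection within a timespan of 1 minute" in the description has no `Accept` rule or time window behind it. Note that `linux_tunneling_and_port_forwarding.yaml` in this same patch already has a `Chisel client OR server mode` rule keyed on the binary name; decide which file owns chisel.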
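Review bot: The commented-out `# AND NOT payload.destination.ip IN [...]` in `linux_kworker_netcon.yaml` lists range endpoints in pairs (`10.0.0.1`, `10.255.255.254`, `172.16.0.1`, `172.31.255.254`, ...); an `IN` list matches only those twelve exact addresses, so when it is re-enabled it will not exclude the private, loopback, link-local and multicast ranges it was clearly meant to cover. It needs CIDR or range support in the engine. The `Accept` and `Connect` rules share the identical name `Suspicious kworker network activity`, so their alerts cannot be told apart; suffix the names. Also T1036 Masquerading belongs to the Defense Evasion tactic, so `Category: Command and control` / `TA0011` is inconsistent with the rule's own technique line.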
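Review bot: `payload.argv CONTAINS "telnet"` is listed twice in the `linux_suspicious_proxychains_activity.yaml` condition. Several terms (`nc`, `ping`, `awk`, `java`, `perl`) are short enough that, under substring matching, they hit inside unrelated arguments; dedupe the list and, if the engine supports it, match the first argv element or whole tokens. `header.image ENDS_WITH "proxychains"` will not match `proxychains4`, the binary name proxychains-ng installs, so add it. The glob forms `chisel*`, `python*`, `php*` and `lua*` depend on the same unconfirmed `*` expansion as the chisel client rule.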
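Review bot: `SSH with suspicious arguments` in `linux_tunneling_and_port_forwarding.yaml` tests `header.image IN ["/usr/bin/ssh", "/usr/sbin/sshd"]`, but everywhere else in this patch `header.image` is the process doing the exec (the parent shell) and `payload.filename` is the binary being launched, so this rule fires only when ssh or sshd itself execs something carrying `-R`/`-L`/`-D`/`-w`, not when a user runs `ssh -R`; switch to `payload.filename`. The names `Gost without parent process` and `Pivotnacci without parent process` contradict their conditions, which require a shell as parent. In `Tunneling tools execution`, `ENDS_WITH "hans"`, `"ssf"` and `"ngrok"` have no leading slash, so any path ending in those letters matches; prefix each with `/`.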
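Review bot: The exclusion chain in `suspicious_network_activity_from_unknown_executable.yaml` is joined with `OR`: `NOT header.image ENDS_WITH "/apt" OR NOT header.image ENDS_WITH "/chrome" OR ...` is true for every image, because no path ends with both `/apt` and `/chrome`, so the allowlist excludes nothing. Write it as `NOT (header.image ENDS_WITH "/apt" OR ... OR header.image ENDS_WITH "/terraform")` and parenthesize it before the `AND (payload.filename STARTS_WITH ...)` clause so precedence does not depend on engine defaults. The rule is also type `Exec` while the description talks about connectivity to a previously unknown destination IP; nothing in the condition looks at a connection or at novelty, so add a `Connect` rule or rewrite the description. Minor: `STARTS_WITH "/etc/rc"` already covers `/etc/rc.local`.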
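Review bot: In `collection_sensitive_files.yaml`, `payload.filename ENDS_WITH "zip"` also matches `gzip` (listed separately) and `unzip`, and `ENDS_WITH "tar"` matches `bsdtar`; use `"/zip"`, `"/tar"` and so on for consistency with the rest of the set. The `/home/*/.ssh/...` entries again assume `*` is a glob inside CONTAINS; if CONTAINS is a substring test, every `/home/` entry is dead and only the `/root/` and `/etc/` paths work. `hdiutil` is a macOS tool and looks out of place in a Linux rule file. The file also ends without a trailing newline.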
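Review bot: The description in `credential_dumping.yaml` names `/etc/password`; the file unshadow combines with `/etc/shadow` is `/etc/passwd`, so fix the doc string. The condition uses `header.image ENDS_WITH "/unshadow"`, i.e. the process performing the exec, whereas the sibling rules match the launched binary via `payload.filename`; unless the intent really is "unshadow execs something", use `payload.filename`.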
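Review bot: `payload.argv CONTAINS "1"` in `gdb_init_memory_dump.yaml` depends on CONTAINS semantics: as an exact element match it correctly requires a bare `1`, but as a substring test over argv it matches any PID containing a 1 and most file paths. Confirm which, and cover the `--pid=1` and `-p1` spellings, which the current `CONTAINS "--pid"` / `"-p"` plus `"1"` pair misses under exact matching.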
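Review bot: The `ps` rule in `proc_credential_dumping.yaml` ORs `-eo`, `pid` and `command`, so any `ps -eo ...` or `ps` with `pid` in argv from a program under `/usr/bin/` matches; AND the three together, since the combination is what characterises the mimipenguin invocation, and note that `header.image STARTS_WITH "/usr/bin/"` excludes almost nothing on merged-/usr systems. The `strings` rule fires on any `strings` of a `/tmp/` file. Description grammar: "which is a Linux adaptation of the Windows tool mimikatz".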
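Review bot: Several terms in `ssh_backdoor_log.yaml` are dead or duplicated: `payload.filename ENDS_WITH "~"` appears twice in the same OR group; `payload.filename STARTS_WITH "."` can never match an absolute path; the `IN [".cache", ".viminfo", ...]` exclusion compares bare basenames against a full path, so it excludes nothing; and the closing `IN [...]` list holds glob patterns (`/usr/share/*`, `/usr/lib/*.so.*`) that an equality `IN` will not expand. The `AND NOT (...) OR payload.filename ENDS_WITH ".in" ...` sequence is unparenthesized, so whether the exclusion covers the whole rule or only the first group is left to precedence. `ENDS_WITH ".0"` through `".9"` will match every rotated log and versioned `.so` sshd opens. Finally, `FileOpened` does not distinguish the create/write the description describes from a plain read.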
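Review bot: `Flush iptables rules` in `attempt_to_disable_iptables_or_firewall.yaml` requires `payload.argc == 2`, so `iptables -F INPUT` and `iptables -t nat -F` are missed, and `payload.filename ENDS_WITH "/iptables"` does not match `/ip6tables` even though the other rules in this file list ip6tables; relax the argc guard and add ip6tables. nftables (`nft flush ruleset`) is not covered by any rule here. The binary paths in this file carry a leading slash (`"/service"`, `"/sbin/chkconfig"`) while the syslog file uses `"service"` and `"chkconfig"`; pick one convention.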
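Review bot: The description in `attempt_to_disable_syslog_service.yaml` repeats itself ("in an attempt to an attempt to"). The three `systemctl` rules differ only in the verb and can be one rule with `(disable OR stop OR kill)`, as the iptables hunk does. `payload.filename ENDS_WITH "service"` and `"systemctl"` have no leading slash, so any binary whose name ends in those strings matches. Under substring semantics `CONTAINS "syslog"` already covers `rsyslog` and `syslog-ng`, so the two extra terms are either redundant or, under exact-token semantics, required; state which applies.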
diff --git a/rules /defense_evasion/base16_or_base32_encoding_or_decoding_activity.yaml b/rules /defense_evasion/base16_or_base32_encoding_or_decoding_activity.yaml new file mode 100644 index 00000000..428f379d --- /dev/null +++ b/rules /defense_evasion/base16_or_base32_encoding_or_decoding_activity.yaml @@ -0,0 +1,27 @@ +# Title: Base16 Or Base32 Encoding Or Decoding Activity + +# Creation date: 2020/04/17 + +# Category: Defense evasion + +# Severity: Low + +# Description: Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1027 - Obfuscated Files or Information - https://attack.mitre.org/techniques/T1027/ + + +- name: Base16 execution + type: Exec + condition: payload.filename IN ["/usr/bin/base16", "/sbin/base16", "/usr/bin/base16-encode", "/usr/bin/base16-decode", "/usr/bin/base16enc", "/usr/bin/base16dec", "/usr/bin/base16plain", "/usr/bin/base16hex"] + +- name: Base32 execution + type: Exec + condition: payload.filename IN ["/usr/bin/base32", "/sbin/base32", "/usr/bin/base32-encode", "/usr/bin/base32-decode", "/usr/bin/base32enc", "/usr/bin/base32dec", "/usr/bin/base32plain", "/usr/bin/base32hex"] + +- name: Base64 execution + type: Exec + condition: payload.filename IN ["/usr/bin/base64", "/sbin/base64", "/usr/bin/base64-encode", "/usr/bin/base64-decode", "/usr/bin/base64enc", "/usr/bin/base64dec", "/usr/bin/base64plain", "/usr/bin/base64hex"] + diff --git a/rules /defense_evasion/binary_copied_to_suspicious_directory.yaml b/rules /defense_evasion/binary_copied_to_suspicious_directory.yaml new file mode 100644 index 00000000..3dceccbd --- /dev/null +++ b/rules /defense_evasion/binary_copied_to_suspicious_directory.yaml 
@@ -0,0 +1,27 @@ +# Title: Binary Copied To Suspicious Directory + +# Creation date: 2023/08/29 + +# Category: Defense evasion + +# Severity: Low + +# Description: This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move +# and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, +# so if it does, the activity should be investigated. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1564 - Hide Artifacts - https://attack.mitre.org/techniques/T1564/ + +- name: Suspicious file operation by binary + type: Exec + condition: payload.filename IN ["/usr/bin/cp", "/usr/bin/mv"] + AND + (payload.argv CONTAINS "/bin/*sh" OR payload.argv CONTAINS "/usr/bin/*sh" OR payload.argv CONTAINS "/bin/python*" OR payload.argv CONTAINS "/usr/bin/python*" OR payload.argv CONTAINS "/bin/php*" OR payload.argv CONTAINS "/usr/bin/php*" OR payload.argv CONTAINS "/bin/ruby*" OR payload.argv CONTAINS "/usr/bin/ruby*" OR payload.argv CONTAINS "/bin/perl*" OR payload.argv CONTAINS "/usr/bin/perl*" OR payload.argv CONTAINS "/bin/lua*" OR payload.argv CONTAINS "/usr/bin/lua*" OR payload.argv CONTAINS "/bin/java*" OR payload.argv CONTAINS "/usr/bin/java*" OR payload.argv CONTAINS "/bin/gcc*" OR payload.argv CONTAINS "/usr/bin/gcc*" OR payload.argv CONTAINS "/bin/g++*" OR payload.argv CONTAINS "/usr/bin/g++*" OR payload.argv CONTAINS "/bin/cc" OR payload.argv CONTAINS "/usr/bin/cc" OR payload.argv CONTAINS "/bin/nc" OR payload.argv CONTAINS "/usr/bin/nc" OR payload.argv CONTAINS "/bin/ncat" OR payload.argv CONTAINS "/usr/bin/ncat" OR payload.argv CONTAINS "/bin/netcat" OR payload.argv CONTAINS "/usr/bin/netcat" OR payload.argv CONTAINS "/bin/nc.openbsd" OR payload.argv CONTAINS "/usr/bin/nc.openbsd" OR payload.argv CONTAINS "/bin/*awk" OR payload.argv CONTAINS "/usr/bin/*awk" OR payload.argv CONTAINS 
"/bin/socat" OR payload.argv CONTAINS "/usr/bin/socat" OR payload.argv CONTAINS "/bin/openssl" OR payload.argv CONTAINS "/usr/bin/openssl" OR payload.argv CONTAINS "/bin/telnet" OR payload.argv CONTAINS "/usr/bin/telnet" OR payload.argv CONTAINS "/bin/mkfifo" OR payload.argv CONTAINS "/usr/bin/mkfifo" OR payload.argv CONTAINS "/bin/mknod" OR payload.argv CONTAINS "/usr/bin/mknod" OR payload.argv CONTAINS "/bin/ping*" OR payload.argv CONTAINS "/usr/bin/ping*" OR payload.argv CONTAINS "/bin/nmap" OR payload.argv CONTAINS "/usr/bin/nmap" OR payload.argv CONTAINS "/bin/ls" OR payload.argv CONTAINS "/usr/bin/ls" OR payload.argv CONTAINS "/bin/cat" OR payload.argv CONTAINS "/usr/bin/cat" OR payload.argv CONTAINS "/bin/sudo" OR payload.argv CONTAINS "/usr/bin/sudo" OR payload.argv CONTAINS "/bin/curl" OR payload.argv CONTAINS "/usr/bin/curl" OR payload.argv CONTAINS "/bin/wget" OR payload.argv CONTAINS "/usr/bin/wget" OR payload.argv CONTAINS "/bin/tmux" OR payload.argv CONTAINS "/usr/bin/tmux" OR payload.argv CONTAINS "/bin/screen" OR payload.argv CONTAINS "/usr/bin/screen" OR payload.argv CONTAINS "/bin/ssh" OR payload.argv CONTAINS "/usr/bin/ssh" OR payload.argv CONTAINS "/bin/ftp" OR payload.argv CONTAINS "/usr/bin/ftp") + AND NOT header.image IN ["/usr/bin/dracut-install", "/usr/bin/apticron", "/usr/bin/generate-from-dir", "/usr/bin/platform-python"] + +- name: Suspicious file creation + type: FileCreated + condition: (payload.filename STARTS_WITH "/dev/shm/" OR payload.filename STARTS_WITH "/run/shm/" OR payload.filename STARTS_WITH "/tmp/" OR payload.filename STARTS_WITH "/var/tmp/" OR payload.filename STARTS_WITH "/run/" OR payload.filename STARTS_WITH "/var/run/" OR payload.filename STARTS_WITH "/var/www/" OR payload.filename STARTS_WITH "/proc/" AND payload.filename ENDS_WITH "/fd/") + AND NOT (payload.filename STARTS_WITH "/tmp/rear" OR payload.filename STARTS_WITH "/var/tmp/dracut") \ No newline at end of file 
diff --git a/rules /defense_evasion/chattr_immutable_file.yaml b/rules /defense_evasion/chattr_immutable_file.yaml new file mode 100644 index 00000000..09bb64f4 --- /dev/null +++ b/rules /defense_evasion/chattr_immutable_file.yaml @@ -0,0 +1,22 @@ +# Title: Chattr Immutable File + +# Creation date: 2022/07/22 + +# Category: Defense evasion + +# Severity: Medium + +# Description: Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or +# renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be +# opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious +# files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1222 - File and Directory Permissions Modification - https://attack.mitre.org/techniques/T1222/ + +- name: Root user executing chattr + type: Exec + condition: header.image ENDS_WITH "/chattr" AND (payload.argv CONTAINS "-*i*" OR payload.argv CONTAINS "+*i*") AND payload.argc > 0 + AND NOT header.image STARTS_WITH "/lib/systemd/systemd" AND NOT header.image STARTS_WITH "/usr/local/uems_agent/bin/" AND NOT header.image STARTS_WITH "/usr/lib/systemd/systemd" + AND NOT header.image IN ["/usr/bin/systemd", "/usr/bin/cf-agent", "/usr/bin/ntpdate", "/usr/bin/xargs", "/usr/bin/px", "/usr/bin/preinst", "/usr/bin/auth"] \ No newline at end of file diff --git a/rules /defense_evasion/clear_kernel_ring_buffer.yaml b/rules /defense_evasion/clear_kernel_ring_buffer.yaml new file mode 100644 index 00000000..04d24a35 --- /dev/null +++ b/rules /defense_evasion/clear_kernel_ring_buffer.yaml 
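Review bot: In chattr_immutable_file.yaml, `header.image ENDS_WITH "/chattr"` contradicts the exclusions in the same condition: elsewhere in this patch `payload.filename` is the executed binary and `header.image` the process that spawned it (see binary_copied_to_suspicious_directory.yaml and kernel_module_enumeration.yaml), so if `header.image` ends with /chattr it can never also start with /lib/systemd/systemd or equal /usr/bin/xargs, and every `AND NOT` term is dead. Match `payload.filename ENDS_WITH "/chattr"` and keep the exclusions on `header.image`. The rule name says "Root user executing chattr" but nothing in the condition checks the user, and `payload.argc > 0` is already implied by the argv CONTAINS terms.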
@@ -0,0 +1,18 @@ +# Title: Clear Kernel Ring Buffer + +# Creation date: 2023/10/24 + +# Category: Defense evasion + +# Severity: Low + +# Description: Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events +# to evade detection after installing a Linux kernel module (LKM). + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/ + +- name: Executing dmesg with clear flag + type: Exec + condition: header.image == "/usr/bin/dmesg" AND payload.argv CONTAINS "-c" \ No newline at end of file diff --git a/rules /defense_evasion/disable_apparmor_attempt.yaml b/rules /defense_evasion/disable_apparmor_attempt.yaml new file mode 100644 index 00000000..624be0f5 --- /dev/null +++ b/rules /defense_evasion/disable_apparmor_attempt.yaml 
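Review bot: Same field mix-up as in the chattr rule: `header.image == "/usr/bin/dmesg"` names the spawning process in the convention used elsewhere in this patch, while `payload.argv` belongs to the executed binary; this should be `payload.filename`. Matching only `-c` also misses the documented `-C` and `--clear` forms, which clear the ring buffer without printing it.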
@@ -0,0 +1,23 @@ +# Title: Disable Apparmor Attempt + +# Creation date: 2023/08/28 + +# Category: Defense evasion + +# Severity: Low + +# Description: This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces +# fine-grained access control policies to restrict the actions and resources that specific applications and processes can +# access. Adversaries may disable security tools to avoid possible detection of their tools and activities. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/ + +- name: Disable AppArmor service + type: Exec + condition: payload.filename == "/usr/bin/systemctl" AND payload.argv CONTAINS "disable" AND payload.argv CONTAINS "apparmor" + +- name: Create symlink to disable AppArmor + type: Exec + condition: payload.filename == "/usr/bin/ln" AND payload.argv CONTAINS "/etc/apparmor.d/" AND payload.argv CONTAINS "/etc/apparmor.d/disable/" \ No newline at end of file diff --git a/rules /defense_evasion/disable_selinux_attempt.yaml b/rules /defense_evasion/disable_selinux_attempt.yaml new file mode 100644 index 00000000..1b9170b4 --- /dev/null +++ b/rules /defense_evasion/disable_selinux_attempt.yaml 
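Review bot: The symlink rule requires both `payload.argv CONTAINS "/etc/apparmor.d/"` and `"/etc/apparmor.d/disable/"`, but ln is invoked with full profile paths (a profile such as /etc/apparmor.d/usr.sbin.example), so unless CONTAINS is a substring or prefix match neither term will ever hit. Please state in the README or the rule comments whether CONTAINS on argv is element-equality, substring or glob; several rules in this patch depend on the answer. `payload.filename == "/usr/bin/systemctl"` is also stricter than the `ENDS_WITH "systemctl"` used in the syslog rules and misses /bin/systemctl on systems without a merged /usr.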
@@ -0,0 +1,19 @@ +# Title: Disable Selinux Attempt + +# Creation date: 2020/04/22 + +# Category: Defense evasion + +# Severity: Medium + +# Description: Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to +# support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and +# activities. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/ + +- name: Set enforce mode to permissive + type: Exec + condition: payload.filename == "/usr/sbin/setenforce" AND payload.argv CONTAINS "0" \ No newline at end of file diff --git a/rules /defense_evasion/esxi_suspicious_timestomp_touch.yaml b/rules /defense_evasion/esxi_suspicious_timestomp_touch.yaml new file mode 100644 index 00000000..2960ab9d --- /dev/null +++ b/rules /defense_evasion/esxi_suspicious_timestomp_touch.yaml 
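Review bot: `payload.argv CONTAINS "0"` only covers the numeric form; setenforce also accepts the word `Permissive`, which the description's "disable SELinux" intent should include. The severity here is Medium while the AppArmor equivalent in this patch is Low; align the two or comment on why they differ, and prefer `ENDS_WITH "/setenforce"` over the absolute path for consistency with the rest of the set.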
@@ -0,0 +1,21 @@ +# Title: Esxi Suspicious Timestomp Touch + +# Creation date: 2023/04/11 + +# Category: Defense evasion + +# Severity: Medium + +# Description: Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, +# which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related +# paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization +# software, and their presence in the touch command arguments may indicate that a threat actor is attempting to +# tamper with timestamps of VM-related files and configurations on the system. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1070 - Indicator Removal - https://attack.mitre.org/techniques/T1070/ + +- name: Touch command with reference file + type: Exec + condition: payload.filename == "/usr/bin/touch" AND payload.argv CONTAINS "-r" AND (payload.argv CONTAINS "/etc/vmware/" OR payload.argv CONTAINS "/usr/lib/vmware/" OR payload.argv CONTAINS "/vmfs/") \ No newline at end of file diff --git a/rules /defense_evasion/file_deletion_via_shred.yaml b/rules /defense_evasion/file_deletion_via_shred.yaml new file mode 100644 index 00000000..f77e09ef --- /dev/null +++ b/rules /defense_evasion/file_deletion_via_shred.yaml 
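Review bot: The argv terms `"/etc/vmware/"`, `"/usr/lib/vmware/"` and `"/vmfs/"` are bare directory prefixes, whereas touch receives full file paths, so the rule only works if CONTAINS performs substring matching; confirm and document that semantics. Only the short flag `-r` is matched; the equivalent long form `--reference` should be listed as well.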
@@ -0,0 +1,19 @@ +# Title: File Deletion Via Shred + +# Creation date: 2020/04/27 + +# Category: Defense evasion + +# Severity: Low + +# Description: Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within +# a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or +# remove them at the end as part of the post-intrusion cleanup process. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1070 - Indicator Removal - https://attack.mitre.org/techniques/T1070/ + +- name: Shred execution + type: Exec + condition: header.image == "/usr/bin/shred" AND (payload.argv CONTAINS "-u" OR payload.argv CONTAINS "--remove" OR payload.argv CONTAINS "-z" OR payload.argv CONTAINS "--zero") diff --git a/rules /defense_evasion/file_mod_writable_dir.yaml b/rules /defense_evasion/file_mod_writable_dir.yaml new file mode 100644 index 00000000..45f73506 --- /dev/null +++ b/rules /defense_evasion/file_mod_writable_dir.yaml 
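Review bot: `header.image == "/usr/bin/shred"` has the same field inversion as the chattr and dmesg rules: in this patch `header.image` is the process that performs the exec and `payload.filename` the binary being executed, so this condition can only fire when shred itself spawns a child. Use `payload.filename ENDS_WITH "/shred"`.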
@@ -0,0 +1,19 @@ +# Title: File Mod Writable Dir + +# Creation date: 2020/04/21 + +# Category: Defense evasion + +# Severity: Low + +# Description: Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files +# or payloads into a writable directory and change permissions prior to execution. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1222 - File and Directory Permissions Modification - https://attack.mitre.org/techniques/T1222/ + +- name: Suspicious file attribute modification binary execution + type: Exec + condition: header.image IN ["/usr/bin/chattr", "/usr/bin/chgrp", "/usr/bin/chmod", "/usr/bin/chown"] + AND (payload.argv CONTAINS "/dev/shm" OR payload.argv CONTAINS "/tmp" OR payload.argv CONTAINS "/var/tmp") \ No newline at end of file diff --git a/rules /defense_evasion/hidden_file_dir_tmp.yaml b/rules /defense_evasion/hidden_file_dir_tmp.yaml new file mode 100644 index 00000000..f25f001a --- /dev/null +++ b/rules /defense_evasion/hidden_file_dir_tmp.yaml 
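Review bot: `header.image IN ["/usr/bin/chattr", ...]` again keys on the spawning process rather than the executed binary; switch to `payload.filename`. The description says the modification is made "by a non-root user", but the condition has no user check, and `payload.argv CONTAINS "/tmp"` only matches an argument that is exactly the directory unless CONTAINS is a prefix or substring match, so a path like /tmp/payload.bin would be missed under element-equality semantics.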
@@ -0,0 +1,23 @@ +# Title: Hidden File Dir Tmp + +# Creation date: 2020/04/29 + +# Category: Defense evasion + +# Severity: Medium + +# Description: Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. +# Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. +# This rule looks for hidden files or folders in common writable directories. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1564 - Hide Artifacts - https://attack.mitre.org/techniques/T1564/ + +- name: Rename with suspicious pattern + type: FileRename + condition: NOT header.image IN ["/usr/bin/ls", "/usr/bin/find", "/usr/bin/grep", "/usr/bin/git", "/usr/bin/jq", "/usr/bin/basename"] + AND + (payload.source STARTS_WITH "/tmp" OR payload.source STARTS_WITH "/var/tmp" OR payload.source STARTS_WITH "/dev/shm") + AND + (payload.destination STARTS_WITH "/tmp/." OR payload.destination STARTS_WITH "/var/tmp/." OR payload.destination STARTS_WITH "/dev/shm/.") \ No newline at end of file diff --git a/rules /defense_evasion/hidden_shared_object.yaml b/rules /defense_evasion/hidden_shared_object.yaml new file mode 100644 index 00000000..6f51f153 --- /dev/null +++ b/rules /defense_evasion/hidden_shared_object.yaml 
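Review bot: The exclusion list names ls, find, grep, git, jq and basename, which do not rename files, so it appears to have been carried over from a different event type; for a FileRename rule it is dead weight. The description claims the rule "looks for hidden files or folders in common writable directories", but only renames into a dot-prefixed name are covered; either narrow the description or add a matching FileCreated rule.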
@@ -0,0 +1,19 @@ +# Title: Hidden Shared Object + +# Creation date: 2022/07/20 + +# Category: Defense evasion + +# Severity: Medium + +# Description: Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting +# a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and +# folders on the system for persistence and defense evasion. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1564 - Hide Artifacts - https://attack.mitre.org/techniques/T1564/ + +- name: Creation of shared object files + type: FileCreated + condition: payload.filename ENDS_WITH ".so" \ No newline at end of file diff --git a/rules /defense_evasion/kernel_module_removal.yaml b/rules /defense_evasion/kernel_module_removal.yaml new file mode 100644 index 00000000..8386535c --- /dev/null +++ b/rules /defense_evasion/kernel_module_removal.yaml @@ -0,0 +1,23 @@ +# Title: Kernel Module Removal + +# Creation date: 2020/04/24 + +# Category: Defense evasion + +# Severity: Medium + +# Description: Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the +# functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel +# module. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/ + +- name: Remove Linux Kernel Module with rmmod + type: Exec + condition: header.image == "/usr/sbin/rmmod" + +- name: Remove Linux Kernel Module with modprobe + type: Exec + condition: payload.filename == "/usr/sbin/modprobe" AND (payload.argv CONTAINS "--remove" OR payload.argv CONTAINS "-r") 
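Review bot: In hidden_shared_object.yaml the condition `payload.filename ENDS_WITH ".so"` matches every shared object created on the host, not hidden ones, so the rule will fire on each package install or build; the title and description require the basename to start with ".", which the condition must check (e.g. a `CONTAINS "/."` term on the path, if the engine supports substring matching).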
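Review bot: In kernel_module_removal.yaml the two rules use different fields for the same purpose: the rmmod rule keys on `header.image == "/usr/sbin/rmmod"` while the modprobe rule keys on `payload.filename == "/usr/sbin/modprobe"`. Following the convention of the rest of this patch, both should use `payload.filename`, preferably with `ENDS_WITH "/rmmod"` so /sbin/rmmod is also matched.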
diff --git a/rules /defense_evasion/log_files_deleted.yaml b/rules /defense_evasion/log_files_deleted.yaml new file mode 100644 index 00000000..bf2f2633 --- /dev/null +++ b/rules /defense_evasion/log_files_deleted.yaml @@ -0,0 +1,19 @@ +# Title: Log Files Deleted + +# Creation date: 2020/11/03 + +# Category: Defense evasion + +# Severity: Medium + +# Description: Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy +# forensic evidence on a system. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1070 - Indicator Removal - https://attack.mitre.org/techniques/T1070/ + +- name: Delete sensitive log files + type: FileDeleted + condition: payload.filename IN ["/var/run/utmp", "/var/log/wtmp", "/var/log/btmp", "/var/log/lastlog", "/var/log/faillog", "/var/log/syslog", "/var/log/messages", "/var/log/secure", "/var/log/auth.log", "/var/log/boot.log", "/var/log/kern.log"] + AND NOT header.image IN ["/usr/bin/gzip", "/usr/bin/executor", "/usr/bin/dockerd"] \ No newline at end of file diff --git a/rules /defense_evasion/mount_execution.yaml b/rules /defense_evasion/mount_execution.yaml new file mode 100644 index 00000000..bf1738e6 --- /dev/null +++ b/rules /defense_evasion/mount_execution.yaml 
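Review bot: The path list includes `/var/run/utmp` but not `/run/utmp`; on systems where /var/run is a symlink to /run the sensor may report the resolved path, so the /run form should be added alongside it. The exclusion `/usr/bin/executor` is opaque; please comment on which product it belongs to so the exception can be reviewed later.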
@@ -0,0 +1,25 @@ +# Title: Mount Execution + +# Creation date: 2023/04/11 + +# Category: Defense evasion + +# Severity: Medium + +# Description: Identifies the execution of mount process with hidepid parameter, which can make processes invisible to +# other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide +# the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user +# can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for +# the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. +# With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, +# which can now be monitored and detected. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1564 - Hide Artifacts - https://attack.mitre.org/techniques/T1564/ + +- name: Mount proc with hidepid + type: Exec + condition: header.image == "/usr/bin/mount" + AND + (payload.argv CONTAINS "/proc" AND payload.argv CONTAINS "-o" AND payload.argv CONTAINS "hidepid=2") \ No newline at end of file diff --git a/rules /defense_evasion/potential_proot_exploits.yaml b/rules /defense_evasion/potential_proot_exploits.yaml new file mode 100644 index 00000000..aa02254f --- /dev/null +++ b/rules /defense_evasion/potential_proot_exploits.yaml 
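Review bot: `header.image == "/usr/bin/mount"` should be `payload.filename` for the reasons noted on the chattr rule; as written the condition only fires when mount itself spawns a child. Requiring `"-o"` and `"hidepid=2"` as separate, exact argv elements also misses the comma-joined option string the description itself mentions for remounts (for example `-o remount,hidepid=2`), so a substring or glob match on the option is needed.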
@@ -0,0 +1,26 @@ +# Title: Potential Proot Exploits + +# Creation date: 2023/03/07 + +# Category: Defense evasion + +# Severity: Medium + +# Description: Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of +# chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot +# to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. +# In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. +# With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, +# such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other +# architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), +# can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or +# orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent +# it can be easily tuned to work for one. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1211 - Exploitation for Defense Evasion - https://attack.mitre.org/techniques/T1211/ + +- name: Execution from proot + type: Exec + condition: header.image ENDS_WITH "/proot" \ No newline at end of file diff --git a/rules /defense_evasion/rename_esxi_files.yaml b/rules /defense_evasion/rename_esxi_files.yaml new file mode 100644 index 00000000..067c66ac --- /dev/null +++ b/rules /defense_evasion/rename_esxi_files.yaml 
@@ -0,0 +1,19 @@ +# Title: Rename Esxi Files + +# Creation date: 2023/04/11 + +# Category: Defense evasion + +# Severity: Medium + +# Description: Identifies instances where VMware-related files, such as those with extensions like ".vmdk", ".vmx", ".vmxf", ".vmsd", +# ".vmsn", ".vswp", ".vmss", ".nvram", and ".vmem", are renamed on a Linux system. The rule monitors for the "rename" +# event action associated with these file types, which could indicate malicious activity. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1036 - Masquerading - https://attack.mitre.org/techniques/T1036/ + +- name: Rename virtual machine files + type: FileRename + condition: (payload.source ENDS_WITH ".vmdk" OR payload.source ENDS_WITH ".vmx" OR payload.source ENDS_WITH ".vmxf" OR payload.source ENDS_WITH ".vmsd" OR payload.source ENDS_WITH ".vmsn" OR payload.source ENDS_WITH ".vswp" OR payload.source ENDS_WITH ".vmss" OR payload.source ENDS_WITH ".nvram" OR payload.source ENDS_WITH ".vmem") \ No newline at end of file diff --git a/rules /defense_evasion/rename_esxi_index_file.yaml b/rules /defense_evasion/rename_esxi_index_file.yaml new file mode 100644 index 00000000..51e3ec63 --- /dev/null +++ b/rules /defense_evasion/rename_esxi_index_file.yaml 
@@ -0,0 +1,19 @@ +# Title: Rename Esxi Index File + +# Creation date: 2023/04/11 + +# Category: Defense evasion + +# Severity: Medium + +# Description: Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system. +# The rule monitors for the "rename" event action associated with this specific file and path, +# which could indicate malicious activity. + +# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ + +# MITRE ATT&CK Technique: T1036 - Masquerading - https://attack.mitre.org/techniques/T1036/ + +- name: Rename index.html file + type: FileRename + condition: payload.source ENDS_WITH "index.html" AND payload.source STARTS_WITH "/usr/lib/vmware/" \ No newline at end of file diff --git a/rules /discovery/esxi_software_via_find.yaml b/rules /discovery/esxi_software_via_find.yaml new file mode 100644 index 00000000..5e363d0d --- /dev/null +++ b/rules /discovery/esxi_software_via_find.yaml 
@@ -0,0 +1,21 @@ +# Title: Esxi Software Via Find + +# Creation date: 2023/04/11 + +# Category: Discovery + +# Severity: Medium + +# Description: Identifies instances where the 'find' command is started on a Linux system with arguments targeting +# specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". +# These paths are associated with VMware virtualization software, and their presence in the find command arguments +# may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files +# and configurations on the system. + +# MITRE ATT&CK Tactic: TA0007 - Discovery - https://attack.mitre.org/tactics/TA0007/ + +# MITRE ATT&CK Technique: T1518 - Software Discovery - https://attack.mitre.org/techniques/T1518/ + +- name: Find command execution in specific directories + type: Exec + condition: payload.filename ENDS_WITH "/find" AND (payload.argv CONTAINS "/etc/vmware/" OR payload.argv CONTAINS "/usr/lib/vmware/" OR payload.argv CONTAINS "/vmfs/") \ No newline at end of file diff --git a/rules /discovery/esxi_software_via_grep.yaml b/rules /discovery/esxi_software_via_grep.yaml new file mode 100644 index 00000000..207485d6 --- /dev/null +++ b/rules /discovery/esxi_software_via_grep.yaml 
@@ -0,0 +1,20 @@ +# Title: Esxi Software Via Grep + +# Creation date: 2023/04/11 + +# Category: Discovery + +# Severity: Medium + +# Description: Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments +# related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", +# or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command +# arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system. + +# MITRE ATT&CK Tactic: TA0007 - Discovery - https://attack.mitre.org/tactics/TA0007/ + +# MITRE ATT&CK Technique: T1518 - Software Discovery - https://attack.mitre.org/techniques/T1518/ + +- name: Search for virtual machine files + type: Exec + condition: (payload.filename IN ["/usr/bin/grep", "/usr/bin/egrep", "/usr/bin/pgrep"]) AND (payload.argv CONTAINS "vmdk" OR payload.argv CONTAINS "vmx" OR payload.argv CONTAINS "vmxf" OR payload.argv CONTAINS "vmsd" OR payload.argv CONTAINS "vmsn" OR payload.argv CONTAINS "vswp" OR payload.argv CONTAINS "vmss" OR payload.argv CONTAINS "nvram" OR payload.argv CONTAINS "vmem") \ No newline at end of file diff --git a/rules /discovery/kernel_module_enumeration.yaml b/rules /discovery/kernel_module_enumeration.yaml new file mode 100644 index 00000000..94eeaab4 --- /dev/null +++ b/rules /discovery/kernel_module_enumeration.yaml 
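Review bot: The matching semantics of `payload.argv CONTAINS "vmdk"` decide whether this rule works at all: with element-equality it only fires when an argument is literally `vmdk`, not a pattern such as `*.vmdk`, and with substring matching the `"vmx"` term already covers `"vmxf"`. Please document the operator. pgrep searches process names rather than file contents, so including it under a "search for virtual machine files" rule looks like a copy-paste from the Elastic source and deserves a comment.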
@@ -0,0 +1,21 @@ +# Title: Kernel Module Enumeration + +# Creation date: 2020/04/23 + +# Category: Discovery + +# Severity: Medium + +# Description: Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They +# extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate +# information about a kernel module. + +# MITRE ATT&CK Tactic: TA0007 - Discovery - https://attack.mitre.org/tactics/TA0007/ + +# MITRE ATT&CK Technique: T1082 - System Information Discovery - https://attack.mitre.org/techniques/T1082/ + +- name: Linux module listing utilities execution + type: Exec + condition: payload.filename IN ["/usr/bin/lsmod", "/usr/sbin/lsmod", "/usr/bin/modinfo", "/usr/sbin/modinfo", "/usr/bin/kmod", "/usr/bin/depmod", "/usr/sbin/depmod"] + AND (NOT payload.argv CONTAINS "--all" OR NOT payload.argv CONTAINS "-a" OR payload.argv CONTAINS "list") + AND NOT header.image ENDS_WITH "/mkinitramfs" AND NOT header.image ENDS_WITH "/cryptroot" AND NOT header.image ENDS_WITH "/framebuffer" AND NOT header.image ENDS_WITH "/dracut" AND NOT header.image ENDS_WITH "/jem" AND NOT header.image ENDS_WITH "/thin-provisioning-tools" AND NOT header.image ENDS_WITH "/readykernel" AND NOT header.image ENDS_WITH "/lvm2" AND NOT header.image ENDS_WITH "/vz-start" AND NOT header.image ENDS_WITH "/iscsi" AND NOT header.image ENDS_WITH "/mdadm" \ No newline at end of file diff --git a/rules /execution/abnormal_process_id_file_created.yaml b/rules /execution/abnormal_process_id_file_created.yaml new file mode 100644 index 00000000..91b33e4f --- /dev/null +++ b/rules /execution/abnormal_process_id_file_created.yaml 
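Review bot: The middle clause `(NOT payload.argv CONTAINS "--all" OR NOT payload.argv CONTAINS "-a" OR payload.argv CONTAINS "list")` is always true unless argv contains both `--all` and `-a` at once, so it filters nothing; presumably the intent was `NOT (payload.argv CONTAINS "--all" OR payload.argv CONTAINS "-a") OR payload.argv CONTAINS "list"`. The long chain of `AND NOT header.image ENDS_WITH ...` exclusions would read better as a single `NOT header.image IN [...]` where exact paths are known.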
@@ -0,0 +1,23 @@ +# Title: Abnormal Process Id File Created + +# Creation date: 2022/05/11 + +# Category: Execution + +# Severity: Medium + +# Description: Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) +# directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage +# other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising +# itself or these files as legitimate PID files. + +# MITRE ATT&CK Tactic: TA0002 - Execution - https://attack.mitre.org/tactics/TA0002/ + +# MITRE ATT&CK Technique: T1106 - Native API - https://attack.mitre.org/techniques/T1106/ + +- name: File creation by suspicious processes + type: FileCreated + condition: header.image ENDS_WITH "/bash" OR header.image ENDS_WITH "/dash" OR header.image ENDS_WITH "/sh" OR header.image ENDS_WITH "/tcsh" OR header.image ENDS_WITH "/csh" OR header.image ENDS_WITH "/zsh" OR header.image ENDS_WITH "/ksh" OR header.image ENDS_WITH "/fish" OR header.image ENDS_WITH "/ash" OR header.image ENDS_WITH "/touch" OR header.image ENDS_WITH "/nano" OR header.image ENDS_WITH "/vim" OR header.image ENDS_WITH "/vi" OR header.image ENDS_WITH "/editor" OR header.image ENDS_WITH "/mv" OR header.image ENDS_WITH "/cp" + AND payload.filename ENDS_WITH ".pid" OR payload.filename ENDS_WITH ".lock" OR payload.filename ENDS_WITH ".reboot" + AND payload.filename STARTS_WITH "/var/run/" OR payload.filename STARTS_WITH "/run/" + AND NOT header.image ENDS_WITH "/go" AND NOT header.image ENDS_WITH "/git" AND NOT header.image ENDS_WITH "/containerd" AND NOT header.image ENDS_WITH "/snap-confine" AND NOT header.image ENDS_WITH "/cron" AND NOT header.image ENDS_WITH "/crond" AND NOT header.image ENDS_WITH "/sshd" AND NOT header.image ENDS_WITH "/unattended-upgrade" AND NOT header.image ENDS_WITH "/vzctl" AND NOT header.image ENDS_WITH "/ifup" AND NOT 
header.image ENDS_WITH "/rpcbind" diff --git a/rules /execution/curl_cve_2023_38545_heap_overflow.yaml b/rules /execution/curl_cve_2023_38545_heap_overflow.yaml new file mode 100644 index 00000000..62a9c5dc --- /dev/null +++ b/rules /execution/curl_cve_2023_38545_heap_overflow.yaml 
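Review bot: The condition in abnormal_process_id_file_created.yaml mixes OR and AND with no parentheses: `header.image ENDS_WITH "/bash" OR ... OR header.image ENDS_WITH "/cp" AND payload.filename ENDS_WITH ".pid" OR ...`. If AND binds tighter, as is usual, the rule fires on every file created by any listed shell or editor regardless of path, and on every `.lock` or `.reboot` file anywhere; wrap each of the three groups (spawning process, file suffix, directory prefix) in its own parentheses. This file is also the only one in the patch ending without the usual blank line before the next diff header.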
@@ -0,0 +1,33 @@ +# Title: Curl Cve 2023 38545 Heap Overflow + +# Creation date: 2023/10/11 + +# Category: Execution + +# Severity: Medium + +# Description: Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction +# with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow +# during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed +# with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, +# HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule. + +# MITRE ATT&CK Tactic: TA0002 - Execution - https://attack.mitre.org/tactics/TA0002/ + +# MITRE ATT&CK Technique: T1203 - Exploitation for Client Execution - https://attack.mitre.org/techniques/T1203/ + +- name: Curl execution with proxy arguments + type: Exec + condition: payload.filename == "/usr/bin/curl" AND (payload.argv CONTAINS "--socks5-hostname" OR payload.argv CONTAINS "--proxy" OR payload.argv CONTAINS "--preproxy" OR payload.argv CONTAINS "socks5*") + +- name: Curl execution with proxy environment variables + type: Exec + condition: payload.filename == "/usr/bin/curl" AND (payload.argv CONTAINS "http_proxy=socks5h://" OR payload.argv CONTAINS "HTTPS_PROXY=socks5h://" OR payload.argv CONTAINS "ALL_PROXY=socks5h://") + +- name: Curl execution with long command line + type: Exec + condition: payload.filename == "/usr/bin/curl" AND payload.argc > 255 + +- name: Curl execution not by specific parents + type: Exec + condition: payload.filename == "/usr/bin/curl" AND NOT header.image ENDS_WITH "/cf-agent" AND NOT header.image ENDS_WITH "/agent-run" AND NOT header.image ENDS_WITH "/rudder" AND NOT header.image ENDS_WITH "/agent-inventory" AND NOT header.image ENDS_WITH "/cf-execd" 
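Review bot: `payload.argc > 255` counts arguments, not characters; the description talks about an "unusual command line length", which this rule does not measure, so it will practically never fire. The four rules are independent rather than correlated, which means "Curl execution not by specific parents" alerts on essentially every curl invocation on the host, and the environment-variable rule only sees `http_proxy=socks5h://` in argv when curl is launched through `env`, not when the variable is exported. The description also points to "the setup guide of this rule", which is not part of this patch. Finally, `"socks5*"` assumes glob support in CONTAINS; please document it.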
diff --git a/rules /execution/interpreter_tty_upgrade.yaml b/rules /execution/interpreter_tty_upgrade.yaml new file mode 100644 index 00000000..830811c4 --- /dev/null +++ b/rules /execution/interpreter_tty_upgrade.yaml @@ -0,0 +1,23 @@ +# Title: Interpreter Tty Upgrade + +# Creation date: 2023/09/20 + +# Category: Execution + +# Severity: Medium + +# Description: Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade +# a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more +# stable connection. + +# MITRE ATT&CK Tactic: TA0002 - Execution - https://attack.mitre.org/tactics/TA0002/ + +# MITRE ATT&CK Technique: T1059 - Command and Scripting Interpreter - https://attack.mitre.org/techniques/T1059/ + +- name: Stty raw no echo execution + type: Exec + condition: payload.filename == "/usr/bin/stty" AND payload.argv CONTAINS "raw" AND payload.argv CONTAINS "-echo" AND payload.argc >= 3 + +- name: Script execution with no output + type: Exec + condition: payload.filename == "/usr/bin/script" AND (payload.argv CONTAINS "-qc" OR payload.argv CONTAINS "-c") AND payload.argv CONTAINS "/dev/null" AND payload.argc == 4 \ No newline at end of file diff --git a/rules /execution/nc_listener_via_rlwrap.yaml b/rules /execution/nc_listener_via_rlwrap.yaml new file mode 100644 index 00000000..be9aeb1f --- /dev/null +++ b/rules /execution/nc_listener_via_rlwrap.yaml 
@@ -0,0 +1,19 @@ +# Title: Nc Listener Via Rlwrap + +# Creation date: 2023/09/22 + +# Category: Execution + +# Severity: Low + +# Description: Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses +# the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction +# with netcat to gain a more stable reverse shell. + +# MITRE ATT&CK Tactic: TA0002 - Execution - https://attack.mitre.org/tactics/TA0002/ + +# MITRE ATT&CK Technique: T1059 - Command and Scripting Interpreter - https://attack.mitre.org/techniques/T1059/ + +- name: Exec rlwrap with specific arguments + type: Exec + condition: payload.filename ENDS_WITH "/rlwrap" AND (payload.argv CONTAINS "nc" OR payload.argv CONTAINS "ncat" OR payload.argv CONTAINS "netcat" OR payload.argv CONTAINS "nc.openbsd" OR payload.argv CONTAINS "socat") AND payload.argv CONTAINS "*l*" AND payload.argc >= 4 \ No newline at end of file diff --git a/rules /execution/perl_tty_shell.yaml b/rules /execution/perl_tty_shell.yaml new file mode 100644 index 00000000..09b3fa6d --- /dev/null +++ b/rules /execution/perl_tty_shell.yaml @@ -0,0 +1,19 @@ +# Title: Perl Tty Shell + +# Creation date: 2020/04/16 + +# Category: Execution + +# Severity: High + +# Description: Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully +# interactive tty after obtaining initial access to a host. + +# MITRE ATT&CK Tactic: TA0002 - Execution - https://attack.mitre.org/tactics/TA0002/ + +# MITRE ATT&CK Technique: T1059 - Command and Scripting Interpreter - https://attack.mitre.org/techniques/T1059/ + +- name: Perl executing shell binary + type: Exec + condition: payload.filename == "/usr/bin/perl" AND payload.argv CONTAINS "exec" AND + (payload.argv CONTAINS "/bin/sh" OR payload.argv CONTAINS "/bin/dash" OR payload.argv CONTAINS "/bin/bash") \ No newline at end of file 
diff --git a/rules /impact/data_encrypted_via_openssl.yaml b/rules /impact/data_encrypted_via_openssl.yaml new file mode 100644 index 00000000..c90ec7a6 --- /dev/null +++ b/rules /impact/data_encrypted_via_openssl.yaml 
@@ -0,0 +1,47 @@ +# Title: Data Encrypted Via Openssl + +# Creation date: 2023/06/26 + +# Category: Impact + +# Severity: Medium + +# Description: Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. +# Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data +# and may attempt to hold the organization's data to ransom for the purposes of extortion. + +# MITRE ATT&CK Tactic: TA0040 - Impact - https://attack.mitre.org/tactics/TA0040/ + +# MITRE ATT&CK Technique: T1486 - Data Encrypted for Impact - https://attack.mitre.org/techniques/T1486/ + +- name: OpenSSL execution by shell + type: Exec + condition: payload.filename ENDS_WITH "/openssl" + AND + header.image ENDS_WITH "/bash" OR header.image ENDS_WITH "/dash" OR header.image ENDS_WITH "/ash" OR header.image ENDS_WITH "/sh" OR header.image ENDS_WITH "/tcsh" OR header.image ENDS_WITH "/csh" OR header.image ENDS_WITH "/zsh" OR header.image ENDS_WITH "/ksh" OR header.image ENDS_WITH "/fish" OR header.image ENDS_WITH "/perl" OR header.image ENDS_WITH "/perl5" OR header.image ENDS_WITH "/php" OR header.image ENDS_WITH "/php5" OR header.image ENDS_WITH "/php7" OR header.image ENDS_WITH "/python" OR header.image ENDS_WITH "/python2" OR header.image ENDS_WITH "/python3" OR header.image ENDS_WITH "/xargs" + AND + payload.argv CONTAINS "-in" + AND + payload.argv CONTAINS "-out" + AND + ( + payload.argv CONTAINS "-k" + OR + payload.argv CONTAINS "-K" + OR + payload.argv CONTAINS "-kfile" + OR + payload.argv CONTAINS "-pass" + OR + payload.argv CONTAINS "-iv" + OR + payload.argv CONTAINS "-md" + ) + AND NOT payload.argv CONTAINS "-d" + AND NOT payload.argv CONTAINS "-a" + AND NOT payload.argv CONTAINS "-A" + AND NOT payload.argv CONTAINS "-base64" + AND NOT payload.argv CONTAINS "-none" + AND NOT payload.argv CONTAINS "-nosalt" + + 
diff --git a/rules /impact/esxi_process_kill.yaml b/rules /impact/esxi_process_kill.yaml new file mode 100644 index 00000000..c921c2ea --- /dev/null +++ b/rules /impact/esxi_process_kill.yaml @@ -0,0 +1,22 @@ +# Title: Esxi Process Kill + +# Creation date: 2023/04/11 + +# Category: Impact + +# Severity: Medium + +# Description: Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system +# by a "kill" command. The rule monitors for the "end" event type, which signifies the termination of a process. +# The presence of a "kill" command as the parent process for terminating VMware processes may indicate that a +# threat actor is attempting to interfere with the virtualized environment on the targeted system. + +# MITRE ATT&CK Tactic: TA0040 - Impact - https://attack.mitre.org/tactics/TA0040/ + +# MITRE ATT&CK Technique: T1489 - Service Stop - https://attack.mitre.org/techniques/T1489/ + +- name: Termination of VMware process by kill command + type: Exec + condition: header.image IN ["/usr/bin/kill", "/bin/kill"] + AND payload.filename IN ["/usr/bin/vmware-vmx", "/usr/bin/vmx", "/bin/vmware-vmx", "/bin/vmx"] + \ No newline at end of file diff --git a/rules /lateral_movement/ssh_it_worm_download.yaml b/rules /lateral_movement/ssh_it_worm_download.yaml new file mode 100644 index 00000000..ac3f0081 --- /dev/null +++ b/rules /lateral_movement/ssh_it_worm_download.yaml 
@@ -0,0 +1,19 @@ +# Title: Ssh It Worm Download + +# Creation date: 2023/09/21 + +# Category: Lateral movement + +# Severity: Medium + +# Description: Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's +# autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. + +# MITRE ATT&CK Tactic: TA0008 - Lateral Movement - https://attack.mitre.org/tactics/TA0008/ + +# MITRE ATT&CK Technique: T1021 - Remote Services - https://attack.mitre.org/techniques/T1021/ + +- name: Execution of curl or wget with specific arguments + type: Exec + condition: (payload.filename ENDS_WITH "/curl" OR payload.filename ENDS_WITH "/wget") + AND (payload.argv CONTAINS "https://thc.org/ssh-it/x" OR payload.argv CONTAINS "http://nossl.segfault.net/ssh-it-deploy.sh" OR payload.argv CONTAINS "https://gsocket.io/x" OR payload.argv CONTAINS "https://thc.org/ssh-it/bs" OR payload.argv CONTAINS "http://nossl.segfault.net/bs") \ No newline at end of file diff --git a/rules /lateral_movement/telnet_network_activity.yaml b/rules /lateral_movement/telnet_network_activity.yaml new file mode 100644 index 00000000..edfa187a --- /dev/null +++ b/rules /lateral_movement/telnet_network_activity.yaml 
@@ -0,0 +1,26 @@ +# Title: Telnet Network Activity External + +# Creation date: 2020/04/23 + +# Category: Lateral movement + +# Severity: Medium + +# Description: Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet +# network connections to routable IP addresses. + +# MITRE ATT&CK Tactic: TA0008 - Lateral Movement - https://attack.mitre.org/tactics/TA0008/ + +# MITRE ATT&CK Technique: T1021 - Remote Services - https://attack.mitre.org/techniques/T1021/ + +- name: Telnet execution + type: Exec + condition: payload.filename == "/usr/bin/telnet" + +- name: Telnet network activity - Accept + type: Accept + condition: header.image == "/usr/bin/telnet" + +- name: Telnet network activity - Connect + type: Connect + condition: header.image == "/usr/bin/telnet" \ No newline at end of file diff --git a/rules /persistence/chkconfig_service_add.yaml b/rules /persistence/chkconfig_service_add.yaml new file mode 100644 index 00000000..43543cd0 --- /dev/null +++ b/rules /persistence/chkconfig_service_add.yaml 
@@ -0,0 +1,22 @@ +# Title: Chkconfig Service Add + +# Creation date: 2022/07/22 + +# Category: Persistence + +# Severity: Medium + +# Description: Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize +# this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has +# either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run +# providing long-term persistence. + +# MITRE ATT&CK Tactic: TA0003 - Persistence - https://attack.mitre.org/tactics/TA0003/ + +# MITRE ATT&CK Technique: T1037 - Boot or Logon Initialization Scripts - https://attack.mitre.org/techniques/T1037/ + +- name: Chkconfig with add argument + type: Exec + condition: (payload.filename ENDS_WITH "/chkconfig" AND payload.argv CONTAINS "--add") OR (payload.argv CONTAINS "*chkconfig" AND payload.argv CONTAINS "--add") + AND NOT header.image ENDS_WITH "/rpm" AND NOT header.image ENDS_WITH "qualys-scan-util" AND NOT header.image ENDS_WITH "qualys-cloud-agent" AND NOT header.image ENDS_WITH "update-alternatives" + AND NOT (header.image STARTS_WITH "/var/tmp/rpm" OR header.image STARTS_WITH "/var/lib/waagent") \ No newline at end of file diff --git a/rules /persistence/credential_access_modify_ssh_binaries.yaml b/rules /persistence/credential_access_modify_ssh_binaries.yaml new file mode 100644 index 00000000..7f4a1a6b --- /dev/null +++ b/rules /persistence/credential_access_modify_ssh_binaries.yaml 
@@ -0,0 +1,18 @@ +# Title: Credential Access Modify Ssh Binaries + +# Creation date: 2020/12/21 + +# Category: Persistence + +# Severity: Medium + +# Description: Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to +# enable unauthorized access or by logging SSH credentials for exfiltration. + +# MITRE ATT&CK Tactic: TA0003 - Persistence - https://attack.mitre.org/tactics/TA0003/ + +# MITRE ATT&CK Technique: T1543 - Create or Modify System Process - https://attack.mitre.org/techniques/T1543/ + +- name: File change by non-package management process + type: FileOpened + condition: (payload.filename IN ["/usr/bin/scp", "/usr/bin/sftp", "/usr/bin/ssh", "/usr/sbin/sshd", "/libkeyutils.so"]) AND NOT header.image IN ["/usr/bin/dnf", "/usr/bin/dnf-automatic", "/usr/bin/dpkg", "/usr/bin/yum", "/usr/bin/rpm", "/usr/bin/yum-cron", "/usr/bin/anacron"] diff --git a/rules /persistence/kworker_file_creation.yaml b/rules /persistence/kworker_file_creation.yaml new file mode 100644 index 00000000..39d4572c --- /dev/null +++ b/rules /persistence/kworker_file_creation.yaml 
@@ -0,0 +1,24 @@ +# Title: Kworker File Creation + +# Creation date: 2023/10/26 + +# Category: Persistence + +# Severity: Medium + +# Description: This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, +# processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled +# to be done in kernel space, which might include tasks like handling interrupts, background activities, and other +# kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. + +# MITRE ATT&CK Tactic: TA0003 - Persistence - https://attack.mitre.org/tactics/TA0003/ + +# MITRE ATT&CK Technique: T1547 - Boot or Logon Autostart Execution - https://attack.mitre.org/techniques/T1547/ + +- name: File creation by kworker + type: FileCreated + condition: header.image STARTS_WITH "/usr/bin/kworker" AND NOT header.image STARTS_WITH "/usr/bin/kworker*kcryptd*" + +- name: File creation not in log or crash directories + type: FileCreated + condition: NOT (payload.filename STARTS_WITH "/var/log" OR payload.filename STARTS_WITH "/var/crash") \ No newline at end of file diff --git a/rules /privilege_escalation/chown_chmod_unauthorized_file_read.yaml b/rules /privilege_escalation/chown_chmod_unauthorized_file_read.yaml new file mode 100644 index 00000000..bfd06fcf --- /dev/null +++ b/rules /privilege_escalation/chown_chmod_unauthorized_file_read.yaml 
@@ -0,0 +1,32 @@ +# Title: Chown Chmod Unauthorized File Read + +# Creation date: 2023/07/28 + +# Category: Privilege escalation + +# Severity: Low + +# Description: This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a +# wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate +# commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by +# tricking the system into interpreting the wildcard characters in unexpected ways. + +# MITRE ATT&CK Tactic: TA0004 - Privilege Escalation - https://attack.mitre.org/tactics/TA0004/ + +# MITRE ATT&CK Technique: T1068 - Exploitation for Privilege Escalation - https://attack.mitre.org/techniques/T1068/ + +- name: Execute chown with recursive flag + type: Exec + condition: payload.filename IN ["/usr/bin/chown", "/bin/chown"] AND payload.argv CONTAINS "-R" + +- name: Execute chmod with recursive flag + type: Exec + condition: payload.filename IN ["/usr/bin/chmod", "/bin/chmod"] AND payload.argv CONTAINS "-R" + +- name: Execute chown with reference flag + type: Exec + condition: payload.filename IN ["/usr/bin/chown", "/bin/chown"] AND payload.argv CONTAINS "--reference=" + +- name: Execute chmod with reference flag + type: Exec + condition: payload.filename IN ["/usr/bin/chmod", "/bin/chmod"] AND payload.argv CONTAINS "--reference=" \ No newline at end of file diff --git a/rules /privilege_escalation/ld_preload_shared_object_modif.yaml b/rules /privilege_escalation/ld_preload_shared_object_modif.yaml new file mode 100644 index 00000000..d527fecb --- /dev/null +++ b/rules /privilege_escalation/ld_preload_shared_object_modif.yaml 
@@ -0,0 +1,22 @@ +# Title: Ld Preload Shared Object Modif + +# Creation date: 2021/01/27 + +# Category: Privilege escalation + +# Severity: Medium + +# Description: Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious +# payloads by hijacking the dynamic linker used to load libraries. + +# MITRE ATT&CK Tactic: TA0004 - Privilege Escalation - https://attack.mitre.org/tactics/TA0004/ + +# MITRE ATT&CK Technique: T1574 - Hijack Execution Flow - https://attack.mitre.org/techniques/T1574/ + +- name: File updated in sensitive path + type: FileOpened + condition: payload.filename == "/etc/ld.so.preload" AND (payload.flags CONTAINS "O_WRONLY" OR payload.flags CONTAINS "O_RDWR") + +- name: File renamed in sensitive path + type: FileRename + condition: payload.source == "/etc/ld.so.preload" \ No newline at end of file
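Review bot: in the hunk adding the "Curl Cve 2023 38545 Heap Overflow" rule, `payload.argc > 255` in "Curl execution with long command line" counts argv entries, not characters; the overflow this rule is about is triggered by one over-long SOCKS5 hostname, which is a single argv element, so a threshold of 255 arguments will essentially never fire on the case it is meant to catch. Measure the length of the command line (or of the individual argument) if the engine supports it, or drop that entry rather than ship one that cannot match. The four entries are also independent rules that each alert on their own, while the description says the argument check is applied "in conjunction with an unusual command line length"; "Curl execution not by specific parents" in particular alerts on every curl invocation whose parent is not a CFEngine/Rudder binary, which will be extremely noisy. `payload.argv CONTAINS "socks5*"` only works if CONTAINS expands globs, and the description points to "the setup guide of this rule", which this change does not include. Finally, every file header in this change uses `rules /` with a trailing space in the directory name, which looks unintended and should be `rules/`, and most of the new files end without a trailing newline.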
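Review bot: in rules /execution/interpreter_tty_upgrade.yaml, both conditions use an exact `payload.filename == "/usr/bin/stty"` / `== "/usr/bin/script"` while the neighbouring rules use `ENDS_WITH`; where the tools are invoked as `/bin/stty` or `/bin/script`, or installed elsewhere, the rule is silently blind. Use `ENDS_WITH "/stty"` and `ENDS_WITH "/script"`, or an `IN [...]` list of the known paths. The two entries are also independent rules rather than a correlated sequence, so a plain `stty raw -echo` typed in an ordinary interactive session raises the alert on its own; if the engine cannot correlate the two, note that in the description and set the severity for a single-command signal.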
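Review bot: in rules /execution/nc_listener_via_rlwrap.yaml, `payload.argv CONTAINS "*l*"` only does what the rule intends if CONTAINS treats its operand as a glob. If CONTAINS is an element match, the literal string `*l*` never occurs in argv and the rule never fires; if it is a glob, it matches any argument that contains the letter l (a hostname such as `localhost`, for example) rather than the listen option. Match the listen flags these tools actually take, or document the wildcard semantics of CONTAINS in the README so rule authors can rely on them.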
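Review bot: in rules /execution/perl_tty_shell.yaml, `payload.argv CONTAINS "exec"` assumes `exec` arrives as its own argv element, but a script passed with `-e` is a single element containing the whole program, so an element-equality CONTAINS will not match it, and `CONTAINS "/bin/sh"` fails for the same reason. Either CONTAINS performs substring matching, in which case that should be stated in the README, or the rule needs substring/glob patterns such as `*exec*` and `*/bin/sh*`. The exact `payload.filename == "/usr/bin/perl"` also misses `/usr/bin/perl5`-style names that the openssl rule in this same change already lists as interpreter images.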
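Review bot: in rules /impact/data_encrypted_via_openssl.yaml the condition has a precedence bug: `payload.filename ENDS_WITH "/openssl" AND header.image ENDS_WITH "/bash" OR header.image ENDS_WITH "/dash" OR ...` is not parenthesized, so with AND binding tighter than OR it groups as `(openssl AND bash) OR dash OR ash OR sh OR ... OR (xargs AND -in AND -out AND ...)`. Every process spawned by dash, sh, zsh, python and the other listed interpreters therefore matches regardless of `payload.filename` or arguments, and the `-in`/`-out`/key-option checks and the `AND NOT` exclusions apply only to the xargs branch. Wrap the whole interpreter list in one pair of parentheses, as the ssh_it_worm_download rule in this change does for its OR list. Separately, the description promises detection of "multiple files on a host within a short time window", but the rule has no count or window; as written it fires on every matching openssl invocation, so either add the aggregation (if the engine supports one) or reword the description to match.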
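Review bot: in rules /impact/esxi_process_kill.yaml, the rule cannot fire as intended: it is `type: Exec` with `header.image IN [.../kill]` and `payload.filename IN [.../vmware-vmx, .../vmx]`, i.e. it looks for the kill binary executing the VMware binaries, whereas `kill` only sends a signal and never execs anything. The description itself talks about an "end" event type with kill as the parent, which is a process-termination event, not an exec; use the engine's process exit event keyed on the terminated process's image if one is available, and if it is not, rewrite the description so it does not claim a behaviour the Exec rule does not have. The exact `IN [...]` paths are also a narrow guess at where these binaries live; `ENDS_WITH "/vmware-vmx"` and `ENDS_WITH "/vmx"` would be consistent with the rest of the rule set.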
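Review bot: in rules /lateral_movement/ssh_it_worm_download.yaml, the five URLs are matched as whole argv elements, so `https://thc.org/ssh-it/x` matches but the same URL with a trailing slash, a query string or a different scheme does not, and only two of the hosts have both `http://` and `https://` variants listed. If CONTAINS supports globs, prefer host/path patterns such as `*thc.org/ssh-it/*` and `*segfault.net/ssh-it*`; if it does not, state in the header that the list is exact-match only. An indicator list like this also needs a note that it will age and has to be maintained alongside the rule.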
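Review bot: in rules /lateral_movement/telnet_network_activity.yaml, the title says "External" and the description says the rule identifies connections "to routable IP addresses", but none of the three conditions look at the destination: "Telnet execution" fires on every telnet start, and the Connect rule fires for any address, including RFC 1918 and loopback ranges. Add a destination-address check on the Connect rule that excludes private and loopback ranges (or drop the "routable" claim from the description), and either remove or downgrade the bare Exec rule. The Accept rule is also dead code as written: the telnet client does not accept inbound connections, so nothing with `header.image == "/usr/bin/telnet"` will ever produce an Accept event.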
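Review bot: in rules /persistence/chkconfig_service_add.yaml, the exclusions are attached to the wrong operand: `(A) OR (B) AND NOT ... AND NOT ...` groups as `(A) OR ((B) AND NOT ...)`, so the rpm, qualys, update-alternatives and waagent exclusions only apply to the `*chkconfig` wildcard branch and not to the direct `payload.filename ENDS_WITH "/chkconfig"` branch. Every package scriptlet that runs `chkconfig --add` under rpm will therefore alert. Wrap the two alternatives in one outer pair of parentheses before the `AND NOT` chain. As in the other files, `CONTAINS "*chkconfig"` assumes glob support in CONTAINS.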
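Review bot: in rules /persistence/credential_access_modify_ssh_binaries.yaml, the FileOpened condition has no flag check, so it matches read-only opens of `/usr/bin/ssh`, `/usr/bin/scp` and the others as well as writes; depending on where the file monitor hooks, that can include every launch of the ssh client, which makes a Medium-severity alert meaningless. Add `AND (payload.flags CONTAINS "O_WRONLY" OR payload.flags CONTAINS "O_RDWR")` as the ld.so.preload rule in this change does, and consider a FileRename rule on the same paths, since a binary is usually replaced by moving a new file over it rather than by writing in place. `/libkeyutils.so` as an exact path at the filesystem root also never matches the real library under /lib or /usr/lib; it needs `ENDS_WITH` or a glob.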
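Review bot: in rules /persistence/kworker_file_creation.yaml, the second entry, "File creation not in log or crash directories", is a standalone rule that fires on every file created anywhere outside /var/log and /var/crash, which is nearly every file creation on the host; it reads like a clause that was meant to be AND-ed into the first rule and should be merged into it. The first rule only catches a masquerading binary installed precisely under `/usr/bin/kworker*`; genuine kworker threads are kernel threads with no executable path, and a process pretending to be one can live anywhere, so matching on the process name (if the engine exposes it) or on an `ENDS_WITH "/kworker"`-style pattern fits the description better. Finally, `STARTS_WITH "/usr/bin/kworker*kcryptd*"` mixes a prefix operator with glob characters; unless STARTS_WITH expands globs, the `*` is matched literally and the kcryptd exclusion never applies.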
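Review bot: in rules /privilege_escalation/chown_chmod_unauthorized_file_read.yaml, the four entries are independent rules, so "Execute chown with recursive flag" and "Execute chmod with recursive flag" alert on every `chown -R`/`chmod -R`, which is routine administration and will bury the real signal. The wildcard-injection pattern the header describes depends on the recursive flag and a `--reference=` argument appearing together; combine them into one condition per binary (recursive AND reference) instead of alerting on either alone. Also, `payload.argv CONTAINS "--reference="` only matches if CONTAINS does substring or prefix matching, because the argument arrives as `--reference=<path>` in a single element; use a prefix or glob match on the element if the engine supports one.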
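Review bot: in rules /privilege_escalation/ld_preload_shared_object_modif.yaml, the FileRename rule checks only `payload.source == "/etc/ld.so.preload"`, i.e. the file being renamed away, and misses the common case of a prepared file being moved into place with /etc/ld.so.preload as the rename destination; add a condition on the rename destination field (or a FileCreated rule for the same path) so that atomic replacement is covered too. The write-flag check on FileOpened is the right approach and is what the ssh-binaries rule in this change should copy. The title's "Modif" is a truncated word; write "Modification".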