Address Kibana false positives (chainguard-dev#391)
Signed-off-by: egibs <[email protected]>
Showing
8 changed files
with
12,998 additions
and
9 deletions.
@@ -0,0 +1,59 @@ | ||
# Javascript/clean/php.js | ||
combo/net/tunnel_proxy | ||
compression/gzip | ||
databases/mysql | ||
databases/sqlite | ||
encoding/base64 | ||
encoding/reverse | ||
env/USER | ||
evasion/base64/decode | ||
exec/program | ||
exec/program/background | ||
exec/shell_command | ||
fs/directory/create | ||
fs/directory/remove | ||
fs/fifo/create | ||
fs/file/delete | ||
fs/file/truncate | ||
fs/link/read | ||
fs/lock/update | ||
fs/node/create | ||
fs/permission/modify | ||
fs/symlink/resolve | ||
fs/watch | ||
kernel/acct | ||
kernel/hostname/get | ||
kernel/platform | ||
net/hostname/resolve | ||
net/http/cookies | ||
net/http/form/upload | ||
net/http/post | ||
net/ip/parse | ||
net/ip/resolve | ||
net/ip/string | ||
net/socket/connect | ||
net/socket/listen | ||
net/socket/local/address | ||
net/socket/peer/address | ||
net/socket/receive | ||
net/socket/send | ||
net/upload | ||
net/url/encode | ||
process/chroot | ||
process/effective/groupid/get | ||
process/groupid/set | ||
process/parent_pid/get | ||
process/userid/set | ||
process/username/get | ||
random/insecure | ||
ref/ip_port | ||
ref/path/etc | ||
ref/path/hidden | ||
ref/site/url | ||
ref/words/agent | ||
ref/words/password | ||
ref/words/plugin | ||
ref/words/spoof | ||
secrets/private_key | ||
techniques/code_eval | ||
tty/pathname |
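--- a/samples/Linux/clean/credential_access_dumping_keychain_security.json
+++ b/samples/Linux/clean/credential_access_dumping_keychain_security.json
@@ -0,0 +1,55 @@
+{
+"author": [
+"Elastic"
+],
+"description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.",
+"from": "now-9m",
+"index": [
+"auditbeat-*",
+"logs-endpoint.events.*"
+],
+"language": "eql",
+"license": "Elastic License v2",
+"name": "Dumping of Keychain Content via Security Command",
+"query": "process where event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n",
+"references": [
+"https://ss64.com/osx/security.html"
+],
+"risk_score": 73,
+"rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c",
+"severity": "high",
+"tags": [
+"Elastic",
+"Host",
+"macOS",
+"Threat Detection",
+"Credential Access"
+],
+"threat": [
+{
+"framework": "MITRE ATT&CK",
+"tactic": {
+"id": "TA0006",
+"name": "Credential Access",
+"reference": "https://attack.mitre.org/tactics/TA0006/"
+},
+"technique": [
+{
+"id": "T1555",
+"name": "Credentials from Password Stores",
+"reference": "https://attack.mitre.org/techniques/T1555/",
+"subtechnique": [
+{
+"id": "T1555.001",
+"name": "Keychain",
+"reference": "https://attack.mitre.org/techniques/T1555/001/"
+}
+]
+}
+]
+}
+],
+"timestamp_override": "event.ingested",
+"type": "eql",
+"version": 1
+}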
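--- a/samples/Linux/clean/credential_access_dumping_keychain_security.json.simple
+++ b/samples/Linux/clean/credential_access_dumping_keychain_security.json.simple
@@ -0,0 +1,3 @@
+# Linux/clean/credential_access_dumping_keychain_security.json
+ref/site/url
+ref/words/password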