Add Kibana overrides (chainguard-dev#594)
* Add Kibana overrides

Signed-off-by: egibs <[email protected]>

* Run make yara-x-fmt

Signed-off-by: egibs <[email protected]>

* Bump commit

Signed-off-by: egibs <[email protected]>

---------

Signed-off-by: egibs <[email protected]>
egibs authored Nov 6, 2024
1 parent 19b5f8a commit 7847a94
Showing 4 changed files with 136 additions and 1 deletion.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -3,7 +3,7 @@


SAMPLES_REPO ?= chainguard-dev/malcontent-samples
SAMPLES_COMMIT ?= c1444cfe7941f0db6ef8ae3f75605fd5dc0c411e
SAMPLES_COMMIT ?= 8320e105a3b68ff63b8a840fea43ac9a858e4ea9

# BEGIN: lint-install ../malcontent
# http://github.com/tinkerbell/lint-install
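--- a/rules/false_positives/kibana.yara
+++ b/rules/false_positives/kibana.yara
@@ -0,0 +1,28 @@
+rule kibana_powershell_evasion_rule: override {
+meta:
+description = "defense_evasion_defender_exclusion_via_powershell.json"
+win_defender_exclusion = "low"
+
+strings:
+$elastic = "Elastic"
+$eql = "\"language\": \"eql\""
+$name = "Windows Defender Exclusions Added via PowerShell"
+condition:
+filesize < 8KB and all of them
+}
+
+rule security_solution_plugin: override {
+meta:
+linux_rootkit_terms = "low"
+description = "securitySolution.chunk.9.js"
+
+strings:
+$license = "Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V."
+$license2 = "Licensed under the Elastic License 2.0"
+$security_solution = "securitySolution"
+$xpac = "xpac"
+condition:
+filesize < 5MB and all of them
+}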
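Review bot: Both override conditions key on strings that are generic to any Elastic-branded or Elastic-licensed file (`$elastic = "Elastic"`, the two license-header strings, `"securitySolution"`), so the downgrade of `win_defender_exclusion` and `linux_rootkit_terms` applies to every file under the size limit that carries those strings, not only the two samples this commit targets; an override that suppresses a finding should carry at least one anchor specific to the intended file, such as a structural token from the detection-rule JSON alongside the rule name in `kibana_powershell_evasion_rule`. In `security_solution_plugin`, `$xpac = "xpac"` reads like a truncated `"xpack"`; it still matches as a substring, but the full token would be a tighter anchor if X-Pack was the intent. The `description` meta in both rules holds only the sample filename; a short statement of why the match is benign would help later triage, e.g. `description = "Elastic detection-rule JSON that legitimately references Defender exclusions (defense_evasion_defender_exclusion_via_powershell.json)"`. The meta key order also differs between the two rules (description first in one, second in the other), which is a style nit worth aligning.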
@@ -0,0 +1,6 @@
# linux/clean/defense_evasion_defender_exclusion_via_powershell.json: medium
exec/shell/power: medium
impact/degrade/win_defender: low
impact/exploit: medium
net/url/embedded: low
sus/malicious: medium
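--- a/tests/linux/clean/securitySolution.chunk.9.js.simple
+++ b/tests/linux/clean/securitySolution.chunk.9.js.simple
@@ -0,0 +1,101 @@
+# linux/clean/securitySolution.chunk.9.js: critical
+3P/threat_hunting/: medium
+3P/threat_hunting/arsenal: medium
+3P/threat_hunting/backdoor: medium
+3P/threat_hunting/beef: medium
+3P/threat_hunting/blackshades: medium
+3P/threat_hunting/burpsuite: medium
+3P/threat_hunting/dbc2: medium
+3P/threat_hunting/earth_lusca_operations: medium
+3P/threat_hunting/generate_macro: medium
+3P/threat_hunting/github_username: medium
+3P/threat_hunting/heartbleed: medium
+3P/threat_hunting/impacket: medium
+3P/threat_hunting/keylogger: medium
+3P/threat_hunting/kubesploit: medium
+3P/threat_hunting/localtunnel: medium
+3P/threat_hunting/localtunnels: medium
+3P/threat_hunting/merlin_agent_dll: medium
+3P/threat_hunting/metasploit: medium
+3P/threat_hunting/metasploitcoop: medium
+3P/threat_hunting/openvas: medium
+3P/threat_hunting/owasp: medium
+3P/threat_hunting/phishery: medium
+3P/threat_hunting/powershell_scripts_for: medium
+3P/threat_hunting/powersploit: medium
+3P/threat_hunting/pupy: medium
+3P/threat_hunting/pwdump: medium
+3P/threat_hunting/rapid7: medium
+3P/threat_hunting/routersploit: medium
+3P/threat_hunting/seclists: medium
+3P/threat_hunting/sqlmap: medium
+3P/threat_hunting/sqlninja: medium
+3P/threat_hunting/thc_hydra: medium
+3P/threat_hunting/torproject: medium
+3P/threat_hunting/traitor: medium
+3P/threat_hunting/wpscan: medium
+anti-static/obfuscation/js/char_codes: medium
+c2/addr/ip: medium
+c2/addr/ip_port: medium
+c2/addr/php: medium
+c2/addr/url_unusual: high
+c2/discovery/dyndns: medium
+c2/tool_transfer/download: high
+c2/tool_transfer/dropper: medium
+c2/tool_transfer/exe_url: high
+c2/tool_transfer/grayware: high
+collect/databases/mysql: medium
+credential/keylogger: medium
+credential/password: low
+crypto/blockchain: medium
+data/embedded/base64_url: medium
+data/encoding/base64: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+data/hash/md5: low
+discover/network/mac_address: medium
+evasion/hidden_paths/hidden: medium
+exec/cmd: medium
+exec/plugin: low
+exec/shell/power: medium
+exec/system_controls/apparmor: medium
+exfil/upload: medium
+fs/lock_update: low
+fs/mount: low
+fs/path/dev: medium
+impact/cryptojacking/monero_pool: medium
+impact/ddos: medium
+impact/exploit: medium
+impact/exploit/cve: medium
+impact/exploit/known_s: medium
+impact/exploit/overflow_shellcode: high
+impact/infection/infected: medium
+impact/remote_access/backdoor: high
+impact/remote_access/botnet: medium
+impact/remote_access/iptables: medium
+impact/remote_access/reverse_shell: high
+impact/remote_access/trojan: medium
+impact/rootkit: low
+impact/rootkit/refs: medium
+lateral/scan/brute_force: low
+net/dns/txt: low
+net/download: medium
+net/http/post: medium
+net/http/request: low
+net/ip/addr: medium
+net/socket/listen: medium
+net/socket/send: low
+net/tcp/sftp: medium
+net/url/embedded: low
+net/url/parse: low
+net/url/request: medium
+os/kernel/seccomp: low
+persist/daemon: medium
+process/chroot: low
+process/name_get: medium
+process/parent_pid_get: low
+sec-tool/net/masscan: high
+sec-tool/net/nmap: medium
+sec-tool/pentest/metasploit_ref: medium
+sus/leetspeak: medium
+sus/malicious: medium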
