Skip to content

Commit

Permalink
[Detection Rules] Add 7.15 rules
Browse files Browse the repository at this point in the history
  • Loading branch information
brokensound77 committed Sep 7, 2021
1 parent 1466099 commit 8f71fa9
Show file tree
Hide file tree
Showing 9 changed files with 14 additions and 87 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
"query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and \n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\"\n",
"references": [
"https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
"https://github.com/bp88/JSS-Scripts/blob/master/TCC.db Modifier.sh",
"https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh",
"https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8"
],
"risk_score": 47,
Expand Down Expand Up @@ -53,5 +53,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@
"license": "Elastic License v2",
"max_signals": 10000,
"name": "Endpoint Security",
"query": "event.kind:alert and event.module:(endpoint and not endgame) and not event.code: behavior\n",
"query": "event.kind:alert and event.module:(endpoint and not endgame)\n",
"risk_score": 47,
"risk_score_mapping": [
{
Expand Down Expand Up @@ -64,5 +64,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 4
"version": 3
}

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -580,8 +580,7 @@ import rule567 from './defense_evasion_parent_process_pid_spoofing.json';
import rule568 from './defense_evasion_defender_exclusion_via_powershell.json';
import rule569 from './defense_evasion_whitespace_padding_in_command_line.json';
import rule570 from './persistence_webshell_detection.json';
import rule571 from './elastic_endpoint_security_behavior_protection.json';
import rule572 from './persistence_via_bits_job_notify_command.json';
import rule571 from './persistence_via_bits_job_notify_command.json';

export const rawRules = [
rule1,
Expand Down Expand Up @@ -1155,5 +1154,4 @@ export const rawRules = [
rule569,
rule570,
rule571,
rule572,
];
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
"license": "Elastic License v2",
"name": "Azure Active Directory High Risk Sign-in",
"note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"query": "event.dataset:azure.signinlogs and\n azure.signinlogs.properties.risk_level_during_signin:high and\n event.outcome:(success or Success)\n",
"query": "event.dataset:azure.signinlogs and\n (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and\n event.outcome:(success or Success)\n",
"references": [
"https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk",
"https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
Expand Down Expand Up @@ -49,5 +49,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 2
"version": 3
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,6 @@
"license": "Elastic License v2",
"machine_learning_job_id": "linux_rare_kernel_module_arguments",
"name": "Anomalous Kernel Module Activity",
"references": [
"references"
],
"risk_score": 21,
"rule_id": "37b0816d-af40-40b4-885f-bb162b3c88a9",
"severity": "low",
Expand Down Expand Up @@ -50,5 +47,5 @@
}
],
"type": "machine_learning",
"version": 3
"version": 4
}
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
"name": "Persistence via Docker Shortcut Modification",
"query": "event.category : file and event.action : modification and \n file.path : /Users/*/Library/Preferences/com.apple.dock.plist and \n not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n",
"references": [
"https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
"https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
],
"risk_score": 47,
"rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d",
Expand Down Expand Up @@ -44,5 +44,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
"name": "Finder Sync Plugin Registered and Enabled",
"query": "sequence by host.id, user.id with maxspan = 5s\n [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and process.args : \"-a\"]\n [process where event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n not process.args :\n (\n \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n \"com.google.drivefs.findersync\",\n \"com.boxcryptor.osx.Rednif\",\n \"com.adobe.accmac.ACCFinderSync\",\n \"com.microsoft.OneDrive.FinderSync\",\n \"com.insynchq.Insync.Insync-Finder-Integration\",\n \"com.box.desktop.findersyncext\"\n )\n ]\n",
"references": [
"https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
"https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"
],
"risk_score": 47,
"rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906",
Expand Down Expand Up @@ -46,5 +46,5 @@
}
],
"type": "eql",
"version": 1
"version": 2
}
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
"name": "Unusual Parent-Child Relationship",
"query": "process where event.type in (\"start\", \"process_started\") and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n",
"references": [
"https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes TH.map.png",
"https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes%20TH.map.png",
"https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"
],
"risk_score": 47,
Expand Down Expand Up @@ -53,5 +53,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 8
"version": 9
}

0 comments on commit 8f71fa9

Please sign in to comment.