Lin/Mac T1552.003

2024-11-07 01:45:21 +00:00 · 2020-10-17 02:06:01 +03:00 · 2020-10-17 02:06:01 +03:00 · 9b568df527
commit 9b568df527
parent cc2f48b4a3
2 changed files with 70 additions and 0 deletions
--- a/rules/linux/lnx_susp_histfile_operations.yml
+++ b/rules/linux/lnx_susp_histfile_operations.yml
@ -0,0 +1,41 @@
+title: 'Suspicious history file operations'
+id: eae8ce9f-bde9-47a6-8e79-f20d18419910
+status: experimental
+description: 'Detects commandline operations on shell history files'
+    # Rule detects presence of various shell history files in process commandline
+    # Normally user expected to view own history with dedicated 'history' command and not some other tools
+    # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
+    # For this rule to work execve auditing must be configured
+    # Example config (place it at the bottom of audit.rules)
+    # -a always,exit -F arch=b32 -S execve -k execve
+    # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Mikhail Larin, oscd.community'
+date: 2020/10/17
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: EXECVE
+        keywords|contains:
+            - '.bash_history'
+            - '.zsh_history'
+            - '.history'
+            - '.sh_history'
+            - 'fish_history'
+    condition: selection
+fields:
+    - a0
+    - a1
+    - a2
+    - a3
+    - key
+falsepositives:
+    - 'Legitimate administrative activity'
+    - 'Ligitimate software, cleaning hist file'
+level: medium
+tags:
+    - attack.credential_access
+    - attack.t1552.003
--- a/rules/linux/macos_susp_histfile_operations.yml
+++ b/rules/linux/macos_susp_histfile_operations.yml
@ -0,0 +1,29 @@
+title: 'Suspicious history file operations'
+id: 508a9374-ad52-4789-b568-fc358def2c65
+status: experimental
+description: 'Detects commandline operations on shell history files'
+    # Rule detects presence of various shell history files in process commandline
+    # Normally user expected to view own history with dedicated 'history' command and not some other tools
+    # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
+    # For this rule to work you must enable audit of process execution in OpenBSM, see
+    # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Mikhail Larin, oscd.community'
+date: 2020/10/17
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection:
+        CommandLine|contains:
+            - '.bash_history'
+            - '.zsh_history'
+    condition: selection
+falsepositives:
+    - 'Legitimate administrative activity'
+    - 'Ligitimate software, cleaning hist file'
+level: medium
+tags:
+    - attack.credential_access
+    - attack.t1552.003