From b0b72de94d03475f7cbf33ab9d0f9a0158402f1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Tue, 6 Oct 2020 23:52:06 +0300
Subject: [PATCH 1/7] Create lnx_process_discovery.yml
---
 rules/linux/lnx_process_discovery.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/linux/lnx_process_discovery.yml
diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml
new file mode 100644
index 00000000..d9cb82b7
--- /dev/null
+++ b/rules/linux/lnx_process_discovery.yml
@@ -0,0 +1,21 @@
+title: Process Discovery
+id: 4e2f5868-08d4-413d-899f-dc2f1508627b
+status: stable
+description: Detects process discovery commands
+author: Ömer Günal
+date: 2020/10/06
+references:
+ - https://attack.mitre.org/techniques/T1057/
+logsource:
+ product: linux
+detection:
+ keywords:
+ - commands|contains:
+ - 'ps *'
+ - 'top'
+ condition: keywords
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
From d44ef84b553ba4240cc51eb8990c95a7c00a0e43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Wed, 7 Oct 2020 22:26:02 +0300
Subject: [PATCH 2/7] Update lnx_process_discovery.yml
---
 rules/linux/lnx_process_discovery.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml
index d9cb82b7..850c97da 100644
--- a/rules/linux/lnx_process_discovery.yml
+++ b/rules/linux/lnx_process_discovery.yml
@@ -2,7 +2,7 @@ title: Process Discovery
 id: 4e2f5868-08d4-413d-899f-dc2f1508627b
 status: stable
 description: Detects process discovery commands
-author: Ömer Günal
+author: Ömer Günal, oscd.community
 date: 2020/10/06
 references:
 - https://attack.mitre.org/techniques/T1057/
@@ -11,7 +11,7 @@ logsource:
 detection:
 keywords:
 - commands|contains:
- - 'ps *'
+ - 'ps '
 - 'top'
 condition: keywords
 falsepositives:
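Review bot: `status: stable` is set on a rule that is created in this very commit and has not yet been run against any data, which goes against the Sigma convention that newly contributed rules enter as `status: experimental` and are promoted once they have been validated; none of the later patches in this series revisit it. The `keywords` section also holds a field-bound item (`commands|contains:`) rather than bare keyword strings, so it is effectively a field selection and reads misleadingly under that name. Suggested change: `status: experimental`.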
@@ -19,3 +19,4 @@ falsepositives:
 level: low
 tags:
 - attack.discovery
+ - attack.t1057
From 27dcad8ffe96d64955b9c038d07a34f128e82690 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Fri, 16 Oct 2020 10:52:54 +0300
Subject: [PATCH 3/7] Update lnx_process_discovery.yml
---
 rules/linux/lnx_process_discovery.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml
index 850c97da..061e30bd 100644
--- a/rules/linux/lnx_process_discovery.yml
+++ b/rules/linux/lnx_process_discovery.yml
@@ -9,11 +9,11 @@ references:
 logsource:
 product: linux
 detection:
- keywords:
- - commands|contains:
+ selection:
+ - CommandLine|contains:
 - 'ps '
 - 'top'
- condition: keywords
+ condition: selection
 falsepositives:
 - Legitimate administration activities
 level: low
From 5c34e69fc9a01e92228bda9ab2a34993a082792f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Fri, 16 Oct 2020 10:58:51 +0300
Subject: [PATCH 4/7] Update lnx_process_discovery.yml
---
 rules/linux/lnx_process_discovery.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml
index 061e30bd..5ca621ea 100644
--- a/rules/linux/lnx_process_discovery.yml
+++ b/rules/linux/lnx_process_discovery.yml
@@ -5,7 +5,7 @@ description: Detects process discovery commands
 author: Ömer Günal, oscd.community
 date: 2020/10/06
 references:
- - https://attack.mitre.org/techniques/T1057/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md
 logsource:
 product: linux
 detection:
From a2a1b203355da71caac0a40a285eb67a0cde4fa0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Wed, 21 Oct 2020 21:40:46 +0300
Subject: [PATCH 5/7] Update lnx_process_discovery.yml
---
 rules/linux/lnx_process_discovery.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
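Review bot: `selection:` is written as a one-element list wrapping the `CommandLine|contains:` mapping; Sigma treats a list under a selection as an OR over its items, so the extra list level adds nothing and the plain mapping form is the conventional way to express a single field match: `  selection:` followed by `    CommandLine|contains:` with the two values indented beneath it. The same single-item list form is carried forward by the patch 5 and patch 6 hunks that rename the field, so fixing it here avoids three rewrites. Whether `CommandLine` is the field name the repository's other `product: linux` rules use for this log source cannot be confirmed from this diff; align it with them so one field mapping serves all of them.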
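Review bot: The MITRE technique page is replaced rather than supplemented, so after this patch the rule carries an `attack.t1057` tag and a T1057 atomic-test link but no longer references the technique definition both of those point at. Keep both entries under `references:`, i.e. retain `  - https://attack.mitre.org/techniques/T1057/` and add the atomic-red-team URL as a second list item below it.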
diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml
index 5ca621ea..a6bf0eec 100644
--- a/rules/linux/lnx_process_discovery.yml
+++ b/rules/linux/lnx_process_discovery.yml
@@ -10,7 +10,7 @@ logsource:
 product: linux
 detection:
 selection:
- - CommandLine|contains:
+ - ProcessName|contains:
 - 'ps '
 - 'top'
 condition: selection
From 1582c5230ab93fc765d4d154fab508086691e8bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Wed, 18 Nov 2020 23:25:15 +0300
Subject: [PATCH 6/7] Update lnx_process_discovery.yml
---
 rules/linux/lnx_process_discovery.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml
index a6bf0eec..86387992 100644
--- a/rules/linux/lnx_process_discovery.yml
+++ b/rules/linux/lnx_process_discovery.yml
@@ -8,11 +8,12 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md
 logsource:
 product: linux
+ category: process_creation
 detection:
 selection:
- - ProcessName|contains:
- - 'ps '
- - 'top'
+ - ProcessName|endswith:
+ - '/ps'
+ - '/top'
 condition: selection
 falsepositives:
 - Legitimate administration activities
From 1417d0332dd0ed318582d9b0b181f5b732e193cd Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 2 Nov 2020 22:57:01 +0100
Subject: [PATCH 7/7] Removed ES query tests
---
 .github/workflows/sigma-test.yml | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index ee0c317a..28931b92 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
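Review bot: `ProcessName|endswith:` with `'/ps'` and `'/top'` only matches when the field holds a path-qualified executable name; a source that records the bare basename (`ps`, `top`) will never match, so either confirm from the repository's field mapping for `product: linux` / `category: process_creation` that this field is a full path, or state that assumption in the rule's description. The detection logic has been rewritten several times since the original `date: 2020/10/06` line without a `modified:` entry; add `modified: 2020/11/18` (this patch's date) so consumers can see the rule was revised. `status: stable` also still stands from the initial commit even though the matching logic has changed completely since then.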
@@ -23,18 +23,9 @@ jobs:
 run: |
 python -m pip install --upgrade pip
 pip install -r tools/requirements.txt -r tools/requirements-devel.txt
- wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
- sudo apt install -y apt-transport-https
- echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic.list
- sudo apt update
- sudo apt install -y elasticsearch
- sudo systemctl start elasticsearch
 - name: Test Sigma Tools and Rules
 run: |
 make test
- - name: Test Generated Elasticsearch Query Strings
- run: |
- make test-backend-es-qs
 - name: Test SQL(ite) Backend
 run: |
 make test-backend-sql