From 4be0973293711f301aa019a0e43bb0604c41028d Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Sat, 30 Nov 2024 22:34:38 +0330
Subject: [PATCH 1/2] Add new binaries

---
 rules/linux/auditd/lnx_auditd_user_discovery.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml
index 0bfbbf39799..001e66b6ce2 100644
--- a/rules/linux/auditd/lnx_auditd_user_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml
@@ -4,9 +4,9 @@ status: test
 description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
-author: Timur Zinniatullin, oscd.community
+author: Timur Zinniatullin, oscd.community, CheraghiMilad
 date: 2019-10-21
-modified: 2021-11-27
+modified: 2024-11-30
 tags:
 - attack.discovery
 - attack.t1033
@@ -20,6 +20,10 @@ detection:
 - 'users'
 - 'w'
 - 'who'
+ - 'whoami'
+ - 'hostname'
+ - 'id'
+ - 'last'
 condition: selection
 falsepositives:
 - Admin activity

From cedb7ee2ea348487e1849e02b8f77a28a9fca90f Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sun, 1 Dec 2024 13:46:36 +0100
Subject: [PATCH 2/2] Update lnx_auditd_user_discovery.yml

---
 rules/linux/auditd/lnx_auditd_user_discovery.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml
index 001e66b6ce2..90ff5695e41 100644
--- a/rules/linux/auditd/lnx_auditd_user_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml
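Review bot: `hostname` and `id`, added to the `a0` list in the second hunk of this patch, are among the most routinely executed binaries on a Linux host (shell profiles, package maintainer scripts, cron jobs and monitoring agents call them constantly), so an exact-match EXECVE rule on them will fire continuously, yet the `falsepositives` list in the same hunk still reads only `- Admin activity`. Either leave those two names out or document the expected noise and tuning, for example by extending the list with `- Scheduled scripts and monitoring agents that call hostname or id` and `- Shell initialization files`. The rule's `level` field is outside both hunks, so I cannot tell whether it was lowered to match; with these additions it should not sit above a low severity. The second patch reorders the same list without revisiting this.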
@@ -1,10 +1,12 @@
-title: System Owner or User Discovery
+title: System Owner or User Discovery - Linux
 id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
 status: test
-description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+description: |
+ Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc.
+ Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
-author: Timur Zinniatullin, oscd.community, CheraghiMilad
+author: Timur Zinniatullin, oscd.community
 date: 2019-10-21
 modified: 2024-11-30
 tags:
@@ -17,13 +19,13 @@ detection:
 selection:
 type: 'EXECVE'
 a0:
+ - 'hostname'
+ - 'id'
+ - 'last'
 - 'users'
 - 'w'
 - 'who'
 - 'whoami'
- - 'hostname'
- - 'id'
- - 'last'
 condition: selection
 falsepositives:
 - Admin activity
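Review bot: The `a0` selection in the second hunk matches only the bare command word, so an EXECVE record whose a0 carries a full path (the auditd `a0` field is the first execve argument as the caller supplied it) is not covered by this rule; that was already true for `users`, `w` and `who`, but the new entries inherit the same coverage limit and the reorder is a good moment to state it. A comment above `a0:` such as `# a0 is argv[0] as passed to execve; only bare command names are matched here` would make the scope explicit for whoever tunes the rule, or a second `a0|endswith` list with the `/`-prefixed names could be OR'ed into the condition. Exact-match semantics also vary by backend, so confirm the intended behaviour before widening the list further.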