cleanup(rules): initial tagging of stable rules round3 #109
@@ -980,11 +980,12 @@ | |
condition: (open_read or open_file_failed) and (etc_dir or user_ssh_directory or fd.name startswith /root/.ssh or fd.name contains "id_rsa") and directory_traversal and not proc.pname in (shell_binaries) | ||
enabled: true | ||
output: > | ||
Read monitored file via directory traversal (username=%user.name useruid=%user.uid user_loginuid=%user.loginuid program=%proc.name exe=%proc.exepath | ||
command=%proc.cmdline pid=%proc.pid parent=%proc.pname file=%fd.name fileraw=%fd.nameraw parent=%proc.pname | ||
gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository returncode=%evt.res cwd=%proc.cwd) | ||
Read monitored file via directory traversal (user=%user.name uid=%user.uid user_loginuid=%user.loginuid | ||
process=%proc.name proc_exepath=%proc.exepath command=%proc.cmdline pid=%proc.pid parent=%proc.pname | ||
file=%fd.name fileraw=%fd.nameraw gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] | ||
terminal=%proc.tty container_id=%container.id image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name) | ||
priority: WARNING | ||
tags: [host, container, filesystem, mitre_discovery, mitre_exfiltration, mitre_credential_access, T1555, T1212, T1020, T1552, T1083] | ||
tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555] | ||
# The rule below is disabled by default as many system management tools | ||
# like ansible, etc can read these files/paths. Enable it using this macro. | ||
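Review bot: the new output string drops `returncode=%evt.res` and `cwd=%proc.cwd`, but the condition still matches both `open_read` and `open_file_failed`, so without `%evt.res` an analyst can no longer tell a successful read of `/root/.ssh/id_rsa` from a failed attempt, and without `%proc.cwd` a relative traversal path shown in `fileraw=%fd.nameraw` cannot be resolved to the file actually touched. Suggest keeping both, e.g. appending `returncode=%evt.res cwd=%proc.cwd` before the closing parenthesis. Removing the duplicated `parent=%proc.pname` from the old output is a good cleanup.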
@@ -1396,15 +1397,17 @@ | |
- rule: Read sensitive file trusted after startup | ||
desc: > | ||
an attempt to read any sensitive file (e.g. files containing user/password/authentication | ||
An attempt to read any sensitive file (e.g. files containing user/password/authentication | ||
information) by a trusted program after startup. Trusted programs might read these files | ||
at startup to load initial state, but not afterwards. | ||
at startup to load initial state, but not afterwards. Can be customized as needed. | ||
condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" and not user_known_read_sensitive_files_activities | ||
output: > | ||
Sensitive file opened for reading by trusted program after startup (user=%user.name user_loginuid=%user.loginuid | ||
command=%proc.cmdline pid=%proc.pid parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) | ||
Sensitive file opened for reading by trusted program after startup (user=%user.name uid=%user.uid user_loginuid=%user.loginuid | ||
process=%proc.name proc_exepath=%proc.exepath command=%proc.cmdline pid=%proc.pid parent=%proc.pname | ||
file=%fd.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] terminal=%proc.tty | ||
container_id=%container.id image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name) | ||
priority: WARNING | ||
tags: [host, container, filesystem, mitre_credential_access, T1555, T1212, T1020, T1552, T1083] | ||
tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555] | ||
- list: read_sensitive_file_binaries | ||
items: [ | ||
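Review bot: the desc now ends with "Can be customized as needed." but does not say how; the condition shows the intended hook is the `user_known_read_sensitive_files_activities` macro (next to a hard-coded `proc.name!="sshd"` exclusion). Suggest naming the macro in the desc, e.g. "Customize via the user_known_read_sensitive_files_activities macro.", so users tune the override rather than editing the condition. Dropping the duplicate `parent=%proc.pname` from the output is correct.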
@@ -1443,8 +1446,8 @@ | |
- rule: Read sensitive file untrusted | ||
desc: > | ||
an attempt to read any sensitive file (e.g. files containing user/password/authentication | ||
information). Exceptions are made for known trusted programs. | ||
An attempt to read any sensitive file (e.g. files containing user/password/authentication | ||
information). Exceptions are made for known trusted programs. Can be customized as needed. | ||
condition: > | ||
sensitive_files and open_read | ||
and proc_name_exists | ||
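Review bot: same vagueness as in the previous desc: "Can be customized as needed." names no customization point, while this rule's condition carries two override macros, `user_known_read_sensitive_files_activities` and `user_read_sensitive_file_containers`. Suggest listing both in the desc so the tuning path is discoverable without reading the condition.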
@@ -1470,10 +1473,12 @@ | |
and not user_known_read_sensitive_files_activities | ||
and not user_read_sensitive_file_containers | ||
output: > | ||
Sensitive file opened for reading by non-trusted program (user=%user.name user_loginuid=%user.loginuid program=%proc.name | ||
command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository) | ||
Sensitive file opened for reading by non-trusted program (user=%user.name uid=%user.uid user_loginuid=%user.loginuid | ||
process=%proc.name proc_exepath=%proc.exepath command=%proc.cmdline pid=%proc.pid parent=%proc.pname | ||
file=%fd.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] terminal=%proc.tty container_id=%container.id | ||
Comment on lines +1476 to +1478

This one sounds a bit noisy. Do you think the default exception list is comprehensive enough to be considered stable?

Answering here for both. I would say it's ok for now. At the same time added a note to the tracking ticket and we can tune them in a follow-up PR? These rules have been around for a very long time and they are commonly referred to in tutorials. On the flip side some template macros for custom sensitive files would make sense as well to address FNs?

Agree! Thanks for this!
image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name) | ||
priority: WARNING | ||
tags: [host, container, filesystem, mitre_credential_access, mitre_discovery, T1555, T1212, T1020, T1552, T1083] | ||
tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555] | ||
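Review bot: the tag list is trimmed to `mitre_credential_access, T1555`, but T1555 is Credentials from Password Stores (keychains, browsers, password managers); reading credential-bearing files on disk, which is what the rule's own desc describes ("files containing user/password/authentication information"), maps to T1552 Unsecured Credentials (T1552.001 Credentials In Files, T1552.004 Private Keys), the technique this change removes. Suggest keeping T1552 alongside or instead of T1555, and rechecking the other rules retagged the same way in this PR. The rename from `program=` to `process=` brings the output in line with the other rules; good.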
- macro: amazon_linux_running_python_yum | ||
condition: > | ||
@@ -2804,24 +2809,34 @@ | |
tags: [container, network, process, mitre_lateral_movement, mitre_exfiltration, T1020, T1210] | ||
- rule: Create Symlink Over Sensitive Files | ||
desc: Detect symlink created over sensitive files | ||
desc: > | ||
Detect symlinks created over a curated list of sensitive files or subdirectories under /etc/ or | ||
root directories. Can be customized as needed. | ||
condition: > | ||
create_symlink and | ||
(evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names)) | ||
output: > | ||
Symlinks created over sensitive files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname) | ||
Symlinks created over sensitive files (user=%user.name uid=%user.uid user_loginuid=%user.loginuid | ||
proc_exepath=%proc.exepath command=%proc.cmdline pid=%proc.pid target=%evt.arg.target | ||
linkpath=%evt.arg.linkpath parent_process=%proc.pname terminal=%proc.tty container_id=%container.id | ||
image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name) | ||
priority: WARNING | ||
tags: [host, container, filesystem, mitre_exfiltration, mitre_credential_access, T1020, T1083, T1212, T1552, T1555] | ||
tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555] | ||
- rule: Create Hardlink Over Sensitive Files | ||
desc: Detect hardlink created over sensitive files | ||
desc: > | ||
Detect hardlink created over a curated list of sensitive files or subdirectories under /etc/ or | ||
root directories. Can be customized as needed. | ||
condition: > | ||
create_hardlink and | ||
(evt.arg.oldpath in (sensitive_file_names)) | ||
output: > | ||
Hardlinks created over sensitive files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid target=%evt.arg.oldpath linkpath=%evt.arg.newpath parent_process=%proc.pname) | ||
Hardlinks created over sensitive files (user=%user.name uid=%user.uid user_loginuid=%user.loginuid | ||
proc_exepath=%proc.exepath command=%proc.cmdline pid=%proc.pid target=%evt.arg.oldpath | ||
linkpath=%evt.arg.newpath parent_process=%proc.pname terminal=%proc.tty container_id=%container.id | ||
image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name) | ||
priority: WARNING | ||
tags: [host, container, filesystem, mitre_exfiltration, mitre_credential_access, T1020, T1083, T1212, T1552, T1555] | ||
tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555] | ||
- list: miner_ports | ||
items: [ | ||
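Review bot: the hardlink rule's new desc says "sensitive files or subdirectories under /etc/ or root directories", but its condition only checks `evt.arg.oldpath in (sensitive_file_names)`; there is no `sensitive_directory_names` check like the symlink rule has, and link(2) refuses directories on Linux anyway, so the desc should only claim files. Also, both new outputs carry `proc_exepath=%proc.exepath` but no `process=%proc.name`, unlike the other rules retagged in this PR; suggest adding it for consistency.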
This one did sound a little bit noisy but I see that the list of programs that are involved is limited (server, db, ...). Makes sense to me.