Converted Auditd rules #5059

Open: wants to merge 11 commits into base: master

Conversation

@defensivedepth (Contributor) commented Oct 22, 2024

Summary of the Pull Request

Reviewed EXECVE Auditd rules to see if they have process_creation counterparts. Created a new process_creation rule if needed, added the related field to existing process_creation rules and updated the Auditd rule as needed.

Changelog

Process Creation:
new: Bpfdoor TCP Ports Redirect - Process Creation
new: File Time Attribute Change - Process Creation
new: Possible Coin Miner CPU Priority Param - Process Creation
new: Steganography Embed or Extract Files with Steghide - Process Creation

chore: Remove Immutable File Attribute - Title
chore: Clipboard Collection with Xclip Tool - Title + Related id
chore: DD File Overwrite - Process Creation - Title + Related id

Auditd:
chore: Bpfdoor TCP Ports Redirect - Title
chore: File Time Attribute Change - Title
chore: Possible Coin Miner CPU Priority Param - Title
chore: Overwriting the File with Dev Zero or Null - Title
chore: Steganography Hide Files with Steghide - Title
chore: Steganography Extract Files with Steghide - Title

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Linux Pull request add/update linux related rules labels Oct 22, 2024
@defensivedepth defensivedepth marked this pull request as ready for review October 27, 2024 14:45
@defensivedepth defensivedepth changed the title Draft: Auditd Converted Auditd rules Oct 27, 2024
Comment on rule snippet:
    CommandLine|contains:
        - '--to-ports 42'
        - '--to-ports 43'
    condition: selection_cmd and selection_keywords

Member commented:

Suggested change:
    condition: selection_cmd and selection_keywords
becomes
    condition: all of selection_*

Comment on lines +29 to +31:
    CommandLine|contains|all:
        - 'extract'
        - '-sf'

@frack113 (Member) commented Nov 30, 2024:

a5a827d9-1bbe-4952-9293-c59d897eb41b: check '.jpg' and '.png' too.
From the ref, it can use MP, GIF, JPG or PNG format.

Comment on rule snippet:
    condition: selection_image and 1 of parameters_*
falsepositives:
    - Unknown
level: medium

Member commented:

ce446a9e-30b9-4483-8e38-d2c9ad0a2280 and a5a827d9-1bbe-4952-9293-c59d897eb41b are low

@frack113 frack113 added the Author Input Required changes the require information from original author of the rules label Nov 30, 2024
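As an added example (not SigmaHQ's code and not the pySigma library), the following Python evaluator shows how the condition idioms reviewed above behave when matched against process_creation events: 'all of selection_*' as the reviewer's replacement for 'selection_cmd and selection_keywords', and '1 of parameters_*' with one parameters_* selection per carrier extension, which is what the '.jpg' and '.png' request amounts to. The contents of selection_image and selection_cmd, the Image|endswith modifier, and the sample events are assumptions; only the CommandLine values and the condition strings come from the PR.

```python
"""Evaluator for the Sigma condition idioms reviewed in this PR.

Added example: not SigmaHQ's code and not pySigma. It implements only the
field modifiers the reviewed snippets use (contains, contains|all, plus
endswith for the Image selections) and the condition forms discussed
('all of selection_*', '1 of parameters_*', and a plain 'a and b').
"""
import fnmatch
import re


def field_matches(event, key, values):
    """Apply a 'Field|modifier...' key to one event. List values are ORed
    unless the 'all' modifier is present, which is Sigma's semantics."""
    field, *modifiers = key.split("|")
    actual = str(event.get(field, ""))
    if not isinstance(values, list):
        values = [values]
    if "contains" in modifiers:
        hits = [v in actual for v in values]
    elif "endswith" in modifiers:
        hits = [actual.endswith(v) for v in values]
    else:
        hits = [actual == v for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(event, selection):
    """Every key inside one selection map is ANDed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def term_matches(term, detection, event):
    """One condition term: a selection name, or 'N of pattern' / 'all of pattern'."""
    m = re.fullmatch(r"(all|\d+) of (\S+)", term)
    if not m:
        return selection_matches(event, detection[term])
    count, pattern = m.groups()
    names = [n for n in detection
             if n != "condition" and fnmatch.fnmatchcase(n, pattern)]
    matched = sum(selection_matches(event, detection[n]) for n in names)
    return matched == len(names) if count == "all" else matched >= int(count)


def rule_matches(detection, event):
    """Conjunctions only ('a and b', 'a and 1 of b_*'): all the snippets need."""
    return all(term_matches(t.strip(), detection, event)
               for t in detection["condition"].split(" and "))


# Constructed detection blocks modelled on the reviewed snippets. The
# selection_image / selection_cmd contents are assumptions (hypothetical);
# only the CommandLine values and the condition strings come from the PR.
STEGHIDE_EXTRACT = {
    "selection_image": {"Image|endswith": "/steghide"},
    # one parameters_* selection per carrier format, following the reviewer's
    # request to check '.jpg' and '.png' as well
    "parameters_jpg": {"CommandLine|contains|all": ["extract", "-sf", ".jpg"]},
    "parameters_png": {"CommandLine|contains|all": ["extract", "-sf", ".png"]},
    "condition": "selection_image and 1 of parameters_*",
}

BPFDOOR_REDIRECT = {
    "selection_cmd": {"Image|endswith": "/iptables"},
    "selection_keywords": {"CommandLine|contains": ["--to-ports 42", "--to-ports 43"]},
    # the reviewer's suggested form; equivalent to
    # 'selection_cmd and selection_keywords' while both selections exist
    "condition": "all of selection_*",
}

EVENTS = [  # constructed process_creation events, not real telemetry
    {"Image": "/usr/bin/steghide",
     "CommandLine": "steghide extract -sf holiday.jpg -p pass"},
    {"Image": "/usr/bin/steghide",
     "CommandLine": "steghide embed -cf cover.png -ef note.txt"},
    {"Image": "/usr/sbin/iptables",
     "CommandLine": "iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 42"},
    {"Image": "/usr/sbin/iptables", "CommandLine": "iptables -L -n"},
]


def hits(detection, events=EVENTS):
    """Indexes of the events a detection block fires on."""
    return [i for i, e in enumerate(events) if rule_matches(detection, e)]


if __name__ == "__main__":
    print("steghide extract:", hits(STEGHIDE_EXTRACT))
    print("bpfdoor redirect:", hits(BPFDOOR_REDIRECT))
```

Swapping the BPFDoor condition back to 'selection_cmd and selection_keywords' gives the same hits, which is why the suggested 'all of selection_*' is a pure readability change; the steghide block, by contrast, only fires when one of the extension-specific parameters_* selections matches, so an extract from a carrier extension not listed there is missed and has to be added as another parameters_* entry.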
Labels: Author Input Required (changes that require information from the original author of the rules), Linux (pull request adds/updates Linux related rules), Rules

2 participants