diff --git a/queries/linux/dd_data_destruction.yml b/queries/linux/dd_data_destruction.yml
index 5e207ac..872adda 100644
--- a/queries/linux/dd_data_destruction.yml
+++ b/queries/linux/dd_data_destruction.yml
@@ -1,14 +1,15 @@
 title: DD Data Destruction
-description: Detection of data destruction with the DD command on *nix operating systems. Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering.
+description: Detect data destruction with the DD command on *nix operating systems. Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Impact
   technique: T1485
-  subtechnique: null
+  subtechnique:
 operating_system: linux
 query: AgentOS In ("linux","osx") AND TgtProcName = "dd" AND TgtProcCmdLine ContainsCIS "of="
-false_positives: null
-tags: null
-
+false_positives:
+  - Disk image captures
+tags:
+references:
diff --git a/queries/linux/disabling_linux_firewall.yml b/queries/linux/linux_firewall_disabled.yml
similarity index 76%
rename from queries/linux/disabling_linux_firewall.yml
rename to queries/linux/linux_firewall_disabled.yml
index e242949..1392254 100644
--- a/queries/linux/disabling_linux_firewall.yml
+++ b/queries/linux/linux_firewall_disabled.yml
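Review bot: The new `false_positives:` value is a block sequence (`- Disk image captures`) while `local_account_added_nix.yml` in this same commit keeps `false_positives: General account maintenance.` as a plain scalar, so anything consuming these files gets a list in one rule and a string in the other; pick one shape (a sequence, since a rule usually has more than one) and apply it to both. The `null` values replaced here (`subtechnique:`, `tags:`, `references:`) are now bare empty values, which loaders still read as null — if empty lists are intended, `tags: []` and `references: []` state that explicitly and pass yamllint's empty-values check. `modified: 05/12/2020` reads as earlier than `date: 10/10/2020` under a month/day reading; if day/month was meant, a quoted ISO form such as `modified: "2020-12-05"` removes the ambiguity without being turned into a date object. The same empty-value and date-format points apply to the firewall, local-account and syslog hunks below.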
@@ -1,16 +1,16 @@
 title: Disabling Linux Firewall
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
-description: Detection of Linux firewall being disabled.
+modified: 05/12/2020
+description: Detects Linux firewall being disabled.
 mitre:
   tactic: Defense Evasion
   technique: T1562
-  subtechnique: null
+  subtechnique:
 operating_system: linux
 query: (SrcProcName In Contains ("service","chkconfig") AND SrcProcCmdLine In Contains ("off","stop") AND SrcProcCmdLine ContainsCIS "tables") OR (TgtProcName = "systemctl" AND TgtProcCmdLine In Contains ("stop","disable") AND TgtProcCmdLine Contains "firewalld")
-false_positives: null
-tags: null
-
+false_positives:
+tags:
+references:
diff --git a/queries/linux/local_account_added_nix.yml b/queries/linux/local_account_added_nix.yml
index 6a476e6..643927d 100644
--- a/queries/linux/local_account_added_nix.yml
+++ b/queries/linux/local_account_added_nix.yml
@@ -2,13 +2,13 @@ title: Local Account Added Linux
 description: Query all instances of local accounts being Linux and OSX.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Persistence
   technique: T1136
-  subtechnique: null
+  subtechnique:
 operating_system: linux
 query: SrcProcCmdLine In Contains Anycase ("useradd")
 false_positives: General account maintenance.
-tags: null
-
+tags:
+references:
diff --git a/queries/linux/disable_syslog.yml b/queries/linux/syslog_disabled.yml
similarity index 83%
rename from queries/linux/disable_syslog.yml
rename to queries/linux/syslog_disabled.yml
index cc52157..0e46267 100644
--- a/queries/linux/disable_syslog.yml
+++ b/queries/linux/syslog_disabled.yml
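Review bot: The file is renamed to `linux_firewall_disabled.yml` but the `title: Disabling Linux Firewall` context line is left as-is, so the rule name and filename now use different phrasings; `title: Linux Firewall Disabled` would keep them aligned (the syslog rename below has the same mismatch). The rewritten description, `Detects Linux firewall being disabled.`, reads better as `description: Detects the Linux firewall being disabled.` and is a good place to state the rule's scope, since the query only matches service/chkconfig invocations whose command line contains `tables` and `systemctl` actions on `firewalld`. The hunk's old/new counts of 16 do not match the 14 lines visible here, so two context lines (likely blank) may have been lost in this view.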
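Review bot: The description context line, `Query all instances of local accounts being Linux and OSX.`, is missing its verb and should read `description: Detects local accounts being added on Linux and OSX.` while this file is being touched. The added `references:` is the only new key here; its meaning is not documented anywhere in the visible files, so a short comment on the first rule that introduces it, or a template file, would tell authors whether it expects URLs, rule ids or free text. `false_positives: General account maintenance.` stays a scalar in this file even though the dd rule in this commit now uses a sequence for the same key.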
@@ -2,14 +2,14 @@ title: Disable Syslog
 description: Detect disabling of Linux Syslog service.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified:
 mitre:
   tactic: Defense Evasion
   technique: T1562
-  subtechnique: null
+  subtechnique:
 operating_system: linux
 query: TgtProcName In Contains ("service","chkconfig","systemctl") AND TgtProcCmdLine In Contains ("rsyslog stop","off rsyslog","stop rsyslog","disable rsyslog")
-false_positives: null
-tags: null
-
+false_positives:
+tags:
+references:
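Review bot: `modified:` is left as a bare empty value here while the other three rules in this commit set `modified: 05/12/2020`, which looks like an oversight since this file was renamed and edited in the same change; either fill it in or keep it as an explicit `null` so the gap is deliberate. The `title: Disable Syslog` header context no longer matches the new filename `syslog_disabled.yml`, same as the firewall rename. The description says "Linux Syslog service" but the query only matches `rsyslog` command lines, so `description: Detect disabling of the rsyslog service on Linux.` would describe the actual coverage. The hunk header counts of 14 exceed the 13 lines visible, so one context line may be missing from this view.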