/
osquery_linux_logins_non_office.yml
57 lines (57 loc) · 1.49 KB
/
osquery_linux_logins_non_office.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
AnalysisType: rule
Filename: osquery_linux_logins_non_office.py
RuleID: "Osquery.Linux.LoginFromNonOffice"
DisplayName: "A Login from Outside the Corporate Office"
Enabled: false
LogTypes:
- Osquery.Differential
Tags:
- Configuration Required
- Osquery
- Linux
- Initial Access:Valid Accounts
Reports:
MITRE ATT&CK:
- TA0001:T1078
Severity: High
Description: A system has been logged into from a non approved IP space.
Runbook: Analyze the host IP, and if possible, update allowlist or fix ACL.
Reference: https://attack.mitre.org/techniques/T1078/
SummaryAttributes:
- name
- action
- p_any_ip_addresses
- p_any_domain_names
Tests:
- Name: Non-office network login (logged_in_users)
ExpectedResult: true
Log:
{
"name": "pack/incident_response/logged_in_users",
"action": "added",
"columns": { "host": "10.0.3.1", "type": "user", "user": "ubuntu" },
}
- Name: Non-office network login (last)
ExpectedResult: true
Log:
{
"name": "pack-incident_response-last",
"action": "added",
"columns":
{
"host": "10.0.3.1",
"type": "8",
"username": "ubuntu",
"tty": "ttys008",
"pid": "648",
"time": "1587502574",
},
}
- Name: Office network login
ExpectedResult: false
Log:
{
"name": "pack-logged_in_users",
"action": "added",
"columns": { "host": "192.168.1.200", "user": "ubuntu" },
}