@rylnd
Last active November 21, 2024 20:32
Rule Import Benchmarking, Mark II
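#!/bin/bash
# Rule Import Benchmarking, Mark II
#
# Builds an ndjson import file from a directory of exported saved-object JSON
# files (one rule per file). For each file the `.attributes` object is written
# on its own line with " modified" appended to `.name` and `.immutable`
# forced to true.
#
# Usage: $0 [RULE_PATH] [IMPORT_FILE]
#   RULE_PATH    directory containing *.json rule files (default: .)
#   IMPORT_FILE  ndjson file to append to (default: rules.ndjson)
# Requires: jq
set -euo pipefail

# An unmatched glob must expand to nothing; without nullglob the loop would
# hand the literal string "*.json" to jq when the directory holds no rules.
shopt -s nullglob

RULE_PATH="${1:-.}"
printf 'Rule Path: %s\n' "$RULE_PATH"
IMPORT_FILE="${2:-rules.ndjson}"
printf 'Import file: %s\n' "$IMPORT_FILE"

command -v jq >/dev/null || { printf 'jq is required but not found in PATH\n' >&2; exit 1; }

rule_count=0
for rule_file in "$RULE_PATH"/*.json; do
  # A file jq cannot parse is reported and skipped rather than appended as an
  # empty line (which would corrupt the ndjson) and counted as a rule.
  if ! modified_rule="$(jq -c '.attributes | .name |= . + " modified" | .immutable |= true' "$rule_file")"; then
    printf 'Skipping %s: jq could not process it\n' "$rule_file" >&2
    continue
  fi
  printf '%s\n' "$modified_rule" >> "$IMPORT_FILE"
  # $(( )) rather than (( rule_count++ )): the latter returns 1 when the
  # pre-increment value is 0 and would trip set -e on the first rule.
  rule_count=$((rule_count + 1))
done
# Add newline at end of file
echo "" >> "$IMPORT_FILE"
printf 'Completed modifying %s rules from %s into %s.\n' "$rule_count" "$RULE_PATH" "$IMPORT_FILE"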
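#!/usr/bin/env bash
# Generates COUNT rule saved-object files from template.json, each with a
# fresh lowercase UUID bound to the jq variable $ruleid, written to
# ./out/<uuid>.json.
#
# Usage: $0 [COUNT]
#   COUNT  number of rule files to generate (default: 0)
# Requires: jq, uuidgen, and template.json in the current directory.
set -euo pipefail

rule_count=${1:-0}
# Only a non-negative integer is a valid loop bound; anything else (including
# "-1" or a stray string) is rejected up front instead of being fed to seq.
if [[ ! "$rule_count" =~ ^[0-9]+$ ]]; then
  printf 'Usage: %s [COUNT]  (COUNT must be a non-negative integer)\n' "${0##*/}" >&2
  exit 2
fi
printf 'Generating [%s] rule(s)...\n' "$rule_count"

# Create the output directory once rather than on every iteration.
mkdir -p out
for (( i = 1; i <= rule_count; i++ )); do
  # uuidgen emits uppercase hex on some platforms (e.g. macOS); normalise so
  # the generated ids and filenames are consistently lowercase.
  uuid="$(uuidgen | tr 'A-F' 'a-f')"
  # template.json references the id via \($ruleid) string interpolation.
  jq -n --arg ruleid "$uuid" -f template.json > "out/$uuid.json"
done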
{
"attributes": {
"author": [
"Elastic"
],
"description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.",
"from": "now-9m",
"index": [
"auditbeat-*",
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Rule \($ruleid)",
"note": "",
"query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n",
"required_fields": [
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.command_line",
"type": "wildcard"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "\($ruleid)",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions \u003c8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"macOS",
"Threat Detection",
"Persistence",
"Execution"
],
"threat": [
{
"framework": "MITRE ATT\u0026CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
"reference": "https://attack.mitre.org/tactics/TA0003/"
},
"technique": [
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"reference": "https://attack.mitre.org/techniques/T1547/"
}
]
},
{
"framework": "MITRE ATT\u0026CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"reference": "https://attack.mitre.org/techniques/T1059/",
"subtechnique": [
{
"id": "T1059.002",
"name": "AppleScript",
"reference": "https://attack.mitre.org/techniques/T1059/002/"
}
]
}
]
},
{
"framework": "MITRE ATT\u0026CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1647",
"name": "Plist File Modification",
"reference": "https://attack.mitre.org/techniques/T1647/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 101
},
"id": "\($ruleid)",
"type": "security-rule"
}