Techniques
Sample rules
GCP Access Policy Deleted
- source: sigma
- techniques:
- t1098
Description
Detects the deletion of an access policy applied to a GCP cloud resource. An adversary could remove access policies in order to gain access to a GCP cloud resource.
Detection logic
condition: selection
selection:
  data.protoPayload.authorizationInfo.granted: 'true'
  data.protoPayload.authorizationInfo.permission:
    - accesscontextmanager.accessPolicies.delete
    - accesscontextmanager.accessPolicies.accessLevels.delete
    - accesscontextmanager.accessPolicies.accessZones.delete
    - accesscontextmanager.accessPolicies.authorizedOrgsDescs.delete
  data.protoPayload.serviceName: accesscontextmanager.googleapis.com
System Information Discovery Using System_Profiler
- source: sigma
- techniques:
- t1082
- t1497
- t1497.001
Description
Detects the execution of “system_profiler” with specific “Data Types” that have been observed in use by threat actors and malware. The tool reports system hardware and software configuration information and is primarily used for system information discovery. However, “system_profiler” can also be used to determine whether virtualization software is running, for defense evasion purposes.
Detection logic
condition: all of selection_*
selection_cmd:
  CommandLine|contains:
    - SPApplicationsDataType
    - SPHardwareDataType
    - SPNetworkDataType
    - SPUSBDataType
selection_img:
  - Image|endswith: /system_profiler
  - CommandLine|contains: system_profiler
System Information Discovery Via Sysctl - MacOS
- source: sigma
- techniques:
- t1082
- t1497
- t1497.001
Description
Detects the execution of “sysctl” with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.
Detection logic
condition: all of selection_*
selection_cmd:
  CommandLine|contains:
    - hw.
    - kern.
    - machdep.
selection_img:
  - Image|endswith: /sysctl
  - CommandLine|contains: sysctl
System Information Discovery Using sw_vers
- source: sigma
- techniques:
- t1082
Description
Detects the use of “sw_vers” for system information discovery.
Detection logic
condition: all of selection_*
selection_image:
  Image|endswith: /sw_vers
selection_options:
  CommandLine|contains:
    - -buildVersion
    - -productName
    - -productVersion
System Information Discovery Using Ioreg
- source: sigma
- techniques:
- t1082
Description
Detects the use of “ioreg”, which shows I/O Kit registry information. This process is used for system information discovery. In the wild it has been observed both invoked directly and run through bash with grep to search its output for specific strings.
Detection logic
condition: all of selection_*
selection_cmd1:
  CommandLine|contains:
    - -l
    - -c
selection_cmd2:
  CommandLine|contains:
    - AppleAHCIDiskDriver
    - IOPlatformExpertDevice
    - Oracle
    - Parallels
    - USB Vendor Name
    - VirtualBox
    - VMware
selection_img:
  - Image|endswith: /ioreg
  - CommandLine|contains: ioreg
ESXi Syslog Configuration Change Via ESXCLI
- source: sigma
- techniques:
- t1562
- t1562.001
- t1562.003
Description
Detects changes to the ESXi syslog configuration made via “esxcli”.
Detection logic
condition: selection
selection:
  CommandLine|contains: ' set'
  CommandLine|contains|all:
    - system
    - syslog
    - config
  Image|endswith: /esxcli
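To show how the selection and condition blocks above combine, here is an added evaluator (not part of the rule set or of any Sigma tooling) that implements the subset of Sigma semantics these rules use: `contains`, `endswith`, `contains|all`, OR across a value list, OR across a list of maps, and the `selection` / `all of selection_*` conditions. It is run against the ESXi syslog rule and the ioreg rule over constructed process events; string matching is case-insensitive as Sigma specifies, and wildcards are not handled.

```python
import fnmatch

def _match_field(event, key, expected):
    """Apply a Sigma key like 'CommandLine|contains|all'; case-insensitive, no wildcards."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    values = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    if "contains" in mods:
        hits = [v in value for v in values]
    elif "endswith" in mods:
        hits = [value.endswith(v) for v in values]
    else:
        hits = [value == v for v in values]
    return all(hits) if "all" in mods else any(hits)  # a value list is OR unless |all

def _match_selection(event, selection):
    """A map is AND across its fields; a list of maps is OR across the maps."""
    if isinstance(selection, list):
        return any(_match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())

def evaluate(rule, event):
    """Evaluate a detection block whose condition is 'X' or 'all of X_*'."""
    cond = rule["condition"]
    if cond.startswith("all of "):
        names = fnmatch.filter(rule, cond[len("all of "):])  # e.g. selection_* keys
        return all(_match_selection(event, rule[n]) for n in names)
    return _match_selection(event, rule[cond])

# Detection blocks transcribed from the ESXi syslog and ioreg rules above.
ESXI_SYSLOG = {"condition": "selection", "selection": {
    "CommandLine|contains": " set",
    "CommandLine|contains|all": ["system", "syslog", "config"],
    "Image|endswith": "/esxcli"}}
IOREG = {"condition": "all of selection_*",
    "selection_cmd1": {"CommandLine|contains": ["-l", "-c"]},
    "selection_cmd2": {"CommandLine|contains": ["AppleAHCIDiskDriver", "IOPlatformExpertDevice",
                       "Oracle", "Parallels", "USB Vendor Name", "VirtualBox", "VMware"]},
    "selection_img": [{"Image|endswith": "/ioreg"}, {"CommandLine|contains": "ioreg"}]}

# Constructed sample process events (not real telemetry).
EVENTS = [
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system syslog config set --loghost=udp://192.0.2.10:514"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system syslog config get"},
    {"Image": "/bin/bash", "CommandLine": "bash -c 'ioreg -l | grep -i VMware'"},
    {"Image": "/usr/sbin/ioreg", "CommandLine": "ioreg -p IOUSB"},
]

def matches(rule, events):
    """Return the command lines of the events the rule fires on."""
    return [e["CommandLine"] for e in events if evaluate(rule, e)]
```

Note that the first esxcli event satisfies `selection_cmd1` of the ioreg rule (`--loghost` contains `-l`), which is why the rule also requires `selection_cmd2` and `selection_img`.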