LoFP / there are no known false positives.

Techniques

Sample rules

Osquery pack - ColdRoot detection

Description

This search looks for ColdRoot RAT events reported by the osx-attacks osquery pack (its Launchd and Files queries).

Detection logic

| from datamodel Alerts.Alerts
| search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files)
| rename columns.path as path
| bucket _time span=30s
| stats count(path) by _time, host, user, path
| `osquery_pack___coldroot_detection_filter`

Suspicious Java Classes

Description

This search looks for suspicious Java class names in POST bodies; these classes are often used to achieve remote command execution through vulnerabilities in common Java frameworks, such as Apache Struts.

Detection logic

`stream_http` http_method=POST http_content_length>1
| regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)"
| rename src_ip as src
| stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_java_classes_filter`
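The following Python is an added example, not code from this page or from the Splunk security content project. It re-implements the Suspicious Java Classes logic above over a handful of constructed stream_http-style records: the POST and content-length filters, the same case-insensitive regex, and the per-(src, dest) aggregation the stats command produces. The record layout (dicts keyed by the rule's field names) is an assumption. It also adds one step the SPL rule does not perform: percent-decoding form_data before matching, so an encoded dot such as `%2E` does not slip past the literal `\.` in the pattern.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Same pattern as the rule's regex command: case-insensitive match on the two
# java.lang classes used to spawn operating-system processes.
SUSPICIOUS_JAVA_CLASS = re.compile(r"(?i)java\.lang\.(?:runtime|processbuilder)")

# Constructed sample records (not real traffic). Field names follow the rule:
# http_method, http_content_length, form_data, src_ip, dest, url, status, ...
SAMPLE_EVENTS = [
    {"_time": 1700000000, "src_ip": "203.0.113.5", "dest": "10.0.0.8",
     "http_method": "POST", "http_content_length": 64,
     "url": "/struts/index.action", "status": 500,
     "http_user_agent": "python-requests/2.31",
     "form_data": "field=java.lang.Runtime"},
    {"_time": 1700000030, "src_ip": "203.0.113.5", "dest": "10.0.0.8",
     "http_method": "POST", "http_content_length": 72,
     "url": "/struts/login.action", "status": 200,
     "http_user_agent": "python-requests/2.31",
     # percent-encoded dots and mixed case: only matches after decoding
     "form_data": "q=JAVA%2Elang%2EProcessBuilder"},
    {"_time": 1700000060, "src_ip": "198.51.100.7", "dest": "10.0.0.8",
     "http_method": "POST", "http_content_length": 13,
     "url": "/comments", "status": 200,
     "http_user_agent": "Mozilla/5.0",
     "form_data": "comment=hello"},
    {"_time": 1700000090, "src_ip": "198.51.100.9", "dest": "10.0.0.8",
     "http_method": "GET", "http_content_length": 0,
     "url": "/docs", "status": 200,
     "http_user_agent": "Mozilla/5.0",
     # class name present, but the rule only inspects POST bodies
     "form_data": "q=java.lang.Runtime"},
]


def is_suspicious_post(event):
    """Apply the rule's three filters to one event: POST method, a body of
    more than one byte, and the suspicious class name in the form data."""
    if event.get("http_method") != "POST":
        return False
    if int(event.get("http_content_length", 0)) <= 1:
        return False
    # Added step not in the SPL rule: decode percent-encoding first so that
    # "java%2Elang%2ERuntime" is not missed by the literal \. in the pattern.
    body = unquote_plus(event.get("form_data", ""))
    return SUSPICIOUS_JAVA_CLASS.search(body) is not None


def aggregate_hits(events):
    """Mirror the rule's stats command: count, earliest/latest time and the
    distinct url/status/user-agent values, grouped by (src, dest)."""
    groups = defaultdict(list)
    for ev in events:
        if is_suspicious_post(ev):
            groups[(ev["src_ip"], ev["dest"])].append(ev)
    summary = {}
    for (src, dest), hits in groups.items():
        summary[(src, dest)] = {
            "count": len(hits),
            "firstTime": min(h["_time"] for h in hits),
            "lastTime": max(h["_time"] for h in hits),
            "uri": sorted({h["url"] for h in hits}),
            "status": sorted({h["status"] for h in hits}),
            "http_user_agent": sorted({h["http_user_agent"] for h in hits}),
        }
    return summary


if __name__ == "__main__":
    for (src, dest), row in aggregate_hits(SAMPLE_EVENTS).items():
        print(f"{src} -> {dest}: {row}")
```

Run against the constructed records, only the two POSTs from 203.0.113.5 survive the filters and collapse into one row, which is the shape an analyst triages: one source, one destination, two URIs, a 500 and a 200, and a scripted user agent. The GET carrying the same class name and the short benign POST are dropped, matching what the SPL search would do.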