Techniques
Sample rules
Osquery pack - ColdRoot detection
- source: splunk
- techniques:
Description
This search looks for ColdRoot events from the osx-attacks osquery pack.
Detection logic
| from datamodel Alerts.Alerts
| search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files)
| rename columns.path as path
| bucket _time span=30s
| stats count(path) by _time, host, user, path
| `osquery_pack___coldroot_detection_filter`
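The search above is a filter on two osquery pack query names followed by a 30-second time bucket and a count per host, user and path. To make that pipeline concrete, here is an added example that re-implements the same steps in Python over constructed osquery result events; it is not Splunk's or osquery's own code. It assumes the events carry the normalised fields the search references (`app`, `name`, `host`, `user`, `_time`, `columns.path`); the hostnames, users and file paths are placeholders made up for the example, not real ColdRoot indicators.

```python
from collections import Counter

# Constructed sample events, shaped like osquery results after Splunk has
# normalised them (name, host, user, _time, columns.path). Hosts, users and
# paths are placeholders invented for this example, not real indicators.
SAMPLE_EVENTS = [
    {"app": "osquery:results", "name": "pack_osx-attacks_OSX_ColdRoot_RAT_Launchd",
     "host": "mac-01", "user": "alice", "_time": 1700000010,
     "columns": {"path": "/Library/LaunchDaemons/EXAMPLE_coldroot.plist"}},
    {"app": "osquery:results", "name": "pack_osx-attacks_OSX_ColdRoot_RAT_Files",
     "host": "mac-01", "user": "alice", "_time": 1700000020,
     "columns": {"path": "/private/var/tmp/EXAMPLE_coldroot_file"}},
    {"app": "osquery:results", "name": "pack_osx-attacks_OSX_ColdRoot_RAT_Launchd",
     "host": "mac-01", "user": "alice", "_time": 1700000039,  # same 30s bucket as the first event
     "columns": {"path": "/Library/LaunchDaemons/EXAMPLE_coldroot.plist"}},
    {"app": "osquery:results", "name": "pack_osx-attacks_OSX_ColdRoot_RAT_Launchd",
     "host": "mac-01", "user": "alice", "_time": 1700000041,  # falls into the next bucket
     "columns": {"path": "/Library/LaunchDaemons/EXAMPLE_coldroot.plist"}},
    {"app": "osquery:results", "name": "pack_osx-attacks_OSX_Some_Other_Query",  # not a ColdRoot query: ignored
     "host": "mac-02", "user": "bob", "_time": 1700000015,
     "columns": {"path": "/tmp/unrelated"}},
    {"app": "osquery:results", "name": "pack_osx-attacks_OSX_ColdRoot_RAT_Files",  # no path column: count(path) skips it
     "host": "mac-02", "user": "bob", "_time": 1700000015, "columns": {}},
]

# The two query names the search matches on.
COLDROOT_QUERY_NAMES = {
    "pack_osx-attacks_OSX_ColdRoot_RAT_Launchd",
    "pack_osx-attacks_OSX_ColdRoot_RAT_Files",
}


def bucket_time(epoch, span_seconds=30):
    """Equivalent of `bucket _time span=30s`: floor to the start of the window."""
    return epoch - (epoch % span_seconds)


def coldroot_detection(events, span_seconds=30):
    """Return {(_time bucket, host, user, path): count} for matching events."""
    counts = Counter()
    for ev in events:
        # `search app=osquery:results (name=... OR name=...)`
        if ev.get("app") != "osquery:results" or ev.get("name") not in COLDROOT_QUERY_NAMES:
            continue
        path = ev.get("columns", {}).get("path")  # `rename columns.path as path`
        if path is None:                          # count(path) only counts non-null values
            continue
        key = (bucket_time(ev["_time"], span_seconds), ev.get("host"), ev.get("user"), path)
        counts[key] += 1
    return counts


def as_rows(counts):
    """Flatten the counter into stats-style rows, oldest bucket first."""
    return [
        {"_time": t, "host": h, "user": u, "path": p, "count": c}
        for (t, h, u, p), c in sorted(counts.items())
    ]


if __name__ == "__main__":
    for row in as_rows(coldroot_detection(SAMPLE_EVENTS)):
        print(row)
```

Note that the non-ColdRoot query and the event without a `path` column drop out, and that the two events 29 seconds apart land in one bucket while the one two seconds later starts a new row, which is exactly the behaviour of `bucket _time span=30s` followed by `stats count(path)`.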
Suspicious Java Classes
- source: splunk
- techniques:
Description
This search looks for suspicious Java classes that are often used to exploit remote command execution in common Java frameworks, such as Apache Struts.
Detection logic
`stream_http` http_method=POST http_content_length>1
| regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)"
| rename src_ip as src
| stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_java_classes_filter`
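The search above narrows stream HTTP events to POSTs with a body, applies a case-insensitive regex for the two class names, and summarises per source and destination. The following added example, which is not Splunk's security content code, reproduces those steps in Python over constructed events. It assumes the field names the search uses (`http_method`, `http_content_length`, `form_data`, `src_ip`, `dest`, `url`, `status`, `http_user_agent`, `_time`); the `ctime` helper stands in for the `security_content_ctime` macro, and the form bodies are harmless test strings that merely contain the class names the regex looks for.

```python
import re
from datetime import datetime, timezone

# Constructed stream:http style events for this example. The form bodies are
# harmless test strings containing the class names the regex matches on.
SAMPLE_HTTP = [
    {"http_method": "POST", "http_content_length": 48, "src_ip": "10.0.0.5", "dest": "web-01",
     "url": "/struts/login.action", "status": 200, "http_user_agent": "curl/8.0",
     "_time": 1700000100, "form_data": "q=java.lang.Runtime&x=1"},
    {"http_method": "POST", "http_content_length": 60, "src_ip": "10.0.0.5", "dest": "web-01",
     "url": "/struts/upload.action", "status": 500, "http_user_agent": "curl/8.0",
     "_time": 1700000160, "form_data": "q=JAVA.LANG.ProcessBuilder"},  # (?i): case-insensitive match
    {"http_method": "POST", "http_content_length": 20, "src_ip": "10.0.0.9", "dest": "web-01",
     "url": "/login", "status": 302, "http_user_agent": "Mozilla/5.0",
     "_time": 1700000200, "form_data": "user=alice&lang=java"},       # benign: no class name
    {"http_method": "GET", "http_content_length": 0, "src_ip": "10.0.0.9", "dest": "web-01",
     "url": "/?q=java.lang.Runtime", "status": 200, "http_user_agent": "Mozilla/5.0",
     "_time": 1700000210, "form_data": ""},                           # GET: outside the rule's scope
    {"http_method": "POST", "http_content_length": 30, "src_ip": "10.0.0.7", "dest": "web-02",
     "url": "/api", "status": 403, "http_user_agent": "python-requests/2.31",
     "_time": 1700000300, "form_data": "cmd=java.lang.ProcessBuilder"},
]

# Same pattern as the `regex form_data=...` stage of the search.
JAVA_CLASS_RE = re.compile(r"(?i)java\.lang\.(?:runtime|processbuilder)")


def ctime(epoch):
    """Stand-in for the `security_content_ctime` macro: epoch -> readable UTC string."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def suspicious_java_classes(events):
    """Return one summary row per (src, dest), like the `stats ... by src, dest` stage."""
    groups = {}
    for ev in events:
        # `http_method=POST http_content_length>1`
        if ev.get("http_method") != "POST" or int(ev.get("http_content_length", 0)) <= 1:
            continue
        if not JAVA_CLASS_RE.search(ev.get("form_data", "")):
            continue
        key = (ev["src_ip"], ev["dest"])  # `rename src_ip as src`, then group by src, dest
        g = groups.setdefault(key, {
            "src": ev["src_ip"], "dest": ev["dest"], "count": 0,
            "firstTime": ev["_time"], "lastTime": ev["_time"],
            "uri": set(), "status": set(), "http_user_agent": set(),
        })
        g["count"] += 1                                   # count
        g["firstTime"] = min(g["firstTime"], ev["_time"])  # earliest(_time)
        g["lastTime"] = max(g["lastTime"], ev["_time"])    # latest(_time)
        g["uri"].add(ev["url"])                            # values(url) as uri
        g["status"].add(ev["status"])                      # values(status)
        g["http_user_agent"].add(ev["http_user_agent"])    # values(http_user_agent)

    rows = []
    for g in groups.values():
        # values() yields distinct values; render them as sorted lists.
        rows.append({**g,
                     "uri": sorted(g["uri"]), "status": sorted(g["status"]),
                     "http_user_agent": sorted(g["http_user_agent"]),
                     "firstTime_ctime": ctime(g["firstTime"]),
                     "lastTime_ctime": ctime(g["lastTime"])})
    return sorted(rows, key=lambda r: (r["src"], r["dest"]))


if __name__ == "__main__":
    for row in suspicious_java_classes(SAMPLE_HTTP):
        print(row)
```

The benign login POST and the GET request with the class name in its query string both drop out, which illustrates the rule's scope: it only inspects POST bodies, so it will not flag the same string in a URL or header, and it flags the class name wherever it appears in a body, so the result still needs the `suspicious_java_classes_filter` macro and analyst review for the application's legitimate traffic.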