From 99f3975448b8ee28f66808e771166e0142042dee Mon Sep 17 00:00:00 2001
From: Nathan Burns
Date: Wed, 20 Nov 2024 21:43:45 -0800
Subject: [PATCH 01/15] add esxcli disable firewall rule
---
 ...c_creation_lnx_esxcli_firewall_disable.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml
new file mode 100644
index 00000000000..83200ab3402
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml
@@ -0,0 +1,30 @@
+title: ESXi Firewall Disabled via ESXCLI
+id: 18fba7a0-8f63-49d3-9fc4-6192fe34793c
+status: experimental
+description: Detects when the ESXi firewall is disabled via esxcli.
+references:
+ - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
+ - https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/
+author: Nathan Burns
+date: 2024-11-20
+tags:
+ - attack.t1562.004
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/esxcli'
+ selection_cli:
+ CommandLine|contains|all:
+ - 'network'
+ - 'firewall'
+ - 'set'
+ selection_enable_switch:
+ CommandLine|contains:
+ - '-e false'
+ - '--enabled false'
+ condition: 1 of selection_enable_switch and selection_img and selection_cli
+falsepositives:
+ - Legitimate system administration actions
+level: high
From 17f58a0b0cc7139ad0e05997bce3a9ab3c9daada Mon Sep 17 00:00:00 2001
From: Nathan Burns
Date: Wed, 20 Nov 2024 21:48:42 -0800
Subject: [PATCH 02/15] add shell yaml for firewall default action changed
---
 ...esxcli_firewall_default_action_changed.yml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
new file mode 100644
index 00000000000..a1fc7ea3b25
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
@@ -0,0 +1,20 @@
+title: ESXi Firewall Default Action Set to Pass
+id: e0f2e697-0352-49a3-b488-11b3dcf1c9fd
+status: experimental
+description: Detects when the ESXi firewall default action is set to PASS instead of DROP
+references:
+ -
+author: Nathan Burns
+date: 2024-11-20
+tags:
+ - attack.t1562.004
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
From 18b00a011efca67afb31134378dc73cd0cdc3be3 Mon Sep 17 00:00:00 2001
From: Nathan Burns
Date: Thu, 21 Nov 2024 21:42:58 -0800
Subject: [PATCH 03/15] add firewall default action detection
---
 ...esxcli_firewall_default_action_changed.yml | 24 +++++++++++++------
 1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
index a1fc7ea3b25..a9cfa2353af 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
@@ -1,9 +1,9 @@
 title: ESXi Firewall Default Action Set to Pass
 id: e0f2e697-0352-49a3-b488-11b3dcf1c9fd
 status: experimental
-description: Detects when the ESXi firewall default action is set to PASS instead of DROP
+description: Detects when the ESXi firewall default action is set to PASS instead of DROP.
 references:
- -
+ - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
 author: Nathan Burns
 date: 2024-11-20
 tags:
@@ -12,9 +12,19 @@ logsource:
 category: process_creation
 product: linux
 detection:
- selection:
-
- condition: selection
+ selection_img:
+ Image|endswith: '/esxcli'
+ selection_cli:
+ CommandLine|contains|all:
+ - 'network'
+ - 'firewall'
+ - 'set'
+ - 'false'
+ selection_default_action_switch:
+ CommandLine|contains:
+ - '--default-action'
+ - '-d'
+ condition: 1 of selection_default* and selection_img and selection_cli
 falsepositives:
- - Unknown
-level: critical
+ - Legitimate system administration actions
+level: high
From 010b5bf8c53c1a6e94ab57c4366de881505255c9 Mon Sep 17 00:00:00 2001
From: Nathan Burns
Date: Thu, 21 Nov 2024 21:54:56 -0800
Subject: [PATCH 04/15] add rule for vim-cmd deleting all snapshots on a VM
---
 ..._creation_lnx_vim_cmd_delete_snapshots.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_vim_cmd_delete_snapshots.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_delete_snapshots.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_delete_snapshots.yml
new file mode 100644
index 00000000000..98cf5d0273c
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_delete_snapshots.yml
@@ -0,0 +1,23 @@
+title: ESXi VM Snapshots Deleted via VIM-CMD
+id: c50a1afa-ce52-4ea2-9697-1b6d89e83c9a
+status: experimental
+description: Detects when vim-cmd is used to delete snapshots for an ESXi virtual machine.
+references:
+ - https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/
+author: Nathan Burns
+date: 2024-11-21
+tags:
+ - attack.t1485
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/vim-cmd'
+ selection_cli:
+ CommandLine|contains:
+ - 'vmsvc/snapshot.removeall'
+ condition: selection_img and selection_cli
+falsepositives:
+ - Legitimate system administration actions
+level: high
From c6d6b80e542c98180951baf42bd78b28b1566992 Mon Sep 17 00:00:00 2001
From: Nathan Burns
Date: Fri, 22 Nov 2024 16:23:29 -0800
Subject: [PATCH 05/15] add vim-cmd enable ssh detection
---
 .../proc_creation_lnx_vim_cmd_enable_ssh.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml
new file mode 100644
index 00000000000..45d5dc5e7bd
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml
@@ -0,0 +1,23 @@
+title: SSH Enable on ESXi Host via VIM-CMD
+id: fefed8a8-1cc0-46b1-9e62-5b5b32df9bb7
+status: experimental
+description: Detects when vim-cmd is used to enable SSH on an ESXi host.
+references:
+ - https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/
+author: Nathan Burns
+date: 2024-11-22
+tags:
+ - attack.t1021.004
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/vim-cmd'
+ selection_cli:
+ CommandLine|contains:
+ - 'hostsvc/enable_ssh'
+ condition: selection_*
+falsepositives:
+ - Legitimate system administration actions
+level: medium
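Review bot: The snapshot-deletion rule keys only on `'vmsvc/snapshot.removeall'`, so a VM whose snapshots are removed one at a time with the per-snapshot `vmsvc/snapshot.remove` subcommand never matches, although the outcome for recovery is the same. Either add `- 'vmsvc/snapshot.remove'` to the `CommandLine|contains` list (it is a prefix of `removeall`, so the existing value then becomes redundant) or state the gap in the description so that consumers do not assume full coverage; I have not verified on a live host which subcommand the referenced LOLESXi page lists. Separately, `attack.t1485` (Data Destruction) fits the removeall case, but if `snapshot.remove` is added a T1490 (Inhibit System Recovery) tag would describe the behaviour better — worth confirming against the ATT&CK mapping used elsewhere in the repository.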
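Review bot: The enable-SSH rule matches `'hostsvc/enable_ssh'` only, while vim-cmd also exposes `hostsvc/start_ssh` to start the daemon without changing its enabled policy; an operator who only needs a one-off session gets the same access and stays outside this rule. If the LOLESXi page the rule references lists `start_ssh` as well, consider widening the list to `- 'hostsvc/enable_ssh'` and `- 'hostsvc/start_ssh'`. The `attack.t1021.004` tag describes the later use of SSH rather than the act of switching it on; a T1562-family tag may be the better primary, but that is a mapping choice for the maintainers.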
From 8784e135f88b509a0a0be93b6cd2def0a4696d0e Mon Sep 17 00:00:00 2001
From: Nathan Burns
Date: Fri, 22 Nov 2024 16:34:37 -0800
Subject: [PATCH 06/15] update reference with lolesxi
---
 .../proc_creation_lnx_esxcli_firewall_default_action_changed.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
index a9cfa2353af..4cf0b58d5f7 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects when the ESXi firewall default action is set to PASS instead of DROP.
 references:
 - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
+ - https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/
 author: Nathan Burns
 date: 2024-11-20
 tags:
From b490be78e8ab78ebb62e33934a3f6dc95344ee72 Mon Sep 17 00:00:00 2001
From: Nathan Burns
Date: Fri, 22 Nov 2024 16:34:59 -0800
Subject: [PATCH 07/15] add disable autostart detection
---
 ...creation_lnx_vim_cmd_disable_autostart.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml
new file mode 100644
index 00000000000..efc4721b09e
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml
@@ -0,0 +1,27 @@
+title: ESXi VM Autostart Disabled via VIM-CMD
+id: 28f12744-6c57-4498-bfdc-aa727fbece49
+status: experimental
+description: Detects when vim-cmd is used to disable the autostart of an ESXi virtual machine.
+references:
+ - https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/
+author: Nathan Burns
+date: 2024-11-22
+tags:
+ - attack.t1529
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/vim-cmd'
+ selection_cli:
+ CommandLine|contains:
+ - 'hostsvc/autostartmanager/enable_autostart'
+ selection_check:
+ CommandLine|contains:
+ - '0'
+ - 'false'
+ condition: selection_img and 1 of selection_cli and 1 of selection_check
+falsepositives:
+ - Legitimate system administration actions.
+level: high
From fd5d7c35ff8bca092e9d99a536b976dff102a83e Mon Sep 17 00:00:00 2001
From: Nathan Burns
Date: Fri, 22 Nov 2024 16:42:56 -0800
Subject: [PATCH 08/15] add vim-cmd power off vm detection
---
 ...proc_creation_lnx_vim_cmd_power_off_vm.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_vim_cmd_power_off_vm.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_power_off_vm.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_power_off_vm.yml
new file mode 100644
index 00000000000..82458a6296b
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_power_off_vm.yml
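Review bot: `selection_check` tests `CommandLine|contains` for the single character `'0'`, which is true of almost any command line that carries a VM id, a path or a timestamp, so the selection adds no real constraint beyond `enable_autostart` itself and the rule effectively fires on `enable_autostart 1` as well whenever a zero appears anywhere else in the line. Since the boolean is the argument that directly follows the subcommand, the two selections collapse into one contiguous match: `CommandLine|contains: - 'hostsvc/autostartmanager/enable_autostart 0' - 'hostsvc/autostartmanager/enable_autostart false'`, with `condition: selection_img and selection_cli`. I am reading the argument layout from the subcommand name; confirm against the referenced LOLESXi entry that no option can sit between the subcommand and its value before relying on the contiguous form. The trailing period in `Legitimate system administration actions.` also differs from the sibling rules added in this series.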
@@ -0,0 +1,23 @@
+title: ESXi VM Powered Off via VIM-CMD
+id: 7e38eb5c-10b6-4853-bb8f-11163776401d
+status: experimental
+description: Detects when vim-cmd is used to power off an ESXi virtual machine.
+references:
+ - https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/
+author: Nathan Burns
+date: 2024-11-22
+tags:
+ - attack.t1529
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/vim-cmd'
+ selection_cli:
+ CommandLine|contains:
+ - 'vmsvc/power.off'
+ condition: selection_img and selection_cli
+falsepositives:
+ - Legitimate system administration actions.
+level: medium
From 8f4a7bd19c64fb886d0b7c534edc6893c0a93abd Mon Sep 17 00:00:00 2001
From: Nathan Burns
Date: Fri, 22 Nov 2024 16:46:58 -0800
Subject: [PATCH 09/15] add system discovery via vim-cmd
---
 ..._creation_lnx_vim_cmd_system_discovery.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_vim_cmd_system_discovery.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_system_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_system_discovery.yml
new file mode 100644
index 00000000000..89bf76504da
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_system_discovery.yml
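Review bot: The power-off rule lists `'vmsvc/power.off'` only, so the guest-initiated variant `vmsvc/power.shutdown`, which reaches the same end state for a VM that has tools installed, is not covered; if the intent is to catch VMs being stopped ahead of encryption, consider `- 'vmsvc/power.off'` and `- 'vmsvc/power.shutdown'` in the same list, or say in the description that only the hard power-off is in scope. I have not checked the referenced LOLESXi page for which variants it documents. The single-entry list also conflicts with the one-element-list fix applied later in this series, and the trailing period in the falsepositives entry differs from the sibling rules.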
@@ -0,0 +1,24 @@
+title: ESXi System Information Discovery via VIM-CMD
+id: d1270942-f26a-476c-a391-0fa1d25315a8
+status: experimental
+description: Detects when vim-cmd is used to discover information of an ESXi host.
+references:
+ - https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/
+author: Nathan Burns
+date: 2024-11-22
+tags:
+ - attack.t1082
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/vim-cmd'
+ selection_cli:
+ CommandLine|contains:
+ - 'hostsvc/hostsummary'
+ - 'vmsvc/getallvms'
+ condition: selection_img and selection_cli
+falsepositives:
+ - Legitimate system administration actions
+level: medium
From 71922508cf7dae95649fb4c329cb634f7aee2140 Mon Sep 17 00:00:00 2001
From: Nathan Burns
Date: Fri, 22 Nov 2024 20:38:11 -0800
Subject: [PATCH 10/15] fix using list with only 1 element
---
 .../proc_creation_lnx_vim_cmd_delete_snapshots.yml | 3 +--
 .../proc_creation_lnx_vim_cmd_disable_autostart.yml | 3 +--
 .../process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml | 3 +--
 .../proc_creation_lnx_vim_cmd_power_off_vm.yml | 3 +--
 4 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_delete_snapshots.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_delete_snapshots.yml
index 98cf5d0273c..a8f5c2044ee 100644
--- a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_delete_snapshots.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_delete_snapshots.yml
@@ -15,8 +15,7 @@ detection:
 selection_img:
 Image|endswith: '/vim-cmd'
 selection_cli:
- CommandLine|contains:
- - 'vmsvc/snapshot.removeall'
+ CommandLine|contains: 'vmsvc/snapshot.removeall'
 condition: selection_img and selection_cli
 falsepositives:
 - Legitimate system administration actions
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml
index efc4721b09e..9f77a763dc7 100644
--- a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml
@@ -15,8 +15,7 @@ detection:
 selection_img:
 Image|endswith: '/vim-cmd'
 selection_cli:
- CommandLine|contains:
- - 'hostsvc/autostartmanager/enable_autostart'
+ CommandLine|contains: 'hostsvc/autostartmanager/enable_autostart'
 selection_check:
 CommandLine|contains:
 - '0'
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml
index 45d5dc5e7bd..61fcfaa2db7 100644
--- a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml
@@ -15,8 +15,7 @@ detection:
 selection_img:
 Image|endswith: '/vim-cmd'
 selection_cli:
- CommandLine|contains:
- - 'hostsvc/enable_ssh'
+ CommandLine|contains: 'hostsvc/enable_ssh'
 condition: selection_*
 falsepositives:
 - Legitimate system administration actions
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_power_off_vm.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_power_off_vm.yml
index 82458a6296b..2f5ff11579d 100644
--- a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_power_off_vm.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_power_off_vm.yml
@@ -15,8 +15,7 @@ detection:
 selection_img:
 Image|endswith: '/vim-cmd'
 selection_cli:
- CommandLine|contains:
- - 'vmsvc/power.off'
+ CommandLine|contains: 'vmsvc/power.off'
 condition: selection_img and selection_cli
 falsepositives:
 - Legitimate system administration actions.
From 48e9f68ac5279e59475a5272a5d96bab738cddec Mon Sep 17 00:00:00 2001
From: Nathan <37495851+AlbinoGazelle@users.noreply.github.com>
Date: Sat, 23 Nov 2024 04:48:24 +0000
Subject: [PATCH 11/15] fix wildcard condition
---
 .../process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml
index 61fcfaa2db7..e07b4fbca4b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml
@@ -16,7 +16,7 @@ detection:
 Image|endswith: '/vim-cmd'
 selection_cli:
 CommandLine|contains: 'hostsvc/enable_ssh'
- condition: selection_*
+ condition: selection_img and selection_cli
 falsepositives:
 - Legitimate system administration actions
 level: medium
From 9afaa0723ce77ef61bb5b469d9529186e2d0feda Mon Sep 17 00:00:00 2001
From: Nathan <37495851+AlbinoGazelle@users.noreply.github.com>
Date: Sat, 23 Nov 2024 04:55:56 +0000
Subject: [PATCH 12/15] fix wildcards
---
 .../proc_creation_lnx_esxcli_firewall_disable.yml | 2 +-
 .../proc_creation_lnx_vim_cmd_disable_autostart.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml
index 83200ab3402..c305720d7a4 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml
@@ -24,7 +24,7 @@ detection:
 CommandLine|contains:
 - '-e false'
 - '--enabled false'
- condition: 1 of selection_enable_switch and selection_img and selection_cli
+ condition: selection_enable_switch and selection_img and selection_cli
 falsepositives:
 - Legitimate system administration actions
 level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml
index 9f77a763dc7..26701055033 100644
--- a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml
@@ -20,7 +20,7 @@ detection:
 CommandLine|contains:
 - '0'
 - 'false'
- condition: selection_img and 1 of selection_cli and 1 of selection_check
+ condition: all of selection_*
 falsepositives:
 - Legitimate system administration actions.
 level: high
From 4a77f9a7edc9b7cfaa6d9eebfcef5c11e52a0e37 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 29 Nov 2024 17:16:13 +0100
Subject: [PATCH 13/15] =?UTF-8?q?style:=20=F0=9F=92=84=20simplifies=20cond?= =?UTF-8?q?ition?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ...c_creation_lnx_esxcli_firewall_default_action_changed.yml | 3 +--
 .../proc_creation_lnx_esxcli_firewall_disable.yml | 3 +--
 .../proc_creation_lnx_vim_cmd_delete_snapshots.yml | 5 ++---
 .../proc_creation_lnx_vim_cmd_disable_autostart.yml | 1 -
 .../proc_creation_lnx_vim_cmd_enable_ssh.yml | 5 ++---
 .../proc_creation_lnx_vim_cmd_power_off_vm.yml | 5 ++---
 .../proc_creation_lnx_vim_cmd_system_discovery.yml | 5 ++---
 7 files changed, 10 insertions(+), 17 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
index 4cf0b58d5f7..b12c65358e5 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
@@ -15,7 +15,6 @@ logsource:
 detection:
 selection_img:
 Image|endswith: '/esxcli'
- selection_cli:
 CommandLine|contains|all:
 - 'network'
 - 'firewall'
@@ -25,7 +24,7 @@ detection:
 CommandLine|contains:
 - '--default-action'
 - '-d'
- condition: 1 of selection_default* and selection_img and selection_cli
+ condition: all of selection_*
 falsepositives:
 - Legitimate system administration actions
 level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml
index c305720d7a4..0ff2628f9b6 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml
@@ -15,7 +15,6 @@ logsource:
 detection:
 selection_img:
 Image|endswith: '/esxcli'
- selection_cli:
 CommandLine|contains|all:
 - 'network'
 - 'firewall'
@@ -24,7 +23,7 @@ detection:
 CommandLine|contains:
 - '-e false'
 - '--enabled false'
- condition: selection_enable_switch and selection_img and selection_cli
+ condition: all of selection_*
 falsepositives:
 - Legitimate system administration actions
 level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_delete_snapshots.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_delete_snapshots.yml
index a8f5c2044ee..4959b2a8879 100644
--- a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_delete_snapshots.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_delete_snapshots.yml
@@ -12,11 +12,10 @@ logsource:
 category: process_creation
 product: linux
 detection:
- selection_img:
+ selection:
 Image|endswith: '/vim-cmd'
- selection_cli:
 CommandLine|contains: 'vmsvc/snapshot.removeall'
- condition: selection_img and selection_cli
+ condition: selection
 falsepositives:
 - Legitimate system administration actions
 level: high
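Review bot: After `selection_cli:` is dropped in the first hunk, `selection_img` in the default-action rule carries the `CommandLine|contains|all` list as well as the `Image` filter, so its name no longer describes its contents; the same applies to the firewall-disable hunk later on this line and to the disable-autostart hunk on the next line, while the vim-cmd rules rewritten in this same commit were renamed to `selection`. For the three rules that keep a second selection and `all of selection_*`, a neutral name such as `selection_main:` keeps the wildcard working (`selection` alone would not match `selection_*`) and avoids a reader assuming the block only filters on the image. This is a naming point only; the merged mapping is valid Sigma and the condition semantics are unchanged.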
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml
index 26701055033..379f584a949 100644
--- a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml
@@ -14,7 +14,6 @@ logsource:
 detection:
 selection_img:
 Image|endswith: '/vim-cmd'
- selection_cli:
 CommandLine|contains: 'hostsvc/autostartmanager/enable_autostart'
 selection_check:
 CommandLine|contains:
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml
index e07b4fbca4b..ac0fde8d449 100644
--- a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml
@@ -12,11 +12,10 @@ logsource:
 category: process_creation
 product: linux
 detection:
- selection_img:
+ selection:
 Image|endswith: '/vim-cmd'
- selection_cli:
 CommandLine|contains: 'hostsvc/enable_ssh'
- condition: selection_img and selection_cli
+ condition: selection
 falsepositives:
 - Legitimate system administration actions
 level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_power_off_vm.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_power_off_vm.yml
index 2f5ff11579d..e7d7f0be218 100644
--- a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_power_off_vm.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_power_off_vm.yml
@@ -12,11 +12,10 @@ logsource:
 category: process_creation
 product: linux
 detection:
- selection_img:
+ selection:
 Image|endswith: '/vim-cmd'
- selection_cli:
 CommandLine|contains: 'vmsvc/power.off'
- condition: selection_img and selection_cli
+ condition: selection
 falsepositives:
 - Legitimate system administration actions.
 level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_system_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_system_discovery.yml
index 89bf76504da..5b323dc3df8 100644
--- a/rules/linux/process_creation/proc_creation_lnx_vim_cmd_system_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_cmd_system_discovery.yml
@@ -12,13 +12,12 @@ logsource:
 category: process_creation
 product: linux
 detection:
- selection_img:
+ selection:
 Image|endswith: '/vim-cmd'
- selection_cli:
 CommandLine|contains:
 - 'hostsvc/hostsummary'
 - 'vmsvc/getallvms'
- condition: selection_img and selection_cli
+ condition: selection
 falsepositives:
 - Legitimate system administration actions
 level: medium
From 7b0fe4cc5e34d2ea0d2418d56e6cbe73653bf478 Mon Sep 17 00:00:00 2001
From: Nathan <37495851+AlbinoGazelle@users.noreply.github.com>
Date: Sun, 1 Dec 2024 19:27:24 -0800
Subject: [PATCH 14/15] Update rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../proc_creation_lnx_esxcli_firewall_disable.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml
index 0ff2628f9b6..55b41e861b2 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml
@@ -19,10 +19,11 @@ detection:
 - 'network'
 - 'firewall'
 - 'set'
+ - 'false'
 selection_enable_switch:
 CommandLine|contains:
- - '-e false'
- - '--enabled false'
+ - '--enabled'
+ - '-e'
 condition: all of selection_*
 falsepositives:
 - Legitimate system administration actions
From 3df63189b7d0ee91b598bdcfd652190f094d23d3 Mon Sep 17 00:00:00 2001
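Review bot: Splitting `'--enabled false'` into a bare `'false'` in the `contains|all` list and `'--enabled'`/`'-e'` in `selection_enable_switch` widens the firewall-disable rule to any esxcli line that merely contains `network`, `firewall`, `set`, `false` and `-e` as separate substrings, and the per-ruleset form `esxcli network firewall ruleset set ... --enabled false` satisfies all five while only disabling one ruleset rather than the host firewall the title describes. Keeping the verb pair contiguous separates the two: replace the `'firewall'` and `'set'` entries with a single `- 'firewall set'` (esxcli namespaces appear in a fixed order per the referenced command reference, so the contiguous form does not lose the whole-firewall case). Note also that `'-e'` is a substring of `'--enabled'`, so the second entry never adds a match on its own; listing both is harmless but reads as if it widened coverage. The `detection:` block starts before this hunk.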
From: Nathan <37495851+AlbinoGazelle@users.noreply.github.com>
Date: Sun, 1 Dec 2024 19:27:44 -0800
Subject: [PATCH 15/15] Update rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
change from false to true, opps!
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 ...proc_creation_lnx_esxcli_firewall_default_action_changed.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
index b12c65358e5..b367b83fcdd 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
@@ -19,7 +19,7 @@ detection:
 - 'network'
 - 'firewall'
 - 'set'
- - 'false'
+ - 'true'
 selection_default_action_switch:
 CommandLine|contains:
 - '--default-action'
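Review bot: With `'true'` now a free-standing entry in the `contains|all` list, the rule cannot tell which flag the boolean belongs to, so `esxcli network firewall set --enabled true --default-action false` — re-enabling the firewall while keeping DROP, the hardening direction — contains `network`, `firewall`, `set`, `true` and `--default-action` and fires as "default action set to PASS". Binding the value to its flag fixes that: drop `'true'` from the all-list and make the switch selection `- '--default-action true'` and `- '-d true'`. Confirm against the referenced esxcli command reference whether an `=`-separated form of the option is also accepted and needs listing; I have not checked that. The `detection:` block and the `selection_default_action_switch` mapping continue outside this hunk.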