# Add new metadata fields to rules

This PR implements the parsing of new metadata to enrich security rules. Currently, we would like to add these new fields:

- `description`: a brief description of the rule
- `category`: threat category (e.g. Command and Control, Persistence, etc.)
- `severity`: severity of the rule (e.g. low, medium, high, critical)
- `mitre_tactic`: MITRE ATT&CK tactic (e.g. TA0004 - Privilege Escalation - https://attack.mitre.org/tactics/TA0004/)
- `mitre_technique`: MITRE ATT&CK technique (e.g. T1053 - Scheduled Task/Job - https://attack.mitre.org/techniques/T1053/)

The rule syntax will be as follows:

```yaml
- name: Unshadow execution start
  type: Exec
  condition: header.image ENDS_WITH "/unshadow" AND payload.argc >= 2
  category: credential_access
  severity: medium
  description: Identifies the execution of the unshadow utility which is part of John the Ripper,
    a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve
    the combined contents of the '/etc/shadow' and '/etc/password' files.
    Using the combined file generated from the utility, the malicious threat actors can use them as input
    for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.
```

Valid `severity` values are `low`, `medium`, `high`, and `critical`.

Valid `category` values are from the MITRE ATT&CK framework:

- `command_and_control`
- `credential_access`
- `defense_evasion`
- `discovery`
- `execution`
- `exfiltration`
- `generic`
- `impact`
- `initial_access`
- `lateral_movement`
- `persistence`
- `privilege_escalation`
- `reconnaissance`
- `resource_development`
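As an added example (not Pulsar's or this PR's code), a small parser and validator for the rule metadata above that enforces the `severity` and `category` value sets; `parse_rule` and `validate_metadata` are assumed names, and the flat line-folding parser stands in for a YAML library.

```rust
// Added example (not Pulsar's own code): parse and validate the flat rule
// metadata shown above; continuation lines are folded into the previous value.
use std::collections::HashMap;

const SEVERITIES: [&str; 4] = ["low", "medium", "high", "critical"];
const CATEGORIES: [&str; 14] = [
    "command_and_control", "credential_access", "defense_evasion", "discovery",
    "execution", "exfiltration", "generic", "impact", "initial_access",
    "lateral_movement", "persistence", "privilege_escalation", "reconnaissance",
    "resource_development",
];

/// Collect the `key: value` pairs of one rule into a map.
pub fn parse_rule(text: &str) -> HashMap<String, String> {
    let mut fields = HashMap::new();
    let mut last_key = String::new();
    let lines = text.lines().map(|l| l.trim().trim_start_matches("- "));
    for line in lines.filter(|l| !l.is_empty()) {
        match line.split_once(": ") {
            // A single-word key starts a new field.
            Some((k, v)) if !k.contains(' ') => {
                fields.insert(k.to_string(), v.trim().to_string());
                last_key = k.to_string();
            }
            // Anything else continues the previous field's value (YAML folding).
            _ => if let Some(v) = fields.get_mut(&last_key) {
                v.push(' ');
                v.push_str(line);
            },
        }
    }
    fields
}

/// Reject a rule whose new metadata is missing or outside the allowed sets.
pub fn validate_metadata(fields: &HashMap<String, String>) -> Result<(), String> {
    let sev = fields.get("severity").ok_or("missing severity")?;
    if !SEVERITIES.contains(&sev.as_str()) {
        return Err(format!("invalid severity {:?}", sev));
    }
    let cat = fields.get("category").ok_or("missing category")?;
    if !CATEGORIES.contains(&cat.as_str()) {
        return Err(format!("invalid category {:?}", cat));
    }
    if fields.get("description").map_or(true, |d| d.is_empty()) {
        return Err("missing description".to_string());
    }
    Ok(())
}
```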
I have

- [x] run `cargo fmt`;
- [x] run `cargo clippy`;
- [x] run `cargo test` and all tests pass;
- [ ] linked to the originating issue (if applicable).