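<group name="linux,syscheck,purple-team-fim,">

  <!--
    Purple-team FIM persistence rules. All four rules are children of the
    stock syscheck group, so they only fire if the agent's <syscheck> block
    actually monitors the paths below (add realtime="yes" or whodata="yes"
    if alerts are expected promptly or with the acting user and process).
    The syscheck group also carries the "file deleted" events, so every
    rule here fires on removal as well as on create/modify; that is useful
    for catching cleanup but is not reflected in the descriptions. Expect
    benign hits during package upgrades and local "make install" runs;
    tune those with child rules rather than by lowering levels.
  -->

  <!-- System and user cron locations: /etc/cron* (crontab, cron.d,
       cron.daily ...), /etc/anacrontab and the per-user spool under
       /var/spool/cron (Debian and RHEL layouts both share that prefix).
       The spool is where "crontab -e" persistence lands, so it must be in
       the monitored directories for this rule to be useful. -->
  <rule id="100410" level="10">
    <if_group>syscheck</if_group>
    <field name="file" type="pcre2">^(/etc/cron|/etc/anacrontab|/var/spool/cron)</field>
    <description>Cron file created or modified: $(file) - possible scheduled-task persistence</description>
    <mitre>
      <id>T1053.003</id>
    </mitre>
  </rule>

  <!-- Locally created units under /etc/systemd/system. The pattern is not
       anchored at the end, so drop-in overrides (foo.service.d/override.conf)
       and enable symlinks in *.target.wants/ are matched as well. Not
       covered: vendor units in /usr/lib/systemd/system, per-user units under
       ~/.config/systemd/user, and .timer units (those map to T1053.006). -->
  <rule id="100411" level="10">
    <if_group>syscheck</if_group>
    <field name="file" type="pcre2">^/etc/systemd/system/.+\.service</field>
    <description>Systemd unit created or modified: $(file) - possible service persistence</description>
    <mitre>
      <id>T1543.002</id>
    </mitre>
  </rule>

  <!-- Any path ending in .ssh/authorized_keys or the legacy authorized_keys2;
       both are in sshd's default AuthorizedKeysFile, and an attacker who
       writes only the second file would otherwise be missed. The pattern is
       unanchored at the start so root's and every user's home are covered,
       provided syscheck monitors them. A custom AuthorizedKeysFile set in
       sshd_config is not seen by this rule; monitor /etc/ssh/ separately. -->
  <rule id="100412" level="12">
    <if_group>syscheck</if_group>
    <field name="file" type="pcre2">\.ssh/authorized_keys2?$</field>
    <description>SSH authorized_keys modified: $(file) - possible persistence via account manipulation</description>
    <mitre>
      <id>T1098.004</id>
    </mitre>
  </rule>

  <!-- Anything written under /usr/local/bin, which is on root's PATH and is
       rarely touched by package managers, so a new or changed binary there
       is worth a look. The T1543 tag is kept from the original mapping;
       NOTE(review): a dropped tool is closer to T1105 (Ingress Tool
       Transfer), confirm which mapping is intended. -->
  <rule id="100413" level="10">
    <if_group>syscheck</if_group>
    <field name="file" type="pcre2">^/usr/local/bin/</field>
    <description>Binary placed in /usr/local/bin: $(file) - possible persistence or tooling drop</description>
    <mitre>
      <id>T1543</id>
    </mitre>
  </rule>

</group>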