Add references to rules (crowdstrike_rules)

panther-labs · Dec 11, 2023 · cc9f42e · cc9f42e
1 parent e82cd63
commit cc9f42e
Show file tree

Hide file tree

Showing 15 changed files with 15 additions and 1 deletion.
diff --git a/rules/crowdstrike_rules/aws_authentication_from_crowdstrike_unmanaged_device.yml b/rules/crowdstrike_rules/aws_authentication_from_crowdstrike_unmanaged_device.yml
@@ -3,6 +3,7 @@ Description: Detects AWS Logins from IP addresses not found in CrowdStrike's AIP
 DisplayName: "AWS Authentication From CrowdStrike Unmanaged Device"
 Enabled: false
 Filename: aws_authentication_from_crowdstrike_unmanaged_device.py
+Reference: https://www.crowdstrike.com/wp-content/uploads/2023/05/crowdstrike-falcon-device-control-data-sheet.pdf
 Severity: Medium
 Tests:
     - ExpectedResult: true

diff --git a/rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml b/rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml
@@ -11,7 +11,7 @@ Tags:
 Severity: Medium
 Description: Detects the execution of common command line tools (e.g., PowerShell, cmd.exe) with Base64 encoded arguments, which could indicate an attempt to obfuscate malicious commands.
 Runbook: Investigate the endpoint for signs of command line tool execution with Base64 encoded arguments. Review the executed command, decode the Base64 string, and analyze the original content.
-Reference: N/A
+Reference: https://www.crowdstrike.com/blog/blocking-fileless-script-based-attacks-using-falcon-script-control-feature/
 DedupPeriodMinutes: 60
 Tests:
   -

diff --git a/rules/crowdstrike_rules/crowdstrike_credential_dumping_tool.yml b/rules/crowdstrike_rules/crowdstrike_credential_dumping_tool.yml
@@ -3,6 +3,7 @@ Description: Detects usage of tools commonly used for credential dumping.
 DisplayName: "Crowdstrike Credential Dumping Tool"
 Enabled: true
 Filename: crowdstrike_credential_dumping_tool.py
+Reference: https://www.crowdstrike.com/blog/adversary-credential-theft/
 Severity: Critical
 Tests:
     - ExpectedResult: true

diff --git a/rules/crowdstrike_rules/crowdstrike_cryptomining_tools.yml b/rules/crowdstrike_rules/crowdstrike_cryptomining_tools.yml
@@ -3,6 +3,7 @@ Description: Detects the execution of known crytocurrency mining tools.
 DisplayName: "Crowdstrike Cryptomining Tools "
 Enabled: true
 Filename: crowdstrike_cryptomining_tools.py
+Reference: https://www.crowdstrike.com/cybersecurity-101/cryptojacking/
 Severity: Critical
 Tests:
     - ExpectedResult: true

diff --git a/rules/crowdstrike_rules/crowdstrike_detection_passthrough.yml b/rules/crowdstrike_rules/crowdstrike_detection_passthrough.yml
@@ -11,6 +11,7 @@ Tags:
   - Crowdstrike
 Description: Crowdstrike Falcon has detected malicious activity on a host.
 Runbook: Follow the Falcon console link and follow the IR process as needed.
+Reference: https://www.crowdstrike.com/blog/tech-center/hunt-threat-activity-falcon-endpoint-protection/
 DedupPeriodMinutes: 0
 SummaryAttributes:
   - p_any_ip_addresses

diff --git a/rules/crowdstrike_rules/crowdstrike_macos_add_trusted_cert.yml b/rules/crowdstrike_rules/crowdstrike_macos_add_trusted_cert.yml
@@ -4,6 +4,7 @@ Description: Detects attempt to install a root certificate on MacOS
 Enabled: true
 Filename: crowdstrike_macos_add_trusted_cert.py
 RuleID: Crowdstrike.Macos.Add.Trusted.Cert
+Reference: https://docs.panther.com/data-onboarding/supported-logs/crowdstrike#crowdstrike.processrollup2
 Severity: Medium
 LogTypes:
     - Crowdstrike.FDREvent

diff --git a/rules/crowdstrike_rules/crowdstrike_macos_osascript_administrator.yml b/rules/crowdstrike_rules/crowdstrike_macos_osascript_administrator.yml
@@ -4,6 +4,7 @@ Description: Detects usage of osascript with administrator privileges
 Enabled: true
 Filename: crowdstrike_macos_osascript_administrator.py
 RuleID: Crowdstrike.Macos.Osascript.Administrator
+Reference: https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
 Severity: Medium
 LogTypes:
     - Crowdstrike.FDREvent

diff --git a/rules/crowdstrike_rules/crowdstrike_macos_plutil_usage.yml b/rules/crowdstrike_rules/crowdstrike_macos_plutil_usage.yml
@@ -4,6 +4,7 @@ Description: Detects the usage of plutil to modify plist files. Plist files run
 Enabled: true
 Filename: crowdstrike_macos_plutil_usage.py
 RuleID: Crowdstrike.Macos.Plutil.Usage
+Reference: https://www.crowdstrike.com/blog/reconstructing-command-line-activity-on-macos/#:~:text=Terminal.savedState/.-,Windows.plist,-The%20file%20windows
 Severity: Medium
 LogTypes:
     - Crowdstrike.FDREvent

diff --git a/rules/crowdstrike_rules/crowdstrike_remote_access_tool_execution.yml b/rules/crowdstrike_rules/crowdstrike_remote_access_tool_execution.yml
@@ -3,6 +3,7 @@ Description: Detects usage of common remote access tools.
 DisplayName: "Crowdstrike Remote Access Tool Execution"
 Enabled: true
 Filename: crowdstrike_remote_access_tool_execution.py
+Reference: https://attack.mitre.org/techniques/T1219/
 Severity: Medium
 Tests:
     - ExpectedResult: true

diff --git a/rules/crowdstrike_rules/crowdstrike_reverse_shell_tool_executed.yml b/rules/crowdstrike_rules/crowdstrike_reverse_shell_tool_executed.yml
@@ -3,6 +3,7 @@ Description: Detects usage of tools commonly used to to establish reverse shells
 DisplayName: "Crowdstrike Reverse Shell Tool Executed"
 Enabled: true
 Filename: crowdstrike_reverse_shell_tool_executed.py
+Reference: https://attack.mitre.org/techniques/T1059/
 Severity: High
 Tests:
     - ExpectedResult: true

diff --git a/rules/crowdstrike_rules/crowdstrike_systemlog_tampering.yml b/rules/crowdstrike_rules/crowdstrike_systemlog_tampering.yml
@@ -3,6 +3,7 @@ Description: 'Detects when a user attempts to clear system logs. '
 DisplayName: "Crowdstrike Systemlog Tampering"
 Enabled: true
 Filename: crowdstrike_systemlog_tampering.py
+Reference: https://attack.mitre.org/techniques/T1070/001/
 Severity: High
 Tests:
     - ExpectedResult: true

diff --git a/rules/crowdstrike_rules/crowdstrike_unusual_parent_child_processes.yml b/rules/crowdstrike_rules/crowdstrike_unusual_parent_child_processes.yml
@@ -3,6 +3,7 @@ Description: Detects unusual parent child process pairings.
 DisplayName: "Crowdstrike Unusual Parent Child Processes"
 Enabled: true
 Filename: crowdstrike_unusual_parent_child_processes.py
+Reference: https://medium.com/falconforce/falconfriday-e4554e9e6665
 Severity: Critical
 Tests:
     - ExpectedResult: true

diff --git a/rules/crowdstrike_rules/crowdstrike_wmi_query_detection.yml b/rules/crowdstrike_rules/crowdstrike_wmi_query_detection.yml
@@ -4,6 +4,7 @@ DisplayName: "Crowdstrike WMI Query Detection"
 Enabled: true
 Filename: crowdstrike_wmi_query_detection.py
 Runbook: Investigate the endpoint for signs of WMI query execution. Review the executed query and the associated user account.
+Reference: https://learn.microsoft.com/en-us/windows/win32/wmisdk/querying-wmi
 Severity: Low
 Tests:
     - ExpectedResult: false

diff --git a/rules/crowdstrike_rules/okta_login_from_crowdstrike_unmanaged_device.yml b/rules/crowdstrike_rules/okta_login_from_crowdstrike_unmanaged_device.yml
@@ -3,6 +3,7 @@ Description: Detects Okta Logins from IP addresses not found in CrowdStrike''s A
 DisplayName: "Okta Login From CrowdStrike Unmanaged Device"
 Enabled: false
 Filename: okta_login_from_crowdstrike_unmanaged_device.py
+Reference: https://www.crowdstrike.com/wp-content/uploads/2023/05/crowdstrike-falcon-device-control-data-sheet.pdf
 Severity: Medium
 Tests:
     - ExpectedResult: true

diff --git a/rules/crowdstrike_rules/onepassword_login_from_crowdstrike_unmanaged_device.yml b/rules/crowdstrike_rules/onepassword_login_from_crowdstrike_unmanaged_device.yml
@@ -3,6 +3,7 @@ Description: Detects 1Password Logins from IP addresses not found in CrowdStrike
 DisplayName: "1Password Login From CrowdStrike Unmanaged Device"
 Enabled: false
 Filename: onepassword_login_from_crowdstrike_unmanaged_device.py
+Reference: https://www.crowdstrike.com/wp-content/uploads/2023/05/crowdstrike-falcon-device-control-data-sheet.pdf
 Severity: Medium
 Tests:
     - ExpectedResult: true