Sigma rules for CVE-2019-9945
13 rules · scoped to cve · back to CVE-2019-9945
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Google Cloud DNS Zone Modified or Deleted
id: 28268a8f-191f-4c17-85b2-f5aa4fa829c3
status: test
description: Identifies when a DNS Zone is modified or deleted in Google Cloud.
references:
- https://cloud.google.com/dns/docs/reference/v1/managedZones
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
- attack.impact
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- Dns.ManagedZones.Delete
- Dns.ManagedZones.Update
- Dns.ManagedZones.Patch
condition: selection
falsepositives:
- Unknown
level: medium
title: Google Cloud Service Account Modified
id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc
status: test
description: Identifies when a service account is modified in Google Cloud.
references:
- https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
- attack.impact
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name|endswith:
- .serviceAccounts.patch
- .serviceAccounts.create
- .serviceAccounts.update
- .serviceAccounts.enable
- .serviceAccounts.undelete
condition: selection
falsepositives:
- Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Service Account Disabled or Deleted
id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f
status: test
description: Identifies when a service account is disabled or deleted in Google Cloud.
references:
- https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
- attack.impact
- attack.t1531
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name|endswith:
- .serviceAccounts.disable
- .serviceAccounts.delete
condition: selection
falsepositives:
- Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud VPN Tunnel Modified or Deleted
id: 99980a85-3a61-43d3-ac0f-b68d6b4797b1
status: test
description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
references:
- https://any-api.com/googleapis_com/compute/docs/vpnTunnels
author: Austin Songer @austinsonger
date: 2021-08-16
modified: 2022-10-09
tags:
- attack.impact
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- compute.vpnTunnels.insert
- compute.vpnTunnels.delete
condition: selection
falsepositives:
- VPN Tunnel being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Firewall Modified or Deleted
id: fe513c69-734c-4d4a-8548-ac5f609be82b
status: test
description: Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
references:
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
- https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html
author: Austin Songer @austinsonger
date: 2021-08-13
modified: 2022-10-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- v*.Compute.Firewalls.Delete
- v*.Compute.Firewalls.Patch
- v*.Compute.Firewalls.Update
- v*.Compute.Firewalls.Insert
condition: selection
falsepositives:
- Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.
- Exceptions can be added to this rule to filter expected behavior.
level: medium
title: Google Cloud Kubernetes RoleBinding
id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
status: test
description: Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
references:
- https://github.com/elastic/detection-rules/pull/1267
- https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole
- https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
author: Austin Songer @austinsonger
date: 2021-08-09
modified: 2022-10-09
tags:
- attack.credential-access
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- io.k8s.authorization.rbac.v*.clusterrolebindings.create
- io.k8s.authorization.rbac.v*.rolebindings.create
- io.k8s.authorization.rbac.v*.clusterrolebindings.patch
- io.k8s.authorization.rbac.v*.rolebindings.patch
- io.k8s.authorization.rbac.v*.clusterrolebindings.update
- io.k8s.authorization.rbac.v*.rolebindings.update
- io.k8s.authorization.rbac.v*.clusterrolebindings.delete
- io.k8s.authorization.rbac.v*.rolebindings.delete
condition: selection
falsepositives:
- RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud SQL Database Modified or Deleted
id: f346bbd5-2c4e-4789-a221-72de7685090d
status: test
description: Detect when a Cloud SQL DB has been modified or deleted.
references:
- https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update
author: Austin Songer @austinsonger
date: 2021-10-15
modified: 2022-12-25
tags:
- attack.impact
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- cloudsql.instances.create
- cloudsql.instances.delete
- cloudsql.users.update
- cloudsql.users.delete
condition: selection
falsepositives:
- SQL Database being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Kubernetes Admission Controller
id: 6ad91e31-53df-4826-bd27-0166171c8040
status: test
description: |
Identifies when an admission controller is executed in GCP Kubernetes.
A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.
An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
- https://cloud.google.com/kubernetes-engine/docs
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-18
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
- attack.credential-access
- attack.t1552
- attack.t1552.007
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v'
gcp.audit.method_name|contains:
- '.mutatingwebhookconfigurations.'
- '.validatingwebhookconfigurations.'
gcp.audit.method_name|endswith:
- 'create'
- 'patch'
- 'replace'
condition: selection
falsepositives:
- Google Cloud Kubernetes Admission Controller may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Kubernetes Secrets Modified or Deleted
id: 2f0bae2d-bf20-4465-be86-1311addebaa3
status: test
description: Identifies when the Secrets are Modified or Deleted.
references:
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
author: Austin Songer @austinsonger
date: 2021-08-09
modified: 2022-10-09
tags:
- attack.credential-access
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- io.k8s.core.v*.secrets.create
- io.k8s.core.v*.secrets.update
- io.k8s.core.v*.secrets.patch
- io.k8s.core.v*.secrets.delete
condition: selection
falsepositives:
- Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Storage Buckets Modified or Deleted
id: 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0
status: test
description: Detects when storage bucket is modified or deleted in Google Cloud.
references:
- https://cloud.google.com/storage/docs/json_api/v1/buckets
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
- attack.impact
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- storage.buckets.delete
- storage.buckets.insert
- storage.buckets.update
- storage.buckets.patch
condition: selection
falsepositives:
- Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Re-identifies Sensitive Information
id: 234f9f48-904b-4736-a34c-55d23919e4b7
status: test
description: Identifies when sensitive information is re-identified in google Cloud.
references:
- https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
- attack.impact
- attack.t1565
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name: projects.content.reidentify
condition: selection
falsepositives:
- Unknown
level: medium
title: Google Cloud Kubernetes CronJob
id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
status: test
description: |
Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.
Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.
An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
references:
- https://cloud.google.com/kubernetes-engine/docs
- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- https://kubernetes.io/docs/concepts/workloads/controllers/job/
author: Austin Songer @austinsonger
date: 2021-11-22
modified: 2022-12-25
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- io.k8s.api.batch.v*.Job
- io.k8s.api.batch.v*.CronJob
condition: selection
falsepositives:
- Google Cloud Kubernetes CronJob/Job may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Storage Buckets Enumeration
id: e2feb918-4e77-4608-9697-990a1aaf74c3
status: test
description: Detects when storage bucket is enumerated in Google Cloud.
references:
- https://cloud.google.com/storage/docs/json_api/v1/buckets
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
- attack.discovery
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- storage.buckets.list
- storage.buckets.listChannels
condition: selection
falsepositives:
- Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low