|
| 1 | +[metadata] |
| 2 | +creation_date = "2025/11/28" |
| 3 | +integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] |
| 4 | +maturity = "production" |
| 5 | +updated_date = "2025/11/28" |
| 6 | + |
| 7 | +[rule] |
| 8 | +author = ["Elastic"] |
| 9 | +description = """ |
| 10 | +This rule detects the execution of Gitleaks, a tool used to search for high-entropy strings and secrets in code |
| 11 | +repositories, which may indicate an attempt to access credentials. |
| 12 | +""" |
| 13 | +false_positives = [ |
| 14 | + """ |
| 15 | + Gitleaks is a legitimate open-source tool used by security professionals and developers to search for sensitive |
| 16 | + information, such as passwords, API keys, and other secrets, within code repositories. It is commonly employed |
| 17 | + during security assessments and code reviews to identify potential vulnerabilities. |
| 18 | + """, |
| 19 | +] |
| 20 | +from = "now-9m" |
| 21 | +index = [ |
| 22 | + "endgame-*", |
| 23 | + "logs-crowdstrike.fdr*", |
| 24 | + "logs-endpoint.events.process-*", |
| 25 | + "logs-m365_defender.event-*", |
| 26 | + "logs-sentinel_one_cloud_funnel.*", |
| 27 | + "logs-system.security*", |
| 28 | + "logs-windows.forwarded*", |
| 29 | + "logs-windows.sysmon_operational-*", |
| 30 | + "winlogbeat-*", |
| 31 | + "auditbeat-*", |
| 32 | + "logs-auditd_manager.auditd-*" |
| 33 | +] |
| 34 | +language = "eql" |
| 35 | +license = "Elastic License v2" |
| 36 | +name = "Potential Secret Scanning via Gitleaks" |
| 37 | +note = """ |
| 38 | +
|
| 39 | +""" |
| 40 | +references = [ |
| 41 | + "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise", |
| 42 | + "https://socket.dev/blog/shai-hulud-strikes-again-v2", |
| 43 | +] |
| 44 | +risk_score = 47 |
| 45 | +rule_id = "f92171ed-a4d3-4baa-98f9-4df1652cb11b" |
| 46 | +severity = "medium" |
| 47 | +tags = [ |
| 48 | + "Domain: Endpoint", |
| 49 | + "OS: Linux", |
| 50 | + "OS: Windows", |
| 51 | + "OS: macOS", |
| 52 | + "Use Case: Threat Detection", |
| 53 | + "Tactic: Credential Access", |
| 54 | + "Data Source: Elastic Endgame", |
| 55 | + "Data Source: Elastic Defend", |
| 56 | + "Data Source: Windows Security Event Logs", |
| 57 | + "Data Source: Microsoft Defender for Endpoint", |
| 58 | + "Data Source: Sysmon", |
| 59 | + "Data Source: SentinelOne", |
| 60 | + "Data Source: Crowdstrike", |
| 61 | + "Data Source: Auditd Manager", |
| 62 | + "Resources: Investigation Guide", |
| 63 | +] |
| 64 | +timestamp_override = "event.ingested" |
| 65 | +type = "eql" |
| 66 | +query = ''' |
| 67 | +process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and |
| 68 | +process.name : ("gitleaks.exe", "gitleaks") |
| 69 | +''' |
| 70 | + |
| 71 | +[[rule.threat]] |
| 72 | +framework = "MITRE ATT&CK" |
| 73 | + |
| 74 | +[[rule.threat.technique]] |
| 75 | +id = "T1003" |
| 76 | +name = "OS Credential Dumping" |
| 77 | +reference = "https://attack.mitre.org/techniques/T1003/" |
| 78 | + |
| 79 | +[[rule.threat.technique]] |
| 80 | +id = "T1555" |
| 81 | +name = "Credentials from Password Stores" |
| 82 | +reference = "https://attack.mitre.org/techniques/T1555/" |
| 83 | + |
| 84 | +[rule.threat.tactic] |
| 85 | +id = "TA0006" |
| 86 | +name = "Credential Access" |
| 87 | +reference = "https://attack.mitre.org/tactics/TA0006/" |
0 commit comments