From d3aa31b41551187bcae177cc5d538f975ee2680a Mon Sep 17 00:00:00 2001 From: Rahul pandey <33161951+rahulisationn@users.noreply.github.com> Date: Mon, 7 Apr 2025 08:36:28 -0500 Subject: [PATCH 1/4] Add files via upload Detects the activation of a Wi-Fi hotspot on Ubuntu systems via NetworkManager, based on syslog logs. When a user enables the "Hotspot" feature, it effectively shares the machine's internet connection with nearby devices using wireless tethering. Monitoring for hotspot activations helps enforce network security policies and detect potential misuse, insider threats, or policy violations. --- ...slog_networkmanager_hotspot_activation.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml
diff --git a/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml b/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml
new file mode 100644
index 00000000000..a634fa5385b
--- /dev/null
+++ b/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml
@@ -0,0 +1,33 @@
+title: Ubuntu Hotspot Activation via NetworkManager
+id: 9b741eb3-8f1d-4f8e-8e28-4377d8e537c4
+status: experimental
+description: Detects when a user enables a WiFi hotspot on Ubuntu using NetworkManager, based on syslog entries.
+author: Rahul Pandey
+date: 2025/04/07
+references: []
+logsource:
+ product: linux
+ service: syslog
+ category: operating-system
+detection:
+ selection:
+ message|contains:
+ - 'connection-activate'
+ - 'name="Hotspot"'
+ - 'result="success"'
+ condition: selection
+fields:
+ - message
+ - uid
+ - pid
+ - hostname
+falsepositives:
+ - Users intentionally using hotspot for legitimate reasons
+ - Admins testing hotspot configurations
+level: medium
+tags:
+ - attack.collection
+ - attack.t1040
+ - network
+ - hotspot
+
From adb9be4c9b6a5bbcfe762381376fb85ae9572cc1 Mon Sep 17 00:00:00 2001 
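Review bot: The `message|contains:` list under `detection.selection` is an OR across its three values, so any syslog line containing `result="success"` or any NetworkManager `connection-activate` event will fire the rule, not only hotspot activations; since the three fragments are expected on the same log line, the modifier should be `message|contains|all:`, and this selection is carried unchanged through the later patches in the series. In `logsource`, `category: operating-system` next to `service: syslog` does not look like a standard Sigma category and could be dropped, `product: linux` with `service: syslog` being the conventional pair, though that is worth confirming against the repository's logsource list. `attack.t1040` maps to Network Sniffing, which is not what enabling a hotspot does; if no ATT&CK technique fits, leave the technique tag out rather than mis-map. `references: []` is valid, but a pointer to the NetworkManager log format the strings were taken from would let reviewers validate the match terms.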
From: Rahul pandey <33161951+rahulisationn@users.noreply.github.com> Date: Mon, 7 Apr 2025 10:35:36 -0500 Subject: [PATCH 2/4] Update linux_syslog_networkmanager_hotspot_activation.yml "Fix indentation and YAML formatting for Sigma rule" --- ...slog_networkmanager_hotspot_activation.yml | 46 +++++++++---------- 1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml b/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml
index a634fa5385b..381c05e3604 100644
--- a/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml
+++ b/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml 
@@ -1,33 +1,33 @@ -title: Ubuntu Hotspot Activation via NetworkManager +title: 'Ubuntu Hotspot Activation via NetworkManager' id: 9b741eb3-8f1d-4f8e-8e28-4377d8e537c4 status: experimental -description: Detects when a user enables a WiFi hotspot on Ubuntu using NetworkManager, based on syslog entries. -author: Rahul Pandey -date: 2025/04/07 +description: 'Detects when a user enables a WiFi hotspot on Ubuntu using NetworkManager, based on syslog entries.' +author: 'Rahul Pandey' +date: 2025-04-07 references: [] logsource: - product: linux - service: syslog - category: operating-system + product: linux + service: syslog + category: operating-system detection: - selection: - message|contains: - - 'connection-activate' - - 'name="Hotspot"' - - 'result="success"' - condition: selection + selection: + message|contains: + - 'connection-activate' + - 'name="Hotspot"' + - 'result="success"' + condition: selection fields: - - message - - uid - - pid - - hostname + - message + - uid + - pid + - hostname falsepositives: - - Users intentionally using hotspot for legitimate reasons - - Admins testing hotspot configurations + - 'Users intentionally using hotspot for legitimate reasons' + - 'Admins testing hotspot configurations' level: medium tags: - - attack.collection - - attack.t1040 - - network - - hotspot + - attack.collection + - attack.t1040 + - network + - hotspot From 5cae46129bccea7fbe6087948a22e9a018623e27 Mon Sep 17 00:00:00 2001 From: Rahul pandey <33161951+rahulisationn@users.noreply.github.com> Date: Mon, 7 Apr 2025 10:48:57 -0500 Subject: [PATCH 3/4] Update linux_syslog_networkmanager_hotspot_activation.yml Tags Updated --- .../linux_syslog_networkmanager_hotspot_activation.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml b/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml index 381c05e3604..2b05f4a8510 100644 
--- a/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml
+++ b/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml
@@ -28,6 +28,5 @@ level: medium tags: - attack.collection - attack.t1040 - - network - - hotspot + From 516f1146abbb1484960b73e99c7f6aa864ab83b4 Mon Sep 17 00:00:00 2001 From: Rahul pandey <33161951+rahulisationn@users.noreply.github.com> Date: Mon, 7 Apr 2025 10:51:03 -0500 Subject: [PATCH 4/4] Update linux_syslog_networkmanager_hotspot_activation.yml Trailing space removed --- .../linux_syslog_networkmanager_hotspot_activation.yml | 1 - 1 file changed, 1 deletion(-)
diff --git a/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml b/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml
index 2b05f4a8510..df56aaac8b4 100644
--- a/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml
+++ b/rules/linux/network_connection/linux_syslog_networkmanager_hotspot_activation.yml
@@ -28,5 +28,4 @@ level: medium tags: - attack.collection - attack.t1040 -