From 2b5715303ff2d57418433854aa45b62723d7ba14 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Tue, 28 Apr 2026 04:57:30 +0545
Subject: [PATCH] Merge PR #5908 from @swachchhanda000 - Fix fps and improve metadata of several Linux rules
fix: Linux Logs Clearing Attempts - Add new filters for sysstat and dmesg legitimate command deletion
fix: Disable Or Stop Services - Add new filters for legitimate service stoppoing via systemctl for snapd, asw and others
fix: Potential Suspicious Change To Sensitive/Critical Files - Add filters for `/^*` and `s/^` usage with sed
fix: Persistence Via Sudoers.d Files - Add filter for dpkg writing README
fix: Chmod Targeting Sensitive Directories - enhance metadata and add multipel filters for legit use cases
---
 ...le_event_lnx_persistence_sudoers_files.yml | 20 +++++---
 ..._chmod_targeting_sensitive_directories.yml | 46 +++++++++++++++++++
 .../proc_creation_lnx_clear_logs.yml | 17 +++++--
 ...creation_lnx_services_stop_and_disable.yml | 32 +++++++++++--
 ...oc_creation_lnx_susp_chmod_directories.yml | 27 ----------
 ...reation_lnx_susp_sensitive_file_access.yml | 14 +++++-
 6 files changed, 112 insertions(+), 44 deletions(-)
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_chmod_targeting_sensitive_directories.yml
 delete mode 100644 rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
diff --git a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
index 0ec367ad4..cd8cba5aa 100644
--- a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
+++ b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
@@ -1,24 +1,30 @@
-title: Persistence Via Sudoers Files
+title: Persistence Via Sudoers.d Files
 id: ddb26b76-4447-4807-871f-1b035b2bfa5d
 status: test
-description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.
+description: |
+ Detects the creation or modification of files within the "sudoers.d" directory on Linux systems.
+ Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions.
+ Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.
 references:
 - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-05
-modified: 2022-12-31
+modified: 2026-03-18
 tags:
 - attack.privilege-escalation
- - attack.execution
 - attack.persistence
- - attack.t1053.003
+ - attack.defense-evasion
+ - attack.t1548.003
 logsource:
 product: linux
 category: file_event
 detection:
 selection:
 TargetFilename|startswith: '/etc/sudoers.d/'
- condition: selection
+ filter_main_dpkg:
+ Image|endswith: '/usr/bin/dpkg'
+ TargetFilename: '/etc/sudoers.d/README.dpkg-new'
+ condition: selection and not 1 of filter_main_*
 falsepositives:
- - Creation of legitimate files in sudoers.d folder part of administrator work
+ - Creation of legitimate files in sudoers.d folder as part of administrator work
 level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_chmod_targeting_sensitive_directories.yml b/rules/linux/process_creation/proc_creation_lnx_chmod_targeting_sensitive_directories.yml
new file mode 100644
index 000000000..e546b8b02
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_chmod_targeting_sensitive_directories.yml
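Review bot: `filter_main_dpkg` excludes only the temporary name `/etc/sudoers.d/README.dpkg-new`; if the file_event source also records dpkg moving that file into place as `/etc/sudoers.d/README`, the rule will still fire on the same package operation (presumably every install or upgrade of the package that ships that README), and the exclusion would need a second entry for the final name, kept bound to `Image|endswith: '/usr/bin/dpkg'`. Whether that second event exists depends on the collector, which the patch does not show. Pinning the filter to the dpkg image plus an exact filename is the right shape; a bare `TargetFilename|endswith: '.dpkg-new'` would let any writer into this directory past the rule.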
@@ -0,0 +1,46 @@
+title: Chmod Targeting Sensitive Directories
+id: 6419afd1-3742-47a5-a7e6-b50386cd15f8
+status: test
+description: |
+ Detects chmod targeting files in sensitive directory paths on Linux systems.
+ Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
+references:
+ - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
+author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
+date: 2022-06-03
+modified: 2026-03-18
+tags:
+ - attack.defense-evasion
+ - attack.t1222.002
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/chmod'
+ CommandLine|contains:
+ - '/tmp/'
+ - '/.Library/'
+ - '/etc/'
+ - '/opt/'
+ filter_main_update_shells:
+ CommandLine|contains: 'chmod --reference=/etc/shells'
+ ParentCommandLine|endswith: '/update-shells'
+ filter_main_postinst:
+ CommandLine|contains: '/etc/'
+ ParentCommandLine|contains|all:
+ - '/var/lib/dpkg/info/'
+ - '.postinst configure'
+ filter_main_apt_key:
+ CommandLine|startswith: 'chmod 700 /tmp/apt-key-gpghome.'
+ filter_main_mkinitramfs:
+ CommandLine|startswith: 'chmod 755 /var/tmp/mkinitramfs'
+ filter_main_landscape:
+ CommandLine: 'chmod 0775 /etc/landscape/'
+ filter_main_ubuntu_apparmor:
+ CommandLine: 'chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Some false positives are to be expected. Apply additional filters as needed before pushing to production.
+level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml b/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml
index 202156876..6eb667775 100644
--- a/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml
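Review bot: `filter_main_apt_key` and `filter_main_mkinitramfs` are prefix-only exclusions (`CommandLine|startswith`), so every chmod whose command line begins with that prefix is dropped whatever else the line carries; the same shape appears in `filter_main_legit_systat`/`filter_main_dmseg` in proc_creation_lnx_clear_logs.yml and, with an `|endswith` anchor added, in `filter_main_mdadm.conf` in proc_creation_lnx_susp_sensitive_file_access.yml. Where the legitimate call has a fixed target, an exact `CommandLine:` value as `filter_main_landscape` uses, or a `CommandLine|re` anchored at both ends for the random apt-key directory suffix, keeps each exclusion to the one invocation it was written for. `filter_main_postinst` covers only `.postinst configure`; dpkg runs `.preinst`, `.prerm` and `.postrm` scripts from the same `/var/lib/dpkg/info/` directory, so further noise from those is to be expected, and all six filters appear to be Debian/Ubuntu specific with nothing equivalent for rpm-based hosts. The falsepositives entry already says tuning is expected, so this is documentation of where rather than a blocker; a one-line comment above `filter_main_postinst` naming that scope would help the next tuner.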
+++ b/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml
@@ -1,12 +1,14 @@
-title: Clear Linux Logs
+title: Linux Logs Clearing Attempts
 id: 80915f59-9b56-4616-9de0-fd0dea6c12fe
 status: stable
-description: Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
+description: |
+ Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories.
+ Adversaries often try to clear logs to cover their tracks after performing malicious activities.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
 author: Ömer Günal, oscd.community
 date: 2020-10-07
-modified: 2022-09-15
+modified: 2026-03-18
 tags:
 - attack.defense-evasion
 - attack.t1070.002
@@ -17,12 +19,19 @@ detection:
 selection:
 Image|endswith:
 - '/rm' # covers /rmdir as well
+ - '/rmdir'
 - '/shred'
 - '/unlink'
 CommandLine|contains:
 - '/var/log'
 - '/var/spool/mail'
- condition: selection
+ filter_main_legit_systat:
+ Image|endswith: '/rm'
+ CommandLine|startswith: 'rm -f /var/log/sysstat/'
+ filter_main_dmseg:
+ Image|endswith: '/rm'
+ CommandLine|startswith: 'rm -f -- /var/log//dmesg' # // before dmesg is not typo
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Legitimate administration activities
 level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
index 4d5599781..27f84ad35 100644
--- a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
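Review bot: The comment on the kept `- '/rm'` entry, `# covers /rmdir as well`, is contradicted by the `- '/rmdir'` line added directly beneath it; an `endswith` on `/rm` never matched `/rmdir`, which is presumably why the entry was added, so the comment should go and the line read just `- '/rm'`. The two new filter identifiers misspell the tools they exclude, `filter_main_legit_systat` for sysstat and `filter_main_dmseg` for dmesg, which will defeat anyone grepping the rule set for either tool later; `filter_main_sysstat` and `filter_main_dmesg` match the values they hold. The `# // before dmesg is not typo` comment is useful and should stay with the renamed filter.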
@@ -1,13 +1,19 @@
 title: Disable Or Stop Services
 id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
 status: test
-description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
+description: |
+ Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems.
+ Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
 references:
 - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-15
+modified: 2025-03-18
 tags:
 - attack.defense-evasion
+ - attack.t1562
+ - attack.impact
+ - attack.t1489
 logsource:
 category: process_creation
 product: linux
@@ -18,9 +24,27 @@ detection:
 - '/systemctl'
 - '/chkconfig'
 CommandLine|contains:
- - 'stop'
- - 'disable'
- condition: selection
+ - ' stop '
+ - ' disable '
+ filter_main_legit_snapd:
+ Image|endswith: '/systemctl'
+ CommandLine|contains:
+ - '--no-reload disable snap-snapd-'
+ - ' stop snap-snapd-'
+ filter_main_ssh_preinstall:
+ Image|endswith: '/systemctl'
+ ParentCommandLine|contains: 'tmp.ci/preinst upgrade'
+ CommandLine|contains|all:
+ - ' stop '
+ - 'ssh.'
+ filter_main_ubuntu_upgrade:
+ ParentCommandLine|contains: '/dpkg/info/ubuntu-pro-client.prerm upgrade'
+ Image|endswith: '/systemctl'
+ filter_optional_aws_agent:
+ Image|endswith: '/systemctl'
+ CommandLine|endswith: 'snap.amazon-ssm-agent.amazon-ssm-agent.service'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Legitimate administration activities
+ - Some false positives are to be expected. Apply additional filters as needed before pushing to production.
 level: medium
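Review bot: `modified: 2025-03-18` is a year behind the `2026-03-18` every other rule in this patch receives and behind the patch's own date; if the rule was edited as part of this change, it is presumably a typo for `modified: 2026-03-18`. The added `attack.impact`/`attack.t1489` pair fits a rule about stopping services and is a reasonable complement to `attack.t1562`.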
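Review bot: Tightening the verbs to `' stop '` and `' disable '` requires a space on both sides, which drops the `service <name> stop` form where the verb is the last token and has no trailing space; the description still lists 'service' among the covered utilities, and if `/service` is in the part of the Image list above this hunk that path is now silently uncovered. Keeping only the leading space, `- ' stop'` and `- ' disable'`, preserves the left word boundary that the change was after while still matching the verb-last form. `filter_main_ubuntu_upgrade` excludes every systemctl call spawned by the ubuntu-pro-client prerm with no CommandLine constraint; that is probably intended, but a one-line comment saying so would stop a later tuner from "fixing" it. The start of `selection` lies outside the hunk.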
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml b/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
deleted file mode 100644
index b24b41b5b..000000000
--- a/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Chmod Suspicious Directory
-id: 6419afd1-3742-47a5-a7e6-b50386cd15f8
-status: test
-description: Detects chmod targeting files in abnormal directory paths.
-references:
- - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
-author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
-date: 2022-06-03
-tags:
- - attack.defense-evasion
- - attack.t1222.002
-logsource:
- product: linux
- category: process_creation
-detection:
- selection:
- Image|endswith: '/chmod'
- CommandLine|contains:
- - '/tmp/'
- - '/.Library/'
- - '/etc/'
- - '/opt/'
- condition: selection
-falsepositives:
- - Admin changing file permissions.
-level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml b/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml
index d56ff8274..4a8ab15c0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml
@@ -1,11 +1,15 @@
 title: Potential Suspicious Change To Sensitive/Critical Files
 id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
 status: test
-description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
+description: |
+ Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
+ These files include, but are not limited to, system configuration files, authentication files, and critical application files.
+ Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
 references:
 - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
 author: '@d4ns4n_ (Wuerth-Phoenix)'
 date: 2023-05-30
+modified: 2026-03-18
 tags:
 - attack.impact
 - attack.t1565.001
@@ -44,7 +48,13 @@ detection:
 - '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/'
 - '/usr/bin/'
 - '/usr/local/bin/'
- condition: 1 of selection_img_* and selection_paths
+ filter_main_mdadm.conf:
+ Image|endswith: '/bin/sed'
+ CommandLine|startswith:
+ - 'sed -i /^*'
+ - 'sed -ne s/^'
+ CommandLine|endswith: '/etc/mdadm/mdadm.conf'
+ condition: 1 of selection_img_* and selection_paths and not 1 of filter_main_*
 falsepositives:
 - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
 level: medium
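Review bot: `filter_main_mdadm.conf` carries a dot in its detection identifier, which no other identifier in this patch does; `filter_main_mdadm_conf` is the conventional form and avoids any question of how the `filter_main_*` wildcard in the condition and the repository validators treat the dot. The filter pins only the start (`sed -i /^*`, `sed -ne s/^`) and the end (`/etc/mdadm/mdadm.conf`) of the command line, so the exclusion is not limited to invocations whose sole target is mdadm.conf; if, as the commit message implies, a single known script produces these calls, a ParentCommandLine or ParentImage condition for it would narrow the exclusion (the patch does not show which script that is). A short comment above the filter naming the producing script would make the exclusion reviewable later. `selection_paths` begins outside the hunk.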