Merge PR #5908 from @swachchhanda000 - Fix fps and improve metadata of several Linux rules

fix: Linux Logs Clearing Attempts - Add new filters for sysstat and dmesg legitimate command deletion fix: Disable Or Stop Services - Add new filters for legitimate service stoppoing via systemctl for snapd, asw and others fix: Potential Suspicious Change To Sensitive/Critical Files - Add filters for `/^*` and `s/^` usage with sed fix: Persistence Via Sudoers.d Files - Add filter for dpkg writing README fix: Chmod Targeting Sensitive Directories - enhance metadata and add multipel filters for legit use cases
2026-04-28 04:57:30 +05:45
parent 66f7ac9a4d
commit 2b5715303f
6 changed files with 112 additions and 44 deletions
@@ -1,24 +1,30 @@
-title: Persistence Via Sudoers Files
+title: Persistence Via Sudoers.d Files
 id: ddb26b76-4447-4807-871f-1b035b2bfa5d
 status: test
-description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.
+description: |
+    Detects the creation or modification of files within the "sudoers.d" directory on Linux systems.
+    Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions.
+    Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.
 references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-05
-modified: 2022-12-31
+modified: 2026-03-18
 tags:
    - attack.privilege-escalation
-    - attack.execution
    - attack.persistence
-    - attack.t1053.003
+    - attack.defense-evasion
+    - attack.t1548.003
 logsource:
    product: linux
    category: file_event
 detection:
    selection:
        TargetFilename|startswith: '/etc/sudoers.d/'
-    condition: selection
+    filter_main_dpkg:
+        Image|endswith: '/usr/bin/dpkg'
+        TargetFilename: '/etc/sudoers.d/README.dpkg-new'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
-    - Creation of legitimate files in sudoers.d folder part of administrator work
+    - Creation of legitimate files in sudoers.d folder as part of administrator work
 level: medium
@@ -0,0 +1,46 @@
+title: Chmod Targeting Sensitive Directories
+id: 6419afd1-3742-47a5-a7e6-b50386cd15f8
+status: test
+description: |
+    Detects chmod targeting files in sensitive directory paths on Linux systems.
+    Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
+references:
+    - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
+author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
+date: 2022-06-03
+modified: 2026-03-18
+tags:
+    - attack.defense-evasion
+    - attack.t1222.002
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/chmod'
+        CommandLine|contains:
+            - '/tmp/'
+            - '/.Library/'
+            - '/etc/'
+            - '/opt/'
+    filter_main_update_shells:
+        CommandLine|contains: 'chmod --reference=/etc/shells'
+        ParentCommandLine|endswith: '/update-shells'
+    filter_main_postinst:
+        CommandLine|contains: '/etc/'
+        ParentCommandLine|contains|all:
+            - '/var/lib/dpkg/info/'
+            - '.postinst configure'
+    filter_main_apt_key:
+        CommandLine|startswith: 'chmod 700 /tmp/apt-key-gpghome.'
+    filter_main_mkinitramfs:
+        CommandLine|startswith: 'chmod 755 /var/tmp/mkinitramfs'
+    filter_main_landscape:
+        CommandLine: 'chmod 0775 /etc/landscape/'
+    filter_main_ubuntu_apparmor:
+        CommandLine: 'chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Some false positives are to be expected. Apply additional filters as needed before pushing to production.
+level: medium
@@ -1,12 +1,14 @@
-title: Clear Linux Logs
+title: Linux Logs Clearing Attempts
 id: 80915f59-9b56-4616-9de0-fd0dea6c12fe
 status: stable
-description: Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
+description: |
+    Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories.
+    Adversaries often try to clear logs to cover their tracks after performing malicious activities.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
 author: Ömer Günal, oscd.community
 date: 2020-10-07
-modified: 2022-09-15
+modified: 2026-03-18
 tags:
    - attack.defense-evasion
    - attack.t1070.002
@@ -17,12 +19,19 @@ detection:
    selection:
        Image|endswith:
            - '/rm'    # covers /rmdir as well
+            - '/rmdir'
            - '/shred'
            - '/unlink'
        CommandLine|contains:
            - '/var/log'
            - '/var/spool/mail'
-    condition: selection
+    filter_main_legit_systat:
+        Image|endswith: '/rm'
+        CommandLine|startswith: 'rm -f /var/log/sysstat/'
+    filter_main_dmseg:
+        Image|endswith: '/rm'
+        CommandLine|startswith: 'rm -f -- /var/log//dmesg' # // before dmesg is not typo
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Legitimate administration activities
 level: medium
@@ -1,13 +1,19 @@
 title: Disable Or Stop Services
 id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
 status: test
-description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
+description: |
+    Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems.
+    Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
 references:
    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-15
+modified: 2025-03-18
 tags:
    - attack.defense-evasion
+    - attack.t1562
+    - attack.impact
+    - attack.t1489
 logsource:
    category: process_creation
    product: linux
@@ -20,7 +26,25 @@ detection:
        CommandLine|contains:
            - ' stop '
            - ' disable '
-    condition: selection
+    filter_main_legit_snapd:
+        Image|endswith: '/systemctl'
+        CommandLine|contains:
+            - '--no-reload disable snap-snapd-'
+            - ' stop snap-snapd-'
+    filter_main_ssh_preinstall:
+        Image|endswith: '/systemctl'
+        ParentCommandLine|contains: 'tmp.ci/preinst upgrade'
+        CommandLine|contains|all:
+            - ' stop '
+            - 'ssh.'
+    filter_main_ubuntu_upgrade:
+        ParentCommandLine|contains: '/dpkg/info/ubuntu-pro-client.prerm upgrade'
+        Image|endswith: '/systemctl'
+    filter_optional_aws_agent:
+        Image|endswith: '/systemctl'
+        CommandLine|endswith: 'snap.amazon-ssm-agent.amazon-ssm-agent.service'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Legitimate administration activities
+    - Some false positives are to be expected. Apply additional filters as needed before pushing to production.
 level: medium
@@ -1,27 +0,0 @@
-title: Chmod Suspicious Directory
-id: 6419afd1-3742-47a5-a7e6-b50386cd15f8
-status: test
-description: Detects chmod targeting files in abnormal directory paths.
-references:
-    - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
-    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
-author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
-date: 2022-06-03
-tags:
-    - attack.defense-evasion
-    - attack.t1222.002
-logsource:
-    product: linux
-    category: process_creation
-detection:
-    selection:
-        Image|endswith: '/chmod'
-        CommandLine|contains:
-            - '/tmp/'
-            - '/.Library/'
-            - '/etc/'
-            - '/opt/'
-    condition: selection
-falsepositives:
-    - Admin changing file permissions.
-level: medium
@@ -1,11 +1,15 @@
 title: Potential Suspicious Change To Sensitive/Critical Files
 id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
 status: test
-description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
+description: |
+    Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
+    These files include, but are not limited to, system configuration files, authentication files, and critical application files.
+    Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
 references:
    - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
 author: '@d4ns4n_ (Wuerth-Phoenix)'
 date: 2023-05-30
+modified: 2026-03-18
 tags:
    - attack.impact
    - attack.t1565.001
@@ -44,7 +48,13 @@ detection:
            - '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/'
            - '/usr/bin/'
            - '/usr/local/bin/'
-    condition: 1 of selection_img_* and selection_paths
+    filter_main_mdadm.conf:
+        Image|endswith: '/bin/sed'
+        CommandLine|startswith:
+            - 'sed -i /^*'
+            - 'sed -ne s/^'
+        CommandLine|endswith: '/etc/mdadm/mdadm.conf'
+    condition: 1 of selection_img_* and selection_paths and not 1 of filter_main_*
 falsepositives:
    - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
 level: medium