rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml

[metadata]
creation_date = "2023/12/11"
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a
threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short
time interval could indicate application exploitation attempts.
"""
from = "now-9m"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Buffer Overflow Attack Detected"
risk_score = 21
rule_id = "b7c05aaf-78c2-4558-b069-87fa25973489"
setup = """## Setup


This rule leverages alert data from other prebuilt detection rules to function correctly. 

### Dependent Elastic Detection Rule Enablement
As a higher-order rule (based on other detections), this rule also requires the following prerequisite Elastic detection rule to be installed and enabled:
- Segfault Detected (5c81fc9d-1eae-437f-ba07-268472967013)
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Initial Access",
    "Use Case: Vulnerability",
    "Rule Type: Higher-Order Rule",
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
kibana.alert.rule.rule_id:"5c81fc9d-1eae-437f-ba07-268472967013" and host.os.type:linux and event.kind:signal
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.threshold]
field = ["event.kind", "host.id"]
value = 100
[New Rule] Potential Buffer Overflow Attack Detected (#3312 ) 2024-01-22 16:28:22 +01:00			`[metadata]`
			`creation_date = "2023/12/11"`
			`maturity = "production"`
Back-porting Version Trimming (#3704 ) 2024-05-23 00:45:10 +05:30			`updated_date = "2024/05/21"`
[New Rule] Potential Buffer Overflow Attack Detected (#3312 ) 2024-01-22 16:28:22 +01:00
			`[rule]`
			`author = ["Elastic"]`
			`description = """`
			`Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a`
			`threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short`
			`time interval could indicate application exploitation attempts.`
			`"""`
			`from = "now-9m"`
			`index = [".alerts-security.*"]`
			`language = "kuery"`
			`license = "Elastic License v2"`
			`name = "Potential Buffer Overflow Attack Detected"`
			`risk_score = 21`
			`rule_id = "b7c05aaf-78c2-4558-b069-87fa25973489"`
[Security Content] Small tweaks on the setup guides (#3308 ) 2024-03-11 09:09:40 -03:00			`setup = """## Setup`

[New Rule] Potential Buffer Overflow Attack Detected (#3312 ) 2024-01-22 16:28:22 +01:00
			`This rule leverages alert data from other prebuilt detection rules to function correctly.`

			`### Dependent Elastic Detection Rule Enablement`
			`As a higher-order rule (based on other detections), this rule also requires the following prerequisite Elastic detection rule to be installed and enabled:`
			`- Segfault Detected (5c81fc9d-1eae-437f-ba07-268472967013)`
			`"""`
			`severity = "low"`
			`tags = [`
Back-porting Version Trimming (#3704 ) 2024-05-23 00:45:10 +05:30			`"Domain: Endpoint",`
			`"OS: Linux",`
			`"Use Case: Threat Detection",`
			`"Tactic: Privilege Escalation",`
			`"Tactic: Initial Access",`
			`"Use Case: Vulnerability",`
			`"Rule Type: Higher-Order Rule",`
			`]`
[New Rule] Potential Buffer Overflow Attack Detected (#3312 ) 2024-01-22 16:28:22 +01:00			`timestamp_override = "event.ingested"`
			`type = "threshold"`
Back-porting Version Trimming (#3704 ) 2024-05-23 00:45:10 +05:30
[New Rule] Potential Buffer Overflow Attack Detected (#3312 ) 2024-01-22 16:28:22 +01:00			`query = '''`
[Bug] Fix test_os_and_platform_in_query test and rules (#3695 ) 2024-05-20 08:43:30 -07:00			`kibana.alert.rule.rule_id:"5c81fc9d-1eae-437f-ba07-268472967013" and host.os.type:linux and event.kind:signal`
[New Rule] Potential Buffer Overflow Attack Detected (#3312 ) 2024-01-22 16:28:22 +01:00			`'''`

Back-porting Version Trimming (#3704 ) 2024-05-23 00:45:10 +05:30
[New Rule] Potential Buffer Overflow Attack Detected (#3312 ) 2024-01-22 16:28:22 +01:00			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1068"`
			`name = "Exploitation for Privilege Escalation"`
			`reference = "https://attack.mitre.org/techniques/T1068/"`

Back-porting Version Trimming (#3704 ) 2024-05-23 00:45:10 +05:30
[New Rule] Potential Buffer Overflow Attack Detected (#3312 ) 2024-01-22 16:28:22 +01:00			`[rule.threat.tactic]`
			`id = "TA0004"`
			`name = "Privilege Escalation"`
			`reference = "https://attack.mitre.org/tactics/TA0004/"`
			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1190"`
			`name = "Exploit Public-Facing Application"`
			`reference = "https://attack.mitre.org/techniques/T1190/"`

Back-porting Version Trimming (#3704 ) 2024-05-23 00:45:10 +05:30
[New Rule] Potential Buffer Overflow Attack Detected (#3312 ) 2024-01-22 16:28:22 +01:00			`[rule.threat.tactic]`
			`id = "TA0001"`
			`name = "Initial Access"`
			`reference = "https://attack.mitre.org/tactics/TA0001/"`

			`[rule.threshold]`
			`field = ["event.kind", "host.id"]`
			`value = 100`