From 00923dcde17adaeea3daff7899bdf7ab0e23cbe3 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 14 Apr 2021 16:41:37 +0200
Subject: [PATCH] [Rule Tuning] Setuid / Setgid Bit Set via chmod (#1032)

* [Rule Tuning] Setuid / Setgid Bit Set via chmod

* update date

* Update rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 ...ation_setuid_setgid_bit_set_via_chmod.toml | 30 ++++++++++++++++---
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
index 7b5095135..428b72f1e 100644
--- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
+++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/10"
 
 [rule]
 author = ["Elastic"]
@@ -26,8 +26,31 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category:process AND event.type:(start OR process_started) AND process.name:chmod AND
- process.args:("+s" OR "u+s" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/)
+event.category:process AND event.type:(start OR process_started) AND
+ process.name:chmod AND process.args:("+s" OR "u+s" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND
+ NOT process.args:
+ (
+ /.*\/Applications\/VirtualBox.app\/.+/ OR
+ /\/usr\/local\/lib\/python.+/ OR
+ /\/var\/folders\/.+\/FP.*nstallHelper/ OR
+ /\/Library\/Filesystems\/.+/ OR
+ /\/usr\/lib\/virtualbox\/.+/ OR
+ /\/Library\/Application.*/ OR
+ "/run/postgresql" OR
+ "/var/crash" OR
+ "/var/run/postgresql" OR
+ /\/usr\/bin\/.+/ OR /\/usr\/local\/share\/.+/ OR
+ /\/Applications\/.+/ OR /\/usr\/libexec\/.+/ OR
+ "/var/metrics" OR /\/var\/lib\/dpkg\/.+/ OR
+ /\/run\/log\/journal\/.*/ OR
+ \/Users\/*\/.minikube\/bin\/docker-machine-driver-hyperkit
+ ) AND
+ NOT process.parent.executable:
+ (
+ /\/var\/lib\/docker\/.+/ OR
+ "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service" OR
+ "/var/lib/dpkg/info/whoopsie.postinst"
+ )
 '''
 
 
@@ -55,4 +78,3 @@ framework = "MITRE ATT&CK"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
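Review bot: The last `process.args` exclusion, `\/Users\/*\/.minikube\/bin\/docker-machine-driver-hyperkit`, is the only entry in the list that is neither quoted nor wrapped in `/.../`, so it will not be treated as a pattern the way its siblings are (the rule's `language` key is outside the hunk, so which parser applies cannot be confirmed here), and even inside a regex the `*` after `\/Users\/` repeats the preceding slash rather than matching a user-name segment; `/\/Users\/.+\/.minikube\/bin\/docker-machine-driver-hyperkit/` would give it the same form and intent as the other entries. Separately, several of the new exclusions are very broad for a setuid/setgid detection: `/\/usr\/bin\/.+/`, `/\/Applications\/.+/` and `/\/Library\/Application.*/` suppress any chmod event carrying an argument under those directories, and because `process.args` is a multi-valued field the whole event is dropped as soon as any one argument matches, so a setuid bit newly set on a file in those trees is no longer visible to this rule. It would be worth narrowing these to the specific installer or package paths that produced the noise, or at least recording the rationale for each exclusion in the rule's description, since a `#` comment cannot be placed inside the `'''` literal without becoming part of the query. The `query` value is complete within the hunk.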