[Rule Tuning] Linux Rules (#3092)

* [Rule Tuning] [WIP] Linux DR

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Fixed tag

* Added additional tuning

* unit test fix

* Additional tuning

* tuning

* added max signals

* Added max_signals=1 to brute force rules

* Cross-Platform Tuning

* Small fix

* new_terms conversion

* typo

* new_terms conversion

* Ransomware rule tuning

* performance tuning

* new_terms conversion for auditd_manager

* tune

* Need coffee

* kql/eql stuff

* formatting improvement

* new_terms sudo hijacking conversion

* exclusion

* Deprecations that were added last tuning

* Deprecations that were added last tuning

* Increased max timespan for brute force rules

* version bump

* added domain tag

* Two tunings

* More tuning

* Additional tuning

* updated_date bump

* query optimization

* Tuning

* Readded the exclusions for this one

* Changed int comparison

* Some tunings

* Update persistence_systemd_scheduled_timer_created.toml

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml

* Update rules/linux/command_and_control_cat_network_activity.toml

* Update persistence_message_of_the_day_execution.toml

* Changed max_signals

* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"

This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.

* Revertable merge

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* File name change

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2023-10-23 16:28:58 +02:00
committed by GitHub
parent 7254c582c5
commit 020fff3aea
60 changed files with 749 additions and 422 deletions
@@ -1,10 +1,11 @@
[metadata]
creation_date = "2020/02/18"
deprecation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
maturity = "deprecated"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/25"
updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
@@ -23,27 +24,37 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Deprecated - Potential DNS Tunneling via Iodine"
note = """This rule was deprecated due to its addition to the umbrella `Potential Linux Tunneling and/or Port Forwarding` (6ee947e9-de7e-4281-a55d-09289bdf947e) rule."""
note = "This rule was deprecated due to its addition to the umbrella `Potential Linux Tunneling and/or Port Forwarding` (6ee947e9-de7e-4281-a55d-09289bdf947e) rule."
references = ["https://code.kryo.se/iodine/"]
risk_score = 73
rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
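Review bot: Deprecating this rule narrows iodine coverage, because the query kept here (`process.name:(iodine or iodined)`) fired on any start of iodine/iodined, whereas the umbrella rule it is folded into (6ee947e9…, also touched in this commit) only matches when `process.parent.name` is an interactive shell, so iodine(d) launched from a systemd unit, cron entry or dropper binary is no longer covered. The deprecation note should state that trade-off, e.g. `note = "This rule was deprecated due to its addition to the umbrella ... rule. The umbrella rule requires a shell parent process; iodine(d) started from a service or scheduled task is not covered by it."`. The `[rule]` table begins before this hunk.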
@@ -1,10 +1,11 @@
[metadata]
creation_date = "2023/06/26"
deprecation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
maturity = "deprecated"
min_stack_comments = "The linux.advanced.capture_env_vars option for Elastic Defend has been introduced in 8.6.0"
min_stack_version = "8.6.0"
updated_date = "2023/10/12"
updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
@@ -65,63 +66,72 @@ references = ["https://www.getambassador.io/resources/code-injection-on-linux-an
risk_score = 21
rule_id = "4973e46b-a663-41b8-a875-ced16dda2bb0"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Tactic: Persistence",
"Tactic: Privilege Escalation",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
@@ -30,31 +30,36 @@ references = ["https://attack.mitre.org/techniques/T1571/"]
risk_score = 21
rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: macOS", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"OS: macOS",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by process.entity_id with maxspan=1m
[process where event.action == "exec" and process.name:"ssh"]
[network where process.name:"ssh"
and event.action in ("connection_attempted", "connection_accepted")
and destination.port != 22
and destination.ip != "127.0.0.1"
and network.transport: "tcp"
]
[process where event.action == "exec" and process.name:"ssh" and not process.parent.name in (
"rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest", "git-lfs", "expect", "Sourcetree", "ssh-copy-id",
"run"
)
]
[network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and
destination.port != 22 and destination.ip != "127.0.0.1" and network.transport: "tcp"
]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1571"
name = "Non-Standard Port"
reference = "https://attack.mitre.org/techniques/T1571/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
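Review bot: The parent-name allowlist added to the first sequence step is spoofable, since `process.parent.name` is only the basename and `run`, `expect` and `git` are trivial names for an attacker's launcher script to carry, which then keeps ssh out of the second step entirely. Anchor the exclusions on `process.parent.executable` where the path is stable (e.g. `/usr/bin/rsync`, `/usr/bin/git`, `/usr/bin/scp`) and keep bare names only for tools without one. The network step also still excludes only `destination.ip != "127.0.0.1"`, so `::1` and the rest of `127.0.0.0/8` will alert; the sibling `cat` rule in this same commit uses `cidrmatch(destination.ip, "127.0.0.0/8", ..., "::1")`, which would be the consistent form here.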
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
@@ -55,7 +55,14 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: macOS",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -94,25 +101,32 @@ process.name : "grep" and user.id != "0" and
"osquery*",
"elastic-endpoint*"
) and
not (process.args : "Avast" and process.args : "Passwords")
not (
(process.args : "Avast" and process.args : "Passwords") or
(process.parent.args : "/opt/McAfee/agent/scripts/ma" and process.parent.args : "checkhealth") or
(process.command_line : (
"grep ESET Command-line scanner, version %s -A2",
"grep -i McAfee Web Gateway Core version:",
"grep --color=auto ESET Command-line scanner, version %s -A2"
)
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"
[[rule.threat.technique.subtechnique]]
id = "T1518.001"
name = "Security Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/001/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
@@ -58,7 +58,14 @@ references = [
risk_score = 73
rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Execution",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -69,21 +76,21 @@ process where event.type in ("start", "process_started") and
/* noisy FPs */
not (process.parent.name : "timeout" and process.executable : "/var/lib/docker/overlay*") and
not process.command_line : ("*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*", "*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*") and
not process.command_line : (
"*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*",
"*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*", "*/dev/tcp/itom-vault/*") and
not process.parent.command_line : "runc init"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
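Review bot: The new `not process.parent.command_line : "runc init"` exclusion removes every process whose direct parent is the container init, which is exactly where a malicious image entrypoint such as `bash -c "bash -i >& /dev/tcp/..."` sits, so a reverse shell baked into a container's `CMD` is no longer detected. If the goal is to suppress bootstrap or health-check noise, exclude on the specific `process.command_line` patterns observed (as the hunk already does with `*/dev/tcp/itom-vault/*`) rather than on the parent. The hostname-based entries (`sirh_db`, `kafka`, `itom-vault`, `elk.stag.one`) are environment-specific and read better as rule exceptions than as hard-coded query text. The enclosing `process where` query starts before this hunk.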
@@ -2,9 +2,9 @@
creation_date = "2021/01/19"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
language = "kuery"
license = "Elastic License v2"
name = "Suspicious JAVA Child Process"
note = """## Triage and analysis
@@ -60,32 +60,46 @@ references = [
risk_score = 47
rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Execution",
"Resources: Investigation Guide",
"Use Case: Vulnerability",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
type = "new_terms"
query = '''
process where event.type in ("start", "process_started") and
process.parent.name : "java" and
process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget")
event.category:process and event.type:("start" or "process_started") and process.parent.name:"java" and process.name:(
"sh" or "bash" or "dash" or "ksh" or "tcsh" or "zsh" or "curl" or "wget"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
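Review bot: Keying the new_terms on `host.id` plus the full `process.command_line` means a given command line alerts once per host per 7 days, so a compromised JVM that repeats the same `curl ... | sh` produces one alert and then goes quiet; the rule description or `note` should say this, and `process.executable` would be a more stable second key than the raw command line if the aim is "new tool spawned by java" rather than "new argument string". Separately, the ATT&CK mapping visible here, T1059.007 (JavaScript), does not fit a rule about children of `java`; the matched children are shells, curl and wget, so T1059.004 (Unix Shell) appears to be the intended sub-technique. The `[rule]` table begins before this hunk.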
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
@@ -73,7 +73,8 @@ any where
miss this, which is the purpose of the process + command line args logic below */
(
event.category == "file" and event.type in ("change", "creation") and
file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts")
file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") and
not process.name in ("dockerd", "rootlesskit", "podman", "crio")
)
or
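Review bot: The file-event branch now excludes on bare `process.name` (`dockerd`, `rootlesskit`, `podman`, `crio`), and on Linux that is just the basename, so an editor or custom binary renamed to `dockerd` can rewrite `/etc/hosts` without triggering this branch. Anchor the exclusion on the executable path instead, e.g. `not process.executable in ("/usr/bin/dockerd", "/usr/bin/rootlesskit", "/usr/bin/podman", "/usr/bin/crio")` (exact paths to be confirmed against the fleet); the Windows `hosts` path in the same clause is unaffected either way. The enclosing `any where` query starts before this hunk and continues past it.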
@@ -81,26 +82,25 @@ any where
(
event.category == "process" and event.type in ("start") and
process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and
process.args : ("/etc/hosts")
process.args : ("/etc/hosts") and
not process.parent.name in ("dhclient-script", "google_set_hostname")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
@@ -2,9 +2,9 @@
creation_date = "2020/12/21"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
@@ -29,9 +29,16 @@ references = [
risk_score = 47
rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: macOS",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Tactic: Persistence",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "query"
type = "new_terms"
query = '''
event.category:file and event.type:change and
@@ -40,19 +47,11 @@ event.category:file and event.type:change and
(* and
not
(
/bin/yum or
"/usr/sbin/pam-auth-update" or
/usr/libexec/packagekitd or
/usr/bin/dpkg or
/usr/bin/vim or
/usr/libexec/xpcproxy or
/usr/bin/bsdtar or
/usr/local/bin/brew or
/usr/bin/rsync or
/usr/bin/yum or
/var/lib/docker/*/bin/yum or
/var/lib/docker/*/bin/dpkg or
./merged/var/lib/docker/*/bin/dpkg or
"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service"
)
) and
@@ -62,32 +61,45 @@ event.category:file and event.type:change and
/tmp/newroot/lib/*/pam_*.so or
/private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or
/tmp/newroot/usr/lib64/security/pam_*.so
) and
not process.name:
(
yum or dnf or rsync or platform-python or authconfig or rpm or pdkg or apk or dnf-automatic or btrfs or
dpkg or pam-auth-update or steam or platform-python3.6 or pam-config or microdnf or yum_install or yum-cron or
systemd or containerd or pacman
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
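Review bot: The new `not process.name:(yum or dnf or rsync or ...)` allowlist is a bare-name match, so an attacker dropping a `pam_*.so` with a copy tool named `rsync`, `rpm` or `systemd` bypasses the rule even though the new_terms keys on `process.executable`; the previous form of this query anchored package managers to `/usr/bin/dpkg`, `/usr/bin/yum` and similar paths, and that anchoring should be kept for every entry that has a stable install path. The entry `pdkg` also looks like a typo for `dpkg`, which already appears on the following line, so it currently matches nothing. The `query` begins before this hunk.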
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
@@ -24,26 +24,22 @@ references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-
risk_score = 47
rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: macOS",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and event.type:change and
process.name:(* and not (sudo or
vim or
zsh or
env or
nano or
bash or
Terminal or
xpcproxy or
login or
cat or
cp or
launchctl or
java)) and
not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and
process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or
launchctl or java or dnf or tailwatchd or ldconfig or yum or semodule or cpanellogd or dockerd or authselect or chmod or
dnf-automatic or git or dpkg or platform-python)) and
not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*) and
file.path:(/private/etc/rc.local or
/etc/rc.local or
/home/*/.profile or
@@ -55,22 +51,20 @@ event.category:file and event.type:change and
/Users/*/.zshenv)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.004"
name = "Unix Shell Configuration Modification"
reference = "https://attack.mitre.org/techniques/T1546/004/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -2,9 +2,9 @@
creation_date = "2020/12/22"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
@@ -20,9 +20,16 @@ name = "SSH Authorized Keys File Modification"
risk_score = 47
rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Tactic: Persistence",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "query"
type = "new_terms"
query = '''
event.category:file and event.type:(change or creation) and
@@ -42,13 +49,14 @@ event.category:file and event.type:(change or creation) and
/opt/jc/bin/jumpcloud-agent)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.004"
name = "SSH Authorized Keys"
@@ -59,14 +67,14 @@ id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1563"
name = "Remote Service Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"
[[rule.threat.technique.subtechnique]]
id = "T1563.001"
name = "SSH Hijacking"
@@ -76,6 +84,7 @@ reference = "https://attack.mitre.org/techniques/T1563/001/"
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
@@ -85,3 +94,11 @@ reference = "https://attack.mitre.org/techniques/T1021/004/"
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
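Review bot: With new_terms keyed on `host.id`, `process.executable` and `file.path`, a second write to the same `authorized_keys` file by the same executable within 7 days is silent, which matters for a persistence rule: once the first `vim` edit of `/home/user/.ssh/authorized_keys` on a host has alerted, a backdoor key added the same way later that week produces nothing. The rule description should state this suppression explicitly, and the 7-day window is worth weighing against the 14-day window chosen for the network rule in this same commit. The `[rule]` table begins before this hunk.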
@@ -2,9 +2,9 @@
creation_date = "2020/04/13"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
@@ -22,28 +22,34 @@ rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
type = "new_terms"
query = '''
event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
@@ -53,10 +53,10 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
[process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name == "cat"]
[network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and
process.name == "cat"]
[process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "cat" and
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
[network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and process.name == "cat" and
destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
'''
[[rule.threat]]
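Review bot: The `cidrmatch` list added to the network step covers `::1` but not IPv6 link-local or multicast, while the unknown-executable network rule in this commit excludes `FE80::/10` and `FF00::/8`; a consistent form would be `cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1", "fe80::/10", "ff00::/8")`. The new `process.parent.name in (...shells...)` requirement on the first step also drops `cat` spawned by non-shell parents (a python or perl dropper, or a cron entry executing a binary directly), which should be recorded in the rule description as an accepted gap. The `[rule]` table begins before this hunk.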
@@ -57,19 +57,21 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ((
// gost & pivotnacci - spawned without process.parent.name
(process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or (
// ssh
(process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "D", "-w") and process.args_count >= 4)) or
// sshuttle
(process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or
// socat
(process.name == "socat" and process.args : ("TCP4-LISTEN:*", "SOCKS*") and process.args_count >= 3) or
// chisel
(process.name : "chisel*" and process.args in ("client", "server")) or
// iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok
(process.name in ("iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok"))
) and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"))
// gost & pivotnacci - spawned without process.parent.name
(process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or (
// ssh
(process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "D", "-w") and process.args_count >= 4 and
not process.args : "chmod")) or
// sshuttle
(process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or
// socat
(process.name == "socat" and process.args : ("TCP4-LISTEN:*", "SOCKS*") and process.args_count >= 3) or
// chisel
(process.name : "chisel*" and process.args in ("client", "server")) or
// iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok
(process.name in ("iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok"))
) and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
)
'''
[[rule.threat]]
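Review bot: `process.args in ("-R", "-L", "D", "-w")` uses a bare `D` where `-D` (dynamic SOCKS forward) is almost certainly intended, so `ssh -D 1080 user@host`, the most common SSH pivot, never matches this branch; and because `in` is an exact match, attached forms like `-R1080:...` or `-L8080:...` are missed as well, which `process.args : ("-R*", "-L*", "-D*", "-w*")` would cover. The new `not process.args : "chmod"` exclusion is keyed on attacker-controlled input: appending a `chmod` token to the remote command (`ssh -R 1080:localhost:1080 host chmod`) suppresses the alert, so if the intent is to tolerate `ssh host chmod ...` one-liners, exclude only when none of the forwarding flags are present rather than on the word alone. The full query, including the shell-parent requirement, is visible in this hunk.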
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/07/31"
updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
@@ -23,69 +23,35 @@ name = "Suspicious Network Activity to the Internet by Previously Unknown Execut
risk_score = 21
rule_id = "53617418-17b4-4e9c-8a2c-8deb8086ca4b"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:linux and event.category:network and
event.action:(connection_attempted or ipv4_connection_attempt_event) and
process.executable : (
(/etc/crontab or
/etc/rc.local or
/boot/* or
/dev/shm/* or
/etc/cron.*/* or
/etc/init.d/* or
/etc/rc*.d/* or
/etc/update-motd.d/* or
/home/*/.* or
/run/* or
/srv/* or
/tmp/* or
/usr/lib/update-notifier/* or
/var/tmp/*) and
not (/usr/bin/apt or
/usr/bin/curl or
/usr/bin/dnf or
/usr/bin/dockerd or
/usr/bin/dpkg or
/usr/bin/rpm or
/usr/bin/wget or
/usr/bin/yum)
)
and source.ip : (
10.0.0.0/8 or
127.0.0.0/8 or
172.16.0.0/12 or
192.168.0.0/16) and
not destination.ip : (
10.0.0.0/8 or
100.64.0.0/10 or
127.0.0.0/8 or
169.254.0.0/16 or
172.16.0.0/12 or
192.0.0.0/24 or
192.0.0.0/29 or
192.0.0.10/32 or
192.0.0.170/32 or
192.0.0.171/32 or
192.0.0.8/32 or
192.0.0.9/32 or
192.0.2.0/24 or
192.168.0.0/16 or
192.175.48.0/24 or
192.31.196.0/24 or
192.52.193.0/24 or
192.88.99.0/24 or
198.18.0.0/15 or
198.51.100.0/24 or
203.0.113.0/24 or
224.0.0.0/4 or
240.0.0.0/4 or
"::1" or
"FE80::/10" or
"FF00::/8")
host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and
process.executable:(
(/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or
/etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/*
) and not (/tmp/newroot/* or /tmp/snap.rootfs*)
) and
source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and
not process.name:(
apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or
saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform*
) and
not destination.ip:(
10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or
192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or
192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or
198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8"
)
'''
[[rule.threat]]
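Review bot: Replacing the full-path exclusions (`/usr/bin/apt`, `/usr/bin/curl`, `/usr/bin/dpkg`, ...) with bare `process.name` patterns such as `python*`, `php*`, `pip*`, `aws*`, `curl`, `node` and `java` undercuts the rule's premise: it watches executables under `/tmp`, `/dev/shm`, `/home/*/.*`, `/run` and now `./*`, and a dropped binary named `/tmp/python3` or `/dev/shm/curl` is exactly what should alert, yet it is now excluded by name before the new_terms logic ever sees its `process.executable`. Keep the previous shape, anchoring exclusions on `process.executable` outside the watched directories, and reserve name matching only for interpreter wrappers that legitimately live under `/home/*/.*` (pyenv/nvm-style installs, if that is the noise being tuned), scoped to those paths. The `[rule]` table begins before this hunk.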
@@ -103,8 +69,8 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
[rule.new_terms]
field = "new_terms_fields"
value = ["destination.ip", "process.executable"]
value = ["host.id", "destination.ip", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
value = "now-14d"
@@ -2,9 +2,9 @@
creation_date = "2020/12/22"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/10/23"
[rule]
author = ["Elastic"]
@@ -60,9 +60,17 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Collection",
"Tactic: Credential Access",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "query"
type = "new_terms"
query = '''
event.category:process and host.os.type:linux and event.type:start and
@@ -99,39 +107,46 @@ event.category:process and host.os.type:linux and event.type:start and
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1560"
name = "Archive Collected Data"
reference = "https://attack.mitre.org/techniques/T1560/"
[[rule.threat.technique.subtechnique]]
id = "T1560.001"
name = "Archive via Utility"
reference = "https://attack.mitre.org/techniques/T1560/001/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.command_line", "process.parent.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
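Review bot: The new `value = ["host.id", "process.command_line", "process.parent.executable"]` line keys novelty on the full command line, so any variation in arguments (generated file names, paths, timestamps) yields a fresh term and an alert, which presumably weakens the suppression the new_terms conversion is meant to provide; the same field is introduced in the File Permission Modification section and the kernel-module enumeration section further down. A short comment above the line recording why command_line was preferred over process.executable would help the next tuner judge the trade-off. The history window also differs between converted rules in this commit (`now-10d` here, `now-14d` elsewhere) without a stated reason.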
@@ -4,7 +4,7 @@ integration = ["system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/28"
updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
@@ -17,6 +17,7 @@ from = "now-9m"
index = ["logs-system.auth-*"]
language = "eql"
license = "Elastic License v2"
max_signals = 5
name = "Potential External Linux SSH Brute Force Detected"
note = """## Triage and analysis
@@ -59,10 +60,14 @@ In case this rule generates too much noise and external brute forcing is of not
risk_score = 21
rule_id = "fa210b61-b627-4e5e-86f4-17e8270656ab"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
tags = ["Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access"
]
type = "eql"
query = '''
sequence by host.id, source.ip, user.name with maxspan=5s
sequence by host.id, source.ip, user.name with maxspan=15s
[ authentication where host.os.type == "linux" and
event.action in ("ssh_login", "user_login") and event.outcome == "failure" and
not cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
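Review bot: `max_signals = 5` caps the alerts this rule can emit per execution, but nothing records why five was chosen; with `from = "now-9m"` and a sequence keyed by host.id, source.ip and user.name, a burst from many source addresses or against many accounts in one run surfaces only the first five, which shapes what responders see. Suggest `# Cap alerts per run: brute-force bursts otherwise flood the alert index; tune together with maxspan below` directly above the key. The same cap and the maxspan increase appear in the internal SSH brute force section that follows. The cidrmatch list continues past the end of the hunk.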
@@ -4,7 +4,7 @@ integration = ["system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/28"
updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
@@ -17,6 +17,7 @@ from = "now-9m"
index = ["logs-system.auth-*"]
language = "eql"
license = "Elastic License v2"
max_signals = 5
name = "Potential Internal Linux SSH Brute Force Detected"
note = """## Triage and analysis
@@ -55,10 +56,14 @@ The rule identifies consecutive internal SSH login failures targeting a user acc
risk_score = 47
rule_id = "1c27fa22-7727-4dd3-81c0-de6da5555feb"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
tags = ["Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access"
]
type = "eql"
query = '''
sequence by host.id, source.ip, user.name with maxspan=5s
sequence by host.id, source.ip, user.name with maxspan=15s
[ authentication where host.os.type == "linux" and
event.action in ("ssh_login", "user_login") and event.outcome == "failure" and
cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
@@ -4,7 +4,7 @@ integration = ["system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/05"
updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
@@ -50,10 +50,15 @@ The rule identifies consecutive SSH login failures followed by a successful logi
risk_score = 73
rule_id = "8cb84371-d053-4f4f-bce0-c74990e28f28"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access"
]
type = "eql"
query = '''
sequence by host.id, source.ip, user.name with maxspan=3s
sequence by host.id, source.ip, user.name with maxspan=15s
[authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10
@@ -73,7 +73,8 @@ type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and
(
(file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history")) or
(file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history", ".google_authenticator",
".jelenv", ".csvignore", ".rtreport")) or
file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or
file.path :
(
@@ -53,7 +53,7 @@ type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
[process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name in ("cp", "mv", "cat") and process.args : (
process.name in ("cp", "mv") and process.args : (
// Shells
"/bin/*sh", "/usr/bin/*sh",
@@ -71,10 +71,10 @@ sequence by host.id, process.entity_id with maxspan=1s
"/usr/bin/mknod", "/bin/ping*", "/usr/bin/ping*", "/bin/nmap", "/usr/bin/nmap",
// System utilities
"/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat", "/bin/mv", "/usr/bin/mv", "/bin/cp", "/usr/bin/cp",
"/bin/sudo", "/usr/bin/sudo", "/bin/curl", "/usr/bin/curl", "/bin/wget", "/usr/bin/wget", "/bin/tmux",
"/usr/bin/tmux", "/bin/screen", "/usr/bin/screen", "/bin/ssh", "/usr/bin/ssh", "/bin/ftp", "/usr/bin/ftp"
)]
"/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat", "/bin/sudo", "/usr/bin/sudo", "/bin/curl", "/usr/bin/curl",
"/bin/wget", "/usr/bin/wget", "/bin/tmux", "/usr/bin/tmux", "/bin/screen", "/usr/bin/screen", "/bin/ssh",
"/usr/bin/ssh", "/bin/ftp", "/usr/bin/ftp"
) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")]
[file where host.os.type == "linux" and event.action == "creation" and file.path : (
"/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*"
)]
@@ -88,6 +88,15 @@ id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.003"
name = "Rename System Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/"
[rule.threat.tactic]
id = "TA0005"
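Review bot: Dropping `cat` from `process.name in ("cp", "mv")` in the first hunk removes coverage for copies made by reading a binary through cat into one of the listed directories, and the hunk does not record that this was a noise trade-off. If the false positives came from particular parents, the new `not process.parent.name in (...)` exclusion already addresses them, so consider keeping `cat` or documenting the reason in the rule's false_positives. Note also that `process.parent.name` is a bare name, so the exclusion applies to any process carrying that name regardless of path; `process.parent.executable` would be tighter.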
@@ -2,9 +2,9 @@
creation_date = "2020/04/21"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/13"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
language = "kuery"
license = "Elastic License v2"
name = "File Permission Modification in Writable Directory"
risk_score = 21
@@ -65,27 +65,31 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
type = "new_terms"
query = '''
process where host.os.type == "linux" and event.type == "start"and
process.name in ("chmod", "chown", "chattr", "chgrp") and
process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
not process.parent.name in ("update-motd-updates-available") and
not user.name == "root"
host.os.type:linux and event.category:process and event.type:start and
process.name:(chmod or chown or chattr or chgrp) and
process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.parent.executable", "process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
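Review bot: `updated_date` moves backwards in this section, from `"2023/10/13"` to `"2023/09/25"`, and the same regression appears in the single-field New Terms section further down (`"2023/10/16"` to `"2023/09/25"`); this looks like a stale value carried through the merge and revert mentioned in the history rather than an intentional change, and it should reflect this change's date (other sections in the commit use `"2023/10/23"`). Separately, the rewritten kuery drops the old `not user.name == "root"` and parent-name filters, so root-driven permission changes in /tmp now count as candidate new terms; if that is intended because new_terms absorbs the noise, a line in the rule's false_positives or a comment above `query = '''` would make it explicit.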
@@ -63,7 +63,14 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -83,25 +90,23 @@ file where host.os.type == "linux" and event.type == "deletion" and
"/var/log/boot.log",
"/var/log/kern.log"
) and
not process.name : ("gzip")
not process.name in ("gzip", "executor", "dockerd")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.002"
name = "Clear Linux or Mac System Logs"
reference = "https://attack.mitre.org/techniques/T1070/002/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
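Review bot: The exclusion `not process.name in ("gzip", "executor", "dockerd")` filters on bare process names, and `executor` is generic; the Message-of-the-Day section below makes the same move, replacing the earlier path-anchored `/usr/bin/dpkg`, `/usr/bin/dockerd`, `/bin/rpm`, `/kaniko/executor` list with bare names. Any process named executor or dockerd, wherever it lives, now bypasses a log-deletion detection; matching on `process.executable` with the full path would keep the exclusion narrow. At minimum a comment naming the legitimate binary each entry stands for would let the next tuner verify it is still needed.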
@@ -62,8 +62,7 @@ event.category:process and host.os.type:linux and event.type:start and (
(process.name:(lsmod or modinfo)) or
(process.name:kmod and process.args:list) or
(process.name:depmod and process.args:(--all or -a))
) and process.parent.name:(sudo or bash or dash or ash or sh or tcsh or csh or zsh or ksh or fish) and
not process.parent.user.id:0
)
'''
[[rule.threat]]
@@ -81,7 +80,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.parent.name", "host.id"]
value = ["host.id", "process.command_line", "process.parent.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
@@ -57,8 +57,10 @@ query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name == "find" and process.args : "-perm" and process.args : (
"/6000", "-6000", "/4000", "-4000", "/2000", "-2000", "/u=s", "-u=s", "/g=s", "-g=s", "/u=s,g=s", "/g=s,u=s"
) and
not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
) and not (
user.Ext.real.id == "0" or group.Ext.real.id == "0" or process.args_count >= 12 or
(process.args : "/usr/bin/pkexec" and process.args : "-xdev" and process.args_count == 7)
)
'''
[[rule.threat]]
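Review bot: The new `process.args_count >= 12` clause excludes every find invocation with twelve or more arguments, not just the benign job it is presumably meant for, and the hunk does not say which job that is; the neighbouring pkexec clause is precise (`"/usr/bin/pkexec"`, `-xdev`, `args_count == 7`) and a similar anchor on a parent or argument would keep the first exclusion from hiding real SUID enumeration. Suggest a comment above the clause naming the source of the noise, or replacing it with a parent/argument match.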
@@ -53,7 +53,8 @@ type = "eql"
query = '''
sequence by host.id, process.parent.entity_id with maxspan=1s
[process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name == "id" and process.args_count == 2] with runs=20
process.name == "id" and process.args_count == 2 and
not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20
'''
[[rule.threat]]
@@ -102,7 +102,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Threat: BPFDoor",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -115,7 +123,7 @@ user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* o
process.executable : (
./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*
))
) and not process.name : (go or git)
) and not process.name : (go or git or containerd* or snap-confine)
'''
[[rule.threat]]
@@ -133,7 +141,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable", "file.path"]
value = ["host.id", "process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
+4 -4
@@ -54,10 +54,10 @@ type = "eql"
query = '''
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
(
(process.parent.name : "python*" and process.name : "*sh" and process.parent.args_count >= 3 and
process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or
(process.parent.name : "python*" and process.name : "*sh" and process.args : "*sh" and process.args_count == 1
and process.parent.args_count == 1)
(process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh",
"fish") and process.parent.args_count >= 3 and process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or
(process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh",
"fish") and process.args : "*sh" and process.args_count == 1 and process.parent.args_count == 1)
)
'''
@@ -50,7 +50,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -141,7 +141,7 @@ process where host.os.type == "linux" and event.type == "start" and
(process.name == "capsh" and process.args == "--") or
/* launching shells from unusual parents or parent+arg combos */
(process.name : "*sh" and (
(process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and (
(process.parent.name : "*awk" and process.parent.args : "BEGIN {system(*)}") or
(process.parent.name == "git" and process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or
process.args : ("*PAGER*", "!*sh", "exec *sh") and not process.name == "ssh" ) or
@@ -17,7 +17,8 @@ from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Suspicious Parent Process"
name = "Deprecated - Potential Reverse Shell via Suspicious Parent Process"
note = "This rule was deprecated due to its addition to the umbrella `Potential Reverse Shell via Suspicious Child Process` (76e4d92b-61c1-4a95-ab61-5fd94179a1ee) rule."
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
@@ -48,7 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click Save and Continue.
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
@@ -56,13 +56,13 @@ type = "eql"
query = '''
sequence by host.id, process.parent.entity_id with maxspan=1s
[ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and (
(process.name : "python*" and process.args : "-c") or
(process.name : "php*" and process.args : "-r") or
(process.name : "perl" and process.args : "-e") or
(process.name : "ruby" and process.args : ("-e", "-rsocket")) or
(process.name : "lua*" and process.args : "-e") or
(process.name : "python*" and process.args == "-c" and not process.args == "/usr/bin/supervisord") or
(process.name : "php*" and process.args == "-r") or
(process.name : "perl" and process.args == "-e") or
(process.name : "ruby" and process.args in ("-e", "-rsocket")) or
(process.name : "lua*" and process.args == "-e") or
(process.name : "openssl" and process.args : "-connect") or
(process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or
(process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args == "-z") or
(process.name : "telnet" and process.args_count >= 3) or
(process.name : "awk")) and
process.parent.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ]
@@ -54,12 +54,14 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
type = "eql"
query = '''
sequence by host.id with maxspan=5s
[ network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and
process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and
destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] by process.entity_id
[ process where host.os.type == "linux" and event.action == "exec" and
process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and
process.parent.args : "-jar" and process.executable : "*sh" ] by process.parent.entity_id
[network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and
process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and
destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1"
] by process.entity_id
[process where host.os.type == "linux" and event.action == "exec" and
process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and
process.parent.args : "-jar" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
] by process.parent.entity_id
'''
[[rule.threat]]
@@ -51,24 +51,40 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
(process.name : "python*" and process.args : "-c") or
(process.name : "php*" and process.args : "-r") or
(process.name : "perl" and process.args : "-e") or
(process.name : "ruby" and process.args : ("-e", "-rsocket")) or
(process.name : "lua*" and process.args : "-e") or
(process.name : "openssl" and process.args : "-connect") or
(process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or
(process.name : "telnet" and process.args_count >= 3) or
(process.name : "awk")) and
process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ]
[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and
destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ]
[process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and (
(process.name : "python*" and process.args : "-c" and process.args : (
"*import*pty*spawn*", "*import*subprocess*call*"
)) or
(process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : (
"*exec*", "*system*"
)) or
(process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : (
"*TCPSocket.new*", "*TCPSocket.open*"
)) or
(process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : (
"*io.popen*", "*os.execute*"
)) or
(process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or
(process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or
(process.name : "openssl" and process.args : "-connect") or
(process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args == "-z") or
(process.name : "telnet" and process.args_count >= 3)
) and process.parent.name : (
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*",
"openssl", "nc", "netcat", "ncat", "telnet", "awk")]
[network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and
destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
'''
[[rule.threat]]
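Review bot: The process names in the first event and the network event do not agree: the first event matches `process.name : "perl*"`, `"ruby*"` and `("awk", "gawk", "mawk", "nawk")`, but the network event's `process.name : ("python*", "php*", "perl", "ruby", "lua*", ...)` list still has only `"perl"`, `"ruby"` and `"awk"`, so a connection made by a perl5.x, ruby3 or gawk process that matched the first event is never joined, and the `process.parent.name` list at the end of the first event has the same gap. Since the separate parent-process rule was deprecated in favour of this one, that coverage is now lost. Aligning the lists, e.g. `"openssl", "nc", "netcat", "ncat", "telnet", "awk", "gawk", "mawk", "nawk")]` with `"perl*", "ruby*"` in both places, closes it.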
@@ -55,12 +55,13 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
type = "eql"
query = '''
sequence by host.id with maxspan=1s
[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and
destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] by process.entity_id
[ process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "fork") and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") ] by process.parent.entity_id
[network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and
destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1"] by process.entity_id
[process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and not
process.args : "*imunify360-agent*"] by process.parent.entity_id
'''
[[rule.threat]]
@@ -59,7 +59,12 @@ However, if more advanced configuration is required to detect specific behavior,
"""
severity = "medium"
tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
@@ -2,9 +2,9 @@
creation_date = "2023/06/14"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4"
min_stack_version = "8.4.0"
updated_date = "2023/10/16"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click Save and Continue.
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
@@ -86,7 +85,7 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable"]
value = ["host.id", "user.id", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
@@ -49,21 +49,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Impact",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
sequence by process.entity_id, host.id with maxspan=1s
[file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or
(process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and
and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and
file.path : (
"/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
"/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not ((
process.name : (
"dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
"conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
"systemsettings", "vmis-launcher")) or file.path : "/etc/selinux/*" or (file.extension in ("qmlc", "txt")
))] with runs=25
"/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25
'''
[[rule.threat]]
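Review bot: Nothing in this section records why the shell-name branch and the `not (...)` package-manager, SELinux and extension exclusions were dropped from the first event; the rewrite keeps only the `process.executable` path condition, which narrows the rule to renames performed by binaries running from the listed temporary and writable paths, and the same rewrite appears in the next section (the variant with the ransom-note file event). If the shell branch was the noise source, that is worth stating in the rule's false_positives so the coverage trade-off is visible. The `sequence by process.entity_id, host.id` reorder presumably serves the performance tuning mentioned in the history; a trailing `// key order matters for performance` would save the next reader from reverting it.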
@@ -50,21 +50,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Impact",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
sequence by process.entity_id, host.id with maxspan=1s
[file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or
(process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and
and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and
file.path : (
"/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
"/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not ((
process.name : (
"dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
"conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
"systemsettings", "vmis-launcher")) or (file.path : "/etc/selinux/*") or (file.extension in ("qmlc", "txt")
))] with runs=25
"/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25
[file where host.os.type == "linux" and event.action == "creation" and file.name : (
"*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*"
)]
@@ -72,7 +72,8 @@ event.category:file and host.os.type:linux and event.type:change and
/usr/bin/sftp or
/usr/bin/ssh or
/usr/sbin/sshd) or
file.name:libkeyutils.so)
file.name:libkeyutils.so) and
not process.executable:/usr/share/elasticsearch/*
'''
+13 -4
@@ -51,7 +51,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Privilege Escalation",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -60,7 +69,7 @@ host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "c
file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or
/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron)
and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "5") or
file.extension : ("swp" or "swx"))
file.extension : ("swp" or "swpx"))
'''
[[rule.threat]]
@@ -119,8 +128,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["file.path", "process.name"]
value = ["host.id", "file.path", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
value = "now-10d"
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/16"
updated_date = "2023/10/23"
integration = ["endpoint"]
[rule]
@@ -15,7 +15,7 @@ from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Kernel module load via insmod"
name = "Kernel Module Load via insmod"
references = [
"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"
]
@@ -49,12 +49,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Threat: Rootkit",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko"
and not process.parent.name in ("cisco-amp-helper", "ksplice-apply")
'''
[[rule.threat]]
@@ -149,7 +149,7 @@ event.action in ("exec", "exec_event") and process.parent.executable : (
"/usr/local/lsws/bin/lswsctrl",
"*/bin/catalina.sh"
) and
process.name : ("*sh", "python*", "perl", "php*", "tmux") and
process.name : ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "tmux") and
process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") and
not process.name == "phpquery"
'''
@@ -149,13 +149,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
]
type = "new_terms"
query = '''
host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and
file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not
process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/kaniko/executor") and not
file.extension : ("swp" or "swx")
file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (
dpkg or dockerd or rpm or executor or dnf
) and not file.extension : ("swp" or "swpx")
'''
[[rule.threat]]
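Review bot: The exclusion switched from full `process.executable` paths to bare `process.name` values (`dpkg or dockerd or rpm or executor or dnf`), which an attacker satisfies by naming a dropper `dnf` or `executor`; the previous form was the safer allowlist. Suggest keeping the path form and only extending it, e.g. `not process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/usr/bin/rpm" or "/kaniko/executor" or "/usr/bin/dnf")`. With `process.executable` now one of the new-terms keys, a renamed binary would otherwise be treated as just another first-seen executable rather than a spoofed package manager.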
@@ -173,8 +181,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["file.path", "process.name"]
value = ["host.id", "file.path", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
value = "now-10d"
@@ -148,15 +148,41 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and
event.type == "start" and event.action : ("exec", "exec_event") and
process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "nc", "ncat",
"netcat", "socat", "lua", "java", "openssl", "ruby", "telnet")
process where event.type == "start" and event.action : ("exec", "exec_event") and
process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and (
(process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and (
(process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*"))) or
(process.name : ("nc", "ncat", "netcat", "nc.openbsd") and process.args_count >= 3 and
not process.args : ("-*z*", "-*l*")) or
(process.name : "python*" and process.args : "-c" and process.args : (
"*import*pty*spawn*", "*import*subprocess*call*"
)) or
(process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : (
"*exec*", "*system*"
)) or
(process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : (
"*TCPSocket.new*", "*TCPSocket.open*"
)) or
(process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : (
"*io.popen*", "*os.execute*"
)) or
(process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or
(process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or
(process.name in ("openssl", "telnet"))
) and
not (process.parent.args : "--force" or process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch"))
'''
[[rule.threat]]
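Review bot: The rewritten query drops `host.os.type == "linux"` from the `process where` line even though the rule is tagged `OS: Linux` and every other rule in this change keeps the filter; the path constraints make a match on another OS unlikely, but the check is cheap and keeps the rule consistent: `process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and`. The `process.parent.name == "socat"` alternative inside the shell branch can only be true when `process.parent.executable` is itself under `/etc/update-motd.d/` or `/usr/lib/update-notifier/`, i.e. when a socat binary has been copied there, so it looks unreachable for the `socat ... exec:` case it seems meant for. It is also worth confirming against real events that `process.parent.executable` for a shebang script in `/etc/update-motd.d/` is reported as the script path rather than the interpreter (`/bin/sh`); if it is the interpreter, the parent filter would need `process.parent.args` instead.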
@@ -134,12 +134,22 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
]
type = "new_terms"
query = '''
host.os.type : "linux" and event.category : "file" and
event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and
file.path : "/etc/rc.local" and not process.name : ("dockerd" or "docker" or "dnf" or "yum" or "rpm" or "dpkg") and not file.extension : ("swp" or "swx")
file.path : "/etc/rc.local" and not process.name : (
"dockerd" or "docker" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "dpkg"
) and not file.extension : ("swp" or "swpx")
'''
[[rule.threat]]
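Review bot: `not file.extension : ("swp" or "swpx")` can never exclude anything here, because `file.path : "/etc/rc.local"` already pins the exact path and a Vim swap file would be `/etc/.rc.local.swp`, which does not match it; the clause is dead on both the old and the new side. Either drop it, or if the intent is to observe the whole edit sequence, match `file.path : ("/etc/rc.local" or "/etc/.rc.local.*")` and keep the exclusion. The `process.name` allowlist (`dockerd`, `dnf-automatic`, ...) is attacker-controlled; a `process.executable` path list is harder to spoof.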
@@ -162,7 +172,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable"]
value = ["host.id", "process.executable", "user.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
@@ -52,30 +52,37 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and
file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and
process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher"))
process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher"
or "pacman" or "apt-get" or "dnf"))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
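Review bot: The newly excluded `pacman`, `apt-get` and `dnf` (like the existing `dockerd`, `dpkg`, `rpm`, `snapd`, `yum`) are exempted for both path prefixes, so a loader named `dnf` dropping a `.so` into `/dev/shm/` is silently allowed even though no package manager writes there. Scope the package-manager exemption to the library path, e.g. `and not (file.path:/usr/lib/* and process.name:("dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "pacman" or "apt-get" or "dnf"))`, and leave `/dev/shm/*` without exclusions. The remaining `"5"` and `"exe"` entries are opaque names; a one-line comment above the query naming what they correspond to would help the next person tuning this rule.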
@@ -83,9 +90,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["file.path", "process.name"]
value = ["host.id", "file.path", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
value = "now-10d"
@@ -163,13 +163,23 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and
file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or
/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : ("docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor")
/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : (
"docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor" or "cloudflared"
)
'''
[[rule.threat]]
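Review bot: The path list covers `/etc/systemd/system`, `/usr/local/lib/systemd/system`, `/lib/systemd/system`, `/usr/lib/systemd/system` and `/home/*/.config/systemd/user`, but systemd also loads units from `/etc/systemd/user/*`, `/usr/lib/systemd/user/*`, `/run/systemd/system/*` and `/run/systemd/user/*`, and `/home/*` misses `/root/.config/systemd/user/*` and accounts whose home is elsewhere (`/var/lib/*`, `/srv/*`). A timer in any of those persists just as well; consider adding `/etc/systemd/user/*`, `/usr/lib/systemd/user/*`, `/run/systemd/system/*` and `/root/.config/systemd/user/*` (the `/run` paths may need their own exclusions because transient units land there). The added `cloudflared` exclusion is by `process.name`, which any binary can adopt; if the tuning targets the cloudflared installer, a `process.executable` path is the safer key.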
@@ -192,8 +202,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["file.path", "process.name"]
value = ["host.id", "file.path", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
value = "now-10d"
@@ -53,20 +53,38 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Privilege Escalation",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type : "linux" and event.action : ("creation" or "file_create_event") and
file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or
/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not
(process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or
"elastic-agent" or "cinc-client") or file.extension : ("swp" or "swx"))
host.os.type:linux and event.category:file and event.action:("creation" or "file_create_event") and file.path:(
/etc/systemd/system/* or
/usr/local/lib/systemd/system/* or
/lib/systemd/system/* or
/usr/lib/systemd/system/* or
/home/*/.config/systemd/user/*
) and
not (
process.name:(
"dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or "puppetd" or
"elastic-agent" or "cinc-client" or "chef-client" or "pacman" or "puppet" or "cloudflared"
) or
file.extension:("swp" or "swpx")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
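Review bot: `python*` in the `process.name` allowlist exempts every Python interpreter, so a unit file written by any Python-based installer or by an attacker's `python3 -c` dropper never reaches the new-terms stage, whereas the other entries at least name a specific tool. If it was added for one particular Python-based configuration manager, exclude that by `process.executable` or `process.args` instead, or drop `python*` and let new-terms surface first-seen interpreters per host. The unit search paths `/etc/systemd/user/*`, `/usr/lib/systemd/user/*`, `/run/systemd/system/*` and `/root/.config/systemd/user/*` are also not listed, so a service placed there is not seen by this rule.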
@@ -102,8 +120,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.new_terms]
field = "new_terms_fields"
value = ["file.path", "process.name"]
value = ["host.id", "file.path", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
value = "now-10d"
@@ -2,9 +2,9 @@
creation_date = "2021/01/27"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/16"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
@@ -60,31 +60,44 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "query"
type = "new_terms"
query = '''
event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and
event.action:(updated or renamed or rename)
host.os.type:linux and event.category:file and event.action:(updated or renamed or rename) and
not event.type:deletion and file.path:/etc/ld.so.preload
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
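Review bot: The query still matches only `updated`, `renamed` and `rename` actions, so creating `/etc/ld.so.preload` — which does not exist by default on most distributions and is therefore the usual first action of a preload rootkit installer — is not covered unless the indexed source reports that as `updated`; confirm against the endpoint/auditbeat event catalogue and add `created`/`creation` if it is a separate action. Converting from a plain `query` to `new_terms` keyed on `host.id`, `user.id`, `process.executable` also means a second installer using the same shell (`/usr/bin/bash`, `/usr/bin/tee`) on the same host and user within the 10-day window produces no alert; for a file that legitimately changes almost never, that suppression costs more than it saves. Unrelated to the query: the metadata hunk for this file above shows `updated_date` going from `2023/10/16` to `2023/09/25`, which reads as the date moving backwards (likely a merge artefact) if the second line is the new side.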
@@ -54,8 +54,8 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
event.type == "start" and process.name == "ln" and
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
event.type == "start" and process.name == "ln" and process.args in ("-s", "-sf") and
(
/* suspicious files */
(process.args in ("/etc/shadow", "/etc/shadow-", "/etc/shadow~", "/etc/gshadow", "/etc/gshadow-") or
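Review bot: `process.args in ("-s", "-sf")` is an exact match on the combined flag string, so `ln -fs`, `ln -sv`, `ln -sfn`, `ln -snf`, `ln -sT` and `ln --symbolic` all bypass the rule while creating the same symlink. A regex on the short-option cluster covers the orderings: `process.args regex "-[a-zA-Z]*s[a-zA-Z]*" or process.args == "--symbolic"`. Adding the flag filter also removes hard links (`ln /etc/shadow /tmp/shadow`) from scope, which the previous version caught and which are at least as abusive for these files; if that is deliberate it should be stated in the rule description. The query continues past this hunk.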
@@ -2,9 +2,9 @@
creation_date = "2023/07/26"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/16"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ enable persistence onto the system every time the sudo binary is executed.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
language = "kuery"
license = "Elastic License v2"
name = "Potential Sudo Hijacking Detected"
references = ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"]
@@ -49,11 +49,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
type = "new_terms"
query = '''
file where event.type in ("creation", "file_create_event") and file.path == "/usr/bin/sudo"
host.os.type:linux and event.category:file and event.type:("creation" or "file_create_event") and
file.path:("/usr/bin/sudo" or "/bin/sudo") and not process.name:(docker or dockerd)
'''
[[rule.threat]]
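Review bot: `event.type:("creation" or "file_create_event")` only catches a brand-new file at the sudo path, but replacing an existing `/usr/bin/sudo` in place (`cp evil /usr/bin/sudo`, `cat > /usr/bin/sudo`) is a modification event and a `mv` over it is a rename; neither is matched. The rc.local rule in this same change uses `event.type : ("change" or "file_modify_event" or "creation" or "file_create_event")` — mirroring that here, plus `rename`/`file_rename_event`, would close the gap. Writing to `/usr/bin/sudo` or `/bin/sudo` also presupposes root, so this detects post-escalation replacement; a PATH-precedence hijack (a `sudo` in `/usr/local/bin`, `/usr/local/sbin` or a user bin directory ahead of `/usr/bin`) is equally persistent and not in scope, which is worth a sentence in the description. The `docker or dockerd` exclusion keys on `process.name`, which any binary can adopt.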
@@ -86,3 +95,11 @@ reference = "https://attack.mitre.org/techniques/T1574/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/31"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
@@ -19,11 +19,16 @@ from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*",]
language = "kuery"
license = "Elastic License v2"
max_signals = 5
name = "Potential Network Sweep Detected"
risk_score = 21
rule_id = "781f8746-2180-4691-890c-4c96d11ca91d"
severity = "low"
tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
tags = ["Domain: Network",
"Tactic: Discovery",
"Tactic: Reconnaissance",
"Use Case: Network Security Monitoring"
]
type = "threshold"
query = '''
destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
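Review bot: `max_signals = 5` on a threshold rule caps alerts per execution, so if more than five distinct sources sweep within one `now-9m` window only five are surfaced and the rest are dropped with no indication; that may be the intended noise control for a low-severity rule, but the silent loss is worth a sentence in the description or `false_positives` text. Style: the `tags` array here keeps `"Domain: Network",` on the `tags = [` line while every other rule in this change starts the list on its own line; writing `tags = [` followed by one entry per line keeps the files uniform. The threshold query continues past this hunk.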
@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/31"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
@@ -20,11 +20,16 @@ from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 5
name = "Potential Network Scan Detected"
risk_score = 21
rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b"
severity = "low"
tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
tags = ["Domain: Network",
"Tactic: Discovery",
"Tactic: Reconnaissance",
"Use Case: Network Security Monitoring"
]
type = "threshold"
query = '''
destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/31"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
@@ -20,11 +20,16 @@ from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 5
name = "Potential SYN-Based Network Scan Detected"
risk_score = 21
rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409"
severity = "low"
tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
tags = ["Domain: Network",
"Tactic: Discovery",
"Tactic: Reconnaissance",
"Use Case: Network Security Monitoring"
]
type = "threshold"
query = '''
destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
@@ -2,9 +2,9 @@
creation_date = "2020/04/12"
integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/24"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [
from = "now-119m"
interval = "60m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
language = "kuery"
license = "Elastic License v2"
name = "Enumeration of Kernel Modules via Proc"
note = """## Setup
@@ -45,16 +45,17 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
risk_score = 21
rule_id = "80084fa9-8677-4453-8680-b891d3c0c778"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
tags = [
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "eql"
type = "new_terms"
building_block_type = "default"
query = '''
file where host.os.type == "linux" and event.action == "opened-file" and file.path == "/proc/modules" and not
(
process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "SchedulerRunner", "grep") or
process.parent.pid == 1 or process.title : "*grep*"
)
host.os.type:linux and event.category:file and event.action:"opened-file" and file.path:"/proc/modules"
'''
[[rule.threat]]
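Review bot: Dropping every process exclusion and keying new-terms on `host.id` and `process.executable` only means the first `cat`/`grep`/`less` of `/proc/modules` on each host seeds the term, and any later read by the same binary — including an attacker checking for a rootkit with `cat /proc/modules` — is silent for the 7-day window, whereas the old form at least named the benign callers. Adding `user.id` (as the ld.so.preload rule in this change does) or `process.parent.executable` to `new_terms_fields` in the following hunk would keep a new user or parent chain visible, and `lsmod`/`kmod`/`modprobe` could stay excluded at the query level to avoid a once-per-host BBR for each of them. The `Domain: Endpoint` tag was removed here; confirm that is intentional, since the other auditd BBR rules in this change never carried it while the endpoint rules keep it.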
@@ -69,3 +70,12 @@ reference = "https://attack.mitre.org/techniques/T1082/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
@@ -2,9 +2,9 @@
creation_date = "2023/06/08"
integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/24"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ system.
from = "now-119m"
interval = "60m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Modprobe File Event"
note = """## Setup
@@ -44,17 +44,18 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
risk_score = 21
rule_id = "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd"
severity = "low"
tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
tags = [
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "eql"
type = "new_terms"
building_block_type = "default"
query = '''
file where host.os.type == "linux" and event.action == "opened-file" and
file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not
(
process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp", "mkinitramfs",
"readlink") or process.title : "*grep*" or process.parent.pid == 1
)
host.os.type:linux and event.category:file and event.action:"opened-file" and
file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*)
'''
[[rule.threat]]
@@ -69,3 +70,11 @@ reference = "https://attack.mitre.org/techniques/T1082/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
@@ -2,9 +2,9 @@
creation_date = "2023/06/08"
integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/24"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ configuration files to modify kernel parameters, potentially compromising system
from = "now-119m"
interval = "60m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Sysctl File Event"
note = """## Setup
@@ -44,14 +44,18 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
risk_score = 21
rule_id = "7592c127-89fb-4209-a8f6-f9944dfd7e02"
severity = "low"
tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
tags = [
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "eql"
type = "new_terms"
building_block_type = "default"
query = '''
file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and
not process.name in ("auditbeat", "systemd-sysctl", "dpkg", "dnf", "yum", "rpm", "apt")
host.os.type:linux and event.category:file and event.action:("opened-file" or "read-file" or "wrote-to-file") and
file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*)
'''
[[rule.threat]]
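Review bot: `event.action:("opened-file" or "read-file" or "wrote-to-file")` folds reads and writes into one rule while `event.action` is not among the new-terms keys (`host.id`, `process.executable`, `file.path` in the following hunk), so a benign read of `/etc/sysctl.conf` by `/usr/bin/cat` seeds the term and a later `cat > /etc/sysctl.conf` by the same binary on the same host goes unreported for 7 days. Adding `event.action` to `new_terms_fields` — or splitting writes into their own rule, since writing sysctl config is persistence or defence evasion rather than the Discovery tactic this rule is tagged with — keeps the write visible. All former `process.name` exclusions (`systemd-sysctl`, `dpkg`, `dnf`, ...) are gone, so expect one BBR per host for each of those on first run; acceptable for a building block if that is the intent.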
@@ -66,3 +70,11 @@ reference = "https://attack.mitre.org/techniques/T1082/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/24"
updated_date = "2023/09/25"
[rule]
author = ["Elastic"]
@@ -42,18 +42,25 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
risk_score = 21
rule_id = "0787daa6-f8c5-453b-a4ec-048037f6c1cd"
severity = "low"
tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
tags = [
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "threshold"
building_block_type = "default"
query = '''
host.os.type : "linux" and event.category : "file" and event.action : "opened-file" and
file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : "pidof" and
not process.parent.pid : 1
host.os.type:linux and event.category:file and event.action:"opened-file" and
file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : (
ps or netstat or landscape-sysin or w or pgrep or pidof or needrestart or apparmor_status
) and not process.parent.pid : 1
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
@@ -72,6 +79,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.threshold]
field = ["host.id", "process.pid", "process.name"]
value = 1
[[rule.threshold.cardinality]]
field = "file.path"
value = 100
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/30"
updated_date = "2023/09/13"
[rule]
author = ["Elastic"]
@@ -22,7 +22,7 @@ name = "Suspicious which Enumeration"
risk_score = 21
rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"
@@ -3,7 +3,7 @@ creation_date = "2023/07/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/25"
updated_date = "2023/09/26"
integration = ["endpoint"]
[rule]
@@ -20,6 +20,7 @@ interval = "60m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
max_signals = 1
name = "Potential Suspicious File Edit"
risk_score = 21
rule_id = "3728c08d-9b70-456b-b6b8-007c7d246128"
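Review bot: `max_signals = 1` combined with the rule's `interval = "60m"` means at most one alert per hourly execution across the whole index, so if two hosts (or two users on one host) each produce a `.shadow.swp`-style edit within the same hour, only one is surfaced and the other is lost with no indication. If the intent is one alert per host rather than one overall, the cap is the wrong tool; a higher `max_signals` (or the default) preserves the signal, and the `risk_score = 21` already keeps the alerts low priority. The query continues past this hunk.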
@@ -35,9 +36,9 @@ file.path : (
/* common interesting files and locations */
"/etc/.shadow.swp", "/etc/.shadow-.swp", "/etc/.shadow~.swp", "/etc/.gshadow.swp", "/etc/.gshadow-.swp",
"/etc/.passwd.swp", "/etc/.pwd.db.swp", "/etc/.master.passwd.swp", "/etc/.spwd.db.swp", "/etc/security/.opasswd.swp",
"/etc/.hosts.swp", "/etc/.environment.swp", "/etc/.profile.swp", "/etc/sudoers.d/.*.swp",
"/etc/ld.so.conf.d/.*.swp", "/etc/init.d/.*.swp", "/etc/.rc.local.swp", "/etc/rc*.d/.*.swp",
"/dev/shm/.*.swp", "/etc/update-motd.d/.*.swp", "/usr/lib/update-notifier/.*.swp",
"/etc/.environment.swp", "/etc/.profile.swp", "/etc/sudoers.d/.*.swp", "/etc/ld.so.conf.d/.*.swp",
"/etc/init.d/.*.swp", "/etc/.rc.local.swp", "/etc/rc*.d/.*.swp", "/dev/shm/.*.swp", "/etc/update-motd.d/.*.swp",
"/usr/lib/update-notifier/.*.swp",
/* service, timer, want, socket and lock files */
"/etc/systemd/system/.*.swp", "/usr/local/lib/systemd/system/.*.swp", "/lib/systemd/system/.*.swp",