From 020fff3aea3e7dbb971b4bffb85bbd0e5d994d25 Mon Sep 17 00:00:00 2001 
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Mon, 23 Oct 2023 16:28:58 +0200 Subject: [PATCH] [Rule Tuning] Linux Rules (#3092) * [Rule Tuning] [WIP] Linux DR * Update defense_evasion_binary_copied_to_suspicious_directory.toml * Fixed tag * Added additional tuning * unit test fix * Additional tuning * tuning * added max signals * Added max_signals=1 to brute force rules * Cross-Platform Tuning * Small fix * new_terms conversion * typo * new_terms conversion * Ransomware rule tuning * performance tuning * new_terms conversion for auditd_manager * tune * Need coffee * kql/eql stuff * formatting improvement * new_terms sudo hijacking conversion * exclusion * Deprecations that were added last tuning * Deprecations that were added last tuning * Increased max timespan for brute force rules * version bump * added domain tag * Two tunings * More tuning * Additional tuning * updated_date bump * query optimization * Tuning * Readded the exclusions for this one * Changed int comparison * Some tunings * Update persistence_systemd_scheduled_timer_created.toml * Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * [New Rule] Potential curl CVE-2023-38545 Exploitation * Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation" This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0. * Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml * Update rules/linux/command_and_control_cat_network_activity.toml * Update persistence_message_of_the_day_execution.toml * Changed max_signals * Revert "Merge branch 'main' into rule-tuning-ongoing-dr" This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8. 
* Revertable merge * Update defense_evasion_ld_preload_env_variable_process_injection.toml * File name change --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --- ...and_and_control_linux_iodine_activity.toml | 21 +++-- ...reload_env_variable_process_injection.toml | 32 ++++--- ...and_and_control_non_standard_ssh_port.toml | 29 +++--- .../discovery_security_software_grep.toml | 28 ++++-- .../execution_revershell_via_shell_cmd.toml | 19 ++-- ...xecution_suspicious_jar_child_process.toml | 38 +++++--- .../impact_hosts_file_modified.toml | 14 +-- ...l_access_modify_auth_module_or_config.toml | 44 +++++---- ...ersistence_shell_profile_modification.toml | 34 +++---- ...ence_ssh_authorized_keys_modification.toml | 33 +++++-- ...privilege_escalation_sudoers_file_mod.toml | 20 +++-- ...mand_and_control_cat_network_activity.toml | 8 +- ...l_linux_tunneling_and_port_forwarding.toml | 28 +++--- ...work_activity_from_unknown_executable.toml | 90 ++++++------------- ...ial_access_collection_sensitive_files.toml | 35 +++++--- ...tential_linux_ssh_bruteforce_external.toml | 11 ++- ...tential_linux_ssh_bruteforce_internal.toml | 11 ++- ...tial_successful_linux_ssh_bruteforce.toml} | 11 ++- .../credential_access_ssh_backdoor_log.toml | 3 +- ...binary_copied_to_suspicious_directory.toml | 19 ++-- ...defense_evasion_file_mod_writable_dir.toml | 28 +++--- .../defense_evasion_log_files_deleted.toml | 17 ++-- .../discovery_kernel_module_enumeration.toml | 5 +- .../discovery_suid_sguid_enumeration.toml | 6 +- ...overy_unusual_user_enumeration_via_id.toml | 3 +- ...tion_abnormal_process_id_file_created.toml | 14 ++- rules/linux/execution_python_tty_shell.toml | 8 +- ..._remote_code_execution_via_postgresql.toml | 9 +- .../execution_shell_evasion_linux_binary.toml | 2 +- ...uspicious_parent_child_revshell_linux.toml | 16 ++-- ...ecution_shell_via_java_revshell_linux.toml | 14 +-- 
...on_shell_via_lolbin_interpreter_linux.toml | 46 ++++++---- ...ution_shell_via_tcp_cli_utility_linux.toml | 13 +-- ...ution_shell_via_udp_cli_utility_linux.toml | 7 +- ...us_executable_running_system_commands.toml | 9 +- ...tial_linux_ransomware_file_encryption.toml | 19 ++-- ...ential_linux_ransomware_note_detected.toml | 19 ++-- ...credential_access_modify_ssh_binaries.toml | 3 +- .../linux/persistence_cron_job_creation.toml | 17 +++- ...persistence_insmod_kernel_module_load.toml | 15 +++- ...e_linux_shell_activity_via_web_server.toml | 2 +- ...rsistence_message_of_the_day_creation.toml | 20 +++-- ...sistence_message_of_the_day_execution.toml | 38 ++++++-- .../linux/persistence_rc_script_creation.toml | 16 +++- .../persistence_shared_object_creation.toml | 24 +++-- ...tence_systemd_scheduled_timer_created.toml | 18 +++- .../persistence_systemd_service_creation.toml | 34 +++++-- ...lation_ld_preload_shared_object_modif.toml | 33 ++++--- ...lation_linux_suspicious_symbolic_link.toml | 4 +- .../privilege_escalation_sudo_hijacking.toml | 31 +++++-- ...very_potential_network_sweep_detected.toml | 9 +- ...iscovery_potential_port_scan_detected.toml | 9 +- ...very_potential_syn_port_scan_detected.toml | 9 +- ...n_execution_msbuild_started_by_script.toml | 0 ...ry_kernel_module_enumeration_via_proc.toml | 32 ++++--- .../discovery_linux_modprobe_enumeration.toml | 33 ++++--- .../discovery_linux_sysctl_enumeration.toml | 30 +++++-- ...discovery_suspicious_proc_enumeration.toml | 18 ++-- ...ry_suspicious_which_command_execution.toml | 4 +- ...suspicious_file_opened_through_editor.toml | 9 +- 60 files changed, 749 insertions(+), 422 deletions(-) rename rules/{linux => _deprecated}/command_and_control_linux_iodine_activity.toml (75%) rename rules/{linux => _deprecated}/defense_evasion_ld_preload_env_variable_process_injection.toml (95%) rename rules/linux/{credential_access_bruteforce_password_guessing.toml => credential_access_potential_successful_linux_ssh_bruteforce.toml} 
(93%)
mode change 100644 => 100755 rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
diff --git a/rules/linux/command_and_control_linux_iodine_activity.toml b/rules/_deprecated/command_and_control_linux_iodine_activity.toml
similarity index 75%
rename from rules/linux/command_and_control_linux_iodine_activity.toml
rename to rules/_deprecated/command_and_control_linux_iodine_activity.toml
index 871926ebc..175ce0171 100644
--- a/rules/linux/command_and_control_linux_iodine_activity.toml
+++ b/rules/_deprecated/command_and_control_linux_iodine_activity.toml
@@ -1,10 +1,11 @@
 [metadata]
 creation_date = "2020/02/18"
+deprecation_date = "2023/09/25"
 integration = ["endpoint"]
-maturity = "production"
+maturity = "deprecated"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/25"
+updated_date = "2023/09/25"
 
 [rule]
 author = ["Elastic"]
@@ -23,27 +24,37 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Deprecated - Potential DNS Tunneling via Iodine" -note = """This rule was deprecated due to its addition to the umbrella `Potential Linux Tunneling and/or Port Forwarding` (6ee947e9-de7e-4281-a55d-09289bdf947e) rule.""" +note = "This rule was deprecated due to its addition to the umbrella `Potential Linux Tunneling and/or Port Forwarding` (6ee947e9-de7e-4281-a55d-09289bdf947e) rule." references = ["https://code.kryo.se/iodine/"] risk_score = 73 rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "query" + query = ''' event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml b/rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml similarity index 95% rename from rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml rename to rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml index 70a2ac9c5..9a4eec122 100644 --- a/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml 
+++ b/rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml
@@ -1,10 +1,11 @@
 [metadata]
 creation_date = "2023/06/26"
+deprecation_date = "2023/09/25"
 integration = ["endpoint"]
-maturity = "production"
+maturity = "deprecated"
 min_stack_comments = "The linux.advanced.capture_env_vars option for Elastic Defend has been introduced in 8.6.0"
 min_stack_version = "8.6.0"
-updated_date = "2023/10/12"
+updated_date = "2023/09/25"
 
 [rule]
 author = ["Elastic"]
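Review bot: `updated_date` goes backwards in this hunk, from "2023/10/12" to "2023/09/25", whereas the companion iodine deprecation moves it forward; anything that orders or compares rules by this field may treat the deprecated copy as older than the version already shipped. If the convention is that a deprecated rule carries its deprecation date as its last update, the earlier 2023/10/12 edit should be checked to see why it post-dates the deprecation; otherwise keep `updated_date = "2023/10/12"` or later. The PR description mentions a reverted merge, so this may be a leftover from that revert rather than an intended change.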
@@ -65,63 +66,72 @@ references = ["https://www.getambassador.io/resources/code-injection-on-linux-an risk_score = 21 rule_id = "4973e46b-a663-41b8-a875-ced16dda2bb0" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.action == "exec" and process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" + + 
[rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml index 9ab2adb5f..b863a6bf6 100644 --- a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml +++ b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/22" [rule] author = ["Elastic"] 
@@ -30,31 +30,36 @@ references = ["https://attack.mitre.org/techniques/T1571/"] risk_score = 21 rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: macOS", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "OS: macOS", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' sequence by process.entity_id with maxspan=1m -[process where event.action == "exec" and process.name:"ssh"] -[network where process.name:"ssh" - and event.action in ("connection_attempted", "connection_accepted") - and destination.port != 22 - and destination.ip != "127.0.0.1" - and network.transport: "tcp" -] + [process where event.action == "exec" and process.name:"ssh" and not process.parent.name in ( + "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest", "git-lfs", "expect", "Sourcetree", "ssh-copy-id", + "run" + ) + ] + [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and + destination.port != 22 and destination.ip != "127.0.0.1" and network.transport: "tcp" + ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1571" name = "Non-Standard Port" reference = "https://attack.mitre.org/techniques/T1571/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml index 902e64eb4..f9d9756c7 100644 --- a/rules/cross-platform/discovery_security_software_grep.toml +++ b/rules/cross-platform/discovery_security_software_grep.toml 
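Review bot: The new `not process.parent.name in (...)` exclusion in the process stage matches on the bare name only, so any parent called `run`, `expect`, `git` or `scp`, whatever its path, suppresses the whole sequence, and `run` in particular is a generic name that unrelated binaries and scripts carry. Where a carve-out is meant for one specific tool, matching on `process.parent.executable` (or pairing the name with a path prefix) keeps the blind spot small. The same name-only pattern appears in the new exclusions for the hosts-file, PAM-module and shell-profile rules later in this patch. As a style point, the wrapped `tags` array here ends with an indented `]` and no trailing comma, unlike the formatter-style arrays in the two deprecated files; `tags = [`, one entry per line with trailing commas, and `]` at column 0 would keep the files uniform.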
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/22" [rule] author = ["Elastic"] @@ -55,7 +55,14 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -94,25 +101,32 @@ process.name : "grep" and user.id != "0" and "osquery*", "elastic-endpoint*" ) and - not (process.args : "Avast" and process.args : "Passwords") + not ( + (process.args : "Avast" and process.args : "Passwords") or + (process.parent.args : "/opt/McAfee/agent/scripts/ma" and process.parent.args : "checkhealth") or + (process.command_line : ( + "grep ESET Command-line scanner, version %s -A2", + "grep -i McAfee Web Gateway Core version:", + "grep --color=auto ESET Command-line scanner, version %s -A2" + ) + ) + ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml index 191145340..4e8ddc53c 100644 --- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml +++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/22" [rule] author = ["Elastic"] @@ -58,7 +58,14 @@ references = [ risk_score = 73 rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -69,21 +76,21 @@ process where event.type in ("start", "process_started") and /* noisy FPs */ not (process.parent.name : "timeout" and process.executable : "/var/lib/docker/overlay*") and - not process.command_line : ("*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*", "*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*") and + not process.command_line : ( + "*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*", + "*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*", "*/dev/tcp/itom-vault/*") and not process.parent.command_line : "runc init" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml index e0cdafbb3..9cf5d2259 100644 --- a/rules/cross-platform/execution_suspicious_jar_child_process.toml +++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml @@ -2,9 +2,9 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/22" [rule] author = ["Elastic"] 
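Review bot: `"*/dev/tcp/itom-vault/*"` extends a list of environment-specific hostnames (`sirh_db`, `elk.stag.one`, `kafka`, now `itom-vault`) that are unbounded `*` patterns over the whole `process.command_line`, so a command line that merely contains that string anywhere is excluded along with the genuine false positive. Site-specific hosts are better handled as rule exceptions than baked into a shared rule, and if they must stay, a short `/* ... */` comment beside the list naming the source of each entry makes later tuning safer. The `process where` query this list belongs to starts before the hunk.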
@@ -14,7 +14,7 @@ malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Suspicious JAVA Child Process" note = """## Triage and analysis @@ -60,32 +60,46 @@ references = [ risk_score = 47 rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where event.type in ("start", "process_started") and - process.parent.name : "java" and - process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget") +event.category:process and event.type:("start" or "process_started") and process.parent.name:"java" and process.name:( + "sh" or "bash" or "dash" or "ksh" or "tcsh" or "zsh" or "curl" or "wget" +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" 
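Review bot: With `value = ["host.id", "process.command_line"]`, the rule fires only the first time a given command line is seen on a host within the 7-day `history_window_start`; a second, identical shell or curl/wget spawn from `java` later in the window is silent, which is a different trade-off from the previous EQL rule that, as far as the hunk shows, alerted on every matching event. Worth stating in the rule `note` (the triage guide starts outside this hunk) that repeat activity within the window does not re-alert, so analysts do not mistake silence for remediation. The same window semantics apply to the other new_terms conversions in this patch (auth module, authorized_keys, sudoers). Separately, the subtechnique block still reads `T1059.007` "JavaScript" for a rule about child processes of `java`; it is carried over unchanged, so hedged, but it may be a mis-mapping worth checking.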
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml index 033920b2e..99fc5e61d 100644 --- a/rules/cross-platform/impact_hosts_file_modified.toml +++ b/rules/cross-platform/impact_hosts_file_modified.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/22" [rule] author = ["Elastic"] @@ -73,7 +73,8 @@ any where miss this, which is the purpose of the process + command line args logic below */ ( event.category == "file" and event.type in ("change", "creation") and - file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") + file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") and + not process.name in ("dockerd", "rootlesskit", "podman", "crio") ) or @@ -81,26 +82,25 @@ any where ( event.category == "process" and event.type in ("start") and process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and - process.args : ("/etc/hosts") + process.args : ("/etc/hosts") and + not process.parent.name in ("dhclient-script", "google_set_hostname") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1565" name = "Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/" + [[rule.threat.technique.subtechnique]] id = "T1565.001" name = "Stored Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/001/" - - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml index 31f1f7479..b81101419 100644 
--- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml +++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml @@ -2,9 +2,9 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/22" [rule] author = ["Elastic"] @@ -29,9 +29,16 @@ references = [ risk_score = 47 rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "query" +type = "new_terms" query = ''' event.category:file and event.type:change and @@ -40,19 +47,11 @@ event.category:file and event.type:change and (* and not ( - /bin/yum or - "/usr/sbin/pam-auth-update" or /usr/libexec/packagekitd or - /usr/bin/dpkg or /usr/bin/vim or /usr/libexec/xpcproxy or /usr/bin/bsdtar or /usr/local/bin/brew or - /usr/bin/rsync or - /usr/bin/yum or - /var/lib/docker/*/bin/yum or - /var/lib/docker/*/bin/dpkg or - ./merged/var/lib/docker/*/bin/dpkg or "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service" ) ) and 
@@ -62,32 +61,45 @@ event.category:file and event.type:change and /tmp/newroot/lib/*/pam_*.so or /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or /tmp/newroot/usr/lib64/security/pam_*.so + ) and + not process.name: + ( + yum or dnf or rsync or platform-python or authconfig or rpm or pdkg or apk or dnf-automatic or btrfs or + dpkg or pam-auth-update or steam or platform-python3.6 or pam-config or microdnf or yum_install or yum-cron or + systemd or containerd or pacman ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.executable", "file.path"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml index 0cb0b70d9..da32aff27 100644 --- a/rules/cross-platform/persistence_shell_profile_modification.toml +++ b/rules/cross-platform/persistence_shell_profile_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/22" [rule] author = ["Elastic"] 
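Review bot: `pdkg` in the new `not process.name:` list looks like a typo for `dpkg`, which already appears two entries later, so it is a dead entry; drop it or confirm that a binary by that name exists. The list also excludes `rsync`, `systemd`, `containerd` and `platform-python` by bare name, which for a PAM module/config modification rule is a wide carve-out: a `pam_*.so` written by any process bearing one of those names, from any path, never reaches the new_terms evaluation. The previous hunk removed path-pinned entries such as `/usr/bin/rsync` and `/bin/yum`; if package-manager noise is the motivation, keeping the path form via `process.executable` for the broad names retains that precision. The `event.category:file` query this list belongs to starts before the hunk.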
@@ -24,26 +24,22 @@ references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware- risk_score = 47 rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "query" query = ''' event.category:file and event.type:change and - process.name:(* and not (sudo or - vim or - zsh or - env or - nano or - bash or - Terminal or - xpcproxy or - login or - cat or - cp or - launchctl or - java)) and - not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and + process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or + launchctl or java or dnf or tailwatchd or ldconfig or yum or semodule or cpanellogd or dockerd or authselect or chmod or + dnf-automatic or git or dpkg or platform-python)) and + not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*) and file.path:(/private/etc/rc.local or /etc/rc.local or /home/*/.profile or @@ -55,22 +51,20 @@ event.category:file and event.type:change and /Users/*/.zshenv) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.004" name = "Unix Shell Configuration Modification" reference = "https://attack.mitre.org/techniques/T1546/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml index b6e6fbf20..3ad311540 100644 --- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml +++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml @@ -2,9 +2,9 @@ creation_date = "2020/12/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/22" [rule] author = ["Elastic"] @@ -20,9 +20,16 @@ name = "SSH Authorized Keys File Modification" risk_score = 47 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "query" +type = "new_terms" query = ''' event.category:file and event.type:(change or creation) and @@ -42,13 +49,14 @@ event.category:file and event.type:(change or creation) and /opt/jc/bin/jumpcloud-agent) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.004" name = "SSH Authorized Keys" 
@@ -59,14 +67,14 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" + [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" @@ -76,6 +84,7 @@ reference = "https://attack.mitre.org/techniques/T1563/001/" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" @@ -85,3 +94,11 @@ reference = "https://attack.mitre.org/techniques/T1021/004/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.executable", "file.path"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml index 36967a399..7320c3562 100644 --- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml +++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml @@ -2,9 +2,9 @@ creation_date = "2020/04/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/22" [rule] author = ["Elastic"] 
@@ -22,28 +22,34 @@ rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" -type = "query" +type = "new_terms" query = ''' event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.executable", "file.path"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml index 7e05fe4d8..dae299664 100644 --- a/rules/linux/command_and_control_cat_network_activity.toml +++ b/rules/linux/command_and_control_cat_network_activity.toml 
@@ -53,10 +53,10 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and - process.name == "cat"] - [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and - process.name == "cat"] + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "cat" and + process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] + [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and process.name == "cat" and + destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ''' [[rule.threat]] diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml index eedd58e85..b70caa291 100644 --- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml 
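Review bot: The new parent-shell list in the process step, `process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")`, omits `ash`, while the tunneling hunk at L23–L24, the python TTY hunk at L38, the shell-evasion hunk at L39 and the java hunk at L41 all include it, so a `cat` spawned from an `ash`-style shell is excluded here for no stated reason; the lolbin parent list at L42–L43 has the same omission. Suggest `process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")`, or a `//` comment explaining why the difference is deliberate. The `cidrmatch` exclusion added to the network step matches the set used at L43, which is good for consistency.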
@@ -57,19 +57,21 @@ timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (( -// gost & pivotnacci - spawned without process.parent.name -(process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or ( -// ssh -(process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "D", "-w") and process.args_count >= 4)) or -// sshuttle -(process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or -// socat -(process.name == "socat" and process.args : ("TCP4-LISTEN:*", "SOCKS*") and process.args_count >= 3) or -// chisel -(process.name : "chisel*" and process.args in ("client", "server")) or -// iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok -(process.name in ("iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok")) -) and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")) + // gost & pivotnacci - spawned without process.parent.name + (process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or ( + // ssh + (process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "D", "-w") and process.args_count >= 4 and + not process.args : "chmod")) or + // sshuttle + (process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or + // socat + (process.name == "socat" and process.args : ("TCP4-LISTEN:*", "SOCKS*") and process.args_count >= 3) or + // chisel + (process.name : "chisel*" and process.args in ("client", "server")) or + // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok + (process.name in ("iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok")) + ) and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", 
"fish") +) ''' [[rule.threat]] diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml index 1cce40900..03d592c7c 100644 --- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/07/31" +updated_date = "2023/09/25" [rule] author = ["Elastic"] 
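Review bot: The ssh branch keeps `process.args in ("-R", "-L", "D", "-w")` on the new side, and the bare `"D"` looks like a typo for `"-D"` (ssh's dynamic-forwarding option), so that forwarding mode is not matched at all while `-R`, `-L` and `-w` are; since the whole block was re-indented in this hunk it is a cheap moment to fix it: `(process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "-D", "-w") and process.args_count >= 4 and`. The new `not process.args : "chmod"` exclusion drops any ssh invocation whose argument list contains `chmod` anywhere, which is broader than a single remote-command pattern; a `//` comment naming the benign tooling it was added for would help future tuning. The `[[rule.threat]]` block that follows is outside the hunk.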
@@ -23,69 +23,35 @@ name = "Suspicious Network Activity to the Internet by Previously Unknown Execut risk_score = 21 rule_id = "53617418-17b4-4e9c-8a2c-8deb8086ca4b" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" query = ''' -host.os.type:linux and event.category:network and -event.action:(connection_attempted or ipv4_connection_attempt_event) and -process.executable : ( - (/etc/crontab or - /etc/rc.local or - /boot/* or - /dev/shm/* or - /etc/cron.*/* or - /etc/init.d/* or - /etc/rc*.d/* or - /etc/update-motd.d/* or - /home/*/.* or - /run/* or - /srv/* or - /tmp/* or - /usr/lib/update-notifier/* or - /var/tmp/*) and - not (/usr/bin/apt or - /usr/bin/curl or - /usr/bin/dnf or - /usr/bin/dockerd or - /usr/bin/dpkg or - /usr/bin/rpm or - /usr/bin/wget or - /usr/bin/yum) - ) -and source.ip : ( - 10.0.0.0/8 or - 127.0.0.0/8 or - 172.16.0.0/12 or - 192.168.0.0/16) and - not destination.ip : ( - 10.0.0.0/8 or - 100.64.0.0/10 or - 127.0.0.0/8 or - 169.254.0.0/16 or - 172.16.0.0/12 or - 192.0.0.0/24 or - 192.0.0.0/29 or - 192.0.0.10/32 or - 192.0.0.170/32 or - 192.0.0.171/32 or - 192.0.0.8/32 or - 192.0.0.9/32 or - 192.0.2.0/24 or - 192.168.0.0/16 or - 192.175.48.0/24 or - 192.31.196.0/24 or - 192.52.193.0/24 or - 192.88.99.0/24 or - 198.18.0.0/15 or - 198.51.100.0/24 or - 203.0.113.0/24 or - 224.0.0.0/4 or - 240.0.0.0/4 or - "::1" or - "FE80::/10" or - "FF00::/8") +host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and +process.executable:( + (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* 
or /etc/rc*.d/* or + /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/* + ) and not (/tmp/newroot/* or /tmp/snap.rootfs*) + ) and +source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and +not process.name:( + apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or + saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform* +) and +not destination.ip:( + 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or + 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or + 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or + 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" +) ''' [[rule.threat]] @@ -103,8 +69,8 @@ reference = "https://attack.mitre.org/tactics/TA0011/" [rule.new_terms] field = "new_terms_fields" -value = ["destination.ip", "process.executable"] +value = ["host.id", "destination.ip", "process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" +value = "now-14d" diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml index 1f242cfb8..9a30bc6cd 100644 --- a/rules/linux/credential_access_collection_sensitive_files.toml +++ b/rules/linux/credential_access_collection_sensitive_files.toml 
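Review bot: The allow-list moved from absolute paths (`not (/usr/bin/apt or /usr/bin/curl or …)` on the old side) to bare names with wildcards, `not process.name:(apt or chrome or curl … or ansible* or aws* or php* or pip* or python* or steam* or terraform*)`, so any executable under the watched directories (`/tmp/*`, `/dev/shm/*`, `/home/*/.*`, …) that merely carries one of those names is now exempt; since the rule's premise is an unknown executable in those locations, that is a noticeable loss of precision compared with path-anchored exclusions. Where the benign cases are known system packages, `not process.executable:(/usr/bin/apt or /usr/bin/curl or …)` keeps the old precision, and the reason for each name-based entry belongs in `false_positives` or the rule `note`. The added `./*` pattern in `process.executable:(…)` also appears in the pid-file rule at L37, so it is presumably deliberate, but `process.executable` is normally absolute — confirm the data source emits relative values before relying on it. The `[rule]` header and `name` of this rule are outside the hunk.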
@@ -2,9 +2,9 @@ creation_date = "2020/12/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/19" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -60,9 +60,17 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "query" +type = "new_terms" query = ''' event.category:process and host.os.type:linux and event.type:start and 
@@ -99,39 +107,46 @@ event.category:process and host.os.type:linux and event.type:start and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.001" name = "Credentials In Files" reference = "https://attack.mitre.org/techniques/T1552/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" + [[rule.threat.technique.subtechnique]] id = "T1560.001" name = "Archive via Utility" reference = "https://attack.mitre.org/techniques/T1560/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.command_line", "process.parent.executable"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-10d" diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml index a5c038256..5dda1e40a 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/28" +updated_date = "2023/09/25" [rule] author = ["Elastic"] 
@@ -17,6 +17,7 @@ from = "now-9m" index = ["logs-system.auth-*"] language = "eql" license = "Elastic License v2" +max_signals = 5 name = "Potential External Linux SSH Brute Force Detected" note = """## Triage and analysis @@ -59,10 +60,14 @@ In case this rule generates too much noise and external brute forcing is of not risk_score = 21 rule_id = "fa210b61-b627-4e5e-86f4-17e8270656ab" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" query = ''' -sequence by host.id, source.ip, user.name with maxspan=5s +sequence by host.id, source.ip, user.name with maxspan=15s [ authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and event.outcome == "failure" and not cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index fae0e736c..22d42490d 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/28" +updated_date = "2023/09/25" [rule] author = ["Elastic"] @@ -17,6 +17,7 @@ from = "now-9m" index = ["logs-system.auth-*"] language = "eql" license = "Elastic License v2" +max_signals = 5 name = "Potential Internal Linux SSH Brute Force Detected" note = """## Triage and analysis 
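Review bot: `max_signals = 5` caps the alerts a single rule execution can emit, and because the sequence is keyed `by host.id, source.ip, user.name`, a run (the rule looks back `from = "now-9m"`) in which more than five distinct host/source/account triples are being brute-forced silently drops the rest; the internal rule later in this same group gets the identical cap. Nothing in the rule's `note` tells the analyst that alert counts are truncated. A sentence in the triage section such as "Alerting is capped at 5 signals per rule execution; a broad password spray may show fewer alerts than affected accounts" would close that gap. The `note = """…"""` block this hunk touches continues outside the hunk.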
@@ -55,10 +56,14 @@ The rule identifies consecutive internal SSH login failures targeting a user acc risk_score = 47 rule_id = "1c27fa22-7727-4dd3-81c0-de6da5555feb" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" query = ''' -sequence by host.id, source.ip, user.name with maxspan=5s +sequence by host.id, source.ip, user.name with maxspan=15s [ authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and event.outcome == "failure" and cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", diff --git a/rules/linux/credential_access_bruteforce_password_guessing.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml similarity index 93% rename from rules/linux/credential_access_bruteforce_password_guessing.toml rename to rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml index 691f6575b..aba73a13e 100644 --- a/rules/linux/credential_access_bruteforce_password_guessing.toml +++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/09/05" +updated_date = "2023/09/25" [rule] author = ["Elastic"] 
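Review bot: The reformatted `tags = ["Domain: Endpoint",` puts the first element on the bracket line and the rest one per line, whereas the other multi-line `tags` arrays in this commit (L25, L27, L31, L35, L37, L42) open with a bare `tags = [` and list every element on its own line; the external brute-force rule at L29 has the same half-wrapped form. Use `tags = [` followed by `"Domain: Endpoint",` on its own line so the three brute-force rules format identically.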
@@ -50,10 +50,15 @@ The rule identifies consecutive SSH login failures followed by a successful logi risk_score = 73 rule_id = "8cb84371-d053-4f4f-bce0-c74990e28f28" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" query = ''' -sequence by host.id, source.ip, user.name with maxspan=3s +sequence by host.id, source.ip, user.name with maxspan=15s [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10 diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index c54c4dadc..a853ae8fc 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -73,7 +73,8 @@ type = "eql" query = ''' file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and ( - (file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history")) or + (file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history", ".google_authenticator", + ".jelenv", ".csvignore", ".rtreport")) or file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or file.path : ( diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml index 3d6d9fa3a..a092ad3ad 100644 --- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml +++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml 
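Review bot: In the backdoor-log hunk the `not file.name : (…)` exclusion grows to seven hidden-file names (`.google_authenticator`, `.jelenv`, `.csvignore`, `.rtreport` added) with no record of which legitimate sshd or PAM component writes each one, so the next tuner cannot tell which entries are still needed. EQL `/* … */` comments are already used in this repo, so a line above the list such as `/* hidden files written by benign sshd/PAM helpers: <writer per name — fill in> */` would preserve that context. The `file.path : (` list and the `[[rule.threat]]` block of this rule are outside the hunk.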
@@ -53,7 +53,7 @@ type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and - process.name in ("cp", "mv", "cat") and process.args : ( + process.name in ("cp", "mv") and process.args : ( // Shells "/bin/*sh", "/usr/bin/*sh", @@ -71,10 +71,10 @@ sequence by host.id, process.entity_id with maxspan=1s "/usr/bin/mknod", "/bin/ping*", "/usr/bin/ping*", "/bin/nmap", "/usr/bin/nmap", // System utilities - "/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat", "/bin/mv", "/usr/bin/mv", "/bin/cp", "/usr/bin/cp", - "/bin/sudo", "/usr/bin/sudo", "/bin/curl", "/usr/bin/curl", "/bin/wget", "/usr/bin/wget", "/bin/tmux", - "/usr/bin/tmux", "/bin/screen", "/usr/bin/screen", "/bin/ssh", "/usr/bin/ssh", "/bin/ftp", "/usr/bin/ftp" - )] + "/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat", "/bin/sudo", "/usr/bin/sudo", "/bin/curl", "/usr/bin/curl", + "/bin/wget", "/usr/bin/wget", "/bin/tmux", "/usr/bin/tmux", "/bin/screen", "/usr/bin/screen", "/bin/ssh", + "/usr/bin/ssh", "/bin/ftp", "/usr/bin/ftp" + ) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")] [file where host.os.type == "linux" and event.action == "creation" and file.path : ( "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*" )] @@ -88,6 +88,15 @@ id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename System Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index db94ce007..1f7d0900f 100644 
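Review bot: The new exclusion `not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")` keys on the parent's bare name, so any copy of a shell or network utility into the staging directories (`/tmp/*`, `/dev/shm/*`, `/var/www/*`, …) is ignored whenever the parent is called `platform-python`, which is a general-purpose interpreter rather than a single known job. If the false positives come from one specific distro maintenance script, anchoring on `process.parent.executable` or on that script's `process.parent.args` keeps the exclusion narrow; at minimum a `//` comment naming the benign job would document the intent. The `[file where …]` step that follows is unchanged context.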
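Review bot: The added `[[rule.threat.technique]]` for T1036 and its `[[rule.threat.technique.subtechnique]]` run straight into `[rule.threat.tactic]` with no separating blank line, whereas every other technique block touched in this commit (L20, L21, L28, L34, L35) is separated from its neighbours by one; insert a blank line after `reference = "https://attack.mitre.org/techniques/T1036/003/"`. It is valid TOML either way, but the commit is otherwise normalising this spacing.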
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -2,9 +2,9 @@ creation_date = "2020/04/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/10/13" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/25" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ ] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "File Permission Modification in Writable Directory" risk_score = 21 
@@ -65,27 +65,31 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "linux" and event.type == "start"and - process.name in ("chmod", "chown", "chattr", "chgrp") and - process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and - not process.parent.name in ("update-motd-updates-available") and - not user.name == "root" +host.os.type:linux and event.category:process and event.type:start and +process.name:(chmod or chown or chattr or chgrp) and +process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.parent.executable", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index f4a3a4375..e8bd27f95 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml 
@@ -63,7 +63,14 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -83,25 +90,23 @@ file where host.os.type == "linux" and event.type == "deletion" and "/var/log/boot.log", "/var/log/kern.log" ) and - not process.name : ("gzip") + not process.name in ("gzip", "executor", "dockerd") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 8788f5d17..0dbf80516 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -62,8 +62,7 @@ event.category:process and host.os.type:linux and event.type:start and ( (process.name:(lsmod or modinfo)) or (process.name:kmod and process.args:list) or (process.name:depmod and process.args:(--all or -a)) -) and process.parent.name:(sudo or bash or dash or ash or sh or tcsh or csh or zsh or ksh or fish) and -not process.parent.user.id:0 +) ''' [[rule.threat]] 
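Review bot: `not process.name in ("gzip", "executor", "dockerd")` excludes deletions of the listed log files by anything simply named `executor`, a generic name that does not identify a product, and by `dockerd` on bare name too; because this rule exists to catch log wiping, an unexplained generic-name exclusion is exactly the kind of entry that erodes it over time. If these are known rotation or container-runtime agents, anchoring on `process.executable` (the full path of the `executor` binary, which I cannot see here) or at least adding `// <agent>: removes /var/log/* during <activity>` above the line keeps the exclusion auditable. The `file.path : (` list this `not` clause closes starts outside the hunk.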
@@ -81,7 +80,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["process.parent.name", "host.id"] +value = ["host.id", "process.command_line", "process.parent.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml index 17df0d288..aa1a36374 100644 --- a/rules/linux/discovery_suid_sguid_enumeration.toml +++ b/rules/linux/discovery_suid_sguid_enumeration.toml @@ -57,8 +57,10 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "find" and process.args : "-perm" and process.args : ( "/6000", "-6000", "/4000", "-4000", "/2000", "-2000", "/u=s", "-u=s", "/g=s", "-g=s", "/u=s,g=s", "/g=s,u=s" -) and -not user.Ext.real.id == "0" and not group.Ext.real.id == "0" +) and not ( + user.Ext.real.id == "0" or group.Ext.real.id == "0" or process.args_count >= 12 or + (process.args : "/usr/bin/pkexec" and process.args : "-xdev" and process.args_count == 7) +) ''' [[rule.threat]] diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml index 2b41f1238..3137222fe 100644 --- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml +++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml @@ -53,7 +53,8 @@ type = "eql" query = ''' sequence by host.id, process.parent.entity_id with maxspan=1s [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and - process.name == "id" and process.args_count == 2] with runs=20 + process.name == "id" and process.args_count == 2 and + not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20 ''' [[rule.threat]] 
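Review bot: In the SUID-enumeration hunk the new exclusion `process.args_count >= 12` is a bare magic number: any `find … -perm` invocation with twelve or more arguments is skipped, including a hand-typed enumeration that adds a few `-type`/`-exec` terms, and nothing records why 12 was chosen; the sibling term `(process.args : "/usr/bin/pkexec" and process.args : "-xdev" and process.args_count == 7)` is equally specific and equally undocumented. EQL comments are already used in this repo, so a line above the block such as `// >=12 args and the pkexec/-xdev 7-arg form come from <benign scanner — fill in>` would let the next reviewer judge whether the threshold still fits. The `[[rule.threat]]` block follows outside the hunk.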
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index d8f7e5f4c..0a9a75116 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -102,7 +102,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -115,7 +123,7 @@ user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* o process.executable : ( ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/* )) -) and not process.name : (go or git) +) and not process.name : (go or git or containerd* or snap-confine) ''' [[rule.threat]] @@ -133,7 +141,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" -value = ["process.executable", "file.path"] +value = ["host.id", "process.executable", "file.path"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 97d813820..0f6f35c31 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml 
@@ -54,10 +54,10 @@ type = "eql" query = ''' process where host.os.type == "linux" and event.action in ("exec", "exec_event") and ( - (process.parent.name : "python*" and process.name : "*sh" and process.parent.args_count >= 3 and - process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or - (process.parent.name : "python*" and process.name : "*sh" and process.args : "*sh" and process.args_count == 1 - and process.parent.args_count == 1) + (process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", + "fish") and process.parent.args_count >= 3 and process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or + (process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", + "fish") and process.args : "*sh" and process.args_count == 1 and process.parent.args_count == 1) ) ''' diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index 6f6c86241..44daa3eed 100644 --- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml @@ -50,7 +50,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] +timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index 451fd92b1..65cae9af9 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml 
+++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -141,7 +141,7 @@ process where host.os.type == "linux" and event.type == "start" and (process.name == "capsh" and process.args == "--") or /* launching shells from unusual parents or parent+arg combos */ - (process.name : "*sh" and ( + (process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and ( (process.parent.name : "*awk" and process.parent.args : "BEGIN {system(*)}") or (process.parent.name == "git" and process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh") and not process.name == "ssh" ) or diff --git a/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml b/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml index 44cc4040c..edaab1cf7 100644 --- a/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml +++ b/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml @@ -17,7 +17,8 @@ from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" -name = "Potential Reverse Shell via Suspicious Parent Process" +name = "Deprecated - Potential Reverse Shell via Suspicious Parent Process" +note = "This rule was deprecated due to its addition to the umbrella `Potential Reverse Shell via Suspicious Child Process` (76e4d92b-61c1-4a95-ab61-5fd94179a1ee) rule." references = [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ] 
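Review bot: With `process.name` now restricted to `("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")`, the trailing `and not process.name == "ssh"` on the unchanged `git` line two lines below can never be false and is dead logic that suggests `ssh` children are still in scope; drop it so the branch reads `(process.parent.name == "git" and process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh")) or`. That line also mixes `and`/`or` without parentheses, so the `or process.args : (…)` alternative applies to any parent, not just `git` — if that is unintended, bracket it explicitly while touching the line. The enclosing `process where …` query starts well before this hunk.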
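Review bot: Renaming to `Deprecated - Potential Reverse Shell via Suspicious Parent Process` and adding the deprecation `note` sits oddly with the query tuning the same commit applies to this rule in the hunk at L40 (`not process.args == "/usr/bin/supervisord"`, `not process.args == "-z"`, `:` → `==`): a rule being retired in favour of `76e4d92b-61c1-4a95-ab61-5fd94179a1ee` should not also receive behaviour changes that will never be reviewed again. Either drop the L40 tuning or, if the rule stays active for a release, leave the name/`note` change to the actual deprecation commit; the `maturity` field that normally carries the deprecated state is outside this hunk, so I cannot tell whether it was updated. Also confirm that the new `note = "…"` does not collide with an existing multi-line `note = """…"""` in the same table — a `"""` closing a long string is visible in the L40 hunk but its key is not.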
@@ -48,7 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click Save and Continue. - To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] @@ -56,13 +56,13 @@ type = "eql" query = ''' sequence by host.id, process.parent.entity_id with maxspan=1s [ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and ( - (process.name : "python*" and process.args : "-c") or - (process.name : "php*" and process.args : "-r") or - (process.name : "perl" and process.args : "-e") or - (process.name : "ruby" and process.args : ("-e", "-rsocket")) or - (process.name : "lua*" and process.args : "-e") or + (process.name : "python*" and process.args == "-c" and not process.args == "/usr/bin/supervisord") or + (process.name : "php*" and process.args == "-r") or + (process.name : "perl" and process.args == "-e") or + (process.name : "ruby" and process.args in ("-e", "-rsocket")) or + (process.name : "lua*" and process.args == "-e") or (process.name : "openssl" and process.args : "-connect") or - (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or + (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args == "-z") or (process.name : "telnet" and process.args_count >= 3) or (process.name : "awk")) and process.parent.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ] diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml index 36a76f1f2..d06677ec9 100644 
--- a/rules/linux/execution_shell_via_java_revshell_linux.toml +++ b/rules/linux/execution_shell_via_java_revshell_linux.toml @@ -54,12 +54,14 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: type = "eql" query = ''' sequence by host.id with maxspan=5s -[ network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and - process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and - destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] by process.entity_id -[ process where host.os.type == "linux" and event.action == "exec" and - process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and - process.parent.args : "-jar" and process.executable : "*sh" ] by process.parent.entity_id + [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and + process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and + destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" + ] by process.entity_id + [process where host.os.type == "linux" and event.action == "exec" and + process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and + process.parent.args : "-jar" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") + ] by process.parent.entity_id ''' [[rule.threat]] diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml index 443509f2f..2f3f8d0a6 100644 --- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml +++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml 
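Review bot: The network step still filters loopback with `destination.ip != "127.0.0.1" and destination.ip != "::1"`, while the same check in this commit's `cat` hunk (L22) and lolbin hunk (L43) was rewritten as `not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")`; as written here any other `127.x` address, link-local or multicast destination still starts a sequence. Aligning to `destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")` keeps the three rules' noise profile consistent. The shell list in the process step now matches the one used at L38/L39, which is good.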
@@ -51,24 +51,40 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend"
+ ]
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
-[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
- (process.name : "python*" and process.args : "-c") or
- (process.name : "php*" and process.args : "-r") or
- (process.name : "perl" and process.args : "-e") or
- (process.name : "ruby" and process.args : ("-e", "-rsocket")) or
- (process.name : "lua*" and process.args : "-e") or
- (process.name : "openssl" and process.args : "-connect") or
- (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or
- (process.name : "telnet" and process.args_count >= 3) or
- (process.name : "awk")) and
- process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ]
-[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
- process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and
- destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ]
+ [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and (
+ (process.name : "python*" and process.args : "-c" and process.args : (
+ "*import*pty*spawn*", "*import*subprocess*call*"
+ )) or
+ (process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : (
+ "*exec*", "*system*"
+ )) or
+ (process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : (
+ "*TCPSocket.new*", "*TCPSocket.open*"
+ )) or
+ (process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : (
+ "*io.popen*", "*os.execute*"
+ )) or
+ (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or
+ (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or
+ (process.name : "openssl" and process.args : "-connect") or
+ (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args == "-z") or
+ (process.name : "telnet" and process.args_count >= 3)
+ ) and process.parent.name : (
+ "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*",
+ "openssl", "nc", "netcat", "ncat", "telnet", "awk")]
+ [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
+ process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and
+ destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
 '''
 [[rule.threat]]
diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
index a743d7bfe..5f5dba990 100644
--- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
+++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
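Review bot: The two stages of the sequence no longer agree on process names: the exec stage accepts `perl*`, `ruby*` and `gawk`/`mawk`/`nawk`, but the network stage still lists `"perl"`, `"ruby"` and `"awk"`, so a process named e.g. `perl5.34` or `gawk` matches the first stage and can never complete the second (the join is on `process.entity_id`, so both stages must be the same process). Align the second stage: `process.name : ("python*", "php*", "perl*", "ruby*", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "gawk", "mawk", "nawk") and`. The `"*import*pty*spawn*"`-style argument patterns narrow this rule to specific one-liners; a sentence in the rule description stating that this is a deliberate precision-over-coverage trade-off would help the next tuner.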
@@ -55,12 +55,13 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 type = "eql"
 query = '''
 sequence by host.id with maxspan=1s
-[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
- process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and
- destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] by process.entity_id
-[ process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "fork") and
- process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
- process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") ] by process.parent.entity_id
+ [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
+ process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and
+ destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1"] by process.entity_id
+ [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and
+ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
+ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and not
+ process.args : "*imunify360-agent*"] by process.parent.entity_id
 '''
 [[rule.threat]]
diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
index 49c9fbd28..79d260c9a 100644
--- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
+++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
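Review bot: `not process.args : "*imunify360-agent*"` suppresses the whole sequence whenever any argument of the child shell contains that substring, which is a condition the command being observed supplies itself; exclusions are more robust when keyed on the legitimate agent's executable path than on a wildcard over argv. If the false positives come from the agent spawning shells, `not process.parent.executable : "<ABSOLUTE_PATH_OF_IMUNIFY360_AGENT>"` (placeholder for the installed path) is the narrower form. As noted on the java_revshell hunk, the network stage here still uses the `"127.0.0.1"`/`"::1"` check rather than the `cidrmatch` form adopted by the lolbin_interpreter rule in this commit.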
@@ -59,7 +59,12 @@ However, if more advanced configuration is required to detect specific behavior,
 """
 severity = "medium"
-tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml
index 0b079f747..1e92d95cc 100644
--- a/rules/linux/execution_suspicious_executable_running_system_commands.toml
+++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml
@@ -2,9 +2,9 @@ creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4"
-min_stack_version = "8.4.0"
-updated_date = "2023/10/16"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/25"
 [rule]
 author = ["Elastic"]
@@ -47,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click Save and Continue.
 - To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
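Review bot: `updated_date` moves backwards in the suspicious_executable_running_system_commands metadata hunk, from `"2023/10/16"` to `"2023/09/25"`, in the same change that raises `min_stack_version`; the ld_preload_shared_object_modif and sudo_hijacking metadata hunks further down carry the same regression. The insmod hunk in this commit uses `"2023/10/23"`, which is presumably the intended value: `updated_date = "2023/10/23"`. If the repository's rule-versioning tooling keys off this date, the older value may cause the bump to be missed.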
@@ -86,7 +85,7 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["process.executable"]
+value = ["host.id", "user.id", "process.executable"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
index 65b44554c..1fb436411 100644
--- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
+++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
@@ -49,21 +49,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Data Source: Elastic Defend"
+ ]
 type = "eql"
 query = '''
-sequence by host.id, process.entity_id with maxspan=1s
+sequence by process.entity_id, host.id with maxspan=1s
 [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
- and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or
- (process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and
+ and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and
 file.path : (
 "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
- "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not ((
- process.name : (
- "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
- "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
- "systemsettings", "vmis-launcher")) or file.path : "/etc/selinux/*" or (file.extension in ("qmlc", "txt")
- ))] with runs=25
+ "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25
 '''
 [[rule.threat]]
diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml
index 97e871911..cdcdefb45 100644
--- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml
+++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml
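Review bot: The reflowed `tags` array puts the first element on the `tags = [` line, unlike every other reflowed tags array in this commit, which places `tags = [` alone and one element per line; the ransomware_note_detected and discovery_potential_network_sweep hunks have the same shape. For consistency: `tags = [` / `"Domain: Endpoint",` / … / `]`. Separately, the retained `process.executable : "./*"` pattern reads as a relative path; if the data source reports executables as absolute paths (which I believe Elastic Defend does, worth confirming) that alternative never matches and could be dropped from both ransomware rules.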
@@ -50,21 +50,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Data Source: Elastic Defend"
+ ]
 type = "eql"
 query = '''
-sequence by host.id, process.entity_id with maxspan=1s
+sequence by process.entity_id, host.id with maxspan=1s
 [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
- and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or
- (process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and
+ and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and
 file.path : (
 "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
- "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not ((
- process.name : (
- "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
- "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
- "systemsettings", "vmis-launcher")) or (file.path : "/etc/selinux/*") or (file.extension in ("qmlc", "txt")
- ))] with runs=25
+ "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25
 [file where host.os.type == "linux" and event.action == "creation" and file.name : (
 "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*"
 )]
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index 81f127c75..415811d27 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
@@ -72,7 +72,8 @@ event.category:file and host.os.type:linux and event.type:change and
 /usr/bin/sftp or
 /usr/bin/ssh or
 /usr/sbin/sshd) or
- file.name:libkeyutils.so)
+ file.name:libkeyutils.so) and
+ not process.executable:/usr/share/elasticsearch/*
 '''
diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml
index 2d87b99bf..602b15e17 100644
--- a/rules/linux/persistence_cron_job_creation.toml
+++ b/rules/linux/persistence_cron_job_creation.toml
@@ -51,7 +51,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -60,7 +69,7 @@ host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "c
 file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or /etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "5") or
-file.extension : ("swp" or "swx"))
+file.extension : ("swp" or "swpx"))
 '''
 [[rule.threat]]
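Review bot: `not process.executable:/usr/share/elasticsearch/*` excludes an entire directory tree from a rule that watches `/usr/bin/ssh`, `/usr/sbin/sshd` and `libkeyutils.so`, so any binary placed under that tree can now modify those files without an alert; an exclusion this broad is better expressed as the exact executable that produced the false positive, e.g. `not process.executable:"<EXACT_ELASTICSEARCH_BINARY_PATH>"` (placeholder for the observed path). A sentence in the rule's `note` explaining why an Elasticsearch component touches these files would let a future tuner re-evaluate the exclusion. The start of this query is outside the hunk.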
@@ -119,8 +128,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["file.path", "process.name"]
+value = ["host.id", "file.path", "process.executable"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-10d"
diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml
index a69b50ca5..fe1533de0 100644
--- a/rules/linux/persistence_insmod_kernel_module_load.toml
+++ b/rules/linux/persistence_insmod_kernel_module_load.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/16"
+updated_date = "2023/10/23"
 integration = ["endpoint"]
 [rule]
@@ -15,7 +15,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Kernel module load via insmod"
+name = "Kernel Module Load via insmod"
 references = [
 "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"
 ]
@@ -49,12 +49,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Threat: Rootkit",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko"
+and not process.parent.name in ("cisco-amp-helper", "ksplice-apply")
 '''
 [[rule.threat]]
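Review bot: `and not process.parent.name in ("cisco-amp-helper", "ksplice-apply")` keys the exclusion on a bare process name, which any binary with that basename satisfies; this commit elsewhere moves new_terms keys from `process.name` to `process.executable` for exactly that reason, and the same form fits here: `and not process.parent.executable in ("<ABSOLUTE_PATH_OF_cisco-amp-helper>", "<ABSOLUTE_PATH_OF_ksplice-apply>")` (placeholders for the installed paths). A short phrase in the rule's `note` naming the two products would also help a reader who does not recognise the process names.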
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
index 043072fe1..6ef216a42 100644
--- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
@@ -149,7 +149,7 @@ event.action in ("exec", "exec_event") and process.parent.executable : (
 "/usr/local/lsws/bin/lswsctrl", "*/bin/catalina.sh"
 ) and
-process.name : ("*sh", "python*", "perl", "php*", "tmux") and
+process.name : ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "tmux") and
 process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") and
 not process.name == "phpquery"
 '''
diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml
index 170d7f94e..c55357c72 100644
--- a/rules/linux/persistence_message_of_the_day_creation.toml
+++ b/rules/linux/persistence_message_of_the_day_creation.toml
@@ -149,13 +149,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ]
 type = "new_terms"
 query = '''
 host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and
-file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not
-process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/kaniko/executor") and not
-file.extension : ("swp" or "swx")
+file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (
+ dpkg or dockerd or rpm or executor or dnf
+) and not file.extension : ("swp" or "swpx")
 '''
 [[rule.threat]]
@@ -173,8 +181,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["file.path", "process.name"]
+value = ["host.id", "file.path", "process.executable"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-10d"
diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml
index 7f2672014..2ef391fcd 100644
--- a/rules/linux/persistence_message_of_the_day_execution.toml
+++ b/rules/linux/persistence_message_of_the_day_execution.toml
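Review bot: The query's exclusion moves from exact `process.executable` paths to bare `process.name` terms, which both widens it (`executor` now matches any process with that name, not only `/kaniko/executor`) and makes it satisfiable by any binary given one of those names; this runs opposite to the new_terms key change in the same file, which switches from `process.name` to `process.executable`. Keeping the path form and adding the new entry would be `not process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/kaniko/executor" or "/usr/bin/dnf")`. The `"swx"` to `"swpx"` change looks like a correction of an editor temp-file extension (presumably the Vim swap-file probe); naming that in the rule description would stop it from being "fixed" back.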
@@ -148,15 +148,41 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and
-event.type == "start" and event.action : ("exec", "exec_event") and
-process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and
-process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "nc", "ncat",
-"netcat", "socat", "lua", "java", "openssl", "ruby", "telnet")
+process where event.type == "start" and event.action : ("exec", "exec_event") and
+process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and (
+ (process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and (
+ (process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*"))) or
+ (process.name : ("nc", "ncat", "netcat", "nc.openbsd") and process.args_count >= 3 and
+ not process.args : ("-*z*", "-*l*")) or
+ (process.name : "python*" and process.args : "-c" and process.args : (
+ "*import*pty*spawn*", "*import*subprocess*call*"
+ )) or
+ (process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : (
+ "*exec*", "*system*"
+ )) or
+ (process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : (
+ "*TCPSocket.new*", "*TCPSocket.open*"
+ )) or
+ (process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : (
+ "*io.popen*", "*os.execute*"
+ )) or
+ (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or
+ (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or
+ (process.name in ("openssl", "telnet"))
+) and
+not (process.parent.args : "--force" or process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch"))
 '''
 [[rule.threat]]
diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml
index 7ce4e1616..4f6508d26 100644
--- a/rules/linux/persistence_rc_script_creation.toml
+++ b/rules/linux/persistence_rc_script_creation.toml
@@ -134,12 +134,22 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ]
 type = "new_terms"
 query = '''
 host.os.type : "linux" and event.category : "file" and event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and
-file.path : "/etc/rc.local" and not process.name : ("dockerd" or "docker" or "dnf" or "yum" or "rpm" or "dpkg") and not file.extension : ("swp" or "swx")
+file.path : "/etc/rc.local" and not process.name : (
+ "dockerd" or "docker" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "dpkg"
+) and not file.extension : ("swp" or "swpx")
 '''
 [[rule.threat]]
@@ -162,7 +172,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.executable"]
+value = ["host.id", "process.executable", "user.id"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
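Review bot: The rewritten `process where` clause drops the `host.os.type == "linux"` predicate that the removed lines carried and that every other EQL rule in this commit keeps; the rule is tagged `OS: Linux` and its index list is not visible here, so if that list includes non-Linux endpoint data the rule now evaluates all of it (the `/etc/update-motd.d/*` parent path makes matches unlikely, but the OS filter is also the cheap first check). Restore it: `process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and`. The new `(process.name in ("openssl", "telnet"))` alternative carries no argument conditions, unlike the `-connect` / `args_count >= 3` forms used for the same tools in the lolbin_interpreter rule of this commit; if that loosening is deliberate for the motd context, a sentence in the rule description would help.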
diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml
index 1f05b3741..02892b697 100644
--- a/rules/linux/persistence_shared_object_creation.toml
+++ b/rules/linux/persistence_shared_object_creation.toml
@@ -52,30 +52,37 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and
 file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and
-process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher"))
+process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher"
+ or "pacman" or "apt-get" or "dnf"))
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1574.006"
 name = "Dynamic Linker Hijacking"
 reference = "https://attack.mitre.org/techniques/T1574/006/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -83,9 +90,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["file.path", "process.name"]
+value = ["host.id", "file.path", "process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
-
-
+value = "now-10d"
diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml
index 1c5be6028..3f36b04e2 100644
--- a/rules/linux/persistence_systemd_scheduled_timer_created.toml
+++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml
@@ -163,13 +163,23 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or
-/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : ("docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor")
+/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : (
+ "docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor" or "cloudflared"
+)
 '''
 [[rule.threat]]
@@ -192,8 +202,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["file.path", "process.name"]
+value = ["host.id", "file.path", "process.executable"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-10d"
diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml
index 31f6d7d6a..e79968b90 100644
--- a/rules/linux/persistence_systemd_service_creation.toml
+++ b/rules/linux/persistence_systemd_service_creation.toml
@@ -53,20 +53,38 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-host.os.type : "linux" and event.action : ("creation" or "file_create_event") and
-file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or
-/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not
-(process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or
- "elastic-agent" or "cinc-client") or file.extension : ("swp" or "swx"))
+host.os.type:linux and event.category:file and event.action:("creation" or "file_create_event") and file.path:(
+ /etc/systemd/system/* or
+ /usr/local/lib/systemd/system/* or
+ /lib/systemd/system/* or
+ /usr/lib/systemd/system/* or
+ /home/*/.config/systemd/user/*
+) and
+not (
+ process.name:(
+ "dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or "puppetd" or
+ "elastic-agent" or "cinc-client" or "chef-client" or "pacman" or "puppet" or "cloudflared"
+ ) or
+ file.extension:("swp" or "swpx")
+)
 '''
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
@@ -102,8 +120,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["file.path", "process.name"]
+value = ["host.id", "file.path", "process.executable"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-10d"
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index b25c6ff05..25cce2de2 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -2,9 +2,9 @@ creation_date = "2021/01/27"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/16"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/25"
 [rule]
 author = ["Elastic"]
@@ -60,31 +60,44 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "new_terms"
 query = '''
-event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and
-event.action:(updated or renamed or rename)
+host.os.type:linux and event.category:file and event.action:(updated or renamed or rename) and
+not event.type:deletion and file.path:/etc/ld.so.preload
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1574.006"
 name = "Dynamic Linker Hijacking"
 reference = "https://attack.mitre.org/techniques/T1574/006/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.executable"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
index 6a0b2c81d..55ff7e0e1 100644
--- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
+++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
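Review bot: Converting this rule from `type = "query"` to `type = "new_terms"` keyed on `host.id`, `user.id` and `process.executable` with a 10-day window means a write to `/etc/ld.so.preload` raises no alert when the same user on the same host already modified it through the same executable (shell, editor, `tee`, …) within the window; the previous form alerted on every modification of a file that is almost never legitimately written. The sudo_hijacking conversion later in this commit makes the same trade-off. If the goal is to quiet package-manager writes, an explicit `not process.executable:(…)` exclusion preserves per-event alerting; if the new_terms behaviour is intended, the rule description should say so, since responders will otherwise assume every modification is alerted on.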
@@ -54,8 +54,8 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
-event.type == "start" and process.name == "ln" and
+process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
+event.type == "start" and process.name == "ln" and
 process.args in ("-s", "-sf") and (
 /* suspicious files */
 (process.args in ("/etc/shadow", "/etc/shadow-", "/etc/shadow~", "/etc/gshadow", "/etc/gshadow-") or
diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml
index 6926f3b31..a76882c66 100644
--- a/rules/linux/privilege_escalation_sudo_hijacking.toml
+++ b/rules/linux/privilege_escalation_sudo_hijacking.toml
@@ -2,9 +2,9 @@ creation_date = "2023/07/26"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/10/16"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/25"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ enable persistence onto the system every time the sudo binary is executed.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Potential Sudo Hijacking Detected"
 references = ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"]
@@ -49,11 +49,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"
 query = '''
-file where event.type in ("creation", "file_create_event") and file.path == "/usr/bin/sudo"
+host.os.type:linux and event.category:file and event.type:("creation" or "file_create_event") and
+file.path:("/usr/bin/sudo" or "/bin/sudo") and not process.name:(docker or dockerd)
 '''
 [[rule.threat]]
@@ -86,3 +95,11 @@ reference = "https://attack.mitre.org/techniques/T1574/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.executable"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml
index 0c8bd9280..13acbd2c1 100644
--- a/rules/network/discovery_potential_network_sweep_detected.toml
+++ b/rules/network/discovery_potential_network_sweep_detected.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/31"
+updated_date = "2023/09/22"
 [rule]
 author = ["Elastic"]
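Review bot: The new exclusion `not process.name:(docker or dockerd)` keys on `process.name`, an attribute any binary can carry by being renamed, while the suppression key this same commit adds below is `process.executable`; if the intent is to ignore the Docker daemon writing `/usr/bin/sudo` during image layer extraction, an exclusion on the executable path (`not process.executable:<dockerd path placeholder>`) is the narrower form and matches the field the baseline already uses. Also worth stating in the rule's `note` (which precedes this hunk): with `new_terms_fields` of `host.id`, `user.id` and `process.executable`, a second replacement of sudo on the same host by an executable already seen in the `now-7d` window does not raise another alert.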
@@ -19,11 +19,16 @@ from = "now-9m"
 index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*",]
 language = "kuery"
 license = "Elastic License v2"
+max_signals = 5
 name = "Potential Network Sweep Detected"
 risk_score = 21
 rule_id = "781f8746-2180-4691-890c-4c96d11ca91d"
 severity = "low"
-tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
+tags = ["Domain: Network",
+ "Tactic: Discovery",
+ "Tactic: Reconnaissance",
+ "Use Case: Network Security Monitoring"
+ ]
 type = "threshold"
 query = '''
 destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml
index 24c72c77c..9cea2f75d 100644
--- a/rules/network/discovery_potential_port_scan_detected.toml
+++ b/rules/network/discovery_potential_port_scan_detected.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/31"
+updated_date = "2023/09/22"
 [rule]
 author = ["Elastic"]
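Review bot: The reformatted `tags` array keeps `"Domain: Network",` on the opening-bracket line while every other tag array reformatted in this commit starts each element on its own line; the same shape recurs in the next two hunks (discovery_potential_port_scan_detected.toml and discovery_potential_syn_port_scan_detected.toml). Moving the first element to its own line, `tags = [` followed by `"Domain: Network",`, makes the three network rules match the rest. Separately, `max_signals = 5` on a threshold rule caps alerts at five per execution, so if more than five threshold groups match in one interval the remainder is not surfaced; that is presumably the intended noise control, but it is worth a sentence in the rule's `note`.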
@@ -20,11 +20,16 @@ from = "now-9m"
 index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"]
 language = "kuery"
 license = "Elastic License v2"
+max_signals = 5
 name = "Potential Network Scan Detected"
 risk_score = 21
 rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b"
 severity = "low"
-tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
+tags = ["Domain: Network",
+ "Tactic: Discovery",
+ "Tactic: Reconnaissance",
+ "Use Case: Network Security Monitoring"
+ ]
 type = "threshold"
 query = '''
 destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml
index f294ca144..32c1b0ec8 100644
--- a/rules/network/discovery_potential_syn_port_scan_detected.toml
+++ b/rules/network/discovery_potential_syn_port_scan_detected.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/31"
+updated_date = "2023/09/22"
 [rule]
 author = ["Elastic"]
@@ -20,11 +20,16 @@ from = "now-9m"
 index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
+max_signals = 5
 name = "Potential SYN-Based Network Scan Detected"
 risk_score = 21
 rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409"
 severity = "low"
-tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
+tags = ["Domain: Network",
+ "Tactic: Discovery",
+ "Tactic: Reconnaissance",
+ "Use Case: Network Security Monitoring"
+ ]
 type = "threshold"
 query = '''
 destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
old mode 100644
new mode 100755
diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
index 22574493f..966145820 100644
--- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
+++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
@@ -2,9 +2,9 @@ creation_date = "2020/04/12"
 integration = ["auditd_manager"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/25"
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [
 from = "now-119m"
 interval = "60m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Enumeration of Kernel Modules via Proc"
 note = """## Setup
@@ -45,16 +45,17 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 risk_score = 21
 rule_id = "80084fa9-8677-4453-8680-b891d3c0c778"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+tags = [
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR"
+ ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"
 building_block_type = "default"
 query = '''
-file where host.os.type == "linux" and event.action == "opened-file" and file.path == "/proc/modules" and not
-(
- process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "SchedulerRunner", "grep") or
- process.parent.pid == 1 or process.title : "*grep*"
-)
+host.os.type:linux and event.category:file and event.action:"opened-file" and file.path:"/proc/modules"
 '''
 [[rule.threat]]
@@ -69,3 +70,12 @@ reference = "https://attack.mitre.org/techniques/T1082/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "process.executable"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml
index 5e2688a6b..6bd380bd5 100644
--- a/rules_building_block/discovery_linux_modprobe_enumeration.toml
+++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml
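Review bot: The `@@ -69,3 +70,12 @@` hunk inserts two blank lines before `[rule.new_terms]`, where the equivalent hunks for the modprobe and sysctl rules insert one; drop one for consistency. In the tags hunk, `"Domain: Endpoint"` disappears from the list while the remaining tags are kept; the sibling auditd_manager building-block rules in this commit never carried that tag, so this is presumably deliberate alignment, but it is a semantic change hidden inside a reformat and should be called out or restored. The query also drops the `process.name`, `process.parent.pid == 1` and `process.title : "*grep*"` exclusions in favour of the new-terms baseline on `host.id` and `process.executable`, so every executable reading `/proc/modules` alerts once per host per `now-7d` window, including the formerly excluded tools on first appearance; the same trade-off applies to the modprobe and sysctl conversions in the following hunks and deserves a sentence in each rule's `note`.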
@@ -2,9 +2,9 @@ creation_date = "2023/06/08"
 integration = ["auditd_manager"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/25"
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ system.
 from = "now-119m"
 interval = "60m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Suspicious Modprobe File Event"
 note = """## Setup
@@ -44,17 +44,18 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 risk_score = 21
 rule_id = "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd"
 severity = "low"
-tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+tags = [
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR"
+ ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"
 building_block_type = "default"
 query = '''
-file where host.os.type == "linux" and event.action == "opened-file" and
-file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not
-(
- process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp", "mkinitramfs",
- "readlink") or process.title : "*grep*" or process.parent.pid == 1
-)
+host.os.type:linux and event.category:file and event.action:"opened-file" and
+file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*)
 '''
 [[rule.threat]]
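Review bot: Spacing in the new KQL of the `@@ -44,17 +44,18 @@` hunk is mixed within one query: `event.action:"opened-file"` has no spaces around the colon while `file.path : (` does; the sysctl and proc-enumeration hunks below share this, so pick one form for the three rules. The value list `("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*)` mixes quoted and bare terms on purpose, since a `*` inside a quoted KQL string is matched literally and only the bare form is a wildcard; a short TOML comment above `query = '''` such as `# the bare /etc/modprobe.d/* term must stay unquoted for the wildcard to apply` (or the same sentence in `note`, if the repo's tooling strips comments) would stop a future formatter from quoting it.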
@@ -69,3 +70,11 @@ reference = "https://attack.mitre.org/techniques/T1082/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "process.executable", "file.path"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml
index 24fc90046..b929a3a02 100644
--- a/rules_building_block/discovery_linux_sysctl_enumeration.toml
+++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml
@@ -2,9 +2,9 @@ creation_date = "2023/06/08"
 integration = ["auditd_manager"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/25"
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ configuration files to modify kernel parameters, potentially compromising system
 from = "now-119m"
 interval = "60m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Suspicious Sysctl File Event"
 note = """## Setup
@@ -44,14 +44,18 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 risk_score = 21
 rule_id = "7592c127-89fb-4209-a8f6-f9944dfd7e02"
 severity = "low"
-tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+tags = [
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR"
+ ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"
 building_block_type = "default"
 query = '''
-file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
-file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and
-not process.name in ("auditbeat", "systemd-sysctl", "dpkg", "dnf", "yum", "rpm", "apt")
+host.os.type:linux and event.category:file and event.action:("opened-file" or "read-file" or "wrote-to-file") and
+file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*)
 '''
 [[rule.threat]]
@@ -66,3 +70,11 @@ reference = "https://attack.mitre.org/techniques/T1082/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "process.executable", "file.path"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
diff --git a/rules_building_block/discovery_suspicious_proc_enumeration.toml b/rules_building_block/discovery_suspicious_proc_enumeration.toml
index 9a8342266..61ccf6620 100644
--- a/rules_building_block/discovery_suspicious_proc_enumeration.toml
+++ b/rules_building_block/discovery_suspicious_proc_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+updated_date = "2023/09/25"
 [rule]
 author = ["Elastic"]
@@ -42,18 +42,25 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 risk_score = 21
 rule_id = "0787daa6-f8c5-453b-a4ec-048037f6c1cd"
 severity = "low"
-tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+tags = [
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR"
+ ]
 timestamp_override = "event.ingested"
 type = "threshold"
 building_block_type = "default"
 query = '''
-host.os.type : "linux" and event.category : "file" and event.action : "opened-file" and
-file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : "pidof" and
-not process.parent.pid : 1
+host.os.type:linux and event.category:file and event.action:"opened-file" and
+file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : (
+ ps or netstat or landscape-sysin or w or pgrep or pidof or needrestart or apparmor_status
+) and not process.parent.pid : 1
 '''
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1057"
 name = "Process Discovery"
@@ -72,6 +79,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 [rule.threshold]
 field = ["host.id", "process.pid", "process.name"]
 value = 1
+
 [[rule.threshold.cardinality]]
 field = "file.path"
 value = 100
diff --git a/rules_building_block/discovery_suspicious_which_command_execution.toml b/rules_building_block/discovery_suspicious_which_command_execution.toml
index b6cdb9dc9..11a5daab6 100644
--- a/rules_building_block/discovery_suspicious_which_command_execution.toml
+++ b/rules_building_block/discovery_suspicious_which_command_execution.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/30"
+updated_date = "2023/09/13"
 [rule]
 author = ["Elastic"]
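Review bot: `landscape-sysin` in the new `process.name` exclusion list looks like the 15-character truncated form of `landscape-sysinfo` (the kernel `comm` length that auditd reports), not a typo, yet nothing says so; the next maintainer may "correct" it and silently break the exclusion. A comment above `query = '''` such as `# landscape-sysin is not a typo: auditd reports comm truncated to 15 characters (landscape-sysinfo)`, or the same sentence in `note`, would preserve the intent. The list also grows from one quoted term (`"pidof"`) to eight bare ones; exclusions keyed on `process.name` are coarse because the name is self-reported, which is acceptable for a building-block rule but worth one line in `note` so the limitation is explicit.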
@@ -22,7 +22,7 @@ name = "Suspicious which Enumeration"
 risk_score = 21
 rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
 type = "eql"
 building_block_type = "default"
diff --git a/rules_building_block/persistence_suspicious_file_opened_through_editor.toml b/rules_building_block/persistence_suspicious_file_opened_through_editor.toml
index c34019245..3ba36c01c 100644
--- a/rules_building_block/persistence_suspicious_file_opened_through_editor.toml
+++ b/rules_building_block/persistence_suspicious_file_opened_through_editor.toml
@@ -3,7 +3,7 @@ creation_date = "2023/07/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/25"
+updated_date = "2023/09/26"
 integration = ["endpoint"]
 [rule]
@@ -20,6 +20,7 @@ interval = "60m"
 index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
+max_signals = 1
 name = "Potential Suspicious File Edit"
 risk_score = 21
 rule_id = "3728c08d-9b70-456b-b6b8-007c7d246128"
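Review bot: `max_signals = 1` in the `@@ -20,6 +20,7 @@` hunk of persistence_suspicious_file_opened_through_editor.toml, on a rule that runs every `60m` (per the hunk header context) against `logs-endpoint.events.*` and `endgame-*` fleet-wide, means at most one alert per execution however many hosts or files match; the other matches in that hour are not surfaced at all rather than grouped. If that is the intended behaviour for this building-block rule it should be stated in `note`, otherwise a higher cap is the safer choice for a persistence-related signal.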
@@ -35,9 +36,9 @@ file.path : ( /* common interesting files and locations */ "/etc/.shadow.swp", "/etc/.shadow-.swp", "/etc/.shadow~.swp", "/etc/.gshadow.swp", "/etc/.gshadow-.swp", "/etc/.passwd.swp", "/etc/.pwd.db.swp", "/etc/.master.passwd.swp", "/etc/.spwd.db.swp", "/etc/security/.opasswd.swp", - "/etc/.hosts.swp", "/etc/.environment.swp", "/etc/.profile.swp", "/etc/sudoers.d/.*.swp", - "/etc/ld.so.conf.d/.*.swp", "/etc/init.d/.*.swp", "/etc/.rc.local.swp", "/etc/rc*.d/.*.swp", - "/dev/shm/.*.swp", "/etc/update-motd.d/.*.swp", "/usr/lib/update-notifier/.*.swp", + "/etc/.environment.swp", "/etc/.profile.swp", "/etc/sudoers.d/.*.swp", "/etc/ld.so.conf.d/.*.swp", + "/etc/init.d/.*.swp", "/etc/.rc.local.swp", "/etc/rc*.d/.*.swp", "/dev/shm/.*.swp", "/etc/update-motd.d/.*.swp", + "/usr/lib/update-notifier/.*.swp", /* service, timer, want, socket and lock files */ "/etc/systemd/system/.*.swp", "/usr/local/lib/systemd/system/.*.swp", "/lib/systemd/system/.*.swp",