[Rule Tuning] Tighten Up Elastic Defend Indexes - Linux (#4446)

This commit is contained in:
Jonhnathan
2025-02-05 15:25:45 -03:00
committed by GitHub
parent ab89dfb98d
commit 0268daa17d
146 changed files with 292 additions and 292 deletions
@@ -2,7 +2,7 @@
creation_date = "2023/09/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/04"
[transform]
[[transform.osquery]]
@@ -39,7 +39,7 @@ activity is highly suspicious, and should be investigated. Attackers may leverag
files to another host in the network or exfiltrate data while attempting to evade detection in the process.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Network Activity Detected via cat"
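Review bot: The narrowed `index` line is only correct if every event category used by this rule's EQL query is `process` or `network`, and the `query` field is outside this hunk, so that cannot be checked from the visible lines. A mismatch fails silently: the pattern still resolves to live data streams, so Kibana raises no "no indices found" warning and the rule simply stops firing for the category that was dropped. Before merging, confirm the `query` of each of the 146 touched rules against the data-stream suffixes kept, and, if the repository's unit tests do not already do so, add a check that derives the required `logs-endpoint.events.<category>*` entries from each `<category> where` clause and fails on any rule whose `index` list omits one. The `[rule]` table continues past the end of the hunk.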
@@ -2,7 +2,7 @@
creation_date = "2024/09/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs o
UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Network Connection by Cups or Foomatic-rip Child"
@@ -2,7 +2,7 @@
creation_date = "2024/11/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ process. Attackers may use `curl` to establish a SOCKS proxy connection to bypas
data or communicate with C2 servers.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Curl SOCKS Proxy Activity from Unusual Parent"
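Review bot: This section drops `logs-endpoint.events.network*` entirely and keeps only `logs-endpoint.events.process*`, which is right only if the query identifies the SOCKS proxy usage from the `curl` process event alone rather than by correlating with a `network` event. The description at the top of the hunk speaks of establishing a SOCKS proxy connection, so the query should be re-read to confirm it has no `network where` stage; if it does, the rule will no longer fire on Elastic Defend data and nothing will warn about it. The `query` field is outside this hunk.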
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ forwarding can be used to route network traffic between different network interf
pivot between networks, exfiltrate data, or establish command and control channels.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "IPv4/IPv6 Forwarding Activity"
@@ -2,7 +2,7 @@
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/04"
[transform]
[[transform.osquery]]
@@ -40,7 +40,7 @@ channels, bypass network restrictions, and carry out malicious activities by cre
access to internal systems.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Protocol Tunneling via Chisel Client"
@@ -2,7 +2,7 @@
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/02/04"
[transform]
[[transform.osquery]]
@@ -40,7 +40,7 @@ establish covert communication channels, bypass network restrictions, and carry
tunnels that allow unauthorized access to internal systems.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Protocol Tunneling via Chisel Server"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/02/03"
updated_date = "2025/02/04"
[transform]
[[transform.osquery]]
@@ -41,7 +41,7 @@ resources. Attackers can exploit the ProxyChains utility to hide their true sour
perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "ProxyChains Activity"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/02/03"
updated_date = "2025/02/04"
[transform]
[[transform.osquery]]
@@ -41,7 +41,7 @@ can abuse X11 forwarding for tunneling their GUI-based tools, pivot through comp
communication channels, enabling lateral movement and facilitating remote control of systems within a network.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Linux SSH X11 Forwarding"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/02/03"
updated_date = "2025/02/04"
[transform]
[[transform.osquery]]
@@ -42,7 +42,7 @@ detection, and perform malicious activities through a chain of proxy servers, po
intentions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Utility Launched via ProxyChains"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/02/03"
updated_date = "2025/02/04"
[transform]
[[transform.osquery]]
@@ -41,7 +41,7 @@ and gain unauthorized access to internal resources, facilitating data exfiltrati
control.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Tunneling and/or Port Forwarding"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/02/03"
updated_date = "2025/02/04"
[transform]
[[transform.osquery]]
@@ -40,7 +40,7 @@ system within a separate protocol to avoid detection and network filtering, or t
systems.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Protocol Tunneling via EarthWorm"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ password-cracking utilities or prepare themselves for future operations by gathe
victim.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Credential Dumping via Unshadow"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ dumping techniques to attempt secret extraction from privileged processes. Tools
"truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Linux init (PID 1) Secret Dump via GDB"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ secret extraction from privileged processes. Tools that display this behavior in
"bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Linux Process Hooking via GDB"
@@ -2,7 +2,7 @@
creation_date = "2023/07/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ short time interval. Adversaries might brute force login attempts across differe
set of customly crafted passwords in an attempt to gain access to these accounts.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Local Account Brute Force Detected"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext c
process and extracting lines that have a high probability of containing cleartext passwords.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Credential Dumping via Proc Filesystem"
@@ -2,7 +2,7 @@
creation_date = "2024/08/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ public IP address, and even temporary security credentials if role's are assumed
various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Instance Metadata Service (IMDS) API Request"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ description = """
This rule detects Linux Access Control List (ACL) modification via the setfacl command.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Access Control List Modification via setfacl"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Adversaries may attempt to disable the iptables or firewall service in an attemp
receive or send network traffic.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Attempt to Disable IPTables or Firewall"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Adversaries may attempt to disable the syslog service in an attempt to an attemp
detection by security controls.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Attempt to Disable Syslog Service"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Base16 or Base32 Encoding/Decoding Activity"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ opened in write mode. Threat actors will commonly utilize this to prevent tamper
files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Monitors for the deletion of the kernel ring buffer events through dmesg. Attack
to evade detection after installing a Linux kernel module (LKM).
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Attempt to Clear Kernel Ring Buffer"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identify activity related where adversaries can add the 'hidden' flag to files t
to evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Hidden Files and Directories via Hidden Flag"
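Review bot: The only Elastic Defend data stream left for this rule is `logs-endpoint.events.file*`, yet the description at the top of the hunk describes adding a hidden flag to files, which on Linux is done by running a command and may be modelled as a `process` event rather than a `file` event. If the query begins with `process where`, this change removes all Elastic Defend coverage for the rule while the pattern still resolves to an existing data stream, so no warning is raised. Please confirm the query's event category; if it is `process`, the line should read `index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]`. The `query` field is outside this hunk.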
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ files that are required for the system to function properly. The creation of dir
attempt to hide malicious files or executables, as these /bin directories usually just contain binaries.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Directory Creation in /bin directory"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ fine-grained access control policies to restrict the actions and resources that
access. Adversaries may disable security tools to avoid possible detection of their tools and activities.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Disabling of AppArmor"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ support access control policies. Adversaries may disable security tools to avoid
activities.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Disabling of SELinux"
@@ -2,7 +2,7 @@
creation_date = "2024/08/08"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ shared library that is used by the Linux kernel to load and execute programs. At
execution flow of a program by modifying the dynamic linker configuration files.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Dynamic Linker Creation or Modification"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ their presence in the touch command arguments may indicate that a threat actor i
of VM-related files and configurations on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "ESXI Timestomping using Touch Command"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ a network and how. Adversaries may remove these files over the course of an intr
remove them at the end as part of the post-intrusion cleanup process.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "File Deletion via Shred"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Hidden Directory Creation via Unusual Parent"
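Review bot: The `index` line now keeps only `logs-endpoint.events.process*`, so the rule must be detecting the hidden-directory creation from a `process` event (the command that creates it) rather than from a `file` creation event; the description and `query` are both outside this hunk, so this cannot be verified from the visible lines. If the query is a `file where` clause it will silently match nothing on Elastic Defend data after this change, because the pattern still resolves to a real data stream. Please confirm the event category, and if it is `file`, change the entry to `logs-endpoint.events.file*`.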
@@ -2,7 +2,7 @@
creation_date = "2020/04/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ a "." as the first character in the file or folder name. Adversaries can use thi
folders on the system for persistence and defense evasion.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Kernel Module Removal"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ as kthreadd and kworker typically do not have process.executable fields associat
hide their malicious programs by masquerading as legitimate kernel processes.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Executable Masquerading as Kernel Process"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the deletion of sensitive Linux system logs. This may indicate an att
forensic evidence on a system.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "System Log File Deletion"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ hidepid option all the user has to do is remount the /proc filesystem with the o
detected.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Hidden Process via Mount Hidepid"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ malicious payload or elevate privileges or perform network scans or orchestrate
Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Defense Evasion via PRoot"
@@ -2,7 +2,7 @@
creation_date = "2023/04/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Identifies instances where VMware-related files, such as those with extensions l
event action associated with these file types, which could indicate malicious activity.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Renaming of ESXI Files"
@@ -2,7 +2,7 @@
creation_date = "2023/04/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ The rule monitors for the "rename" event action associated with this specific fi
malicious activity.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Renaming of ESXI index.html File"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ directly, the commands will be executed in the background via its parent process
to execute commands while attempting to evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potentially Suspicious Process Started via tmux or screen"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ for examining and debugging binary files or data streams. Attackers can leverage
identifying injection points and craft exploits based on the observed behaviors and structures within these files.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Dynamic Linker Discovery via od"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ software, and their presence in the find command arguments may indicate that a t
analyze, or manipulate VM-related files and configurations on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "ESXI Discovery via Find"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "v
may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "ESXI Discovery via Grep"
+2 -2
@@ -2,7 +2,7 @@
creation_date = "2025/01/07"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ to search the Linux kernel for available symbols, functions, and other informati
kernel.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Kernel Seeking Activity"
+2 -2
@@ -2,7 +2,7 @@
creation_date = "2025/01/07"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects kernel unpacking activity through several built-in Linux utili
to unpack kernel images and modules to search for vulnerabilities or to modify the kernel.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Kernel Unpacking Activity"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Hping Process Activity"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Nping Process Activity"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ This rule detects PAM version discovery activity on Linux systems. PAM version d
attacker attempting to backdoor the authentication process through malicious PAM modules.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Pluggable Authentication Module (PAM) Version Discovery"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/22"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ This rule detects Polkit version discovery activity on Linux systems. Polkit ver
indication of an attacker attempting to exploit misconfigurations or vulnerabilities in the Polkit service.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Polkit Version Discovery"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ This rule detects private key searching activity on Linux systems. Searching for
attacker attempting to escalate privileges or exfiltrate sensitive information.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Private Key Searching Activity"
+2 -2
@@ -2,7 +2,7 @@
creation_date = "2024/01/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ detailing the memory segments, permissions, and what files are mapped to these s
memory map to identify memory addresses for code injection or process hijacking.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious /proc/maps Discovery"
@@ -2,7 +2,7 @@
creation_date = "2024/01/09"
integration = ["endpoint", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies recursive process capability enumeration of the entire filesystem thr
may manipulate identified capabilities to gain root privileges.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Process Capability Enumeration"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ This rule detects sensitive security file access via common utilities on Linux s
from sensitive files using common utilities to gather information about the system and its security configuration.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Security File Access via Common Utilities"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ the invoking user. Attackers may execute this command to enumerate commands allo
permissions, potentially allowing to escalate privileges to root.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Sudo Command Enumeration Detected"
@@ -2,7 +2,7 @@
creation_date = "2023/07/24"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ an attacker is able to enumerate and find a binary that is misconfigured, they m
misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "SUID/SGUID Enumeration Detected"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ specific process, detailing the memory segments, permissions, and what files are
read a process's memory map to identify memory addresses for code injection or process hijacking.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Memory grep Activity"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ leverage the which command to enumerate the system for useful installed utilitie
system to escalate privileges or move latteraly across the network.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious which Enumeration"
@@ -2,7 +2,7 @@
creation_date = "2023/08/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ behavior is unusual, and may be indicative of the execution of an enumeration sc
scripts leverage the "id" command to enumerate the privileges of all users present on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual User Privilege Enumeration via id"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ to search for YUM/DNF configurations and/or plugins with an enabled state. This
attempting to establish persistence in a YUM or DNF plugin.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Yum/DNF Plugin Status Discovery"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP UR
crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"]
index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "File Creation by Cups or Foomatic-rip Child"
@@ -2,7 +2,7 @@
creation_date = "2024/09/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ through crafted UDP packets or network spoofing. This can result in arbitrary co
initiated.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["endgame-*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Printer User (lp) Shell Execution"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ remote unauthenticated attackers to manipulate IPP URLs or inject malicious data
spoofing. This can result in arbitrary command execution when a print job is initiated.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Cupsd or Foomatic-rip Shell Execution"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ through crafted UDP packets or network spoofing. This can result in arbitrary co
initiated.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution from Foomatic-rip or Cupsd Parent"
@@ -2,7 +2,7 @@
creation_date = "2023/10/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instruc
this rule.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential curl CVE-2023-38545 Exploitation"
@@ -2,7 +2,7 @@
creation_date = "2024/07/10"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ entrypoint is a command or script specified in the Dockerfile and executed when
this technique to establish a foothold in the environment, escape from a container to the host, or establish persistence.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Egress Connection from Entrypoint in Container"
@@ -2,7 +2,7 @@
creation_date = "2023/08/28"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ directory often used for malicious purposes by threat actors. This behavior is o
malicious code and delete itself to hide its tracks.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "File Creation, Execution and Self-Deletion in Suspicious Directory"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "logs-endpoint.events.network*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "File Transfer or Listener Established via Netcat"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ simple reverse shell to a fully interactive tty after obtaining initial access t
stable connection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Upgrade of Non-interactive Shell"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Netcat Listener Established via rlwrap"
@@ -2,7 +2,7 @@
creation_date = "2024/03/13"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ cases overly permissive, and should (especially in conjunction with an outbound
thoroughly.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Network Connection from Binary with RWX Memory Region"
@@ -2,7 +2,7 @@
creation_date = "2023/08/28"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ connection event. This behavior can indicate the set up of a reverse tcp connect
Attackers may spawn reverse shells to establish persistence onto a target system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file*", "logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Network Connection via Recently Compiled Executable"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ this rule should be investigated further, as hack tools are commonly used by blu
well.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Hack Tool Launched"
@@ -2,7 +2,7 @@
creation_date = "2022/05/11"
integration = ["endpoint", "auditd_manager", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Process Started from Process ID (PID) File"
@@ -2,7 +2,7 @@
creation_date = "2022/05/10"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["endgame-*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Binary Executed from Shared Memory Directory"
+2 -2
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a
interactive tty after obtaining initial access to a host.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Interactive Terminal Spawned via Python"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ This rule identifies when a web server is spawned via Python. Attackers may use
exfiltrate/infiltrate data or to move laterally within a network.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Web Server Spawned via Python"
@@ -2,7 +2,7 @@
creation_date = "2022/06/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ which can result in unauthorized access and malicious actions, and facilitate po
unauthorized access and malicious actions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["endgame-*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Code Execution via Postgresql"
@@ -2,7 +2,7 @@
creation_date = "2022/05/06"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/17"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ system shell. The activity of spawning a shell from a binary is not common behav
and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Linux Restricted Shell Breakout via Linux Binary(s)"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ establish a secure connection to a remote server or to create a secure server to
may be used to exfiltrate data or establish a command and control channel.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Openssl Client or Server Activity"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Monitors for the execution of background processes with process arguments capabl
channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Background Process"
@@ -2,7 +2,7 @@
creation_date = "2023/11/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ activity consists of a network event that is followed by the creation of a shell
arguments. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Child"
@@ -2,7 +2,7 @@
creation_date = "2023/07/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ This detection rule identifies the execution of a Linux shell process from a Jav
network connection. This behavior may indicate reverse shell activity via a Java application.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Java"
@@ -2,7 +2,7 @@
creation_date = "2023/07/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ the specified utilities that are initialized from a single process followed by a
captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Suspicious Child Process"
@@ -2,7 +2,7 @@
creation_date = "2023/07/05"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ spawned. Stageless reverse tcp shells display this behaviour. Attackers may spaw
persistence onto a target system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Suspicious Binary"
@@ -2,7 +2,7 @@
creation_date = "2023/07/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ activity consists of a parent-child relationship where a network event is follow
An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ output from tail can be piped to funzip in order to decompress malicious code be
consistent with malware families such as Bundlore.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Content Extracted or Decompressed via Funzip"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies service creation events of common mining services, possibly indicatin
cryptominer.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Mining Process Creation Event"
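Review bot: The `index` list for this rule is narrowed to `logs-endpoint.events.file*` only, while the rule is named "Suspicious Mining Process Creation Event"; if the EQL `query` (outside the hunk) filters on `event.category : process`, the rule silently stops matching Elastic Defend data after this change because no process data stream remains in `index`. The description's "service creation events" suggests the query is file-based, in which case the index is correct but the name is misleading; either way a comment next to `index` would prevent the next reader from "fixing" it, e.g. `# file* only: the query matches service-unit file creation, not process events`. The same verification applies to "System Binary Path File Permission Modification", whose `index` is now `logs-endpoint.events.process*` although its name suggests file events (plausible if the query keys on chmod execution, but not checkable from the hunk). Since narrowed patterns fail silently rather than loudly, a repository-level check that cross-references each rule's `event.category` terms against its `index` patterns would catch this class of regression across all 146 files in the commit.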
@@ -2,7 +2,7 @@
creation_date = "2025/01/07"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/22"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule identifies file permission modification events on files located in com
hide their payloads in the default Linux system directories, and modify the file permissions of these payloads prior to execution.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "System Binary Path File Permission Modification"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ A threat actor can utilize tc to set a bpf filter on an interface for the purpos
This technique is not at all common and should indicate abnormal, suspicious or malicious activity.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "BPF filter applied using TC"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ privileges or set up malicious communication channels via Unix sockets for inter
evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Unix Socket Connection"
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ for exfiltration on Linux systems. Data splitting is a technique used by adversa
avoid detection and exfiltrate data.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Data Splitting Detected"
@@ -2,7 +2,7 @@
creation_date = "2023/06/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ Adversaries may encrypt data on a single or multiple systems in order to disrupt
and may attempt to hold the organization's data to ransom for the purposes of extortion.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Data Encryption via OpenSSL Utility"
@@ -2,7 +2,7 @@
creation_date = "2023/04/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ command. The rule monitors for the "end" event type, which signifies the termina
interfere with the virtualized environment on the targeted system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["endgame-*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Termination of ESXI Process"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ the system's memory and potentially impact the system's performance. This behavi
deploys miner software such as XMRig.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Memory Swap Modification"
@@ -2,7 +2,7 @@
creation_date = "2023/03/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ decryption key. One important indicator of a ransomware attack is the mass encry
new file extension is added to the file.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Ransomware Note Creation Detected"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies processes that are capable of downloading files with command line arg
autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential SSH-IT SSH Worm Downloaded"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Connection to External Network via Telnet"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"]
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Connection to Internal Network via Telnet"
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/24"
updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ repositories. Attackers can backdoor APT to gain persistence by injecting malici
thereby ensuring continued unauthorized access or control each time APT is used for package management.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"]
index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious APT Package Manager Execution"
