diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml index 946ca4592..e0ce29eee 100644 --- a/rules/linux/command_and_control_cat_network_activity.toml +++ b/rules/linux/command_and_control_cat_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -39,7 +39,7 @@ activity is highly suspicious, and should be investigated. Attackers may leverag files to another host in the network or exfiltrate data while attempting to evade detection in the process. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Network Activity Detected via cat" diff --git a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml index 30ce455a1..5356874e6 100644 --- a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml +++ b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs o UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Network Connection by Cups or Foomatic-rip Child" diff --git a/rules/linux/command_and_control_curl_socks_proxy_detected.toml b/rules/linux/command_and_control_curl_socks_proxy_detected.toml index 3fb5537d2..6fc18eaac 100644 --- a/rules/linux/command_and_control_curl_socks_proxy_detected.toml +++ b/rules/linux/command_and_control_curl_socks_proxy_detected.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ process. Attackers may use `curl` to establish a SOCKS proxy connection to bypas data or communicate with C2 servers. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Curl SOCKS Proxy Activity from Unusual Parent" diff --git a/rules/linux/command_and_control_ip_forwarding_activity.toml b/rules/linux/command_and_control_ip_forwarding_activity.toml index 6f101558f..329a6d1d1 100644 --- a/rules/linux/command_and_control_ip_forwarding_activity.toml +++ b/rules/linux/command_and_control_ip_forwarding_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ forwarding can be used to route network traffic between different network interf pivot between networks, exfiltrate data, or establish command and control channels. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "IPv4/IPv6 Forwarding Activity" diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml index 7d41cf8e9..f946aaaa5 100644 --- a/rules/linux/command_and_control_linux_chisel_client_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -40,7 +40,7 @@ channels, bypass network restrictions, and carry out malicious activities by cre access to internal systems. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Protocol Tunneling via Chisel Client" diff --git a/rules/linux/command_and_control_linux_chisel_server_activity.toml b/rules/linux/command_and_control_linux_chisel_server_activity.toml index 263bb2dad..c277cc52b 100644 --- a/rules/linux/command_and_control_linux_chisel_server_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_server_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -40,7 +40,7 @@ establish covert communication channels, bypass network restrictions, and carry tunnels that allow unauthorized access to internal systems. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Protocol Tunneling via Chisel Server" diff --git a/rules/linux/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml index 8253c3b5c..46cd848e6 100644 --- a/rules/linux/command_and_control_linux_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_proxychains_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -41,7 +41,7 @@ resources. Attackers can exploit the ProxyChains utility to hide their true sour perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "ProxyChains Activity" diff --git a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml index 111e9a9f3..4cc5b788c 100644 --- a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml +++ b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -41,7 +41,7 @@ can abuse X11 forwarding for tunneling their GUI-based tools, pivot through comp communication channels, enabling lateral movement and facilitating remote control of systems within a network. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Linux SSH X11 Forwarding" diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml index d5b475379..baf53ccab 100644 --- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -42,7 +42,7 @@ detection, and perform malicious activities through a chain of proxy servers, po intentions. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Utility Launched via ProxyChains" diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml index da95e39ef..68be50722 100644 --- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -41,7 +41,7 @@ and gain unauthorized access to internal resources, facilitating data exfiltrati control. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Tunneling and/or Port Forwarding" diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index e79d88422..b5f92960e 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -40,7 +40,7 @@ system within a separate protocol to avoid detection and network filtering, or t systems. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Protocol Tunneling via EarthWorm" diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml index cc7bfb06a..1ffa0927c 100644 --- a/rules/linux/credential_access_credential_dumping.toml +++ b/rules/linux/credential_access_credential_dumping.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ password-cracking utilities or prepare themselves for future operations by gathe victim. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Credential Dumping via Unshadow" diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml index c6934659c..267ef6a56 100644 --- a/rules/linux/credential_access_gdb_init_process_hooking.toml +++ b/rules/linux/credential_access_gdb_init_process_hooking.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ dumping techniques to attempt secret extraction from privileged processes. Tools "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Linux init (PID 1) Secret Dump via GDB" diff --git a/rules/linux/credential_access_gdb_process_hooking.toml b/rules/linux/credential_access_gdb_process_hooking.toml index 5e9c2f228..d668a5a7a 100644 --- a/rules/linux/credential_access_gdb_process_hooking.toml +++ b/rules/linux/credential_access_gdb_process_hooking.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ secret extraction from privileged processes. Tools that display this behavior in "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Linux Process Hooking via GDB" diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml index f570f4601..a83e64aca 100644 --- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml +++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ short time interval. Adversaries might brute force login attempts across differe set of customly crafted passwords in an attempt to gain access to these accounts. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Local Account Brute Force Detected" diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index 90b1a9cb4..bdae2eaf8 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext c process and extracting lines that have a high probability of containing cleartext passwords. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Credential Dumping via Proc Filesystem" diff --git a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml index cdb9ef2e4..5f6686572 100644 --- a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml +++ b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/22" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ public IP address, and even temporary security credentials if role's are assumed various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Unusual Instance Metadata Service (IMDS) API Request" diff --git a/rules/linux/defense_evasion_acl_modification_via_setfacl.toml b/rules/linux/defense_evasion_acl_modification_via_setfacl.toml index a27dcc37e..5d28c2abd 100644 --- a/rules/linux/defense_evasion_acl_modification_via_setfacl.toml +++ b/rules/linux/defense_evasion_acl_modification_via_setfacl.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ description = """ This rule detects Linux Access Control List (ACL) modification via the setfacl command. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Access Control List Modification via setfacl" diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index 04675023c..024008d82 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Adversaries may attempt to disable the iptables or firewall service in an attemp receive or send network traffic. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Attempt to Disable IPTables or Firewall" diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index c5dc2298b..b8eb9f0e2 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Adversaries may attempt to disable the syslog service in an attempt to an attemp detection by security controls. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Attempt to Disable Syslog Service" diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 011dc4721..613f65a3b 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Base16 or Base32 Encoding/Decoding Activity" diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index bb66372e2..405cf25b3 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ opened in write mode. Threat actors will commonly utilize this to prevent tamper files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" max_signals = 33 diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml index 773c4da0c..9e4dc7450 100644 --- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Monitors for the deletion of the kernel ring buffer events through dmesg. Attack to evade detection after installing a Linux kernel module (LKM). """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Attempt to Clear Kernel Ring Buffer" diff --git a/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml b/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml index dd98206f9..5e4687c75 100644 --- a/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml +++ b/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identify activity related where adversaries can add the 'hidden' flag to files t to evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Hidden Files and Directories via Hidden Flag" diff --git a/rules/linux/defense_evasion_directory_creation_in_bin.toml b/rules/linux/defense_evasion_directory_creation_in_bin.toml index ff4dc6d7f..819542e63 100644 --- a/rules/linux/defense_evasion_directory_creation_in_bin.toml +++ b/rules/linux/defense_evasion_directory_creation_in_bin.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ files that are required for the system to function properly. The creation of dir attempt to hide malicious files or executables, as these /bin directories usually just contain binaries. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Directory Creation in /bin directory" diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml index 6dbf13a03..4ac7da81c 100644 --- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml +++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ fine-grained access control policies to restrict the actions and resources that access. Adversaries may disable security tools to avoid possible detection of their tools and activities. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Disabling of AppArmor" diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index 32fba2c5e..3b3e6dd8c 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ support access control policies. Adversaries may disable security tools to avoid activities. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Disabling of SELinux" diff --git a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml index c07ff4d97..03e17d56c 100644 --- a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml +++ b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/08" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ shared library that is used by the Linux kernel to load and execute programs. At execution flow of a program by modifying the dynamic linker configuration files. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Dynamic Linker Creation or Modification" diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml index aa321096a..b7b54978b 100644 --- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml +++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ their presence in the touch command arguments may indicate that a threat actor i of VM-related files and configurations on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "ESXI Timestomping using Touch Command" diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 5391b81c5..d7de9703a 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ a network and how. Adversaries may remove these files over the course of an intr remove them at the end as part of the post-intrusion cleanup process. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "File Deletion via Shred" diff --git a/rules/linux/defense_evasion_hidden_directory_creation.toml b/rules/linux/defense_evasion_hidden_directory_creation.toml index 929e64c94..76312a857 100644 --- a/rules/linux/defense_evasion_hidden_directory_creation.toml +++ b/rules/linux/defense_evasion_hidden_directory_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Hidden Directory Creation via Unusual Parent" diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index b6e8178ba..ab2a7a74d 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" max_signals = 33 diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index 972126958..82d386bd6 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ a "." as the first character in the file or folder name. Adversaries can use thi folders on the system for persistence and defense evasion. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" max_signals = 33 diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index c8a356d3c..065c84ee7 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Kernel Module Removal" diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml index 41af91bd7..5047db3c5 100644 --- a/rules/linux/defense_evasion_kthreadd_masquerading.toml +++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ as kthreadd and kworker typically do not have process.executable fields associat hide their malicious programs by masquerading as legitimate kernel processes. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Executable Masquerading as Kernel Process" diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index 7c0d2d251..814aee338 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies the deletion of sensitive Linux system logs. This may indicate an att forensic evidence on a system. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "System Log File Deletion" diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index f7b5185aa..b1b3758bf 100644 --- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ hidepid option all the user has to do is remount the /proc filesystem with the o detected. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Hidden Process via Mount Hidepid" diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml index 7986d5316..40d530a93 100644 --- a/rules/linux/defense_evasion_potential_proot_exploits.toml +++ b/rules/linux/defense_evasion_potential_proot_exploits.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ malicious payload or elevate privileges or perform network scans or orchestrate Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Defense Evasion via PRoot" diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index b033e0047..9237b08e9 100644 --- a/rules/linux/defense_evasion_rename_esxi_files.toml +++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies instances where VMware-related files, such as those with extensions l event action associated with these file types, which could indicate malicious activity. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Suspicious Renaming of ESXI Files" diff --git a/rules/linux/defense_evasion_rename_esxi_index_file.toml b/rules/linux/defense_evasion_rename_esxi_index_file.toml index db701e9a6..ab0619ad0 100644 --- a/rules/linux/defense_evasion_rename_esxi_index_file.toml +++ b/rules/linux/defense_evasion_rename_esxi_index_file.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ The rule monitors for the "rename" event action associated with this specific fi malicious activity. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Suspicious Renaming of ESXI index.html File" diff --git a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml index 643e15122..244d0e213 100644 --- a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml +++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ directly, the commands will be executed in the background via its parent process to execute commands while attempting to evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potentially Suspicious Process Started via tmux or screen" diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml index b2ab0c4bd..5630ad248 100644 --- a/rules/linux/discovery_dynamic_linker_via_od.toml +++ b/rules/linux/discovery_dynamic_linker_via_od.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ for examining and debugging binary files or data streams. Attackers can leverage identifying injection points and craft exploits based on the observed behaviors and structures within these files. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Dynamic Linker Discovery via od" diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index 6e4547b09..eae69d1e3 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ software, and their presence in the find command arguments may indicate that a t analyze, or manipulate VM-related files and configurations on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "ESXI Discovery via Find" diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index 4fa7fedc1..063a4e647 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "v may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "ESXI Discovery via Grep" diff --git a/rules/linux/discovery_kernel_seeking.toml b/rules/linux/discovery_kernel_seeking.toml index 0b9e88305..72efe98de 100644 --- a/rules/linux/discovery_kernel_seeking.toml +++ b/rules/linux/discovery_kernel_seeking.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/22" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ to search the Linux kernel for available symbols, functions, and other informati kernel. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Kernel Seeking Activity" diff --git a/rules/linux/discovery_kernel_unpacking.toml b/rules/linux/discovery_kernel_unpacking.toml index fa7d0695c..81323d2a4 100644 --- a/rules/linux/discovery_kernel_unpacking.toml +++ b/rules/linux/discovery_kernel_unpacking.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/22" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ This rule detects kernel unpacking activity through several built-in Linux utili to unpack kernel images and modules to search for vulnerabilities or to modify the kernel. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Kernel Unpacking Activity" diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index 791938664..df98c5ebf 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Hping Process Activity" diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index cdb26df5e..760afd3f3 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Nping Process Activity" diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml index 932c0dbe2..a14fb2776 100644 --- a/rules/linux/discovery_pam_version_discovery.toml +++ b/rules/linux/discovery_pam_version_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ This rule detects PAM version discovery activity on Linux systems. PAM version d attacker attempting to backdoor the authentication process through malicious PAM modules. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Pluggable Authentication Module (PAM) Version Discovery" diff --git a/rules/linux/discovery_polkit_version_discovery.toml b/rules/linux/discovery_polkit_version_discovery.toml index 1ea639d81..0a2202d69 100644 --- a/rules/linux/discovery_polkit_version_discovery.toml +++ b/rules/linux/discovery_polkit_version_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/22" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ This rule detects Polkit version discovery activity on Linux systems. Polkit ver indication of an attacker attempting to exploit misconfigurations or vulnerabilities in the Polkit service. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Polkit Version Discovery" diff --git a/rules/linux/discovery_private_key_password_searching_activity.toml b/rules/linux/discovery_private_key_password_searching_activity.toml index 495e0053a..356264921 100644 --- a/rules/linux/discovery_private_key_password_searching_activity.toml +++ b/rules/linux/discovery_private_key_password_searching_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ This rule detects private key searching activity on Linux systems. Searching for attacker attempting to escalate privileges or exfiltrate sensitive information. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Private Key Searching Activity" diff --git a/rules/linux/discovery_proc_maps_read.toml b/rules/linux/discovery_proc_maps_read.toml index 1b628573d..fbc0fb36c 100644 --- a/rules/linux/discovery_proc_maps_read.toml +++ b/rules/linux/discovery_proc_maps_read.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ detailing the memory segments, permissions, and what files are mapped to these s memory map to identify memory addresses for code injection or process hijacking. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious /proc/maps Discovery" diff --git a/rules/linux/discovery_process_capabilities.toml b/rules/linux/discovery_process_capabilities.toml index 5d1ceb285..dc379d050 100644 --- a/rules/linux/discovery_process_capabilities.toml +++ b/rules/linux/discovery_process_capabilities.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies recursive process capability enumeration of the entire filesystem thr may manipulate identified capabilities to gain root privileges. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Process Capability Enumeration" diff --git a/rules/linux/discovery_security_file_access_via_common_utility.toml b/rules/linux/discovery_security_file_access_via_common_utility.toml index 77e8b3832..e345c1f4c 100644 --- a/rules/linux/discovery_security_file_access_via_common_utility.toml +++ b/rules/linux/discovery_security_file_access_via_common_utility.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ This rule detects sensitive security file access via common utilities on Linux s from sensitive files using common utilities to gather information about the system and its security configuration. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Security File Access via Common Utilities" diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml index 4d5f05ee6..fe6b11cc9 100644 --- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml +++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ the invoking user. Attackers may execute this command to enumerate commands allo permissions, potentially allowing to escalate privileges to root. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Sudo Command Enumeration Detected" diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml index 35482e287..dbd83aa0b 100644 --- a/rules/linux/discovery_suid_sguid_enumeration.toml +++ b/rules/linux/discovery_suid_sguid_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/24" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ an attacker is able to enumerate and find a binary that is misconfigured, they m misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "SUID/SGUID Enumeration Detected" diff --git a/rules/linux/discovery_suspicious_memory_grep_activity.toml b/rules/linux/discovery_suspicious_memory_grep_activity.toml index d3e44c6ac..e9520b480 100644 --- a/rules/linux/discovery_suspicious_memory_grep_activity.toml +++ b/rules/linux/discovery_suspicious_memory_grep_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ specific process, detailing the memory segments, permissions, and what files are read a process's memory map to identify memory addresses for code injection or process hijacking. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Memory grep Activity" diff --git a/rules/linux/discovery_suspicious_which_command_execution.toml b/rules/linux/discovery_suspicious_which_command_execution.toml index ce077dd90..92116188f 100644 --- a/rules/linux/discovery_suspicious_which_command_execution.toml +++ b/rules/linux/discovery_suspicious_which_command_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ leverage the which command to enumerate the system for useful installed utilitie system to escalate privileges or move latteraly across the network. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious which Enumeration" diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml index ad351fb67..e37017ee7 100644 --- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml +++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ behavior is unusual, and may be indicative of the execution of an enumeration sc scripts leverage the "id" command to enumerate the privileges of all users present on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Unusual User Privilege Enumeration via id" diff --git a/rules/linux/discovery_yum_dnf_plugin_detection.toml b/rules/linux/discovery_yum_dnf_plugin_detection.toml index bfeef246d..d0829ba73 100644 --- a/rules/linux/discovery_yum_dnf_plugin_detection.toml +++ b/rules/linux/discovery_yum_dnf_plugin_detection.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ to search for YUM/DNF configurations and/or plugins with an enabled state. This attempting to establish persistence in a YUM or DNF plugin. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Yum/DNF Plugin Status Discovery" diff --git a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml index 00e2a0f6f..75fb1e6c1 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP UR crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "File Creation by Cups or Foomatic-rip Child" diff --git a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml index 680ec8ef8..1c8a89cd0 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ through crafted UDP packets or network spoofing. This can result in arbitrary co initiated. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Printer User (lp) Shell Execution" diff --git a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml index fb4fcdc90..2a9e38820 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ remote unauthenticated attackers to manipulate IPP URLs or inject malicious data spoofing. This can result in arbitrary command execution when a print job is initiated. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Cupsd or Foomatic-rip Shell Execution" diff --git a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml index db4f72aba..baff7f2d5 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ through crafted UDP packets or network spoofing. This can result in arbitrary co initiated. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Execution from Foomatic-rip or Cupsd Parent" diff --git a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml index 9397f734f..086dcc36c 100644 --- a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml +++ b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instruc this rule. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential curl CVE-2023-38545 Exploitation" diff --git a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml index c555a3312..1e15219c5 100644 --- a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml +++ b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ entrypoint is a command or script specified in the Dockerfile and executed when this technique to establish a foothold in the environment, escape from a container to the host, or establish persistence. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Egress Connection from Entrypoint in Container" diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml index 1a9f053b7..6221e571c 100644 --- a/rules/linux/execution_file_execution_followed_by_deletion.toml +++ b/rules/linux/execution_file_execution_followed_by_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ directory often used for malicious purposes by threat actors. This behavior is o malicious code and delete itself to hide its tracks. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "File Creation, Execution and Self-Deletion in Suspicious Directory" diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 47330570b..6f29f3951 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "logs-endpoint.events.network*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "File Transfer or Listener Established via Netcat" diff --git a/rules/linux/execution_interpreter_tty_upgrade.toml b/rules/linux/execution_interpreter_tty_upgrade.toml index a29e2ce05..1d9edd02b 100644 --- a/rules/linux/execution_interpreter_tty_upgrade.toml +++ b/rules/linux/execution_interpreter_tty_upgrade.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ simple reverse shell to a fully interactive tty after obtaining initial access t stable connection. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Upgrade of Non-interactive Shell" diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml index d0b9ca17f..d30212828 100644 --- a/rules/linux/execution_nc_listener_via_rlwrap.toml +++ b/rules/linux/execution_nc_listener_via_rlwrap.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Netcat Listener Established via rlwrap" diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml index 184a0a06b..39958a99e 100644 --- a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml +++ b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ cases overly permissive, and should (especially in conjunction with an outbound thoroughly. """ from = "now-9m" -index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Network Connection from Binary with RWX Memory Region" diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml index e8f276243..18f1cdda7 100644 --- a/rules/linux/execution_network_event_post_compilation.toml +++ b/rules/linux/execution_network_event_post_compilation.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ connection event. This behavior can indicate the set up of a reverse tcp connect Attackers may spawn reverse shells to establish persistence onto a target system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*", "logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Network Connection via Recently Compiled Executable" diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml index d83be6e03..639aac823 100644 --- a/rules/linux/execution_potential_hack_tool_executed.toml +++ b/rules/linux/execution_potential_hack_tool_executed.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ this rule should be investigated further, as hack tools are commonly used by blu well. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Hack Tool Launched" diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index cf89945fd..9188badd5 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Process Started from Process ID (PID) File" diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index d70310f3a..2c230e7fb 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Binary Executed from Shared Memory Directory" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 1ab71d1ab..840ce3b7e 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a interactive tty after obtaining initial access to a host. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Interactive Terminal Spawned via Python" diff --git a/rules/linux/execution_python_webserver_spawned.toml b/rules/linux/execution_python_webserver_spawned.toml index 84d53f57b..a5c56cdcd 100644 --- a/rules/linux/execution_python_webserver_spawned.toml +++ b/rules/linux/execution_python_webserver_spawned.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ This rule identifies when a web server is spawned via Python. Attackers may use exfiltrate/infiltrate data or to move laterally within a network. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Web Server Spawned via Python" diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index 2d9d6ec7f..23b306e43 100644 --- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml @@ -2,7 +2,7 @@ creation_date = "2022/06/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ which can result in unauthorized access and malicious actions, and facilitate po unauthorized access and malicious actions. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Code Execution via Postgresql" diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index bb7b2c29a..7dfe90cd6 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/17" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ system shell. The activity of spawning a shell from a binary is not common behav and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Linux Restricted Shell Breakout via Linux Binary(s)" diff --git a/rules/linux/execution_shell_openssl_client_or_server.toml b/rules/linux/execution_shell_openssl_client_or_server.toml index 5fce4337c..c91ef9fb6 100644 --- a/rules/linux/execution_shell_openssl_client_or_server.toml +++ b/rules/linux/execution_shell_openssl_client_or_server.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ establish a secure connection to a remote server or to create a secure server to may be used to exfiltrate data or establish a command and control channel. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Openssl Client or Server Activity" diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml index 482507d44..057f3fab8 100644 --- a/rules/linux/execution_shell_via_background_process.toml +++ b/rules/linux/execution_shell_via_background_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Monitors for the execution of background processes with process arguments capabl channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Background Process" diff --git a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml index cc04183c1..cb4b21a61 100644 --- a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml +++ b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ activity consists of a network event that is followed by the creation of a shell arguments. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Child" diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml index e1dbc1409..b45e10e26 100644 --- a/rules/linux/execution_shell_via_java_revshell_linux.toml +++ b/rules/linux/execution_shell_via_java_revshell_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ This detection rule identifies the execution of a Linux shell process from a Jav network connection. This behavior may indicate reverse shell activity via a Java application. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Java" diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml index cae82200b..4640cc46c 100644 --- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml +++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ the specified utilities that are initialized from a single process followed by a captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Suspicious Child Process" diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml index 0fe844990..a3e205791 100644 --- a/rules/linux/execution_shell_via_suspicious_binary.toml +++ b/rules/linux/execution_shell_via_suspicious_binary.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ spawned. Stageless reverse tcp shells display this behaviour. Attackers may spaw persistence onto a target system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Suspicious Binary" diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml index 8a7e50d19..3a93c51c7 100644 --- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ activity consists of a parent-child relationship where a network event is follow An attacker may establish a Linux TCP reverse shell to gain remote access to a target system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell" diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml index 086914686..9056e38af 100644 --- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml +++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ output from tail can be piped to funzip in order to decompress malicious code be consistent with malware families such as Bundlore. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Content Extracted or Decompressed via Funzip" diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index f07b9025d..75a52429d 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies service creation events of common mining services, possibly indicatin cryptominer. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Mining Process Creation Event" diff --git a/rules/linux/execution_system_binary_file_permission_change.toml b/rules/linux/execution_system_binary_file_permission_change.toml index c5622803b..c43395afb 100644 --- a/rules/linux/execution_system_binary_file_permission_change.toml +++ b/rules/linux/execution_system_binary_file_permission_change.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/22" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ This rule identifies file permission modification events on files located in com hide their payloads in the default Linux system directories, and modify the file permissions of these payloads prior to execution. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "System Binary Path File Permission Modification" diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index d484d1731..154708e80 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ A threat actor can utilize tc to set a bpf filter on an interface for the purpos This technique is not at all common and should indicate abnormal, suspicious or malicious activity. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "BPF filter applied using TC" diff --git a/rules/linux/execution_unix_socket_communication.toml b/rules/linux/execution_unix_socket_communication.toml index f788067e6..b31d97f5f 100644 --- a/rules/linux/execution_unix_socket_communication.toml +++ b/rules/linux/execution_unix_socket_communication.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ privileges or set up malicious communication channels via Unix sockets for inter evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Unix Socket Connection" diff --git a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml index 7cf613d43..3b1a1f4a3 100644 --- a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml +++ b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ for exfiltration on Linux systems. Data splitting is a technique used by adversa avoid detection and exfiltrate data. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Data Splitting Detected" diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml index e994de102..f0db697d3 100644 --- a/rules/linux/impact_data_encrypted_via_openssl.toml +++ b/rules/linux/impact_data_encrypted_via_openssl.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Adversaries may encrypt data on a single or multiple systems in order to disrupt and may attempt to hold the organization's data to ransom for the purposes of extortion. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious Data Encryption via OpenSSL Utility" diff --git a/rules/linux/impact_esxi_process_kill.toml b/rules/linux/impact_esxi_process_kill.toml index 149015fce..f97a7adf9 100644 --- a/rules/linux/impact_esxi_process_kill.toml +++ b/rules/linux/impact_esxi_process_kill.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ command. The rule monitors for the "end" event type, which signifies the termina interfere with the virtualized environment on the targeted system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious Termination of ESXI Process" diff --git a/rules/linux/impact_memory_swap_modification.toml b/rules/linux/impact_memory_swap_modification.toml index 07c7b8972..d39b8f176 100644 --- a/rules/linux/impact_memory_swap_modification.toml +++ b/rules/linux/impact_memory_swap_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ the system's memory and potentially impact the system's performance. This behavi deploys miner software such as XMRig. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Memory Swap Modification" diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index 8d1787e97..3353a9b72 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ decryption key. One important indicator of a ransomware attack is the mass encry new file extension is added to the file. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Ransomware Note Creation Detected" diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml index cd5672bdc..b111e3b5f 100644 --- a/rules/linux/lateral_movement_ssh_it_worm_download.toml +++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies processes that are capable of downloading files with command line arg autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential SSH-IT SSH Worm Downloaded" diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index 1d83b8fdd..68dda3bba 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Connection to External Network via Telnet" diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml index f3935e9cd..107c0a38b 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Connection to Internal Network via Telnet" diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml index 464566426..625d5d4de 100644 --- a/rules/linux/persistence_apt_package_manager_execution.toml +++ b/rules/linux/persistence_apt_package_manager_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ repositories. Attackers can backdoor APT to gain persistence by injecting malici thereby ensuring continued unauthorized access or control each time APT is used for package management. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious APT Package Manager Execution" diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml index 6b806e42e..0dffc185e 100644 --- a/rules/linux/persistence_apt_package_manager_netcon.toml +++ b/rules/linux/persistence_apt_package_manager_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ repositories. Attackers can backdoor APT to gain persistence by injecting malici thereby ensuring continued unauthorized access or control each time APT is used for package management. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious APT Package Manager Network Connection" diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 5d417d59a..2a908cda8 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -55,7 +55,7 @@ either a start or a kill entry in every runlevel and when the system is rebooted providing long-term persistence. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Chkconfig Service Add" diff --git a/rules/linux/persistence_dpkg_unusual_execution.toml b/rules/linux/persistence_dpkg_unusual_execution.toml index ff1d13c99..a6fe79198 100644 --- a/rules/linux/persistence_dpkg_unusual_execution.toml +++ b/rules/linux/persistence_dpkg_unusual_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ command is used to install, remove, and manage Debian packages on a Linux system to install malicious packages on a system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Unusual DPKG Execution" diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index 7825dba63..c59e3a570 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -56,7 +56,7 @@ inject and preload a malicious shared object file. This activity should never oc considered highly suspicious or malicious. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Dynamic Linker Copy" diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index 5db941163..7cd3bbae7 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/22" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -57,7 +57,7 @@ elevate privileges on compromised systems. File creation in these directories sh indicate a malicious binary or script installing persistence mechanisms for long term access. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Deprecated - Suspicious File Creation in /etc for Persistence" diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index e933187be..b268ef38a 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -42,7 +42,7 @@ can convert init.d files to service unit files that run at boot. Adversaries may /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "System V Init Script Created" diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index 3475045d5..be9b7a9fe 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -41,7 +41,7 @@ security products. Manually loading a kernel module in this manner should not be suspcious or malicious behavior. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Kernel Module Load via insmod" diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index ce945fed5..9fd2b9acc 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -83,7 +83,7 @@ Identifies the creation or modification of a K Desktop Environment (KDE) AutoSta execute upon each user logon. Adversaries may abuse this method for persistence. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Persistence via KDE AutoStart Script or Desktop File Modification" diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml index 81927769b..79e32fb19 100644 --- a/rules/linux/persistence_kworker_file_creation.toml +++ b/rules/linux/persistence_kworker_file_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -54,7 +54,7 @@ to be done in kernel space, which might include tasks like handling interrupts, kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious File Creation via Kworker" diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index be6a10329..70a01525e 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -38,7 +38,7 @@ Identifies the attempt to create a new backdoor user by setting the user's UID t 0 to establish persistence on a system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Backdoor User Account Creation" diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index bcf271a4f..75ef6bee4 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -42,7 +42,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Remote Code Execution via Web Server" diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index ed9110934..192d66274 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -31,7 +31,7 @@ Identifies attempts to add a user to a privileged group. Attackers may add users establish persistence on a system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Linux User Added to Privileged Group" diff --git a/rules/linux/persistence_manual_dracut_execution.toml b/rules/linux/persistence_manual_dracut_execution.toml index 8f9cadc0c..260b43dcd 100644 --- a/rules/linux/persistence_manual_dracut_execution.toml +++ b/rules/linux/persistence_manual_dracut_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/22" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ initramfs image that is used to boot the system. Attackers may use `dracut` to c that includes malicious code or backdoors, allowing them to maintain persistence on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Manual Dracut Execution" diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index 44c531d32..29091adcc 100644 --- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -35,7 +35,7 @@ boot. Adversaries may alter rc.local/rc.common to execute malicious code at star system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "rc.local/rc.common File Creation" diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml index 455472a54..f281b3b7e 100644 --- a/rules/linux/persistence_setuid_setgid_capability_set.toml +++ b/rules/linux/persistence_setuid_setgid_capability_set.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -41,7 +41,7 @@ file owner or group. Threat actors can exploit these attributes to achieve persi allowing them to maintain control over a compromised system with elevated permissions. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Setcap setuid/setgid Capability Set" diff --git a/rules/linux/persistence_ssh_netcon.toml b/rules/linux/persistence_ssh_netcon.toml index abf7fbba0..88130c4d2 100644 --- a/rules/linux/persistence_ssh_netcon.toml +++ b/rules/linux/persistence_ssh_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ new SSH login occurs. Attackers can also backdoor the SSH daemon to allow for pe or to steal credentials. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Network Connection Initiated by SSHD Child Process" diff --git a/rules/linux/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml index f3e875590..2dfb4da2e 100644 --- a/rules/linux/persistence_suspicious_file_opened_through_editor.toml +++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ through an editor will trigger this event. Attackers may alter any of the files persistence, escalate privileges or perform reconnaisance on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" max_signals = 1 diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml index dafd11750..5be74bebb 100644 --- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml +++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ It identifies potential malicious shell executions through remote SSH and detect terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Execution via XZBackdoor" diff --git a/rules/linux/persistence_systemd_netcon.toml b/rules/linux/persistence_systemd_netcon.toml index a47b7303a..f010db5e5 100644 --- a/rules/linux/persistence_systemd_netcon.toml +++ b/rules/linux/persistence_systemd_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ or commands, or by replacing legitimate systemd binaries with compromised ones, automatically executed at system startup or during certain system events. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious Network Connection via systemd" diff --git a/rules/linux/persistence_xdg_autostart_netcon.toml b/rules/linux/persistence_xdg_autostart_netcon.toml index 6abecb878..a4053fb7b 100644 --- a/rules/linux/persistence_xdg_autostart_netcon.toml +++ b/rules/linux/persistence_xdg_autostart_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ helps to identify potential malicious activity where an attacker may have modifi persistence on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Network Connections Initiated Through XDG Autostart Entry" diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml index 5a802bc7a..6dd7ba601 100644 --- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml +++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ commands or input containing wildcards (e.g., *, ?, []) to execute unintended op tricking the system into interpreting the wildcard characters in unexpected ways. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Unauthorized Access via Wildcard Injection Detected" diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml index 42f91415a..bee56739f 100644 --- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml +++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/31" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ able to create and run a container that mounts the root folder or spawn a privil escape attack, which might allow them to escalate privileges and gain further access onto the host file system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via Container Misconfiguration" diff --git a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml index f0581fb23..eb87c2531 100644 --- a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml +++ b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ within a container is capable of mounting the root file system of the host, and containarized environment. This behavior pattern is very uncommon and should be investigated. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Chroot Container Escape via Mount" diff --git a/rules/linux/privilege_escalation_enlightenment_window_manager.toml b/rules/linux/privilege_escalation_enlightenment_window_manager.toml index 6b7dc4ae3..163762f1c 100644 --- a/rules/linux/privilege_escalation_enlightenment_window_manager.toml +++ b/rules/linux/privilege_escalation_enlightenment_window_manager.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Enlightenment. enlightenment_sys in Enlightenment before 0.25.4 allows local use setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via Enlightenment" diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml index 5d3662cea..d9f136f68 100644 --- a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml +++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ Attackers may leverage this capability to hook and inject into a process that is to escalate their privileges to root. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via GDB CAP_SYS_PTRACE" diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml index 1b5d1c837..b03edb7d5 100644 --- a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml +++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ processes. Attackers may leverage this capability to hook and inject into a proc permissions in order to execute shell code and gain a reverse shell with root privileges. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Root Network Connection via GDB CAP_SYS_PTRACE" diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml index bbfc33159..5c695d128 100644 --- a/rules/linux/privilege_escalation_kworker_uid_elevation.toml +++ b/rules/linux/privilege_escalation_kworker_uid_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ hijack the execution flow by hooking certain functions/syscalls through a rootki root via a special modified command. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious Kworker UID Elevation" diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml index 146c9775d..af3b13bbb 100644 --- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml +++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ privileged process into following the symbolic link to a sensitive file, giving capabilities they would not normally have. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious Symbolic Link Created" diff --git a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml index 92e93513b..9c7f2352d 100644 --- a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml +++ b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/27" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ allowed UID size (INT_MAX). Some older Linux versions were affected by a bug whi greater than INT_MAX to escalate privileges by spawning a shell through systemd-run. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via UID INT_MAX Bug Detected" diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index 487698dcb..1f39e9a2a 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ escalate privileges, establish persistence or hide their activities by loading a tamper with the system's trusted state, allowing e.g. a VM Escape. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Kernel Load or Unload via Kexec Detected" diff --git a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml index db331d567..7f703f3cf 100644 --- a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml +++ b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ This rule detects potential privilege escalation attempts through Looney Tunable buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via CVE-2023-4911" diff --git a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml index c10a52143..52cc3a0fa 100644 --- a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml +++ b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/15" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/27" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ reverse shell shellcode is injected into a process run with elevated permissions inject shellcode into processes running as root, to escalate privileges. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Network Connection via Sudo Binary" diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml index abc06624f..c7b540738 100644 --- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml +++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ modifications to OverlayFS. These flaws allow the creation of specialized execut ability to escalate privileges to root on the affected machine. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via OverlayFS" diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml index 0b7405227..793e90b2b 100644 --- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies an attempt to exploit a local privilege escalation in polkit pkexec ( variable injection. Successful exploitation allows an unprivileged user to escalate to the root user. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via PKEXEC" diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml index fabd017de..a5d2203f9 100644 --- a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml +++ b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_version = "8.16.0" min_stack_comments = "Breaking change at 8.16.0 for the Endpoint Integration with respect to ecs field process.group.id" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ privileges. Attackers may leverage a misconfiguration for exploitation in order establish a backdoor for persistence. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via SUID/SGID" diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml index d3f6d037f..a3ba3a40c 100644 --- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml +++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ vulnerability where attackers manipulate commands or input containing wildcards operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Shell via Wildcard Injection Detected" diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml index 3ea1234fb..d916e1256 100644 --- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml +++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ root, such as the shadow file, root ssh private keys or other sensitive files th privileges. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Suspicious DebugFS Root Device Access" diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml index b3c4583f7..259c12927 100644 --- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml +++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ that can be chosen arbitrarily. By using the sudo privileges, the command "sudo representing the root user. This exploit may work for sudo versions prior to v1.28. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Sudo Privilege Escalation via CVE-2019-14287" diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml index b0172b2cd..4cd122d63 100644 --- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml +++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_version = "8.16.0" min_stack_comments = "Breaking change at 8.16.0 for the Endpoint Integration with respect to ecs field process.group.id" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ attackers to activate their own sudo token. This attack requires ptrace to be en of a living process that has a valid sudo token with the same uid as the current user. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Sudo Token Manipulation via Process Injection" diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml index 016b5c7c4..9e7f6b499 100644 --- a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml +++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ privileges, based on the file owner or group. Threat actors can exploit these at privileges that are set on the binary that is being executed. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via Python cap_setuid" diff --git a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml index e2c0f653c..0035cfea0 100644 --- a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml +++ b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/08" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ owner of a file, while CAP_FOWNER permits it to bypass permission checks on oper reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files. """ from = "now-9m" -index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.file*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities" diff --git a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml index f16ef0d7c..923962a5d 100644 --- a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml +++ b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ permissions or other privileges to add a new entry to the "/etc/passwd" file wit new user account to login as root. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-auditd_manager.auditd-*"] +index = ["logs-auditd_manager.auditd-*", "logs-endpoint.events.file*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious Passwd File Event Action" diff --git a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml index 0b459d067..fa50b74e7 100644 --- a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml +++ b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/08" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/27" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ change its UID and GID, respectively, providing control over user and group iden a misconfiguration for exploitation in order to escalate their privileges to root. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via CAP_SETUID/SETGID Capabilities" diff --git a/rules/linux/privilege_escalation_uid_change_post_compilation.toml b/rules/linux/privilege_escalation_uid_change_post_compilation.toml index d9cbb6f9b..79f3fc167 100644 --- a/rules/linux/privilege_escalation_uid_change_post_compilation.toml +++ b/rules/linux/privilege_escalation_uid_change_post_compilation.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ alteration of UID permissions to root privileges. This behavior can potentially software privilege escalation exploit. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via Recently Compiled Executable" diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml index 31642cba6..110652ad3 100644 --- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml +++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ or escape container security boundaries. Threat actors have utilized this binary host and access other resources or escalate privileges. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Namespace Manipulation Using Unshare" diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml index b635512f9..d295882bb 100644 --- a/rules/linux/privilege_escalation_writable_docker_socket.toml +++ b/rules/linux/privilege_escalation_writable_docker_socket.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ sockets may be able to create and run a container that allows them to escalate p the host file system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation through Writable Docker Socket"