[Tuning] Linux DR Tuning - Part 8 (#3460)
* [Tuning] Linux DR Tuning - Part 8
* Update impact_esxi_process_kill.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
@@ -3,13 +3,16 @@ creation_date = "2022/07/11"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
integration = ["endpoint"]
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.
|
||||
Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network
|
||||
interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic.
|
||||
A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic.
|
||||
This technique is not at all common and should indicate abnormal, suspicious or malicious activity.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
@@ -49,16 +52,27 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "high"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: TripleCross", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Execution",
|
||||
"Threat: TripleCross",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd"
|
||||
process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and
|
||||
process.args == "filter" and process.args == "add" and process.args == "bpf" and
|
||||
not process.parent.executable == "/usr/sbin/libvirtd"
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1059"
|
||||
name = "Command and Scripting Interpreter"
|
||||
@@ -73,5 +87,3 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
|
||||
|
||||
|
||||
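Review bot: The rewrapped description in the first hunk still expands tc as "transmission control", which the very next sentence contradicts by saying tc configures Traffic Control in the Linux kernel; the iproute2 utility is the traffic-control tool, so the first line should read `Detects when the tc (traffic control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network`. Since this commit already touches those lines for wrapping, fixing the expansion here avoids shipping a misleading analyst-facing description. Separately, the last hunk's switch from `process.executable : "/usr/sbin/tc"` to `==` makes the path match exact and case-sensitive; if any monitored hosts report the binary under a non-merged-usr path such as `/sbin/tc`, those events would no longer match, so this is worth confirming against existing telemetry before relying on the stricter operator.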
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.5.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -15,7 +15,7 @@ The presence of a "kill" command as the parent process for terminating VMware pr
|
||||
threat actor is attempting to interfere with the virtualized environment on the targeted system.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Suspicious Termination of ESXI Process"
|
||||
@@ -51,24 +51,30 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Impact",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "end" and process.name : ("vmware-vmx", "vmx")
|
||||
and process.parent.name : "kill"
|
||||
process where host.os.type == "linux" and event.type == "end" and process.name in ("vmware-vmx", "vmx")
|
||||
and process.parent.name == "kill"
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1489"
|
||||
name = "Service Stop"
|
||||
reference = "https://attack.mitre.org/techniques/T1489/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0040"
|
||||
name = "Impact"
|
||||
reference = "https://attack.mitre.org/tactics/TA0040/"
|
||||
reference = "https://attack.mitre.org/tactics/TA0040/"
|
||||
|
||||
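Review bot: The new `tags` array in the last hunk lists "Data Source: Elastic Defend" before "Data Source: Elastic Endgame", whereas the other rules touched by this commit (the tc BPF rule and the pkill threshold rule) list Endgame first; keeping one order across the rule set makes future diffs easier to scan. Swapping the two entries to `"Data Source: Elastic Endgame",` followed by `"Data Source: Elastic Defend"` would align it. The operator change from `:` to `in` and `==` in `query` is sound here, since Linux process names are case-sensitive and neither value used a wildcard.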
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -48,7 +48,8 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint",
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Impact",
|
||||
@@ -60,8 +61,15 @@ sequence by process.entity_id, host.id with maxspan=1s
|
||||
[file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
|
||||
and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and
|
||||
file.path : (
|
||||
"/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
|
||||
"/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25
|
||||
"/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", "/var/log/*", "/var/lib/log/*",
|
||||
"/var/backup/*", "/var/www/*"
|
||||
) and
|
||||
not process.name : (
|
||||
"dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
|
||||
"conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
|
||||
"systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader"
|
||||
)
|
||||
] with runs=25
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
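Review bot: The exclusion list added in the last hunk, `not process.name : ("dpkg", "yum", "dnf", ... "python*", "node", ...)`, keys only on process.name, while the positive conditions of the same event key on process.executable under `./`, `/tmp`, `/var/tmp`, `/dev/shm` and similar; because process.name is just the executable's basename, a file in one of those directories that happens to carry one of the excluded names satisfies the path condition and the exclusion at once, so the suppression is broader than the package-manager and interpreter cases it is presumably meant to cover. The same list is added in the next file section (the variant that also watches for ransom-note creation), so this applies there too. If the false positives came from specific executables, scoping the exclusion to their observed full paths, e.g. `not process.executable : ("<observed-path-1>", "<observed-path-2>")` with the real values substituted, or combining the basename with `process.executable` patterns, would be more robust than basename matching alone. If the basename list is a deliberate precision/recall trade-off, a short comment above `query` recording that decision and the sources tuned against would help the next person who revisits this rule.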
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -49,7 +49,8 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint",
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Impact",
|
||||
@@ -61,11 +62,18 @@ sequence by process.entity_id, host.id with maxspan=1s
|
||||
[file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
|
||||
and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and
|
||||
file.path : (
|
||||
"/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
|
||||
"/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25
|
||||
"/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", "/var/log/*", "/var/lib/log/*",
|
||||
"/var/backup/*", "/var/www/*") and
|
||||
not process.name : (
|
||||
"dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
|
||||
"conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
|
||||
"systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader"
|
||||
)
|
||||
] with runs=25
|
||||
[file where host.os.type == "linux" and event.action == "creation" and file.name : (
|
||||
"*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*"
|
||||
)]
|
||||
"*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*"
|
||||
)
|
||||
]
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
@@ -1,16 +1,18 @@
|
||||
[metadata]
|
||||
creation_date = "2022/07/27"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/17"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period."
|
||||
description = """
|
||||
This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "High Number of Process Terminations"
|
||||
@@ -77,7 +79,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Impact",
|
||||
"Resources: Investigation Guide",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
type = "threshold"
|
||||
timestamp_override = "event.ingested"
|
||||
|
||||
@@ -85,15 +96,14 @@ query = '''
|
||||
event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f"
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1489"
|
||||
name = "Service Stop"
|
||||
reference = "https://attack.mitre.org/techniques/T1489/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0040"
|
||||
name = "Impact"
|
||||
@@ -102,4 +112,3 @@ reference = "https://attack.mitre.org/tactics/TA0040/"
|
||||
[rule.threshold]
|
||||
field = ["host.id", "process.executable", "user.name"]
|
||||
value = 10
|
||||
|
||||
|
||||
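Review bot: The first hunk adds `auditbeat-*` and `logs-auditd_manager.auditd-*` to `index`, but the query (shown as context in the third hunk) still requires `host.os.type:linux`, `event.type:start` and `process.args:"-f"`; whether auditd-sourced events populate all three fields the way Elastic Defend does depends on the integration and agent version, so it is worth validating against a sample event before treating the new indices as covered. The threshold grouping `field = ["host.id", "process.executable", "user.name"]` in the last hunk is unchanged, and threshold rules generally only count events that carry every grouping field, so if auditd events lack or differently populate `process.executable` they may never contribute to the count of 10 that the description promises. A one-line comment above `index` noting which data sources were validated during this tuning would make the change reproducible. `min_stack_version` stays at "8.3.0" although a second integration is now declared in `integration`; confirm that is intentional.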