From 08f946b394e872786b4e3f7cb8fcc266d742c4b3 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Thu, 7 Mar 2024 11:01:08 +0100
Subject: [PATCH] [Tuning] Linux DR Tuning - Part 8 (#3460)

* [Tuning] Linux DR Tuning - Part 8

* Update impact_esxi_process_kill.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 rules/linux/execution_tc_bpf_filter.toml | 24 +++++++++++++-----
 rules/linux/impact_esxi_process_kill.toml | 22 ++++++++++------
 ...tial_linux_ransomware_file_encryption.toml | 16 +++++++++---
 ...ential_linux_ransomware_note_detected.toml | 20 ++++++++++-----
 .../linux/impact_process_kill_threshold.toml | 25 +++++++++++++------
 5 files changed, 75 insertions(+), 32 deletions(-)

diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml
index 9a75c23f1..95ffa1af9 100644
--- a/rules/linux/execution_tc_bpf_filter.toml
+++ b/rules/linux/execution_tc_bpf_filter.toml
@@ -3,13 +3,16 @@ creation_date = "2022/07/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/20"
 integration = ["endpoint"]
 [rule]
 author = ["Elastic"]
 description = """
-Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.
+Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network
+interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic.
+A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic.
+This technique is not at all common and should indicate abnormal, suspicious or malicious activity.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
@@ -49,16 +52,27 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: TripleCross", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Threat: TripleCross",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd"
+process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and
+process.args == "filter" and process.args == "add" and process.args == "bpf" and
+not process.parent.executable == "/usr/sbin/libvirtd"
 '''
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -73,5 +87,3 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
-
diff --git a/rules/linux/impact_esxi_process_kill.toml b/rules/linux/impact_esxi_process_kill.toml
index d45f5244e..ce3e61050 100644
--- a/rules/linux/impact_esxi_process_kill.toml
+++ b/rules/linux/impact_esxi_process_kill.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.5.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/20"
 [rule]
 author = ["Elastic"]
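Review bot: The rewritten query pins the binary to a single path with `process.executable == "/usr/sbin/tc"`, so a tc reported as `/sbin/tc` (the location on distributions without a merged /usr, if the endpoint records the path unresolved) would not match. The `in` operator this PR already uses in the ESXi rule keeps the exact-match semantics while covering both locations: `process.executable in ("/usr/sbin/tc", "/sbin/tc")`. Whether that second path matters depends on the fleet's distributions, which the rule text does not state, so treat this as a check to run rather than a must-fix.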
@@ -15,7 +15,7 @@ The presence of a "kill" command as the parent process for terminating VMware pr
 threat actor is attempting to interfere with the virtualized environment on the targeted system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Termination of ESXI Process"
@@ -51,24 +51,30 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "end" and process.name : ("vmware-vmx", "vmx")
-and process.parent.name : "kill"
+process where host.os.type == "linux" and event.type == "end" and process.name in ("vmware-vmx", "vmx")
+and process.parent.name == "kill"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1489"
 name = "Service Stop"
 reference = "https://attack.mitre.org/techniques/T1489/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
index 6ab9c3305..4d87d7287 100644
--- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
+++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
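Review bot: The tags array now ends with `"Data Source: Elastic Defend", "Data Source: Elastic Endgame"`, whereas the tc and pkill rules touched in this same PR list Endgame before Defend; order them the same way here so the data-source tags read consistently across the tuned rules. Separately, `process.parent.name == "kill"` matches only the `kill` binary, which agrees with the description excerpt in the earlier hunk (a "kill" command as the parent process), so the exact match is the faithful choice; if terminations driven by `pkill` or `killall` are meant to be in scope, the clause would need `process.parent.name in ("kill", "pkill", "killall")`, mirroring the `process.name in (...)` form on the line above, and the description would need the same widening.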
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/21"
 [rule]
 author = ["Elastic"]
@@ -48,7 +48,8 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint",
+tags = [
+ "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Impact",
@@ -60,8 +61,15 @@ sequence by process.entity_id, host.id with maxspan=1s
 [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and file.path : (
-"/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
-"/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25
+"/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", "/var/log/*", "/var/lib/log/*",
+"/var/backup/*", "/var/www/*"
+) and
+not process.name : (
+"dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
+"conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
+"systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader"
+)
+] with runs=25
 '''
 [[rule.threat]]
diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml
index 92c2ecbcd..666632a68 100644
--- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml
+++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml
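Review bot: The new `not process.name : (...)` exclusion keys on the process name alone, and the names it lists include runtimes and interpreters (`python*`, `pip*`, `node`, `java`, `go`, `php`, `bundle`); because the clause above already limits `process.executable` to `./*`, `/tmp/*`, `/var/tmp/*`, `/dev/shm/*` and similar locations, the exclusion specifically silences a runtime that is itself running from one of those locations, which is close to the situation the rule exists to flag. If the false positives came from identifiable paths (relative `./` build invocations, for example), pinning the exclusion to the observed `process.executable` values, or trimming the list to the package managers (`dpkg`, `rpm`, `yum`, `dnf`) and leaving the runtimes in scope, would keep the noise reduction without widening the gap. The identical exclusion is added to `rules/linux/impact_potential_linux_ransomware_note_detected.toml` in this PR and should be changed together with this one. The `file.path` list also drops `/opt/*` and `/etc/*`, which the commit message does not mention; a one-line rationale in the commit or in the rule's note would help the next tuner.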
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/21"
 [rule]
 author = ["Elastic"]
@@ -49,7 +49,8 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint",
+tags = [
+ "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Impact",
@@ -61,11 +62,18 @@ sequence by process.entity_id, host.id with maxspan=1s
 [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and file.path : (
-"/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
-"/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25
+"/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", "/var/log/*", "/var/lib/log/*",
+"/var/backup/*", "/var/www/*") and
+not process.name : (
+"dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
+"conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
+"systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader"
+)
+] with runs=25
 [file where host.os.type == "linux" and event.action == "creation" and file.name : (
-"*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*"
-)]
+"*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*"
+)
+]
 '''
 [[rule.threat]]
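Review bot: In the rewritten `file.path` list the closing parenthesis stays on the last element line (`"/var/backup/*", "/var/www/*") and`), while the sibling file-encryption rule in this PR and the `file.name` block a few lines further down in this same hunk put `)` on a line of its own; use the own-line form here too so the two near-identical sequences diff cleanly against each other. The `sequence by` header and the `query = '''` opener sit before this hunk.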
diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml
index f32b0bb0e..a431d1833 100644
--- a/rules/linux/impact_process_kill_threshold.toml
+++ b/rules/linux/impact_process_kill_threshold.toml
@@ -1,16 +1,18 @@
 [metadata]
 creation_date = "2022/07/27"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/17"
+updated_date = "2024/02/21"
 [rule]
 author = ["Elastic"]
-description = "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period."
+description = """
+This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.
+"""
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "High Number of Process Terminations"
@@ -77,7 +79,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Auditd Manager"
+ ]
 type = "threshold"
 timestamp_override = "event.ingested"
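Review bot: The rule now reads `auditbeat-*` and `logs-auditd_manager.auditd-*` and carries the `"Data Source: Auditd Manager"` tag, but the only setup text visible in the second hunk's context is the Elastic Defend helper-guide paragraph; unless the part of `setup` outside this hunk already covers it, add an Auditd Manager paragraph stating what that integration must be configured to record so that `event.category:process and event.type:start` documents carry `process.name` and `process.args` (the query is in the following hunk). The threshold groups on `["host.id", "process.executable", "user.name"]`, so documents from the new sources that are missing any of those fields will most likely not count toward the threshold of 10; that is worth confirming against a sample of auditd events rather than assuming parity with the endpoint data.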
@@ -85,15 +96,14 @@ query = '''
 event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1489"
 name = "Service Stop"
 reference = "https://attack.mitre.org/techniques/T1489/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
@@ -102,4 +112,3 @@ reference = "https://attack.mitre.org/tactics/TA0040/"
 [rule.threshold]
 field = ["host.id", "process.executable", "user.name"]
 value = 10
-