From 09bd4cef16635dc670e5268f4791470d420159fd Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Fri, 18 Oct 2024 16:38:14 +0200 Subject: [PATCH] [Rule Tuning] Q2 Linux DR Tuning - CP (#4170) * [Rule Tuning] Q2 Linux DR Tuning - CP * Update command_and_control_non_standard_ssh_port.toml
---
 ...and_and_control_non_standard_ssh_port.toml | 19 +++--- ...sion_elastic_agent_service_terminated.toml | 11 ++-- ...ion_masquerading_space_after_filename.toml | 21 ++++--- .../discovery_security_software_grep.toml | 10 ++- .../execution_python_script_in_cmdline.toml | 61 ------------------- ...xecution_suspicious_jar_child_process.toml | 12 ++-- 6 files changed, 36 insertions(+), 98 deletions(-) delete mode 100644 rules/cross-platform/execution_python_script_in_cmdline.toml
diff --git a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
index 26b3ddbf1..7e90f0a3d 100644
--- a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
+++ b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/10/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 [rule]
 author = ["Elastic"]
@@ -37,30 +37,35 @@ tags = [
 "Data Source: Elastic Defend",
 ]
 type = "eql"
-
 query = '''
 sequence by process.entity_id with maxspan=1m
- [process where event.action == "exec" and process.name:"ssh" and not process.parent.name in (
+ [process where event.action == "exec" and process.name in ("ssh", "sshd") and not process.parent.name in (
 "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest", "git-lfs", "expect", "Sourcetree", "ssh-copy-id", "run" ) ] [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and
- destination.port != 22 and destination.ip != "127.0.0.1" and network.transport: "tcp"
+ destination.port != 22 and network.transport == "tcp" and not (
+ destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
+ destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
+ "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+ "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+ "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+ "FF00::/8"
+ )
+ )
 ] '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1571"
 name = "Non-Standard Port"
 reference = "https://attack.mitre.org/techniques/T1571/"
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
index 50eac1fc7..655695f3c 100644
--- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
+++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
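Review bot: The first sequence stage now accepts `process.name in ("ssh", "sshd")`, but the network stage a few lines further down still requires `process.name:"ssh"`, so an `sshd` exec can only complete the sequence if the later network event on the same process.entity_id still reports the name `ssh`; if the intent is to cover `sshd` as well, the network stage should read `[network where process.name in ("ssh", "sshd") and`, otherwise the addition appears to be dead. Separately, the new cidrmatch() list excludes every RFC 1918 range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), which means non-standard-port SSH sessions to internal hosts are no longer alerted on; that is a real coverage trade-off that the rule's description or false_positives (both outside this hunk) should state rather than leave implicit. Minor: `"192.175.48.0/24","198.18.0.0/15"` is missing the space after the comma that every other entry in the list has.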
@@ -2,7 +2,7 @@
 creation_date = "2022/05/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,6 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where
 /* net, sc or wmic stopping or deleting Elastic Agent on Windows */
@@ -52,7 +51,7 @@ or
 (event.type == "end" and (process.name : ("systemctl", "service") and process.args : "elastic-agent" and
- process.args : "stop")
+ process.args : ("stop", "disable"))
 or /* pkill , killall used to stop Elastic Agent on Linux */ ( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent")
@@ -63,22 +62,20 @@ or
 event.action : "end")) '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
index 37fb73fe7..4b4633236 100644
--- a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
+++ b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/10/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 [rule]
 author = ["Elastic"]
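Review bot: Adding `"disable"` to the systemctl/service branch in the `@@ -52,7 +51,7 @@` hunk widens the rule beyond what its name and description state: `systemctl disable` does not stop a running agent, it only removes the unit from the boot sequence, yet the branch stays gated on `event.type == "end"` and the rule still presents itself as detecting the service being terminated. Either update the description and the investigation note (both outside this hunk) to say that disabling the unit is covered too, or give it its own branch with a short comment such as `/* systemctl disable keeps the agent from starting on next boot */` so the next reader does not assume a typo. The query this line belongs to begins and ends outside the hunk.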
@@ -42,30 +42,31 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-process where host.os.type:("linux","macos") and
- event.type == "start" and
- (process.executable regex~ """/[a-z0-9\s_\-\\./]+\s""") and not
- process.name in ("ls", "find", "grep", "xkbcomp")
+process where host.os.type:("linux","macos") and event.type == "start" and
+process.executable regex~ """/[a-z0-9\s_\-\\./]+\s""" and not (
+ process.name in ("ls", "find", "grep", "xkbcomp") or
+ process.executable like ("/opt/nessus_agent/*", "/opt/gitlab/sv/gitlab-exporter/*", "/tmp/ansible-admin/*") or
+ process.parent.args in (
+ "./check_rubrik", "/usr/bin/check_mk_agent", "/etc/rubrik/start_stop_bootstrap.sh", "/etc/rubrik/start_stop_agent.sh"
+ )
+)
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.006"
 name = "Space after Filename"
 reference = "https://attack.mitre.org/techniques/T1036/006/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml
index f22fae9c6..369eb12bb 100644
--- a/rules/cross-platform/discovery_security_software_grep.toml
+++ b/rules/cross-platform/discovery_security_software_grep.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,6 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where event.type == "start" and
 process.name : "grep" and user.id != "0" and
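Review bot: The new path exclusion `process.executable like ("/opt/nessus_agent/*", "/opt/gitlab/sv/gitlab-exporter/*", "/tmp/ansible-admin/*")` includes a prefix under /tmp, a world-writable directory, so that branch of the allow-list can be satisfied by any local user rather than only by the Ansible tooling it is meant for; the two /opt prefixes are root-owned install trees and do not carry that weakness. Consider keying the Ansible case on something an unprivileged user does not control, for example the parent executable, or adding it to the `process.parent.args in (...)` list instead, and if the path exclusion is kept, record the trade-off in false_positives (outside this hunk). In the same spirit, the relative entry `"./check_rubrik"` in the parent-args list matches a bare argv string any parent could present; an absolute path or a parent executable check would be a tighter key. The [rule] section this query belongs to begins outside the hunk.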
@@ -106,6 +105,7 @@ process.name : "grep" and user.id != "0" and
 ) and not ( (process.args : "Avast" and process.args : "Passwords") or
+ (process.args == "osquery.conf") or
 (process.parent.args : "/opt/McAfee/agent/scripts/ma" and process.parent.args : "checkhealth") or (process.command_line : ( "grep ESET Command-line scanner, version %s -A2",
@@ -121,22 +121,20 @@ process.name : "grep" and user.id != "0" and
 ) '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1518"
 name = "Software Discovery"
 reference = "https://attack.mitre.org/techniques/T1518/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1518.001"
 name = "Security Software Discovery"
 reference = "https://attack.mitre.org/techniques/T1518/001/"
-
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/cross-platform/execution_python_script_in_cmdline.toml b/rules/cross-platform/execution_python_script_in_cmdline.toml
deleted file mode 100644
index 1f8237443..000000000
--- a/rules/cross-platform/execution_python_script_in_cmdline.toml
+++ /dev/null
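Review bot: The added exclusion `(process.args == "osquery.conf") or` uses the strict `==` operator while every neighbouring clause in this `and not (...)` block uses the case-insensitive wildcard operator `:`; that is fine if only a bare `osquery.conf` argument is meant to be excluded (an invocation passing a full path such as a file under /etc/osquery would still alert), but as written it reads as an inconsistency rather than a choice. Either change it to `(process.args : "osquery.conf") or` to match the block's style, or keep `==` and add a short comment stating that the exact match is deliberate. The `and not (` block this line sits in begins and ends outside the hunk.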
@@ -1,61 +0,0 @@
-[metadata]
-creation_date = "2021/01/13"
-integration = ["endpoint"]
-maturity = "development"
-updated_date = "2024/08/08"
-
-[rule]
-author = ["Elastic"]
-description = """
-Identifies when a Python script is executed using command line input and imports the sys module. Attackers often use
-this method to execute malicious scripts and avoiding writing it to disk.
-"""
-false_positives = ["Legitimate Python scripting activity."]
-from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
-language = "eql"
-license = "Elastic License v2"
-name = "Python Script Execution via Command Line"
-risk_score = 47
-rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae"
-setup = """## Setup
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
-severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where event.type in ("start", "process_started") and
- process.name : "python*" and process.args : "-c" and process.args : "*import*sys*"
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.006"
-name = "Python"
-reference = "https://attack.mitre.org/techniques/T1059/006/"
-[[rule.threat.technique.subtechnique]]
-id = "T1059.003"
-name = "Windows Command Shell"
-reference = "https://attack.mitre.org/techniques/T1059/003/"
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml
index 33a0253ee..c4e9ce9e8 100644
--- a/rules/cross-platform/execution_suspicious_jar_child_process.toml
+++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Suspicious JAVA Child Process"
+name = "Deprecated - Suspicious JAVA Child Process"
 note = """## Triage and analysis
 ### Investigating Suspicious Java Child Process
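Review bot: Prefixing the name with `Deprecated - ` while the metadata hunk of this same file still carries `maturity = "production"` leaves the rule live and shipping under a confusing title; a rename alone does not tell rule-management tooling or users that the rule is retired. As far as I can tell this repository retires rules by setting `maturity = "deprecated"`, adding a `deprecation_date` in [metadata] and moving the file to the deprecated rules directory, none of which this commit does, so the intent should be made explicit one way or the other. The `note` text that follows (outside the hunk) should also say that the rule is deprecated and name its replacement, otherwise an analyst triaging an alert from it has no pointer to what superseded it.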
@@ -85,20 +85,19 @@ event.category:process and event.type:("start" or "process_started") and process
 ) '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -107,8 +106,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.command_line"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-