security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3 (#4343)

Browse Source 
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3

* .

* Update rules/linux/command_and_control_ip_forwarding_activity.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2025-01-09 10:35:58 -03:00
committed by GitHub
parent d6ceb88558
commit 0fc83fe815
10 changed files with 70 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/command_and_control_ip_forwarding_activity.toml
+8 -4
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2024/11/04"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/11/04"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/06"
[rule]
author = ["Elastic"]
@@ -12,7 +14,7 @@ forwarding can be used to route network traffic between different network interf
pivot between networks, exfiltrate data, or establish command and control channels.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "IPv4/IPv6 Forwarding Activity"
@@ -25,11 +27,13 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
"Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "exec_event") and
process.parent.executable != null and process.command_line like (
"*net.ipv4.ip_forward*", "*/proc/sys/net/ipv4/ip_forward*", "*net.ipv6.conf.all.forwarding*",
"*/proc/sys/net/ipv6/conf/all/forwarding*"
rules/linux/command_and_control_linux_proxychains_activity.toml
+8 -4
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint", "auditd_manager"]
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/06"
[transform]
[[transform.osquery]]
@@ -39,7 +41,7 @@ resources. Attackers can exploit the ProxyChains utility to hide their true sour
perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "ProxyChains Activity"
@@ -118,12 +120,14 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started")
and process.name == "proxychains"
'''
rules/linux/command_and_control_linux_ssh_x11_forwarding.toml
+8 -4
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/18"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/06"
[transform]
[[transform.osquery]]
@@ -39,7 +41,7 @@ can abuse X11 forwarding for tunneling their GUI-based tools, pivot through comp
communication channels, enabling lateral movement and facilitating remote control of systems within a network.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Linux SSH X11 Forwarding"
@@ -113,11 +115,13 @@ tags = [
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
process.name in ("ssh", "sshd") and process.args in ("-X", "-Y") and process.args_count >= 3 and
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
'''
rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
+8 -4
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint", "auditd_manager"]
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/06"
[transform]
[[transform.osquery]]
@@ -40,7 +42,7 @@ detection, and perform malicious activities through a chain of proxy servers, po
intentions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Utility Launched via ProxyChains"
@@ -144,12 +146,14 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started")
and process.name == "proxychains" and process.args : (
"ssh", "sshd", "sshuttle", "socat", "iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng",
"ssf", "3proxy", "ngrok", "gost", "pivotnacci", "chisel*", "nmap", "ping", "python*", "php*", "perl", "ruby",
rules/linux/persistence_kde_autostart_modification.toml
+6 -3
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2021/01/06"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/17"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/06"
[transform]
[[transform.osquery]]
@@ -81,7 +83,7 @@ Identifies the creation or modification of a K Desktop Environment (KDE) AutoSta
execute upon each user logon. Adversaries may abuse this method for persistence.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via KDE AutoStart Script or Desktop File Modification"
@@ -203,6 +205,7 @@ tags = [
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/linux/persistence_kworker_file_creation.toml
+7 -3
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2023/10/26"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/07/18"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/06"
[transform]
[[transform.osquery]]
@@ -52,7 +54,7 @@ to be done in kernel space, which might include tasks like handling interrupts,
kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious File Creation via Kworker"
@@ -159,6 +161,8 @@ tags = [
"Tactic: Persistence",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
"Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"
rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
+7 -3
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2024/12/16"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/12/16"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/06"
[rule]
author = ["Elastic"]
@@ -15,7 +17,7 @@ false_positives = [
"Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
]
from = "now-9m"
index = ["logs-endpoint.events.file*"]
index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Pluggable Authentication Module (PAM) Creation in Unusual Directory"
@@ -35,6 +37,8 @@ tags = [
"Tactic: Credential Access",
"Tactic: Persistence",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
"Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"
rules/linux/persistence_ssh_key_generation.toml
+6 -3
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2024/05/31"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/09/23"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/06"
[rule]
author = ["Elastic"]
@@ -13,7 +15,7 @@ tool to move laterally across a network or maintain persistence by generating un
access to systems.
"""
from = "now-9m"
index = ["logs-endpoint.events.file*", "endgame-*"]
index = ["logs-endpoint.events.file*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "SSH Key Generated via ssh-keygen"
@@ -29,6 +31,7 @@ tags = [
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/linux/persistence_suspicious_file_opened_through_editor.toml
+6 -3
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2023/07/25"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/06"
[rule]
author = ["Elastic"]
@@ -14,7 +16,7 @@ through an editor will trigger this event. Attackers may alter any of the files
persistence, escalate privileges or perform reconnaisance on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
max_signals = 1
@@ -30,6 +32,7 @@ tags = [
"Tactic: Privilege Escalation",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/linux/privilege_escalation_pkexec_envar_hijack.toml
+6 -3
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2022/01/26"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/06"
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies an attempt to exploit a local privilege escalation in polkit pkexec (
variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via PKEXEC"
@@ -52,6 +54,7 @@ tags = [
"Data Source: Elastic Endgame",
"Use Case: Vulnerability",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"