[Tuning] Linux DR Tuning - Part 2 (#3453)
* [Tuning] Linux DR Tuning - Part 2
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
(cherry picked from commit 0e48747aa6)
committed by
github-actions[bot]
parent
cfc0b41e20
commit
24d4da7b5d
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -47,14 +47,22 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Credential Access",
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
type = "eql"
|
||||
query = '''
|
||||
sequence by host.id, process.parent.executable, user.id with maxspan=1s
|
||||
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and
|
||||
not process.parent.name in (
|
||||
"bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server"
|
||||
)] with runs=10
|
||||
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and
|
||||
not process.parent.name in (
|
||||
"bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server", "ma", "gitlab-runner",
|
||||
"updatedb.findutils", "cron"
|
||||
)
|
||||
] with runs=10
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
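Review bot: The four parent names appended on the line `"bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server", "ma", "gitlab-runner",` are excluded by `process.parent.name` alone, and `ma` is a two-character name with nothing in the rule saying which software it stands for. Since the sequence already keys on `process.parent.executable`, pinning the new carve-outs to that field (full path) would keep them as narrow as the keying, e.g. `not process.parent.executable in ("<PATH-TO-ma>", ...)` with the real paths filled in. A `#` comment above `query = '''` naming the product behind `ma` would let the next tuner judge whether the exclusion still applies. The `tags` change in the same hunk is a reflow only, and the enclosing `[rule]` table begins before this hunk.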
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -52,24 +52,31 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Credential Access",
|
||||
"Use Case: Vulnerability",
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
type = "eql"
|
||||
query = '''
|
||||
sequence by process.parent.name,host.name with maxspan=1m
|
||||
[process where host.os.type == "linux" and process.name == "ps" and event.action == "exec"
|
||||
and process.args in ("-eo", "pid", "command") ]
|
||||
|
||||
[process where host.os.type == "linux" and process.name == "strings" and event.action == "exec"
|
||||
and process.args : "/tmp/*" ]
|
||||
sequence by host.id, process.parent.name with maxspan=1m
|
||||
[process where host.os.type == "linux" and process.name == "ps" and event.action == "exec"
|
||||
and process.args in ("-eo", "pid", "command")]
|
||||
[process where host.os.type == "linux" and process.name == "strings" and event.action == "exec"
|
||||
and process.args : "/tmp/*"]
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1003"
|
||||
name = "OS Credential Dumping"
|
||||
reference = "https://attack.mitre.org/techniques/T1003/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1003.007"
|
||||
name = "Proc Filesystem"
|
||||
@@ -80,10 +87,7 @@ id = "T1212"
|
||||
name = "Exploitation for Credential Access"
|
||||
reference = "https://attack.mitre.org/techniques/T1212/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0006"
|
||||
name = "Credential Access"
|
||||
reference = "https://attack.mitre.org/tactics/TA0006/"
|
||||
|
||||
|
||||
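Review bot: The new join key `sequence by host.id, process.parent.name with maxspan=1m` correlates a `ps` and a `strings` execution under any two parents that merely share a name (two unrelated shells called `bash` on one host), so the two stages need not come from the same parent process. Keying on the parent's entity id instead, `sequence by host.id, process.parent.entity_id with maxspan=1m`, ties both stages to one parent and is the same style of per-process key this repository already uses (`process.entity_id` in the copied-binary rule's sequence). The rest of the section (tags reflow, technique/tactic block) is cosmetic.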
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2020/04/17"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -16,8 +16,8 @@ false_positives = [
|
||||
""",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
|
||||
language = "kuery"
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Base16 or Base32 Encoding/Decoding Activity"
|
||||
risk_score = 21
|
||||
@@ -61,18 +61,25 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
|
||||
|
||||
"""
|
||||
severity = "low"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Defense Evasion",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
type = "eql"
|
||||
query = '''
|
||||
event.category:process and host.os.type:linux and event.type:(start or process_started) and
|
||||
process.name:(base16 or base32 or base32plain or base32hex)
|
||||
process where host.os.type == "linux" and event.type in ("start", "process_started") and
|
||||
process.name in ("base16", "base32", "base32plain", "base32hex") and not process.args in ("--help", "--version")
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1027"
|
||||
name = "Obfuscated Files or Information"
|
||||
@@ -83,9 +90,7 @@ id = "T1140"
|
||||
name = "Deobfuscate/Decode Files or Information"
|
||||
reference = "https://attack.mitre.org/techniques/T1140/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
name = "Defense Evasion"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
|
||||
|
||||
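Review bot: The rewritten EQL `process where host.os.type == "linux" and event.type in ("start", "process_started") and` gates on `event.type` only, whereas the other process queries in this commit (the `su` rule and the `dmesg` rule) also constrain `event.action`. With `auditbeat-*` and `logs-auditd_manager.auditd-*` now added to `index`, the diff does not show that every source emits the same `event.type` values, and without an `event.action` gate any start-type event for these binaries would match (presumably including non-exec process events on Elastic Defend — confirm). Adding `event.action in ("exec", "exec_event", "executed")` would make the three rules consistent. The `not process.args in ("--help", "--version")` exclusion reads as intended.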
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/12/12"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -82,7 +82,7 @@ sequence by host.id, process.entity_id with maxspan=1s
|
||||
) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")]
|
||||
[file where host.os.type == "linux" and event.action == "creation" and file.path : (
|
||||
"/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*"
|
||||
) and not file.path : ("/tmp/rear*", "/var/tmp/dracut*")]
|
||||
) and not file.path : ("/tmp/rear*", "/var/tmp/rear*", "/var/tmp/dracut*", "/var/tmp/mkinitramfs*")]
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
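Review bot: The added exclusions `"/var/tmp/rear*"` and `"/var/tmp/mkinitramfs*"` on the line `) and not file.path : ("/tmp/rear*", "/var/tmp/rear*", "/var/tmp/dracut*", "/var/tmp/mkinitramfs*")]` are bare prefix globs on `file.path` in a world-writable directory, and nothing in the file stage ties them to the tool that creates those files. The sequence's first stage (only its tail `not process.parent.name in ("dracut-install", ...)` is visible) already filters by parent, so moving the carve-out there, or qualifying the file stage with the writing `process.name`, would scope the exclusion to `rear`/`mkinitramfs` rather than to any file with that prefix. The query starts before this hunk, so the exact condition to extend is not visible here.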
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2023/10/24"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -13,7 +13,7 @@ Monitors for the deletion of the kernel ring buffer events through dmesg. Attack
|
||||
to evade detection after installing a Linux kernel module (LKM).
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Attempt to Clear Kernel Ring Buffer"
|
||||
@@ -51,13 +51,15 @@ tags = [
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Defense Evasion",
|
||||
"Data Source: Elastic Defend"
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
|
||||
process.name == "dmesg" and process.args : "-c"
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and
|
||||
event.type == "start" and process.name == "dmesg" and process.args : "-c"
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
@@ -87,4 +89,3 @@ reference = "https://attack.mitre.org/techniques/T1070/002/"
|
||||
name = "Defense Evasion"
|
||||
id = "TA0005"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
|
||||
|
||||
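Review bot: The rewritten condition `event.type == "start" and process.name == "dmesg" and process.args : "-c"` still matches only the short flag; `:` is case-insensitive so `-C` is covered, but util-linux also accepts the long forms `--clear` and `--read-clear`, which this rule does not see. A list on the same operator closes that gap, e.g. `event.type == "start" and process.name == "dmesg" and process.args : ("-c", "--clear", "--read-clear")`. The widened `event.action in ("exec", "exec_event", "executed")` matches the new `auditbeat-*`/`logs-auditd_manager.auditd-*` indices; the final hunk only reorders the tactic keys.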