From 24d4da7b5d8fedce6d47a48732d9960e99083f76 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Tue, 20 Feb 2024 14:17:17 +0100 Subject: [PATCH] [Tuning] Linux DR Tuning - Part 2 (#3453) * [Tuning] Linux DR Tuning - Part 2 * Update defense_evasion_binary_copied_to_suspicious_directory.toml * Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml (cherry picked from commit 0e48747aa640f3b8a9b633999f4dd1c1df0e6780) --- ...ential_linux_local_account_bruteforce.toml | 20 +++++++++---- ...ential_access_proc_credential_dumping.toml | 28 ++++++++++-------- ..._base32_encoding_or_decoding_activity.toml | 29 +++++++++++-------- ...binary_copied_to_suspicious_directory.toml | 4 +-- ...ense_evasion_clear_kernel_ring_buffer.toml | 15 +++++----- 5 files changed, 57 insertions(+), 39 deletions(-) diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml index be4c0071c..e1020fb61 100644 --- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml +++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/02/20" [rule] author = ["Elastic"] @@ -47,14 +47,22 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' sequence by host.id, process.parent.executable, user.id with maxspan=1s - [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and - not process.parent.name in ( - "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server" - )] with runs=10 + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and + not process.parent.name in ( + "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server", "ma", "gitlab-runner", + "updatedb.findutils", "cron" + ) + ] with runs=10 ''' [[rule.threat]] diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index e5e2399e4..00c31d229 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/02/20" [rule] author = ["Elastic"] @@ -52,24 +52,31 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' -sequence by process.parent.name,host.name with maxspan=1m -[process where host.os.type == "linux" and process.name == "ps" and event.action == "exec" - and process.args in ("-eo", "pid", "command") ] - -[process where host.os.type == "linux" and process.name == "strings" and event.action == "exec" - and process.args : "/tmp/*" ] +sequence by host.id, process.parent.name with maxspan=1m + [process where host.os.type == "linux" and process.name == "ps" and event.action == "exec" + and process.args in ("-eo", "pid", "command")] + [process where host.os.type == "linux" and process.name == "strings" and event.action == "exec" + and process.args : "/tmp/*"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" @@ -80,10 +87,7 @@ id = "T1212" name = "Exploitation for Credential Access" reference = "https://attack.mitre.org/techniques/T1212/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 93bcb474a..72d08213d 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/04/17" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/02/20" [rule] author = ["Elastic"] @@ -16,8 +16,8 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] -language = "kuery" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +language = "eql" license = "Elastic License v2" name = "Base16 or Base32 Encoding/Decoding Activity" risk_score = 21 @@ -61,18 +61,25 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" -type = "query" - +type = "eql" query = ''' -event.category:process and host.os.type:linux and event.type:(start or process_started) and - process.name:(base16 or base32 or base32plain or base32hex) +process where host.os.type == "linux" and event.type in ("start", "process_started") and +process.name in ("base16", "base32", "base32plain", "base32hex") and not process.args in ("--help", "--version") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" @@ -83,9 +90,7 @@ id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml index c2e75aafc..06456d5c6 100644 --- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml +++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/12/12" +updated_date = "2024/02/20" [rule] author = ["Elastic"] @@ -82,7 +82,7 @@ sequence by host.id, process.entity_id with maxspan=1s ) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")] [file where host.os.type == "linux" and event.action == "creation" and file.path : ( "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*" - ) and not file.path : ("/tmp/rear*", "/var/tmp/dracut*")] + ) and not file.path : ("/tmp/rear*", "/var/tmp/rear*", "/var/tmp/dracut*", "/var/tmp/mkinitramfs*")] ''' [[rule.threat]] diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml index f0e6bf8aa..5803e7cfc 100644 --- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2023/10/24" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/02/20" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Monitors for the deletion of the kernel ring buffer events through dmesg. Attack to evade detection after installing a Linux kernel module (LKM). """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Attempt to Clear Kernel Ring Buffer" @@ -51,13 +51,15 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and -process.name == "dmesg" and process.args : "-c" +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and +event.type == "start" and process.name == "dmesg" and process.args : "-c" ''' [[rule.threat]] @@ -87,4 +89,3 @@ reference = "https://attack.mitre.org/techniques/T1070/002/" name = "Defense Evasion" id = "TA0005" reference = "https://attack.mitre.org/tactics/TA0005/" -