[Tuning] Linux DR Tuning - Part 12 (#3464)

* [Tuning] Linux DR Tuning - Part 12

* Update persistence_shared_object_creation.toml

* Update privilege_escalation_dac_permissions.toml

* Update privilege_escalation_enlightenment_window_manager.toml

* Update privilege_escalation_enlightenment_window_manager.toml

* Min stack rule-bending test

* formatting fix

* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"

This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing
changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.

* Revert "Min stack rule-bending test"

This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.

* Update privilege_escalation_enlightenment_window_manager.toml

* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 9c4ba4559d)
This commit is contained in:
Ruben Groenewoud
2024-03-07 18:09:38 +01:00
committed by github-actions[bot]
parent a6c223de70
commit 28220d0ccd
4 changed files with 48 additions and 24 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
min_stack_version = "8.6.0"
updated_date = "2023/12/19"
updated_date = "2024/02/21"
[transform]
[[transform.osquery]]
@@ -172,12 +172,13 @@ tags = [
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and
file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and
process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher"
or "pacman" or "apt-get" or "dnf" or "podman" or "platform-python"))
file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (
process.name:("dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "vmis-launcher" or "pacman" or
"apt-get" or "dnf" or "podman" or "platform-python") or
(process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*)
)
'''
[[rule.threat]]
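Review bot: The package-manager exclusions on the new side are keyed on `process.name` alone, so a dropper renamed to `dpkg`, `rpm` or `yum` that writes a `.so` into /usr/lib or /dev/shm is silently allow-listed, while the vmware exclusion you added is correctly pinned to a path as well. Consider tightening the name-only entries the same way, e.g. `(process.name:dpkg and process.executable:/usr/bin/dpkg)`, verifying the executable paths against the distributions in your fleet before adopting them. Separately, `file.extension:so` appears to leave out versioned libraries such as `libfoo.so.1`, whose ECS `file.extension` would be `1` if I read the field semantics right; `file.name:(*.so or *.so.*)` would cover both forms.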
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/07/28"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2024/02/21"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ commands or input containing wildcards (e.g., *, ?, []) to execute unintended op
tricking the system into interpreting the wildcard characters in unexpected ways.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Unauthorized Access via Wildcard Injection Detected"
@@ -49,12 +49,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Tactic: Credential Access",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*"
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
event.type == "start" and process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*"
'''
[[rule.threat]]
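Review bot: `process.args == "-R"` on the last query line matches only the bare short flag, so an admin script that runs `chmod --recursive 755 *` or bundles flags as `-Rv` never triggers, even though the wildcard-injection technique this rule describes relies on the administrator's recursion rather than anything the attacker controls. Widening to `process.args in ("-R", "--recursive")` covers the long form at no false-positive cost; bundled short flags would need a pattern such as `process.args : "-*R*"`, which is looser and, because EQL's `:` is case-insensitive, would also match a lowercase `-r` (a mode string for chmod, not recursion), so baseline it before adopting. With auditd sources now in `index`, it is also worth confirming that `auditd_manager` emits each argv element as a separate `process.args` value, since the exact `==` comparison depends on that.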
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
min_stack_version = "8.11.0"
updated_date = "2024/01/08"
updated_date = "2024/02/21"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ CAP_DAC_READ_SEARCH (where a process can read any file or perform any executable
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
language = "kuery"
license = "Elastic License v2"
name = "Potential Privilege Escalation via Linux DAC permissions"
risk_score = 47
@@ -48,13 +48,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
type = "new_terms"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
(process.thread.capabilities.permitted: "CAP_DAC_*" or process.thread.capabilities.effective: "CAP_DAC_*") and
process.command_line : ("*sudoers*", "*passwd*", "*shadow*", "*/root/*") and user.id != "0"
event.category:process and host.os.type:linux and event.type:start and event.action:exec and
(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and
process.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not user.id:"0"
'''
[[rule.threat]]
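Review bot: The rewrite of `user.id != "0"` as `not user.id:"0"` in the last query line is not a like-for-like translation: in KQL a negated term also matches documents where `user.id` is absent, whereas the original EQL comparison would not match on a missing field if I read EQL's null handling right, so events with no user id now pass this clause. If that widening is unintended, `user.id:* and not user.id:"0"` restores the old scope; if Defend always populates `user.id` on process start events the difference is moot, but that assumption deserves a sentence in the rule description. As a style nit, the two capability predicates are spaced inconsistently (`permitted:CAP_DAC_*` vs `effective: CAP_DAC_*`); normalize to `process.thread.capabilities.effective:CAP_DAC_*`.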
@@ -69,3 +75,11 @@ reference = "https://attack.mitre.org/techniques/T1068/"
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.command_line", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/26"
updated_date = "2024/02/21"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ hijack the execution flow by hooking certain functions/syscalls through a rootki
root via a special modified command.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Kworker UID Elevation"
@@ -57,13 +57,14 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend"
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "session_id_change" and event.type == "change" and
process.name : "kworker*" and user.id == "0"
process where host.os.type == "linux" and event.action == "session_id_change" and process.name : "kworker*" and
user.id == "0"
'''
[[rule.threat]]
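Review bot: Dropping `event.type == "change"` from the query widens the rule to any `session_id_change` event for a `kworker*` process running as uid 0, and nothing in the hunk records why. If the motivation is that Endgame data (the `endgame-*` index this commit adds to the rule) does not populate `event.type` the same way, it is safer to keep the constraint for Defend events and relax it only for the new source, gated on whichever field identifies Endgame events in your data (`event.module` or `event.dataset`), and to state that in the rule's `note` or description so a later tuning pass does not reintroduce the filter blindly. If instead the field was found to be absent or unreliable on Defend's own session events, a one-line rationale in the description is still worth adding.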
@@ -96,4 +97,3 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
name = "Rootkit"
id = "T1014"
reference = "https://attack.mitre.org/techniques/T1014/"