diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml
index 1c1d0f98d..17a93037c 100644
--- a/rules/linux/persistence_shared_object_creation.toml
+++ b/rules/linux/persistence_shared_object_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 min_stack_version = "8.6.0"
-updated_date = "2023/12/19"
+updated_date = "2024/02/21"
 [transform]
 [[transform.osquery]]
@@ -172,12 +172,13 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and
-file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and
-process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher"
- or "pacman" or "apt-get" or "dnf" or "podman" or "platform-python"))
+file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (
+ process.name:("dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "vmis-launcher" or "pacman" or
+ "apt-get" or "dnf" or "podman" or "platform-python") or
+ (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*)
+)
 '''
 [[rule.threat]]
diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
index 34c410034..43df66fcd 100644
--- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
+++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
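Review bot: The rewritten exclusion list still keys on bare `process.name` alone, so a `.so` written under /dev/shm or /usr/lib is excluded whenever the writing process merely carries one of the listed names (`dpkg`, `rpm`, `yum`, …), regardless of where that executable actually lives. The new vmware exception shows the safer shape by pairing the name with a `file.path` constraint; the package-manager entries could be tightened the same way, for instance by also requiring the expected `process.executable` location, if the endpoint data populates that field. A smaller style point: `vmware-install.pl` is the only unquoted value in an otherwise fully quoted list, e.g. `process.name:"vmware-install.pl"`. The `[[rule.threat]]` block that follows continues outside the hunk.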
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/07/28"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/21"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ commands or input containing wildcards (e.g., *, ?, []) to execute unintended op
 tricking the system into interpreting the wildcard characters in unexpected ways.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Unauthorized Access via Wildcard Injection Detected"
@@ -49,12 +49,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Auditd Manager"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
-process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*"
+process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
+event.type == "start" and process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*"
 '''
 [[rule.threat]]
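Review bot: The `setup` block visibly closes at the top of the `@@ -49` hunk right after the Elastic Defend guidance, while the same file now adds Auditd Manager to `integration`, `index` and `tags` (hunks `@@ -1` and `@@ -15`), so an operator enabling the rule on auditd data gets no setup instructions for that source. The `process.args == "-R"` and `process.args : "--reference=*"` clauses only match if the audit configuration records execve arguments, which presumably needs specific audit rules and is exactly the prerequisite `setup` should state; suggest a short "Auditd Manager" paragraph mirroring the Elastic Defend one. The body of `setup` is outside the hunk, so this is inferred from the visible closing `"""`.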
diff --git a/rules/linux/privilege_escalation_dac_permissions.toml b/rules/linux/privilege_escalation_dac_permissions.toml
index af9545cef..e563e7deb 100644
--- a/rules/linux/privilege_escalation_dac_permissions.toml
+++ b/rules/linux/privilege_escalation_dac_permissions.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
 min_stack_version = "8.11.0"
-updated_date = "2024/01/08"
+updated_date = "2024/02/21"
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ CAP_DAC_READ_SEARCH (where a process can read any file or perform any executable
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via Linux DAC permissions"
 risk_score = 47
@@ -48,13 +48,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
-(process.thread.capabilities.permitted: "CAP_DAC_*" or process.thread.capabilities.effective: "CAP_DAC_*") and
-process.command_line : ("*sudoers*", "*passwd*", "*shadow*", "*/root/*") and user.id != "0"
+event.category:process and host.os.type:linux and event.type:start and event.action:exec and
+(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and
+process.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not user.id:"0"
 '''
 [[rule.threat]]
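Review bot: The translation of `user.id != "0"` into `not user.id:"0"` may widen the match: a negated KQL term also selects documents that carry no `user.id` at all, whereas the EQL comparison presumably only held when the field was present, so events without a user id would now reach the new-terms stage; if that is unintended, add an existence check, `user.id:* and not user.id:"0"`, and either way confirm EQL's null handling before relying on the old behaviour. The two capability clauses are also written inconsistently — `permitted:CAP_DAC_*` versus `effective: CAP_DAC_*` — and should read `process.thread.capabilities.effective:CAP_DAC_*`. The `new_terms` fields added in the `@@ -69` hunk include `process.command_line`, so each distinct command line per host becomes its own term and alerts once per `now-10d` window; that is a reasonable trade-off but worth stating in the rule's description so tuners understand why repeated identical commands stay silent.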
@@ -69,3 +75,11 @@ reference = "https://attack.mitre.org/techniques/T1068/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "process.command_line", "process.executable"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml
index 4f9b18945..0d7a73a38 100644
--- a/rules/linux/privilege_escalation_kworker_uid_elevation.toml
+++ b/rules/linux/privilege_escalation_kworker_uid_elevation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/26"
+updated_date = "2024/02/21"
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ hijack the execution flow by hooking certain functions/syscalls through a rootki
 root via a special modified command.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Kworker UID Elevation"
@@ -57,13 +57,14 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
 "Tactic: Defense Evasion",
-"Data Source: Elastic Defend"
+"Data Source: Elastic Defend",
+"Data Source: Elastic Endgame"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action == "session_id_change" and event.type == "change" and
-process.name : "kworker*" and user.id == "0"
+process where host.os.type == "linux" and event.action == "session_id_change" and process.name : "kworker*" and
+user.id == "0"
 '''
 [[rule.threat]]
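Review bot: Removing `event.type == "change"` from the kworker query leaves `event.action == "session_id_change"` as the only event selector, which looks intended to let the newly indexed `endgame-*` documents match, but nothing in the hunk shows that Endgame reports this transition under that `event.action` value; if it uses a different action, the added index and the "Data Source: Elastic Endgame" tag bring no coverage, and if it uses the same one, the dropped `event.type` guard could have stayed as a cheap sanity check for the Defend source. Worth confirming against a sample Endgame session-change document before merging, and recording the reason for the relaxation in a `#` comment above `query` so the guard is not reintroduced later. The `[[rule.threat]]` section that follows continues outside the hunk.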
@@ -96,4 +97,3 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Rootkit"
 id = "T1014"
 reference = "https://attack.mitre.org/techniques/T1014/"
-