[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1 (#4330)

* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1

* min_stack

* Update defense_evasion_doas_configuration_creation_or_rename.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2025-01-08 14:40:43 -03:00
committed by GitHub
parent 47571956a7
commit 282f613ddf
10 changed files with 64 additions and 31 deletions
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2021/04/12"
integration = ["endpoint"]
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/06"
[transform]
[[transform.osquery]]
@@ -38,7 +40,7 @@ system within a separate protocol to avoid detection and network filtering, or t
systems.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Protocol Tunneling via EarthWorm"
@@ -155,6 +157,8 @@ tags = [
"Tactic: Command and Control",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
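Review bot: The `index = [...]` line now adds `"logs-crowdstrike.fdr*"` and `"logs-sentinel_one_cloud_funnel.*"`, yet no hunk in this commit touches the rule's EQL query, so matching on the new data streams depends entirely on those integrations mapping the fields the query filters on (the query itself lies outside the shown hunks). If the query keys on Endpoint-specific values, events from the new indices would be read but never alert, a failure that is silent rather than loud. Confirming with a sample event from each integration before merging seems worthwhile. The same applies to the other nine file sections, which extend `index` with `"logs-sentinel_one_cloud_funnel.*"` (and, for the Shred rule, `"logs-crowdstrike.fdr*"`) without a query change.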
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/12/21"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/31"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/06"
[rule]
author = ["Elastic"]
@@ -13,7 +15,7 @@ enable unauthorized access or to log SSH credentials for exfiltration.
"""
false_positives = ["Updates to approved and trusted SSH executables can trigger this rule."]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential OpenSSH Backdoor Logging Activity"
@@ -72,6 +74,7 @@ tags = [
"Tactic: Credential Access",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2022/07/22"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/17"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/06"
[rule]
author = ["Elastic"]
@@ -13,7 +15,7 @@ opened in write mode. Threat actors will commonly utilize this to prevent tamper
files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -68,6 +70,7 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint", "auditd_manager"]
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/18"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/06"
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ Identify activity related where adversaries can add the 'hidden' flag to files t
to evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Hidden Files and Directories via Hidden Flag"
@@ -27,6 +29,7 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2024/08/28"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/28"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/06"
[rule]
author = ["Elastic"]
@@ -12,7 +14,7 @@ or modify the Doas configuration file to elevate privileges and execute commands
evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.file*", "endgame-*"]
index = ["logs-endpoint.events.file*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Defense Evasion via Doas"
@@ -52,6 +54,7 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/04/27"
integration = ["endpoint"]
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/06"
[rule]
author = ["Elastic"]
@@ -12,7 +14,7 @@ a network and how. Adversaries may remove these files over the course of an intr
remove them at the end as part of the post-intrusion cleanup process.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "File Deletion via Shred"
@@ -51,6 +53,8 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2022/07/20"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/06"
[rule]
author = ["Elastic"]
@@ -12,7 +14,7 @@ a "." as the first character in the file or folder name. Adversaries can use thi
folders on the system for persistence and defense evasion.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -67,6 +69,7 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2024/12/16"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/12/16"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/06"
[rule]
author = ["Elastic"]
@@ -12,7 +14,7 @@ needed by an executable. Attackers may attempt to replace the dynamic linker wit
arbitrary code.
"""
from = "now-9m"
index = ["logs-endpoint.events.file*"]
index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Dynamic Linker (ld.so) Creation"
@@ -52,6 +54,8 @@ tags = [
"Tactic: Execution",
"Tactic: Persistence",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
"Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"
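Review bot: The new tag `"Data Source: Elastic Endgame",` together with `"endgame-*"` appended to the `index` array in the hunk above adds Endgame as a data source for this rule, which goes beyond the Crowdstrike/SentinelOne scope named in the commit title; if that is intentional, the description should say so. The ordering also diverges from the other sections, where `endgame-*` precedes the third-party patterns and the Endgame tag precedes the SentinelOne tag; `index = ["logs-endpoint.events.file*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]` would match the rest of the set.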
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/11/03"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/09/23"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/06"
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies the deletion of sensitive Linux system logs. This may indicate an att
forensic evidence on a system.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "System Log File Deletion"
@@ -69,6 +71,7 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2024/08/28"
integration = ["endpoint"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/28"
min_stack_comments = "Breaking change at 8.16.2 for the SentinelOne Integration."
min_stack_version = "8.16.2"
updated_date = "2025/01/06"
[rule]
author = ["Elastic"]
@@ -12,7 +14,7 @@ provides access control security policies. Modifications to the SELinux configur
impair defenses by disabling or modifying security tools.
"""
from = "now-9m"
index = ["logs-endpoint.events.file*", "endgame-*"]
index = ["logs-endpoint.events.file*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "SELinux Configuration Creation or Renaming"
@@ -51,7 +53,8 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
"Data Source: Elastic Defend",
"Data Source: SentinelOne"
]
timestamp_override = "event.ingested"
type = "eql"
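Review bot: The new last element of `tags`, `"Data Source: SentinelOne"`, carries no trailing comma while every other section in this commit closes the array with one; `"Data Source: SentinelOne",` keeps the style uniform and spares a one-line churn the next time a source is added. Separately, this section sets `min_stack_version = "8.16.2"` where the other nine use `"8.13.0"`; if this rule genuinely needs a newer SentinelOne mapping, a short reason in `min_stack_comments` would save the next reader a lookup.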