diff --git a/rules/linux/discovery_security_file_access_via_common_utility.toml b/rules/linux/discovery_security_file_access_via_common_utility.toml
index b49aec9fe..c80d99582 100644
--- a/rules/linux/discovery_security_file_access_via_common_utility.toml
+++ b/rules/linux/discovery_security_file_access_via_common_utility.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/12"
 [rule]
 author = ["Elastic"]
@@ -96,22 +96,32 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
- event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
- process.name in ("cat", "grep", "less", "more", "strings", "awk", "find", "xargs") and
- process.args like (
- "/etc/security/*", "/etc/pam.d/*", "/etc/login.defs", "/lib/security/*", "/lib64/security/*",
- "/usr/lib/security/*", "/usr/lib64/security/*", "/usr/lib/x86_64-linux-gnu/security/*",
- "/home/*/.aws/credentials", "/home/*/.aws/config", "/home/*/.config/gcloud/*credentials.json",
- "/home/*/.config/gcloud/configurations/config_default", "/home/*/.azure/accessTokens.json",
- "/home/*/.azure/azureProfile.json"
- ) and
-not process.parent.name in ("wazuh-modulesd", "lynis")
+event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
+process.name in ("cat", "less", "more", "strings", "find", "xargs") and
+process.parent.executable != null and
+process.args like (
+ "/etc/security/*", "/etc/pam.d/*", "/etc/login.defs", "/lib/security/*", "/lib64/security/*",
+ "/usr/lib/security/*", "/usr/lib64/security/*", "/usr/lib/x86_64-linux-gnu/security/*",
+ "/home/*/.aws/credentials", "/home/*/.aws/config", "/home/*/.config/gcloud/*credentials.json",
+ "/home/*/.config/gcloud/configurations/config_default", "/home/*/.azure/accessTokens.json",
+ "/home/*/.azure/azureProfile.json"
+) and not (
+ process.parent.name in ("wazuh-modulesd", "lynis") or
+ process.command_line in ("cat /etc/login.defs" , "cat /home/asterisk/.aws/credentials") or
+ ?process.parent.command_line in (
+ "/bin/sh /usr/sbin/lynis audit system --cronjob",
+ "/usr/bin/find -L /etc/security/limits.conf /etc/security/limits.d -type f -exec /usr/bin/cat {} ;",
+ "/usr/bin/find /etc/security/limits.conf /etc/security/limits.d -type f -exec /usr/bin/cat {} ;"
+ ) or
+ ?process.parent.args in ("/opt/imperva/ragent/bin/get_sys_resources.sh", "/usr/sbin/lynis", "./terra_linux.sh") or
+ process.args == "/usr/bin/coreutils" or
+ (process.parent.name == "pwsh" and process.parent.command_line like "*Evaluate-STIG*") or
+ ?process.parent.executable == "/usr/sap/audit_scripts/auto_audit_gral.sh"
+)
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -119,4 +129,3 @@ framework = "MITRE ATT&CK"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
index 52cc3a0fa..e4cb75c2f 100644
--- a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
+++ b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/12/12"
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,10 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=5s
- [process where host.os.type == "linux" and event.type == "start" and event.action == "exec"]
+ [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sudo" and not (
+ process.args == "su" or
+ process.command_line like ("sudo su*", "sudo ./opt/Limpar_ram.sh", "*BECOME-SUCCESS*")
+ )]
 [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "ipv4_connection_attempt_event") and process.name == "sudo" and not ( destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
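Review bot: The new exclusion `process.command_line in ("cat /etc/login.defs" , "cat /home/asterisk/.aws/credentials")` in the query hunk silences exactly the activity this rule exists to surface — a read of a cloud credential file — on every host and under any parent, whereas every other new exclusion is tied to a known parent name, executable, args or command line. Scope it to the benign parent that produces the noise, e.g. `(process.command_line == "cat /home/asterisk/.aws/credentials" and process.parent.executable == "<benign-parent-path>")`, or drop it and record the source in the rule's false-positive notes instead. The hard `process.parent.executable != null` clause is also at odds with the later `?process.parent.executable == "/usr/sap/audit_scripts/auto_audit_gral.sh"`: once the field is referenced without `?` the query already requires it to be mapped, so the optional prefix there does nothing, and if any of the listed integrations (crowdstrike, sentinel_one_cloud_funnel) leave process.parent.executable unpopulated the null check silently drops all of their events — worth confirming against those data streams. The `like "*Evaluate-STIG*"` exclusion keys only on a substring of the parent command line; anchoring it to the parent executable path as well would make it harder to match unintentionally. Dropping grep and awk from process.name narrows coverage relative to the old side; if that is deliberate noise reduction, a sentence in the rule description would help future maintainers.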