security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Detect Mount Execution With Hidepid Parameter (#2706)

Browse Source
This commit is contained in:
shashank-elastic
2023-04-22 08:00:30 +05:30
committed by GitHub
parent 84acf004da
commit 2996c79ff4
1 changed files with 52 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/defense_evasion_mount_execution.toml
+52
View File
@@ -0,0 +1,52 @@
[metadata]
creation_date = "2023/04/11"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/04/11"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of mount process with hidepid parameter, which can make processes invisible to
other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide
the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user
can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for
the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more.
With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option,
which can now be monitored and detected.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Hidden Process via Mount Hidepid"
references = [
"https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
]
risk_score = 47
rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where process.name=="mount" and event.action =="exec" and
process.args: ( "/proc") and process.args: ("-o") and process.args:("*hidepid=2*") and
host.os.type == "linux"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"