From 2996c79ff413d488de422654d27f8acca3f7cc61 Mon Sep 17 00:00:00 2001 From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Sat, 22 Apr 2023 08:00:30 +0530 Subject: [PATCH] Detect Mount Execution With Hidepid Parameter (#2706) --- .../defense_evasion_mount_execution.toml | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 rules/linux/defense_evasion_mount_execution.toml diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml new file mode 100644 index 000000000..e806747a8 --- /dev/null +++ b/rules/linux/defense_evasion_mount_execution.toml @@ -0,0 +1,52 @@ +[metadata] +creation_date = "2023/04/11" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/04/11" + +[rule] +author = ["Elastic"] +description = """ +Identifies the execution of mount process with hidepid parameter, which can make processes invisible to +other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide +the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user +can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for +the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. +With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, +which can now be monitored and detected. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Hidden Process via Mount Hidepid" +references = [ + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", +] +risk_score = 47 +rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204" +severity = "medium" +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where process.name=="mount" and event.action =="exec" and + process.args: ( "/proc") and process.args: ("-o") and process.args:("*hidepid=2*") and + host.os.type == "linux" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" \ No newline at end of file