Revert "Back-porting Version Trimming (#3681)"

This reverts commit 71d2c59b5c.
Mika Ayenson
2024-05-22 13:51:46 -05:00
parent 71d2c59b5c
commit 2c3dbfc039
1036 changed files with 11405 additions and 12359 deletions
@@ -2,7 +2,9 @@
creation_date = "2023/09/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[transform]
[[transform.osquery]]
@@ -29,14 +31,13 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is
capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This
activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or
files to another host in the network or exfiltrate data while attempting to evade detection in the process.
This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat
is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel.
This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools
or files to another host in the network or exfiltrate data while attempting to evade detection in the process.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -130,14 +131,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -153,7 +153,6 @@ sequence by host.id, process.entity_id with maxspan=1s
)]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -161,6 +160,7 @@ framework = "MITRE ATT&CK"
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -168,6 +168,7 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -175,4 +176,3 @@ framework = "MITRE ATT&CK"
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
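Review bot: The description at L26–L33 credits cat with the /dev/tcp capability, but `/dev/tcp/<host>/<port>` is a pseudo-path implemented by the shell (bash, ksh) when it applies the redirection; cat only reads a file and writes to whatever fd 1 already is, and the trick does not work at all under dash/`sh`. I'd reword the second sentence to `Bash and some other shells accept /dev/tcp or /dev/udp pseudo-paths as redirection targets, so the shell opens a socket on cat's behalf and cat's output is sent over it` and fix the typo `transfering` → `transferring`, which survives on both sides here. Since the shell opens that socket while setting up the redirection in the forked child, before exec'ing cat, whether the connection is reported after the exec event that the L55 sequence requires depends on how Defend orders the two events; that is worth confirming with a quick test rather than assuming. The query body continues past L58 and is not fully visible in this hunk.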
@@ -2,7 +2,9 @@
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[transform]
[[transform.osquery]]
@@ -29,15 +31,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection
attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding
and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication
channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized
access to internal systems.
This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt.
Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure
communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass
network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal
systems.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -107,8 +108,8 @@ This rule looks for a sequence of command line arguments that are consistent wit
"""
references = [
"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding",
]
"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
]
risk_score = 47
rule_id = "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd"
setup = """## Setup
@@ -138,14 +139,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -158,17 +158,15 @@ sequence by host.id, process.entity_id with maxspan=1s
"ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
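Review bot: The closing list at L139 reads like the tail of a process.name exclusion on the network event of the L136 sequence; if so, it is the weakest part of the rule, because the first event already keys on chisel-style arguments (per the description at L94–L98) and a chisel binary simply named `curl`, `wget` or `ssh` would get its connection suppressed. Both events are joined on process.entity_id, so the exclusion only ever removes the very process that matched the chisel arguments; if it exists to quiet interpreters and installers that take similar flags, matching on `process.executable` under package-managed paths would be harder to spoof than the bare name. The query body between L137 and L139 is outside this hunk, so I am inferring the shape of that exclusion.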
@@ -2,7 +2,9 @@
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[transform]
[[transform.osquery]]
@@ -29,15 +31,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received
connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP
tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to
establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating
tunnels that allow unauthorized access to internal systems.
This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection
within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels,
enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish
covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that
allow unauthorized access to internal systems.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -107,8 +108,8 @@ This rule looks for a sequence of command line arguments that are consistent wit
"""
references = [
"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding",
]
"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
]
risk_score = 47
rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f"
setup = """## Setup
@@ -138,14 +139,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1m
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -158,17 +158,15 @@ sequence by host.id, process.entity_id with maxspan=1m
"ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
@@ -2,14 +2,16 @@
creation_date = "2023/10/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2024/04/30"
[rule]
author = ["Elastic"]
description = """
This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the
kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel
space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks.
kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel
space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks.
Attackers may attempt to evade detection by masquerading as a kernel worker process.
"""
from = "now-9m"
@@ -47,15 +49,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and
process.name:kworker* and not destination.ip:(
@@ -71,49 +72,50 @@ process.name:kworker* and not destination.ip:(
) and not destination.port:2049
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat.technique]]
name = "Masquerading"
id = "T1036"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique]]
name = "Rootkit"
id = "T1014"
reference = "https://attack.mitre.org/techniques/T1014/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1014"
name = "Rootkit"
reference = "https://attack.mitre.org/techniques/T1014/"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1041"
name = "Exfiltration Over C2 Channel"
reference = "https://attack.mitre.org/techniques/T1041/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[[rule.threat.technique]]
name = "Exfiltration Over C2 Channel"
id = "T1041"
reference = "https://attack.mitre.org/techniques/T1041/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.name", "destination.ip", "destination.port"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
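Review bot: The `not destination.port:2049` exclusion at L265 is unconditional, so a userland process masquerading as `kworker*` — the exact behavior the description at L240 calls out — can reach any host on port 2049 without firing the rule. The exclusion presumably exists because the kernel NFS client does its RPC traffic from kworker context; scoping it to the NFS servers the environment actually uses, e.g. `and not (destination.port:2049 and destination.ip:(<nfs-server-ranges>))`, keeps the same noise reduction without handing an attacker a free port. The query starts in the previous hunk at L261 and the middle of the destination.ip list between L263 and L265 is not visible here.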
@@ -2,7 +2,9 @@
creation_date = "2023/08/23"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[transform]
[[transform.osquery]]
@@ -29,13 +31,12 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the
routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted
resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and
This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the
routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted
resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and
perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
"""
from = "now-9m"
@@ -111,33 +112,30 @@ risk_score = 21
rule_id = "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name == "proxychains"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
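Review bot: `process.name == "proxychains"` at L378 misses the proxychains-ng binary, which is commonly installed and invoked as `proxychains4`, and it cannot see the wrapper-less form at all, since proxychains works by `LD_PRELOAD`ing `libproxychains4.so` and an attacker can set that variable directly. I'd widen the match to `process.name in ("proxychains", "proxychains4")` and add a sentence to the description saying the rule covers the wrapper invocation only, so readers do not assume LD_PRELOAD abuse is caught; if a separate preload rule exists, a cross-reference in `setup` would be enough.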
@@ -2,7 +2,9 @@
creation_date = "2023/08/23"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[transform]
[[transform.osquery]]
@@ -29,15 +31,13 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool
that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to
restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade
detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and
intentions.
restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection,
and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -137,17 +137,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name == "proxychains" and process.args : (
@@ -157,17 +156,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
@@ -2,7 +2,9 @@
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/04/30"
[transform]
[[transform.osquery]]
@@ -29,14 +31,12 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can
leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels,
and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote
control.
This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can
leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels,
and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
@@ -108,8 +108,8 @@ This rule looks for several utilities that are capable of setting up tunnel netw
"""
references = [
"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding",
]
"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
]
risk_score = 47
rule_id = "6ee947e9-de7e-4281-a55d-09289bdf947e"
setup = """## Setup
@@ -139,16 +139,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and (
(
@@ -169,17 +168,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
@@ -2,7 +2,9 @@
creation_date = "2023/06/14"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/12/12"
[transform]
[[transform.osquery]]
@@ -29,7 +31,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
@@ -168,13 +169,13 @@ Packetbeat is a real-time network packet analyzer that you can use for applicati
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -199,15 +200,14 @@ not destination.ip:(
not destination.port:(22 or 80 or 443)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
@@ -216,8 +216,7 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "destination.ip", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
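Review bot: Excluding destination.port 22, 80 and 443 outright at L564 removes exactly the ports most C2 frameworks default to, which sits awkwardly with the T1071 Application Layer Protocol mapping at L569–L571. If the exclusion is there to keep the new-terms baseline from drowning in web and SSH traffic, I'd say so in the description and consider narrowing on something the rule already keys on — the destination.ip list ending at L563, or process.executable under package-managed paths — rather than dropping 80/443, since a new executable on a host reaching a new IP on 443 is precisely the signal this rule claims to surface. The description and the front of the query are outside the visible hunks.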
@@ -2,7 +2,9 @@
creation_date = "2021/04/12"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[transform]
[[transform.osquery]]
@@ -29,7 +31,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
@@ -149,13 +150,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -2,7 +2,9 @@
creation_date = "2020/12/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
@@ -61,14 +63,14 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Collection",
"Tactic: Credential Access",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Collection",
"Tactic: Credential Access",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -107,37 +109,37 @@ event.category:process and host.os.type:linux and event.type:start and
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1560"
name = "Archive Collected Data"
reference = "https://attack.mitre.org/techniques/T1560/"
[[rule.threat.technique.subtechnique]]
id = "T1560.001"
name = "Archive via Utility"
reference = "https://attack.mitre.org/techniques/T1560/001/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
@@ -146,8 +148,7 @@ reference = "https://attack.mitre.org/tactics/TA0009/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.command_line", "process.parent.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
@@ -2,23 +2,28 @@
creation_date = "2023/02/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/19"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host
machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password'
files. Using the combined file generated from the utility, the malicious threat actors can use them as input for
password-cracking utilities or prepare themselves for future operations by gathering credential information of the
victim.
Identifies the execution of the unshadow utility which is part of John the Ripper,
a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve
the combined contents of the '/etc/shadow' and '/etc/password' files.
Using the combined file generated from the utility, the malicious threat actors can use them as input
for password-cracking utilities or prepare themselves for future operations by gathering
credential information of the victim.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Credential Dumping via Unshadow"
references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
references = [
"https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/",
]
risk_score = 47
rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c"
setup = """## Setup
@@ -48,37 +53,34 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.name == "unshadow" and process.args_count >= 3
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.008"
name = "/etc/passwd and /etc/shadow"
reference = "https://attack.mitre.org/techniques/T1003/008/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
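Review bot: The description at L699 and L705 names the file `/etc/password`; the file unshadow combines with `/etc/shadow` is `/etc/passwd`, so the text should read `'/etc/passwd' and '/etc/shadow'`. The `process.args_count >= 3` test at L744 matches the usual `unshadow /etc/passwd /etc/shadow` invocation, while a copy of the binary under another name is not covered; that is a reasonable trade-off for a `medium` rule but deserves a sentence in the description rather than a query change.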
@@ -2,12 +2,14 @@
creation_date = "2023/08/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory
This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory
dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include
"truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly.
"""
@@ -16,7 +18,10 @@ index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Linux init (PID 1) Secret Dump via GDB"
references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"]
references = [
"https://github.com/controlplaneio/truffleproc",
"https://github.com/hajzer/bash-memory-dump"
]
risk_score = 47
rule_id = "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f"
setup = """## Setup
@@ -46,37 +51,34 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.007"
name = "Proc Filesystem"
reference = "https://attack.mitre.org/techniques/T1003/007/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
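Review bot: The query at L809–L810 only matches when `-p`/`--pid` and `1` arrive as separate arguments, so `gdb --pid=1` and the `gdb -ex "attach 1"` form that the `gcore` wrapper script uses both attach to init without firing. Widening the test to `(process.args in ("--pid", "-p") and process.args == "1") or process.args in ("--pid=1", "attach 1")` closes both gaps; with `-ex`, the whole command is a single argv element, so `"attach 1"` is matched as one arg. It is also worth noting in the description that `gcore <pid>` drives gdb and is covered by the same logic.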
@@ -2,13 +2,15 @@
creation_date = "2023/08/30"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt
secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and
secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and
"bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly.
"""
from = "now-9m"
@@ -16,22 +18,24 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana
language = "eql"
license = "Elastic License v2"
name = "Linux Process Hooking via GDB"
references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"]
references = [
"https://github.com/controlplaneio/truffleproc",
"https://github.com/hajzer/bash-memory-dump"
]
risk_score = 21
rule_id = "66c058f3-99f4-4d18-952b-43348f2577a0"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name == "gdb" and process.args in ("--pid", "-p") and
@@ -39,22 +43,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action
process.args != "1"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.007"
name = "Proc Filesystem"
reference = "https://attack.mitre.org/techniques/T1003/007/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -2,13 +2,15 @@
creation_date = "2023/07/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
description = """
Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a
short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a
Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a
short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a
set of customly crafted passwords in an attempt to gain access to these accounts.
"""
from = "now-9m"
@@ -45,14 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.parent.executable, user.id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and
@@ -63,22 +64,20 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s
] with runs=10
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[[rule.threat.technique.subtechnique]]
id = "T1110.001"
name = "Password Guessing"
reference = "https://attack.mitre.org/techniques/T1110/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -2,13 +2,15 @@
creation_date = "2022/09/14"
integration = ["system"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
description = """
Identifies multiple external consecutive login failures targeting a user account from the same source address within a
short time interval. Adversaries will often brute force login attempts across multiple users with a common or known
Identifies multiple external consecutive login failures targeting a user account from the same source address within
a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known
password, in an attempt to gain access to these accounts.
"""
from = "now-9m"
@@ -77,9 +79,12 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
tags = ["Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access"
]
type = "eql"
query = '''
sequence by host.id, source.ip, user.name with maxspan=15s
[ authentication where host.os.type == "linux" and
@@ -2,13 +2,15 @@
creation_date = "2023/02/21"
integration = ["system"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
description = """
Identifies multiple internal consecutive login failures targeting a user account from the same source address within a
short time interval. Adversaries will often brute force login attempts across multiple users with a common or known
Identifies multiple internal consecutive login failures targeting a user account from the same source address within
a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known
password, in an attempt to gain access to these accounts.
"""
from = "now-9m"
@@ -73,9 +75,12 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
tags = ["Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access"
]
type = "eql"
query = '''
sequence by host.id, source.ip, user.name with maxspan=15s
[ authentication where host.os.type == "linux" and
@@ -2,16 +2,18 @@
creation_date = "2023/07/06"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/19"
[rule]
author = ["Elastic"]
description = """
An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different
combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can
include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and
potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting
a specific user account from the same source address and within a short time interval, followed by a successful
An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different
combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can
include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and
potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting
a specific user account from the same source address and within a short time interval, followed by a successful
authentication.
"""
from = "now-9m"
@@ -58,14 +60,13 @@ However, if more advanced configuration is required to detect specific behavior,
"""
severity = "medium"
tags = [
"Data Source: Auditd Manager",
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
]
"Data Source: Auditd Manager",
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access"
]
type = "eql"
query = '''
sequence by host.id, auditd.data.addr, related.user with maxspan=5s
[authentication where host.os.type == "linux" and event.action == "authenticated" and
@@ -76,13 +77,14 @@ sequence by host.id, auditd.data.addr, related.user with maxspan=5s
auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[[rule.threat.technique.subtechnique]]
id = "T1110.001"
name = "Password Guessing"
@@ -93,10 +95,7 @@ id = "T1110.003"
name = "Password Spraying"
reference = "https://attack.mitre.org/techniques/T1110/003/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -2,16 +2,18 @@
creation_date = "2023/07/06"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/19"
[rule]
author = ["Elastic"]
description = """
An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and
An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and
password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact
can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks
within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising
the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a
can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks
within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising
the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a
specific user account within a short time interval, followed by a successful authentication.
"""
from = "now-9m"
@@ -58,14 +60,13 @@ However, if more advanced configuration is required to detect specific behavior,
"""
severity = "medium"
tags = [
"Data Source: Auditd Manager",
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
]
"Data Source: Auditd Manager",
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access"
]
type = "eql"
query = '''
sequence by host.id, related.user with maxspan=5s
[authentication where host.os.type == "linux" and event.action == "authenticated" and
@@ -74,13 +75,14 @@ sequence by host.id, related.user with maxspan=5s
auditd.data.terminal : "*rdp*" and event.outcome == "success"] | tail 1
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[[rule.threat.technique.subtechnique]]
id = "T1110.001"
name = "Password Guessing"
@@ -91,10 +93,7 @@ id = "T1110.003"
name = "Password Spraying"
reference = "https://attack.mitre.org/techniques/T1110/003/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -2,16 +2,18 @@
creation_date = "2022/09/14"
integration = ["system"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
description = """
Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can
attempt to login into multiple users with a common or known password to gain access to accounts.
Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt
to login into multiple users with a common or known password to gain access to accounts.
"""
from = "now-9m"
index = ["auditbeat-*", "filebeat-*", "logs-system.auth-*"]
index = ["auditbeat-*", "filebeat-*", "logs-system.auth-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Successful SSH Brute Force Attack"
@@ -79,9 +81,13 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access"
]
type = "eql"
query = '''
sequence by host.id, source.ip, user.name with maxspan=15s
[authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
@@ -91,13 +97,14 @@ sequence by host.id, source.ip, user.name with maxspan=15s
event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[[rule.threat.technique.subtechnique]]
id = "T1110.001"
name = "Password Guessing"
@@ -108,10 +115,7 @@ id = "T1110.003"
name = "Password Spraying"
reference = "https://attack.mitre.org/techniques/T1110/003/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -2,15 +2,17 @@
creation_date = "2023/04/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz.
Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a
known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the
process and extracting lines that have a high probability of containing cleartext passwords.
Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits
a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by
dumping the process and extracting lines that have a high probability of containing cleartext passwords.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -19,7 +21,7 @@ license = "Elastic License v2"
name = "Potential Linux Credential Dumping via Proc Filesystem"
references = [
"https://github.com/huntergregal/mimipenguin",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781"
]
risk_score = 47
rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311"
@@ -50,15 +52,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Use Case: Vulnerability",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Use Case: Vulnerability",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.parent.name with maxspan=1m
[process where host.os.type == "linux" and process.name == "ps" and event.action == "exec"
@@ -67,27 +68,25 @@ sequence by host.id, process.parent.name with maxspan=1m
and process.args : "/tmp/*"]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.007"
name = "Proc Filesystem"
reference = "https://attack.mitre.org/techniques/T1003/007/"
[[rule.threat.technique]]
id = "T1212"
name = "Exploitation for Credential Access"
reference = "https://attack.mitre.org/techniques/T1212/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -2,7 +2,9 @@
creation_date = "2020/12/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
@@ -64,15 +66,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
"""
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Credential Access",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
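Review bot: The restored `tags` value in this section is collapsed onto one line (`tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]`), while every other rule touched by this revert keeps one tag per line; the same single-line form reappears in the later Defense Evasion section whose list ends `"Data Source: Elastic Endgame", "Data Source: Elastic Defend"]` directly after `severity = "medium"`. Writing these two arrays one element per line would match the rest of the commit and keep a future tag addition or removal to a one-line diff. The tag set itself is unchanged, so this is formatting only.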
@@ -2,7 +2,9 @@
creation_date = "2023/02/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
@@ -44,16 +46,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
(
@@ -73,22 +75,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
id = "T1562"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
id = "T1562.001"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"
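Review bot: The restored `[[rule.threat.technique]]`, subtechnique and `[rule.threat.tactic]` blocks in this section place `name` before `id` (`name = "Impair Defenses"` then `id = "T1562"`, `name = "Disable or Modify Tools"` then `id = "T1562.001"`, `name = "Defense Evasion"` then `id = "TA0005"`), whereas the neighbouring sections in this revert keep `id` first. The same ordering recurs in the dmesg `-c` rule further down, where the two techniques are also listed in the opposite order to the surrounding files. Keeping `id` before `name` here would match the rest of the commit and keep later diffs limited to real content changes; the technique and tactic values themselves are unchanged.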
@@ -2,7 +2,9 @@
creation_date = "2020/04/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
@@ -55,14 +57,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
@@ -2,7 +2,9 @@
creation_date = "2020/04/17"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
@@ -59,26 +61,25 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name in ("base16", "base32", "base32plain", "base32hex") and
not process.args in ("--help", "--version")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
@@ -89,9 +90,7 @@ id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,14 +2,16 @@
creation_date = "2023/08/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and
rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if
it does, the activity should be investigated.
This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move
and rename system binaries to evade detection. Copying a system binary to a different location should not occur often,
so if it does, the activity should be investigated.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -45,14 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -83,27 +84,25 @@ sequence by host.id, process.entity_id with maxspan=1s
) and not file.path : ("/tmp/rear*", "/var/tmp/rear*", "/var/tmp/dracut*", "/var/tmp/mkinitramfs*")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.003"
name = "Rename System Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.003"
name = "Rename System Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,9 @@
creation_date = "2022/07/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/11"
[rule]
author = ["Elastic"]
@@ -62,13 +64,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -79,20 +81,19 @@ process where host.os.type == "linux" and event.type == "start" and user.id == "
not process.parent.name in ("systemd", "cf-agent", "ntpdate", "xargs", "px", "preinst", "auth")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"
[[rule.threat.technique.subtechnique]]
id = "T1222.002"
name = "Linux and Mac File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/002/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
@@ -2,7 +2,9 @@
creation_date = "2023/10/24"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
@@ -44,48 +46,45 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name == "dmesg" and process.args == "-c"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.002"
name = "Clear Linux or Mac System Logs"
reference = "https://attack.mitre.org/techniques/T1070/002/"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
id = "T1562"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
id = "T1562.001"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[[rule.threat.technique]]
name = "Indicator Removal"
id = "T1070"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
name = "Clear Linux or Mac System Logs"
id = "T1070.002"
reference = "https://attack.mitre.org/techniques/T1070/002/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,12 +2,14 @@
creation_date = "2023/08/28"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces
This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces
fine-grained access control policies to restrict the actions and resources that specific applications and processes can
access. Adversaries may disable security tools to avoid possible detection of their tools and activities.
"""
@@ -45,17 +47,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and (
@@ -64,22 +65,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,9 @@
creation_date = "2020/04/22"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
@@ -57,38 +59,35 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name == "setenforce" and process.args == "0"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,16 +2,18 @@
creation_date = "2023/04/11"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.5.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, which is used to modify
the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as
"/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and
their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps
of VM-related files and configurations on the system.
Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag,
which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related
paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization
software, and their presence in the touch command arguments may indicate that a threat actor is attempting to
tamper with timestamps of VM-related files and configurations on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -50,39 +52,36 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name == "touch" and process.args == "-r" and
process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.006"
name = "Timestomp"
reference = "https://attack.mitre.org/techniques/T1070/006/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,9 @@
creation_date = "2020/04/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
@@ -45,13 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -61,22 +63,20 @@ process where host.os.type == "linux" and event.type == "start" and process.name
) and not process.parent.name == "logrotate"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.004"
name = "File Deletion"
reference = "https://attack.mitre.org/techniques/T1070/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,9 @@
creation_date = "2020/04/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
@@ -62,30 +64,28 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:linux and event.category:process and event.type:start and
process.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and
not process.parent.name:(apt-key or update-motd-updates-available)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
@@ -94,8 +94,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.parent.executable", "process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
@@ -2,7 +2,9 @@
creation_date = "2020/04/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
@@ -67,12 +69,12 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -83,24 +85,24 @@ process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
not process.name in ("ls", "find", "grep", "git", "jq", "basename")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.001"
name = "Hidden Files and Directories"
reference = "https://attack.mitre.org/techniques/T1564/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -2,7 +2,9 @@
creation_date = "2022/07/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
@@ -61,37 +63,34 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and
not process.name == "dockerd"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.001"
name = "Hidden Files and Directories"
reference = "https://attack.mitre.org/techniques/T1564/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,9 @@
creation_date = "2020/04/24"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
@@ -52,13 +54,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -68,39 +70,38 @@ process.name == "rmmod" or (process.name == "modprobe" and process.args in ("--r
process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.006"
name = "Kernel Modules and Extensions"
reference = "https://attack.mitre.org/techniques/T1547/006/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -2,21 +2,25 @@
creation_date = "2024/02/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such
Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such
as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to
hide their malicious programs by masquerading as legitimate kernel processes.
hide their malicious programs by masquerading as legitimate kernel processes.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Executable Masquerading as Kernel Process"
references = ["https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/"]
references = [
"https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/",
]
risk_score = 21
rule_id = "202829f6-0271-4e88-b882-11a655c590d4"
setup = """## Setup
@@ -47,42 +51,39 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.name : ("kworker*", "kthread*") and process.executable != null
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.004"
name = "Masquerade Task or Service"
reference = "https://attack.mitre.org/techniques/T1036/004/"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.004"
name = "Masquerade Task or Service"
reference = "https://attack.mitre.org/techniques/T1036/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,9 @@
creation_date = "2020/11/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
@@ -62,13 +64,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -91,22 +93,20 @@ file where host.os.type == "linux" and event.type == "deletion" and
not process.name in ("gzip", "executor", "dockerd")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.002"
name = "Clear Linux or Mac System Logs"
reference = "https://attack.mitre.org/techniques/T1070/002/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,25 +2,29 @@
creation_date = "2023/04/11"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from
the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other
users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the
logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide
their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening
hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and
detected.
Identifies the execution of mount process with hidepid parameter, which can make processes invisible to
other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide
the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user
can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for
the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more.
With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option,
which can now be monitored and detected.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Hidden Process via Mount Hidepid"
references = ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"]
references = [
"https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
]
risk_score = 47
rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204"
setup = """## Setup
@@ -50,34 +54,31 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name == "mount" and process.args == "/proc" and process.args == "-o" and
process.args : "*hidepid=2*"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,27 +2,32 @@
creation_date = "2023/03/07"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount
--bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to
multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack
is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a
consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also
provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The
post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute
malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment.
Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one.
Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of
chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot
to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts.
In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution.
With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions,
such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other
architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF),
can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or
orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent
it can be easily tuned to work for one.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Defense Evasion via PRoot"
references = ["https://proot-me.github.io/"]
references = [
"https://proot-me.github.io/",
]
risk_score = 47
rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0"
setup = """## Setup
@@ -52,32 +57,29 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.parent.name == "proot"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1211"
name = "Exploitation for Defense Evasion"
reference = "https://attack.mitre.org/techniques/T1211/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,9 @@
creation_date = "2023/04/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.5.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
@@ -47,16 +49,9 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action == "rename" and
file.Ext.original.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem")
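Review bot: The restored `tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]` puts the whole tag list on one line, whereas every other rule file in this commit ends up with one tag per line; the same single-line form comes back in the later hunk for the "index.html" rename rule. Tag values are what analysts and tooling filter on, so keeping one element per line means a future extra `Data Source:` entry shows up as a one-line diff instead of a rewrite of a long line. Since this is a revert, the single-line layout is presumably just the pre-existing state of these two files, so a small follow-up that normalizes them to the multi-line layout used elsewhere would be enough rather than altering the revert itself. The enclosing `[rule]` table continues on both sides of this hunk.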
@@ -80,5 +75,4 @@ reference = "https://attack.mitre.org/techniques/T1036/003/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,14 +2,16 @@
creation_date = "2023/04/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.5.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
description = """
Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system.
The rule monitors for the "rename" event action associated with this specific file and path, which could indicate
malicious activity.
The rule monitors for the "rename" event action associated with this specific file and path,
which could indicate malicious activity.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -47,16 +49,9 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and
file.Ext.original.path : "/usr/lib/vmware/*"
@@ -79,5 +74,4 @@ reference = "https://attack.mitre.org/techniques/T1036/003/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,13 +2,15 @@
creation_date = "2023/09/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching
directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux
This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching
directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux
to execute commands while attempting to evade detection.
"""
from = "now-9m"
@@ -20,16 +22,15 @@ risk_score = 21
rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.parent.name in ("screen", "tmux") and process.name : (
@@ -38,17 +39,15 @@ process.parent.name in ("screen", "tmux") and process.name : (
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,9 @@
creation_date = "2024/02/01"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
@@ -48,17 +50,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name == "od" and process.args in (
@@ -67,17 +68,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
@@ -2,7 +2,9 @@
creation_date = "2023/04/11"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.5.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
@@ -17,9 +19,7 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana
language = "eql"
license = "Elastic License v2"
name = "ESXI Discovery via Find"
references = [
"https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
]
references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"]
risk_score = 47
rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f"
setup = """## Setup
@@ -49,33 +49,30 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name == "find" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
@@ -2,12 +2,14 @@
creation_date = "2023/04/11"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.5.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments
Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments
related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or
"vmem". These file extensions are associated with VM-related file formats, and their presence in grep command arguments
may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.
@@ -17,9 +19,7 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana
language = "eql"
license = "Elastic License v2"
name = "ESXI Discovery via Grep"
references = [
"https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
]
references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"]
risk_score = 47
rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4"
setup = """## Setup
@@ -49,17 +49,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name in ("grep", "egrep", "pgrep") and process.args in (
@@ -67,17 +66,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
@@ -2,7 +2,9 @@
creation_date = "2020/04/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
@@ -51,16 +53,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (
(process.name:(lsmod or modinfo)) or
@@ -71,15 +72,14 @@ or readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or
weak-modules or zfs)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
@@ -88,8 +88,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.parent.command_line", "process.command_line", "host.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
+12 -13
@@ -2,7 +2,9 @@
creation_date = "2020/02/18"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
@@ -63,33 +65,30 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name in ("hping", "hping2", "hping3")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
+12 -13
@@ -2,7 +2,9 @@
creation_date = "2020/02/18"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
@@ -63,33 +65,30 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name == "nping"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
+16 -17
@@ -2,14 +2,16 @@
creation_date = "2023/09/04"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
description = """
This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans.
Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while
attempting to evade detection or due to the lack of network mapping tools available on the compromised host.
This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans.
Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while
attempting to evade detection or due to the lack of network mapping tools available on the compromised host.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -46,31 +48,29 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.category:process and host.os.type:linux and event.action:(exec or exec_event or executed or process_started) and
event.type:start and process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
@@ -79,8 +79,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.threshold]
field = ["host.id", "process.parent.entity_id", "process.executable"]
value = 1
[[rule.threshold.cardinality]]
field = "process.args"
value = 100
+10 -11
@@ -2,7 +2,9 @@
creation_date = "2024/01/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
@@ -47,15 +49,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.entry_leader.name in (
@@ -63,17 +64,15 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
@@ -2,14 +2,16 @@
creation_date = "2023/07/20"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/19"
[rule]
author = ["Elastic"]
description = """
This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the
openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process
monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege
This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the
openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process
monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege
escalation vectors.
"""
from = "now-9m"
@@ -46,23 +48,22 @@ However, if more advanced configuration is required to detect specific behavior,
"""
severity = "low"
tags = [
"Data Source: Auditd Manager",
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
]
"Data Source: Auditd Manager",
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery"
]
type = "eql"
query = '''
sequence by process.pid, host.id with maxspan=5s
[file where host.os.type == "linux" and auditd.data.syscall == "openat" and file.path == "/proc" and
auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c") and auditd.data.a2 : ("80000", "88000") ] with runs=10
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
@@ -73,9 +74,7 @@ id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
@@ -2,14 +2,16 @@
creation_date = "2023/08/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for
the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo
permissions, potentially allowing to escalate privileges to root.
This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for
the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions,
potentially allowing to escalate privileges to root.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -45,15 +47,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name == "sudo" and process.args == "-l" and process.args_count == 2 and
@@ -61,17 +62,15 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish
not group.Ext.real.id : "0" and not user.Ext.real.id : "0" and not process.args == "dpkg"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1033"
name = "System Owner/User Discovery"
reference = "https://attack.mitre.org/techniques/T1033/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
@@ -2,15 +2,17 @@
creation_date = "2023/07/24"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID
(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the
privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case
an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this
This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID
(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the
privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In
case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this
misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.
"""
from = "now-9m"
@@ -46,17 +48,9 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Tactic: Privilege Escalation",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name == "find" and process.args : "-perm" and process.args : (
@@ -67,36 +61,37 @@ process.name == "find" and process.args : "-perm" and process.args : (
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1083"
name = "File and Directory Discovery"
reference = "https://attack.mitre.org/techniques/T1083/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -104,4 +99,3 @@ framework = "MITRE ATT&CK"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
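Review bot: The new side of the tags hunk (`@@ -46,17 +48,9 @@`) collapses the six-entry `tags` array onto a single long line, while the sibling rules in this commit keep one entry per line; the same single-line form appears in the hunks `@@ -44,15 +46,8 @@` (the id-command sequence rule), `@@ -62,14 +64,7 @@`, `@@ -44,15 +46,8 @@` (the file create/execute/delete rule) and `@@ -109,14 +111,7 @@`. This is a style point only, but the mixed layouts are likely to churn again on the next formatting pass; keeping the one-entry-per-line form here, e.g. `tags = [` followed by one quoted entry per line and a closing `]`, would make the files uniform.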
@@ -2,14 +2,16 @@
creation_date = "2023/08/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may
leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a
system to escalate privileges or move latteraly across the network.
This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage
the which command to enumerate the system for useful installed utilities that may be used after compromising a system to
escalate privileges or move latteraly across the network.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
@@ -20,16 +22,15 @@ risk_score = 21
rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" and
@@ -38,20 +39,18 @@ not process.args == "--tty-only"
/* potential tuning if rule would turn out to be noisy
and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
*/
*/
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
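Review bot: The commented-out tuning block in the query hunk (`@@ -38,20 +39,18 @@`) carries an unbalanced string literal, `nc.traditional"` with no opening quote; it is a context line, so it predates this revert. It is harmless while the block stays inside `/* */`, but the EQL would fail to parse the moment someone enables the tuning, so it should read `"nc.traditional"`. The `query` this block belongs to starts before the hunk.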
@@ -2,13 +2,15 @@
creation_date = "2023/08/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
This rule monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This
behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These
behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These
scripts leverage the "id" command to enumerate the privileges of all users present on the system.
"""
from = "now-9m"
@@ -44,15 +46,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id, process.parent.entity_id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -60,17 +55,15 @@ sequence by host.id, process.parent.entity_id with maxspan=1s
not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1033"
name = "System Owner/User Discovery"
reference = "https://attack.mitre.org/techniques/T1033/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
@@ -2,7 +2,9 @@
creation_date = "2020/04/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
@@ -62,14 +64,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
"""
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -2,7 +2,9 @@
creation_date = "2022/05/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
@@ -98,15 +100,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Threat: BPFDoor",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Threat: BPFDoor",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -124,15 +126,14 @@ vzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or met
not file.name : (jem.*.pid)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1106"
name = "Native API"
reference = "https://attack.mitre.org/techniques/T1106/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
@@ -141,8 +142,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
@@ -2,18 +2,20 @@
creation_date = "2023/10/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6."
min_stack_version = "8.6.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction
Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction
with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow
during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be
executed with and without the use of environment variables. For increased visibility, enable the collection of
http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of
this rule.
during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed
with and without the use of environment variables. For increased visibility, enable the collection of http_proxy,
HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
@@ -22,7 +24,7 @@ name = "Potential curl CVE-2023-38545 Exploitation"
references = [
"https://curl.se/docs/CVE-2023-38545.html",
"https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/",
"https://twitter.com/_JohnHammond/status/1711986412554531015",
"https://twitter.com/_JohnHammond/status/1711986412554531015"
]
risk_score = 47
rule_id = "f41296b4-9975-44d6-9486-514c6f635b2d"
@@ -66,16 +68,15 @@ For more information on capturing environment variables refer to the [helper gui
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Use Case: Vulnerability",
"Tactic: Execution",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Use Case: Vulnerability",
"Tactic: Execution",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "curl"
and (
@@ -86,17 +87,15 @@ not process.parent.name in ("cf-agent", "agent-run", "agent-check", "rudder", "a
not process.args == "/opt/rudder/bin/curl"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -2,13 +2,15 @@
creation_date = "2023/08/28"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a
directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute
directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute
malicious code and delete itself to hide its tracks.
"""
from = "now-9m"
@@ -44,15 +46,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id, user.id with maxspan=1m
[file where host.os.type == "linux" and event.action == "creation" and
@@ -66,22 +61,20 @@ sequence by host.id, user.id with maxspan=1m
"/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -2,7 +2,9 @@
creation_date = "2020/02/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
@@ -109,14 +111,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
type = "eql"
query = '''
@@ -2,13 +2,15 @@
creation_date = "2023/09/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/03/08"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
[rule]
author = ["Elastic"]
description = """
Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a
simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more
Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade
a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more
stable connection.
"""
from = "now-9m"
@@ -44,17 +46,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
tags = ["Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and (
(process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or
@@ -63,22 +63,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
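Review bot: The tags hunk (`@@ -44,17 +46,15 @@`) appears to drop `timestamp_override = "event.ingested"` from this rule, judging by the line printed between the old and new `tags` arrays and the 17-to-15 line count, while the neighbouring rules in this commit keep it. For a non-sequence EQL rule with `from = "now-9m"` that means scheduling falls back to `@timestamp`, and events whose ingestion lags the lookback window are never evaluated; if removing it was not part of what the backport reverted, keep the line immediately after the `]` that closes the array. The new-side array also opens as `tags = ["Domain: Endpoint",` with the remaining entries on their own lines, and the metadata hunk (`@@ -2,13 +2,15 @@`) places `updated_date` before `min_stack_comments`, both unlike the other files in this commit.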
@@ -2,13 +2,15 @@
creation_date = "2023/09/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses
the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction
the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction
with netcat to gain a more stable reverse shell.
"""
false_positives = [
@@ -52,39 +54,35 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
tags = ["Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and
process.args : "*l*" and process.args_count >= 4
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -2,24 +2,28 @@
creation_date = "2024/03/13"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0"
min_stack_version = "8.6.0"
updated_date = "2024/03/13"
[rule]
author = ["Elastic"]
description = """
Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a
Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a
network connection. The mprotect() system call is used to change the access protections on a region of memory that has
already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space,
enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many
cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed
thoroughly.
cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed
thoroughly.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Network Connection from Binary with RWX Memory Region"
references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"]
references = [
"https://man7.org/linux/man-pages/man2/mprotect.2.html"
]
risk_score = 47
rule_id = "32300431-c2d5-432d-8ec8-0e03f9924756"
setup = """## Setup
@@ -41,16 +45,15 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sample by host.id, process.pid, process.name
/* auditd.data.a2 == "7" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */
@@ -59,34 +62,33 @@ sample by host.id, process.pid, process.name
not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
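Review bot: The network clause kept as context in the last hunk, `not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")`, suppresses IPv4 loopback, link-local and multicast destinations but on the IPv6 side only loopback, so IPv6 link-local and multicast connections are not filtered and will surface as alerts for a sampled RWX process that never left the host. Whether that matters depends on how much IPv6 neighbour and multicast traffic dual-stack endpoints produce; if it turns out noisy, extending the list to `not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1", "fe80::/10", "ff00::/8")` would keep the IPv4 and IPv6 exclusions symmetric. The same clause is visible in the compile-then-connect section and the suspicious-child-process section further down. The query body starts outside this hunk, so any earlier exclusions there are not visible here.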
@@ -2,13 +2,15 @@
creation_date = "2023/08/28"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network
connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server.
This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network
connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server.
Attackers may spawn reverse shells to establish persistence onto a target system.
"""
from = "now-9m"
@@ -45,14 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id with maxspan=1m
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -63,34 +64,33 @@ sequence by host.id with maxspan=1m
not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.name
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
+4 -9
@@ -2,7 +2,9 @@
creation_date = "2020/04/16"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
@@ -55,14 +57,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
"""
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"
@@ -2,12 +2,14 @@
creation_date = "2023/09/22"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/03/08"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
[rule]
author = ["Elastic"]
description = """
Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from
Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from
this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as
well.
"""
@@ -45,18 +47,17 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager",
]
timestamp_override = "event.ingested"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager"
]
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name in (
@@ -77,7 +78,6 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -85,4 +85,3 @@ framework = "MITRE ATT&CK"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
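Review bot: `timestamp_override = "event.ingested"` appears only once in this section, between the two `tags` arrays, so from this rendering it is not certain whether the retained version keeps the key (moved ahead of `tags`) or loses it together with the dropped array. If it is lost, this `process where` rule would fall back to querying on `@timestamp` and could miss endpoint events that arrive late, which is exactly what the override exists to prevent. Please confirm the merged file still contains `timestamp_override = "event.ingested"` next to `tags`; the same ambiguity exists in the Python execution section (`T1059.006`) and the `/dev/tcp` background-process section below, where the key likewise sits between the two `tags` variants.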
@@ -2,7 +2,9 @@
creation_date = "2022/05/11"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
@@ -66,15 +68,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Threat: BPFDoor",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Threat: BPFDoor",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -83,17 +85,15 @@ process where host.os.type == "linux" and event.type == "start" and user.id == "
process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)"""
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -2,7 +2,9 @@
creation_date = "2022/05/10"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/13"
[rule]
author = ["Elastic"]
@@ -57,14 +59,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Threat: BPFDoor",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Threat: BPFDoor",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -75,15 +77,14 @@ not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/
"/var/run/argo/argoexec") and not process.parent.command_line : "/usr/bin/runc init"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
+13 -13
@@ -2,7 +2,9 @@
creation_date = "2020/04/15"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/03/08"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
[rule]
author = ["Elastic"]
@@ -43,15 +45,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
@@ -64,22 +66,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -2,16 +2,18 @@
creation_date = "2022/06/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a
PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public
facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks,
which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for
unauthorized access and malicious actions.
This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within
a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a
public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection
attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities
for unauthorized access and malicious actions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
@@ -46,14 +48,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -65,22 +66,20 @@ user.name == "postgres" and (
) and not process.parent.name : "puppet"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -2,13 +2,15 @@
creation_date = "2022/05/06"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
description = """
Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive
system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator,
Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive
system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator,
and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.
"""
from = "now-9m"
@@ -125,17 +127,9 @@ Session View uses process data collected by the Elastic Defend integration, but
For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
(
@@ -190,22 +184,20 @@ process where host.os.type == "linux" and event.type == "start" and
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -2,13 +2,15 @@
creation_date = "2023/09/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp
channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.
Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp
channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
@@ -43,51 +45,49 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
@@ -2,7 +2,9 @@
creation_date = "2023/11/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/05/17"
[rule]
author = ["Elastic"]
@@ -17,7 +19,7 @@ language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Child"
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
risk_score = 47
rule_id = "2138bb70-5a5e-42fd-be5e-b38edf6a6777"
@@ -50,14 +52,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=5s
[network where event.type == "start" and host.os.type == "linux" and
@@ -70,34 +71,33 @@ sequence by host.id, process.entity_id with maxspan=5s
)]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
@@ -2,7 +2,9 @@
creation_date = "2023/07/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/13"
[rule]
author = ["Elastic"]
@@ -16,7 +18,7 @@ language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Java"
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
risk_score = 47
rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd"
@@ -47,14 +49,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
[network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and
@@ -76,34 +77,33 @@ sequence by host.id with maxspan=5s
)] by process.parent.entity_id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
@@ -2,13 +2,15 @@
creation_date = "2023/07/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/13"
[rule]
author = ["Elastic"]
description = """
This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by
the specified utilities that are initialized from a single process followed by a network connection attempt will be
This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by
the specified utilities that are initialized from a single process followed by a network connection attempt will be
captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
"""
from = "now-9m"
@@ -17,7 +19,7 @@ language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Suspicious Child Process"
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
risk_score = 47
rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee"
@@ -48,14 +50,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and (
@@ -85,34 +86,33 @@ sequence by host.id, process.entity_id with maxspan=1s
destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
@@ -2,14 +2,16 @@
creation_date = "2023/08/10"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0"
min_stack_version = "8.6.0"
updated_date = "2024/02/19"
[rule]
author = ["Elastic"]
description = """
This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged
This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged
by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting
this pattern is indicative of a successful meterpreter shell connection.
this pattern is indicative of a successful meterpreter shell connection.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -58,15 +60,14 @@ However, if more advanced configuration is required to detect specific behavior,
"""
severity = "medium"
tags = [
"Data Source: Auditd Manager",
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
]
"Data Source: Auditd Manager",
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sample by host.id, process.pid, user.id
[file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/etc/machine-id"]
@@ -76,34 +77,33 @@ sample by host.id, process.pid, user.id
[file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/if_inet6"]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
@@ -2,14 +2,16 @@
creation_date = "2023/07/05"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary
(located in a commonly abused location or executed manually) followed by a network event and ending with a shell being
spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish
spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish
persistence onto a target system.
"""
from = "now-9m"
@@ -18,7 +20,7 @@ language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Suspicious Binary"
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
risk_score = 47
rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f"
@@ -49,14 +51,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -78,34 +79,33 @@ sequence by host.id, process.entity_id with maxspan=1s
process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
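Review bot: The two description lines that print identically (`spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish`) evidently differ only in trailing whitespace, and because they sit inside a `"""` multi-line basic string that whitespace becomes part of the rule's description value rather than being discarded; whichever side carries it, the restored text should be stripped so the description does not change by invisible characters. The same doubled-line pattern recurs in the UDP reverse shell, unknown-executable new_terms, RWX memory region, ransomware note, and SSH-IT sections of this commit. Separately, `updated_date` moves backwards here from `"2024/05/21"` to `"2024/03/08"` while the file content changes in this commit; if downstream tooling keys rule versioning or changelogs off that field, the revert presumably deserves a fresh date rather than the pre-#3681 one.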
@@ -2,7 +2,9 @@
creation_date = "2023/07/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/05/17"
[rule]
author = ["Elastic"]
@@ -17,7 +19,7 @@ language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell"
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
risk_score = 47
rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3"
@@ -48,14 +50,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
[network where event.type == "start" and host.os.type == "linux" and
@@ -68,34 +69,33 @@ sequence by host.id with maxspan=5s
)] by process.parent.entity_id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
@@ -2,14 +2,16 @@
creation_date = "2023/07/04"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0"
min_stack_version = "8.6.0"
updated_date = "2024/03/13"
[rule]
author = ["Elastic"]
description = """
This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This
This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This
activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the
auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux
auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux
UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.
"""
from = "now-9m"
@@ -18,7 +20,7 @@ language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via UDP"
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
risk_score = 47
rule_id = "a5eb21b7-13cc-4b94-9fe2-29bb2914e037"
@@ -63,11 +65,10 @@ tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
]
"Tactic: Execution"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sample by host.id, process.pid, process.parent.pid
[process where host.os.type == "linux" and event.type == "start" and event.action == "executed" and process.name : (
@@ -86,34 +87,33 @@ sample by host.id, process.pid, process.parent.pid
not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
@@ -2,7 +2,9 @@
creation_date = "2023/06/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
@@ -17,7 +19,9 @@ index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Content Extracted or Decompressed via Funzip"
references = ["https://attack.mitre.org/software/S0482/"]
references = [
"https://attack.mitre.org/software/S0482/"
]
risk_score = 47
rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66"
setup = """## Setup
@@ -46,17 +50,9 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and
@@ -65,39 +61,38 @@ not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xa
not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
id = "T1059.004"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Defense Evasion"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
id = "T1027"
reference = "https://attack.mitre.org/techniques/T1027/"
[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
id = "T1140"
reference = "https://attack.mitre.org/techniques/T1140/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,15 +2,17 @@
creation_date = "2023/06/14"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of several commonly used system commands executed by a previously unknown
executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially
malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code.
Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the
executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially
malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code.
Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the
system and its data from potential compromise.
"""
from = "now-9m"
@@ -46,14 +48,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -69,30 +64,28 @@ process.executable:(
not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
name = "Command and Scripting Interpreter"
id = "T1059"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
name = "Unix Shell"
id = "T1059.004"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
@@ -2,7 +2,9 @@
creation_date = "2023/02/08"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
@@ -44,37 +46,34 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "creation" and event.action : ("creation", "file_create_event") and
file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.service", "pnsd.service", "apache4.service", "pastebin.service", "xvf.service")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
name = "Command and Scripting Interpreter"
id = "T1059"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
name = "Unix Shell"
id = "T1059.004"
reference = "https://attack.mitre.org/techniques/T1059/004/"
+14 -14
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2022/07/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/20"
integration = ["endpoint"]
[rule]
author = ["Elastic"]
@@ -50,14 +52,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Threat: TripleCross",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Threat: TripleCross",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -67,22 +69,20 @@ process.args == "filter" and process.args == "add" and process.args == "bpf" and
not process.parent.executable == "/usr/sbin/libvirtd"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -2,7 +2,9 @@
creation_date = "2024/03/13"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2024/03/13"
[rule]
author = ["Elastic"]
@@ -11,14 +13,16 @@ Monitors for the execution of a previously unknown unix binary with read, write
The mprotect() system call is used to change the access protections on a region of memory that has already been
allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or
disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases
overly permissive, and should be analyzed thoroughly.
overly permissive, and should be analyzed thoroughly.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "kuery"
license = "Elastic License v2"
name = "Unknown Execution of Binary with RWX Memory Region"
references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"]
references = [
"https://man7.org/linux/man-pages/man2/mprotect.2.html"
]
risk_score = 47
rule_id = "23bcd283-2bc0-4db2-81d4-273fc051e5c0"
setup = """## Setup
@@ -40,43 +44,40 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
@@ -2,7 +2,9 @@
creation_date = "2023/06/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
@@ -17,8 +19,8 @@ language = "eql"
license = "Elastic License v2"
name = "Suspicious Data Encryption via OpenSSL Utility"
references = [
"https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
"https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html",
"https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
"https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html",
]
risk_score = 47
rule_id = "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73"
@@ -48,15 +50,8 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Impact",
"Data Source: Elastic Defend",
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id, user.name, process.parent.entity_id with maxspan=5s
[ process where host.os.type == "linux" and event.action == "exec" and
@@ -67,17 +62,15 @@ sequence by host.id, user.name, process.parent.entity_id with maxspan=5s
not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") ] with runs=10
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1486"
name = "Data Encrypted for Impact"
reference = "https://attack.mitre.org/techniques/T1486/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
id = "TA0040"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat.technique]]
name = "Data Encrypted for Impact"
id = "T1486"
reference = "https://attack.mitre.org/techniques/T1486/"
+15 -16
@@ -2,15 +2,17 @@
creation_date = "2023/04/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.5.0"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
description = """
Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system by a "kill"
command. The rule monitors for the "end" event type, which signifies the termination of a process. The presence of a
"kill" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to
interfere with the virtualized environment on the targeted system.
Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system
by a "kill" command. The rule monitors for the "end" event type, which signifies the termination of a process.
The presence of a "kill" command as the parent process for terminating VMware processes may indicate that a
threat actor is attempting to interfere with the virtualized environment on the targeted system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
@@ -49,32 +51,29 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Impact",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Impact",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "end" and process.name in ("vmware-vmx", "vmx")
and process.parent.name == "kill"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1489"
name = "Service Stop"
reference = "https://attack.mitre.org/techniques/T1489/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
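Review bot: `min_stack_version = "8.5.0"` is paired with the comment `New fields added: required_fields, related_integrations, setup`, but every other section on this page that carries that same comment sets `"8.3.0"`, so the comment does not explain why this rule needs a higher floor. If 8.5.0 is a deliberate requirement (a field or feature this rule depends on), `min_stack_comments` should name it, e.g. `min_stack_comments = "<reason 8.5.0 is required>"`; if it is not, the version should presumably be 8.3.0 like its peers. As written the two keys contradict each other for a reader deciding which stack versions the rule can be deployed to.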
@@ -2,15 +2,17 @@
creation_date = "2023/03/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/21"
[rule]
author = ["Elastic"]
description = """
This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same
process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands
payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack
is the mass encryption of the file system, after which a new file extension is added to the file.
This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same
process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and
demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware
attack is the mass encryption of the file system, after which a new file extension is added to the file.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -46,14 +48,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Impact",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Impact",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by process.entity_id, host.id with maxspan=1s
[file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
@@ -70,17 +71,15 @@ sequence by process.entity_id, host.id with maxspan=1s
] with runs=25
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1486"
name = "Data Encrypted for Impact"
reference = "https://attack.mitre.org/techniques/T1486/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
@@ -2,16 +2,18 @@
creation_date = "2023/03/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/21"
[rule]
author = ["Elastic"]
description = """
This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a
file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of
This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with
a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of
malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the
decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a
new file extension is added to the file.
new file extension is added to the file.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -47,14 +49,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Impact",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Impact",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by process.entity_id, host.id with maxspan=1s
[file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
@@ -74,17 +75,15 @@ sequence by process.entity_id, host.id with maxspan=1s
]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1486"
name = "Data Encrypted for Impact"
reference = "https://attack.mitre.org/techniques/T1486/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
+17 -15
@@ -2,11 +2,15 @@
creation_date = "2022/07/27"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/21"
[rule]
author = ["Elastic"]
description = "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n"
description = """
This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "kuery"
@@ -74,31 +78,30 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Impact",
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager",
]
timestamp_override = "event.ingested"
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Impact",
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager"
]
type = "threshold"
timestamp_override = "event.ingested"
query = '''
event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1489"
name = "Service Stop"
reference = "https://attack.mitre.org/techniques/T1489/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
@@ -107,4 +110,3 @@ reference = "https://attack.mitre.org/tactics/TA0040/"
[rule.threshold]
field = ["host.id", "process.executable", "user.name"]
value = 10
@@ -2,13 +2,15 @@
creation_date = "2023/09/21"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
[rule]
author = ["Elastic"]
description = """
Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's
autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh.
Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's
autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -46,17 +48,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name in ("curl", "wget") and process.args : (
@@ -65,32 +66,30 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"
[[rule.threat.technique]]
id = "T1563"
name = "Remote Service Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"
[[rule.threat.technique.subtechnique]]
id = "T1563.001"
name = "SSH Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/001/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -2,7 +2,9 @@
creation_date = "2020/04/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/21"
[rule]
author = ["Elastic"]
@@ -65,14 +67,13 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by process.entity_id
[process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
@@ -86,17 +87,15 @@ sequence by process.entity_id
]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -2,7 +2,9 @@
creation_date = "2020/04/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/21"
[rule]
author = ["Elastic"]
@@ -65,14 +67,13 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by process.entity_id
[process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
@@ -86,17 +87,15 @@ sequence by process.entity_id
]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2024/02/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
integration = ["endpoint"]
[rule]
author = ["Elastic"]
@@ -48,16 +50,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Execution",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Execution",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -72,9 +73,9 @@ sequence by host.id with maxspan=5s
] by process.parent.entity_id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
@@ -85,28 +86,29 @@ id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -114,4 +116,3 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
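Review bot: In the restored `[metadata]` table `integration = ["endpoint"]` now sits after `updated_date` (the `@@ -1,8 +1,10 @@` hunk), whereas the other files in this commit keep it directly after `creation_date`; the `-1,8 +1,10` counts only balance if the earlier `integration` line is the removed one, so the reordered key is on the new side. It parses identically, but mixed key order across the rule set makes future mass diffs noisier, so I'd keep `creation_date`, `integration`, `maturity`, then the `min_stack_*` keys and `updated_date`. The same reorder appears in the APT-backdoor file, the chkconfig file (rule_id b910f25a-2d44-47f2-a873-aabdc0d355e6) and the dynamic-linker file (rule_id df6f62d9-caab-4b88-affa-044f4395a1e0). Separately, in the `@@ -85,28 +86,29 @@` hunk one `[[rule.threat]]` entry carries a `[rule.threat.tactic]` table written as `name`, `id`, `reference` and placed ahead of its `[[rule.threat.technique]]`, unlike the other entries in this file; if that ordering is the side that survives the revert, it is worth normalizing to `id`, `name`, `reference` with the tactic table after the technique tables.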
@@ -1,14 +1,16 @@
[metadata]
creation_date = "2024/02/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
integration = ["endpoint"]
[rule]
author = ["Elastic"]
description = """
Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT
backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based
Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an
APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based
systems, providing functions for installing, updating, upgrading, and removing software along with managing package
repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs,
thereby ensuring continued unauthorized access or control each time APT is used for package management.
@@ -48,16 +50,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Command and Control",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Command and Control",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -69,9 +70,9 @@ sequence by host.id with maxspan=5s
] by process.parent.entity_id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
@@ -82,11 +83,11 @@ id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -94,6 +95,7 @@ framework = "MITRE ATT&CK"
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -101,4 +103,3 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2022/07/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/13"
integration = ["endpoint"]
[transform]
[[transform.osquery]]
@@ -12,11 +14,20 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/
[[transform.osquery]]
label = "Osquery - Retrieve Additional File Listing Information"
query = """
SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE
'/etc/rc%.d/%')
SELECT
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime, 'unixepoch') AS file_last_access_time,
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
datetime(f.btime, 'unixepoch') AS file_created_time,
f.size AS size_bytes
FROM
file f
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN groups g ON f.gid = g.gid
WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')
"""
[[transform.osquery]]
@@ -43,13 +54,12 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
label = "Osquery - Investigate the Account Authentication Status"
query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
[rule]
author = ["Elastic"]
description = """
Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize
this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has
either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run
either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run
providing long-term persistence.
"""
from = "now-9m"
@@ -132,7 +142,9 @@ This rule monitors the usage of the `chkconfig` binary to manually add a service
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"]
references = [
"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
]
risk_score = 47
rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6"
setup = """## Setup
@@ -162,14 +174,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Threat: Lightning Framework",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Threat: Lightning Framework",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -183,22 +195,20 @@ not process.parent.name in ("rpm", "qualys-scan-util", "qualys-cloud-agent", "up
not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[[rule.threat.technique.subtechnique]]
id = "T1037.004"
name = "RC Scripts"
reference = "https://attack.mitre.org/techniques/T1037/004/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -2,7 +2,9 @@
creation_date = "2020/12/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/21"
[transform]
[[transform.osquery]]
@@ -29,7 +31,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
label = "Osquery - Investigate the Account Authentication Status"
query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
[rule]
author = ["Elastic"]
description = """
@@ -146,18 +147,17 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Tactic: Persistence",
"Tactic: Lateral Movement",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Tactic: Persistence",
"Tactic: Lateral Movement",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and host.os.type:linux and event.type:change and
process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and
@@ -169,56 +169,56 @@ event.category:file and host.os.type:linux and event.type:change and
not process.executable:/usr/share/elasticsearch/*
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"
[[rule.threat.technique]]
id = "T1563"
name = "Remote Service Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"
[[rule.threat.technique.subtechnique]]
id = "T1563.001"
name = "SSH Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/001/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
+58 -34
@@ -2,33 +2,59 @@
creation_date = "2023/06/09"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
min_stack_version = "8.6.0"
updated_date = "2024/02/21"
[transform]
[[transform.osquery]]
label = "Osquery - Retrieve File Listing Information"
query = """
SELECT * FROM file WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE
'/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE
'/etc/cron.monthly/%' )
SELECT * FROM file WHERE (
path LIKE '/etc/cron.allow.d/%' OR
path LIKE '/etc/cron.d/%' OR
path LIKE '/etc/cron.hourly/%' OR
path LIKE '/etc/cron.daily/%' OR
path LIKE '/etc/cron.weekly/%' OR
path LIKE '/etc/cron.monthly/%'
)
"""
[[transform.osquery]]
label = "Osquery - Retrieve rc-local.service File Information"
query = """
SELECT * FROM file WHERE ( path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab' OR path =
'/usr/sbin/cron' OR path = '/usr/sbin/anacron' )
SELECT * FROM file WHERE (
path = '/etc/cron.allow' OR
path = '/etc/cron.deny' OR
path = '/etc/crontab' OR
path = '/usr/sbin/cron' OR
path = '/usr/sbin/anacron'
)
"""
[[transform.osquery]]
label = "Osquery - Retrieve Additional File Listing Information"
query = """
SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE
'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR
path LIKE '/etc/cron.monthly/%' )
SELECT
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime, 'unixepoch') AS file_last_access_time,
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
datetime(f.btime, 'unixepoch') AS file_created_time,
f.size AS size_bytes
FROM
file f
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN groups g ON f.gid = g.gid
WHERE (
path LIKE '/etc/cron.allow.d/%' OR
path LIKE '/etc/cron.d/%' OR
path LIKE '/etc/cron.hourly/%' OR
path LIKE '/etc/cron.daily/%' OR
path LIKE '/etc/cron.weekly/%' OR
path LIKE '/etc/cron.monthly/%'
)
"""
[[transform.osquery]]
@@ -51,7 +77,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
label = "Osquery - Investigate the Account Authentication Status"
query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
[rule]
author = ["Elastic"]
description = """
@@ -135,7 +160,7 @@ This rule monitors the creation of previously unknown cron jobs by monitoring fo
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
]
risk_score = 47
rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9"
@@ -166,18 +191,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Privilege Escalation",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Privilege Escalation",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and
file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or
@@ -192,54 +216,55 @@ and not (
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
@@ -248,8 +273,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "file.path", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
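Review bot: The second osquery transform is labelled `label = "Osquery - Retrieve rc-local.service File Information"` but its query only inspects cron artifacts (`/etc/cron.allow`, `/etc/cron.deny`, `/etc/crontab`, `/usr/sbin/cron`, `/usr/sbin/anacron`), so an analyst running the investigation guide sees a title that does not match what is returned; this is context in the `@@ -2,33 +2,59 @@` hunk that the revert leaves as-is. Suggest `label = "Osquery - Retrieve Cron Configuration and Binary File Information"`. The label appears to have been carried over from a sibling rc-local rule; the other `[[transform.osquery]]` entries in this file use labels that match their queries.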
@@ -1,27 +1,48 @@
[metadata]
creation_date = "2022/07/12"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/19"
integration = ["endpoint"]
[transform]
[[transform.osquery]]
label = "Osquery - Retrieve File Listing Information"
query = """
SELECT * FROM file WHERE ( path = '/etc/ld.so.preload' OR path = '/lib64/ld-linux-x86-64.so.2' OR path =
'/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path = '/usr/lib64/ld-linux-x86-64.so.2' OR path =
'/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' )
SELECT * FROM file WHERE (
path = '/etc/ld.so.preload' OR
path = '/lib64/ld-linux-x86-64.so.2' OR
path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR
path = '/usr/lib64/ld-linux-x86-64.so.2' OR
path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2'
)
"""
[[transform.osquery]]
label = "Osquery - Retrieve Additional File Listing Information"
query = """
SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path = '/etc/ld.so.preload' OR path =
'/lib64/ld-linux-x86-64.so.2' OR path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path =
'/usr/lib64/ld-linux-x86-64.so.2' OR path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' )
SELECT
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime, 'unixepoch') AS file_last_access_time,
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
datetime(f.btime, 'unixepoch') AS file_created_time,
f.size AS size_bytes
FROM
file f
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN groups g ON f.gid = g.gid
WHERE (
path = '/etc/ld.so.preload' OR
path = '/lib64/ld-linux-x86-64.so.2' OR
path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR
path = '/usr/lib64/ld-linux-x86-64.so.2' OR
path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2'
)
"""
[[transform.osquery]]
@@ -44,14 +65,13 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
label = "Osquery - Investigate the Account Authentication Status"
query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
[rule]
author = ["Elastic"]
description = """
Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup
copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to
inject and preload a malicious shared object file. This activity should never occur and if it does then it should be
considered highly suspicious or malicious.
Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a
backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in
order to inject and preload a malicious shared object file. This activity should never occur and if it does then it
should be considered highly suspicious or malicious.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -125,7 +145,9 @@ The detection rule 'Dynamic Linker Copy' is designed to identify such abuse by m
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"]
references = [
"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"
]
risk_score = 73
rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0"
setup = """## Setup
@@ -155,13 +177,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Threat: Orbit",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Threat: Orbit",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
@@ -174,20 +196,19 @@ sequence by process.entity_id with maxspan=1m
[file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
+95 -74
@@ -2,26 +2,49 @@
creation_date = "2022/07/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/21"
[transform]
[[transform.osquery]]
label = "Osquery - Retrieve File Listing Information"
query = """
SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%'
OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE
'/usr/lib/systemd/system/%' )
SELECT * FROM file WHERE (
path LIKE '/etc/ld.so.conf.d/%' OR
path LIKE '/etc/cron.d/%' OR
path LIKE '/etc/sudoers.d/%' OR
path LIKE '/etc/rc%.d/%' OR
path LIKE '/etc/init.d/%' OR
path LIKE '/etc/systemd/system/%' OR
path LIKE '/usr/lib/systemd/system/%'
)
"""
[[transform.osquery]]
label = "Osquery - Retrieve Additional File Listing Information"
query = """
SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE
'/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE
'/etc/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' )
SELECT
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime, 'unixepoch') AS file_last_access_time,
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
datetime(f.btime, 'unixepoch') AS file_created_time,
f.size AS size_bytes
FROM
file f
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN groups g ON f.gid = g.gid
WHERE (
path LIKE '/etc/ld.so.conf.d/%' OR
path LIKE '/etc/cron.d/%' OR
path LIKE '/etc/sudoers.d/%' OR
path LIKE '/etc/rc%.d/%' OR
path LIKE '/etc/init.d/%' OR
path LIKE '/etc/systemd/system/%' OR
path LIKE '/usr/lib/systemd/system/%'
)
"""
[[transform.osquery]]
@@ -48,7 +71,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
label = "Osquery - Investigate the Account Authentication Status"
query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
[rule]
author = ["Elastic"]
description = """
@@ -135,7 +157,7 @@ This rule monitors for the creation of the most common system-wide configuration
"""
references = [
"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/",
"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/",
"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
]
risk_score = 47
rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042"
@@ -166,18 +188,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Threat: Orbit",
"Threat: Lightning Framework",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Threat: Orbit",
"Threat: Lightning Framework",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.id == "0" and
file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*",
@@ -192,76 +213,76 @@ file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/r
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[[rule.threat.technique.subtechnique]]
id = "T1037.004"
name = "RC Scripts"
reference = "https://attack.mitre.org/techniques/T1037/004/"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.002"
name = "Systemd Service"
reference = "https://attack.mitre.org/techniques/T1543/002/"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[[rule.threat.technique.subtechnique]]
id = "T1037.004"
name = "RC Scripts"
reference = "https://attack.mitre.org/techniques/T1037/004/"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.002"
name = "Systemd Service"
reference = "https://attack.mitre.org/techniques/T1543/002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
@@ -2,7 +2,9 @@
creation_date = "2023/03/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2024/02/21"
[transform]
[[transform.osquery]]
@@ -16,11 +18,20 @@ query = "SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/
[[transform.osquery]]
label = "Osquery - Retrieve Additional File Listing Information"
query = """
SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE
'/run/systemd/generator.late/%')
SELECT
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime, 'unixepoch') AS file_last_access_time,
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
datetime(f.btime, 'unixepoch') AS file_created_time,
f.size AS size_bytes
FROM
file f
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN groups g ON f.gid = g.gid
WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')
"""
[[transform.osquery]]
@@ -31,14 +42,14 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Crontab Information"
query = "SELECT * FROM crontab"
[rule]
author = ["Elastic"]
description = """
Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts
or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator"
can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the
/etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.
or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the
"systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or
alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence
on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
@@ -110,7 +121,8 @@ This rule looks for the creation of new files within the `/etc/init.d/` director
references = [
"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/",
"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"
]
risk_score = 47
rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b"
@@ -141,17 +153,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
]
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and
file.path : /etc/init.d/* and not (
@@ -164,15 +175,14 @@ file.path : /etc/init.d/* and not (
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
@@ -181,8 +191,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["file.path", "process.name", "host.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
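Review bot: The restored description says adversaries may "add or alter" files in /etc/init.d/, but the query that survives on the new side only matches `event.action:("creation" or "file_create_event" or "rename" or "file_rename_event")`, so an in-place edit of an existing init script (presumably a "modification"-type event on Elastic Defend) would not be evaluated by this rule at all. Either narrow the description to what is actually detected, e.g. `Adversaries may add or rename files located in the /etc/init.d/ directory ...`, or, if modification coverage is intended, extend the event.action list and re-check the `not (...)` exclusion block, which continues in the next hunk and is not fully visible here. A second, minor point: the revert rolls `updated_date` back to `"2024/02/21"` on the new side of the first hunk even though the file is being rewritten on 2024/05/22; if the repository's convention is that this field tracks the last edit, it should be bumped rather than restored. The restored `min_stack_version = "8.6.0"` guard is consistent with the three-field `new_terms_fields` value at the end of the file and looks correct.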
