[Tuning] Linux DR Tuning - Part 12 (#3464)

* [Tuning] Linux DR Tuning - Part 12

* Update persistence_shared_object_creation.toml

* Update privilege_escalation_dac_permissions.toml

* Update privilege_escalation_enlightenment_window_manager.toml

* Update privilege_escalation_enlightenment_window_manager.toml

* Min stack rule-bending test

* formatting fix

* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"

This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing
changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.

* Revert "Min stack rule-bending test"

This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.

* Update privilege_escalation_enlightenment_window_manager.toml

* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

Removed changes from:
- rules/linux/privilege_escalation_dac_permissions.toml

(selectively cherry picked from commit 9c4ba4559d)

rules/linux/persistence_shared_object_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 min_stack_version = "8.6.0"
-updated_date = "2023/12/19"
+updated_date = "2024/02/21"
 
 [transform]
 [[transform.osquery]]
@@ -172,12 +172,13 @@ tags = [
     ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and 
-file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and 
-process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher"
-  or "pacman" or "apt-get" or "dnf" or "podman" or "platform-python"))
+file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (
+  process.name:("dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "vmis-launcher" or "pacman" or
+  "apt-get" or "dnf" or "podman" or "platform-python") or 
+  (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*)
+)
 '''
 
 [[rule.threat]]

rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/07/28"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ commands or input containing wildcards (e.g., *, ?, []) to execute unintended op
 tricking the system into interpreting the wildcard characters in unexpected ways.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Unauthorized Access via Wildcard Injection Detected"
@@ -49,12 +49,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "Use Case: Threat Detection",
+        "Tactic: Privilege Escalation",
+        "Tactic: Credential Access",
+        "Data Source: Elastic Endgame",
+        "Data Source: Elastic Defend",
+        "Data Source: Auditd Manager"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and 
-process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*"
+process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
+event.type == "start" and process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*"
 '''
 
 [[rule.threat]]

rules/linux/privilege_escalation_kworker_uid_elevation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/26"
+updated_date = "2024/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ hijack the execution flow by hooking certain functions/syscalls through a rootki
 root via a special modified command.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Kworker UID Elevation"
@@ -57,13 +57,14 @@ tags = [
         "Use Case: Threat Detection",
         "Tactic: Privilege Escalation",
         "Tactic: Defense Evasion",
-        "Data Source: Elastic Defend"
+        "Data Source: Elastic Defend",
+        "Data Source: Elastic Endgame"
         ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action == "session_id_change" and event.type == "change" and
-process.name : "kworker*" and user.id == "0"
+process where host.os.type == "linux" and event.action == "session_id_change" and process.name : "kworker*" and
+user.id == "0"
 '''
 
 [[rule.threat]]
@@ -96,4 +97,3 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Rootkit"
 id = "T1014"
 reference = "https://attack.mitre.org/techniques/T1014/"
-