From 2faa844301f86f01fe8aa517e142baf070401a5d Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Thu, 7 Mar 2024 18:09:38 +0100
Subject: [PATCH] [Tuning] Linux DR Tuning - Part 12 (#3464)
* [Tuning] Linux DR Tuning - Part 12
* Update persistence_shared_object_creation.toml
* Update privilege_escalation_dac_permissions.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Min stack rule-bending test
* formatting fix
* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"
This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Revert "Min stack rule-bending test"
This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Removed changes from:
- rules/linux/privilege_escalation_dac_permissions.toml
(selectively cherry picked from commit 9c4ba4559d7417d0c0d376a1a55b9bed91916d05)
---
 .../persistence_shared_object_creation.toml | 11 +++++-----
 ...on_chown_chmod_unauthorized_file_read.toml | 21 +++++++++++++------
 ...lege_escalation_kworker_uid_elevation.toml | 12 +++++------
 3 files changed, 27 insertions(+), 17 deletions(-)
diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml
index 1c1d0f98d..17a93037c 100644
--- a/rules/linux/persistence_shared_object_creation.toml
+++ b/rules/linux/persistence_shared_object_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 min_stack_version = "8.6.0"
-updated_date = "2023/12/19"
+updated_date = "2024/02/21"
 [transform]
 [[transform.osquery]]
@@ -172,12 +172,13 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and
-file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and
-process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher"
-  or "pacman" or "apt-get" or "dnf" or "podman" or "platform-python"))
+file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (
+  process.name:("dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "vmis-launcher" or "pacman" or
+  "apt-get" or "dnf" or "podman" or "platform-python") or
+  (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*)
+)
 '''
 [[rule.threat]]
diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
index 34c410034..43df66fcd 100644
--- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
+++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/07/28"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/21"
 [rule]
 author = ["Elastic"]
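Review bot: The rewritten `not (...)` clause in the `query` still exempts processes by bare `process.name`, so a dropper that names itself `dpkg`, `rpm` or `yum` (or `vmware-install.pl` writing under `/usr/lib/vmware-tools/`) silently defeats the rule, and package-manager names are exactly the ones an attacker would borrow. The new vmware exclusion already has the better shape, name paired with a path, and the same can be applied to the package managers if these file events carry `process.executable`, e.g. `process.executable:(/usr/bin/dpkg or /usr/bin/rpm or /usr/bin/yum or /usr/bin/dnf or /usr/bin/apt-get)` in place of the name list; whether that field is populated on `creation`/`rename` events should be checked in the data first. Removing `"5"` and `"exe"` from the list is a clear improvement, since neither name was tied to a known installer. The `'''` string terminator is inside the hunk, so this is the whole clause.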
@@ -15,7 +15,7 @@ commands or input containing wildcards (e.g., *, ?, []) to execute unintended op
 tricking the system into interpreting the wildcard characters in unexpected ways.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Unauthorized Access via Wildcard Injection Detected"
@@ -49,12 +49,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+  "Domain: Endpoint",
+  "OS: Linux",
+  "Use Case: Threat Detection",
+  "Tactic: Privilege Escalation",
+  "Tactic: Credential Access",
+  "Data Source: Elastic Endgame",
+  "Data Source: Elastic Defend",
+  "Data Source: Auditd Manager"
+  ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
-process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*"
+process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
+event.type == "start" and process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*"
 '''
 [[rule.threat]]
diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml
index 4f9b18945..0d7a73a38 100644
--- a/rules/linux/privilege_escalation_kworker_uid_elevation.toml
+++ b/rules/linux/privilege_escalation_kworker_uid_elevation.toml
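Review bot: The `query` now accepts the auditd-style actions `executed` and `process_started` and the file gains `auditbeat-*`/`logs-auditd_manager.auditd-*` indices, but the diffstat for this file (6 deletions, 15 insertions, all in the hunks shown) leaves the `setup` text untouched, and the hunk header shows it still only points at the Elastic Defend helper guide. On an auditd-sourced host this rule can only fire if an audit rule records execve together with its arguments, because the match depends on `process.args` containing `-R` and `--reference=...`; the setup should say so, e.g. a sentence stating that an `execve` audit rule such as `-a always,exit -F arch=b64 -S execve -k exec` is required and that argument capture must be enabled. It is also worth confirming against real auditd data that those events carry `event.type == "start"`, since that condition is still ANDed in for every source and would otherwise make the new indices dead. The `setup` block itself starts before this hunk.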
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/26"
+updated_date = "2024/02/21"
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ hijack the execution flow by hooking certain functions/syscalls through a rootki
 root via a special modified command.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Kworker UID Elevation"
@@ -57,13 +57,14 @@ tags = [
   "Use Case: Threat Detection",
   "Tactic: Privilege Escalation",
   "Tactic: Defense Evasion",
-  "Data Source: Elastic Defend"
+  "Data Source: Elastic Defend",
+  "Data Source: Elastic Endgame"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action == "session_id_change" and event.type == "change" and
-process.name : "kworker*" and user.id == "0"
+process where host.os.type == "linux" and event.action == "session_id_change" and process.name : "kworker*" and
+user.id == "0"
 '''
 [[rule.threat]]
@@ -96,4 +97,3 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Rootkit"
 id = "T1014"
 reference = "https://attack.mitre.org/techniques/T1014/"
-
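Review bot: The `endgame-*` index and "Data Source: Elastic Endgame" tag are added, but the `query` keeps the single Elastic Defend action string `event.action == "session_id_change"`; unless Endgame emits exactly that action name the new index contributes no events, so either confirm it does or widen the condition to an `in (...)` list with the Endgame equivalent, as this same commit does for the chown/chmod rule. Dropping `event.type == "change"` means the rule now matches that action regardless of event.type, which is harmless if `session_id_change` is only ever emitted as a change event but is a behaviour change worth a line in the rule `note` so a later tuner knows it was deliberate. The `[[rule.threat]]` block continues outside the hunk.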