[Rule Tuning] Linux DR Tuning - Part 2 (#3321)

* [Rule Tuning] Linux DR Tuning - Part 2 * [Rule Tuning] Linux DR Tuning - Part 2 * fix * Update execution_shell_suspicious_parent_child_revshell_linux.toml
2024-01-08 10:07:38 +01:00
parent b533642272
commit 36226e5428
7 changed files with 62 additions and 35 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/11/02"
+updated_date = "2023/12/13"

 [rule]
 author = ["Elastic"]
@@ -53,7 +53,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast

 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "Use Case: Threat Detection",
+        "Tactic: Discovery",
+        "Data Source: Elastic Defend"
+        ]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -61,7 +67,8 @@ event.category:process and host.os.type:linux and event.type:start and (
 (process.name:(lsmod or modinfo)) or 
 (process.name:kmod and process.args:list) or 
 (process.name:depmod and process.args:(--all or -a))
-) 
+) and not process.parent.name:(mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools
+or readykernel or lvm2 or vz-start or iscsi or mdadm)
 '''

 [[rule.threat]]
@@ -79,7 +86,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"

 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.command_line", "process.parent.executable"]
+value = ["process.parent.command_line", "process.command_line", "process.parent.executable"]

 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/11/02"
+updated_date = "2023/12/13"

 [rule]
 author = ["Elastic"]
@@ -122,7 +122,9 @@ user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* o
  process.executable : (
    ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*
  ))
-) and not process.name : (go or git or containerd* or snap-confine)
+) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or 
+vzctl or ifup or rpcbind) and
+not file.name : (jem.*.pid)
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6."
 min_stack_version = "8.6.0"
-updated_date = "2023/11/02"
+updated_date = "2023/12/13"

 [rule]
 author = ["Elastic"]
@@ -83,7 +83,8 @@ process where host.os.type == "linux" and event.action == "exec" and event.type
 and (
  process.args : ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or 
  process.env_vars: ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*")
-) and length(process.command_line) > 255
+) and length(process.command_line) > 255 and 
+not process.parent.name in ("cf-agent", "agent-run", "rudder", "agent-inventory", "cf-execd")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2023/12/13"

 [rule]
 author = ["Elastic"]
@@ -47,7 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast

 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "Use Case: Threat Detection",
+        "Tactic: Execution",
+        "Data Source: Elastic Defend"
+        ]
 type = "eql"
 query = '''
 sequence by host.id with maxspan=1m
@@ -55,7 +61,8 @@ sequence by host.id with maxspan=1m
   process.name in ("gcc", "g++", "cc")] by process.args
  [file where host.os.type == "linux" and event.action == "creation" and process.name == "ld"] by file.name
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start"] by process.name
-  [network where host.os.type == "linux" and event.action == "connection_attempted"] by process.name
+  [network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip != null and 
+   not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.name
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2023/12/13"

 [rule]
 author = ["Elastic"]
@@ -59,26 +59,33 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast

 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "Use Case: Threat Detection",
+        "Tactic: Execution",
+        "Threat: BPFDoor",
+        "Data Source: Elastic Endgame",
+        "Data Source: Elastic Defend"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"

 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
-process.executable : ("/dev/shm/*", "/run/shm/*", "/var/run/*", "/var/lock/*") and
-not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/*", "/var/run/cloudera-scm-agent/*") and
-user.id == "0"
+user.id == "0" and process.executable : ("/dev/shm/*", "/run/shm/*", "/var/run/*", "/var/lock/*") and
+not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/*", "/var/run/cloudera-scm-agent/*", 
+"/var/run/argo/argoexec") and not process.parent.command_line : "/usr/bin/runc init"
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"

-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2023/12/13"

 [rule]
 author = ["Elastic"]
@@ -60,18 +60,22 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=5s
  [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and 
-   process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and
-   destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1"
-  ] by process.entity_id
-  [process where host.os.type == "linux" and event.action == "exec" and process.parent.executable : (
-    "/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*"
-  ) and process.parent.args : "-jar" and process.name in (
-    "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"
-  ) and not process.args : (
-    "-xe", "/tmp/jenkins*.sh", "*/var/lib/jenkins/workspace/*", "vmstat*", "asterisk*", "mpstat*", "/usr/bin/ps*", "umask", "*yum*", "uptime -s",
-    "df -h . | awk '{print $2}'", "free | awk \"/Mem:/\" | awk '{print $2}'"
-  )
-  ] by process.parent.entity_id
+   process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and 
+   not (destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
+     destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
+     "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+     "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+     "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+     "FF00::/8"
+    )
+  )] by process.entity_id
+  [process where host.os.type == "linux" and event.action == "exec" and 
+   process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and
+   process.parent.args : "-jar" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
+   and not process.parent.args in (
+     "/usr/share/java/jenkins.war", "/etc/remote-iot/services/remoteiot.jar",
+     "/usr/lib64/NetExtender.jar", "/usr/lib/jenkins/jenkins.war"
+   )] by process.parent.entity_id
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2023/12/13"

 [rule]
 author = ["Elastic"]
@@ -76,9 +76,8 @@ sequence by host.id, process.entity_id with maxspan=1s
    (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or 
    (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or
    (process.name : "openssl" and process.args : "-connect") or
-    (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args in (
-      "-z", "-zv", "-vz", "-v"
-    )) or
+    (process.name : ("nc", "ncat", "netcat") and process.args == "-e" and process.args_count >= 3 and 
+     not process.args == "-z") or
    (process.name : "telnet" and process.args_count >= 3)
  ) and process.parent.name : (
    "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*",