diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
index f25bd9e60..7d5fc8e33 100644
--- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
+++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2023/11/22"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ sequence by host.id, process.entity_id with maxspan=1s
 ) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")]
 [file where host.os.type == "linux" and event.action == "creation" and file.path : (
 "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*"
- )]
+ ) and not file.path : "/tmp/rear*"]
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml
index 99fd6e6eb..c0e52f76e 100644
--- a/rules/linux/persistence_setuid_setgid_capability_set.toml
+++ b/rules/linux/persistence_setuid_setgid_capability_set.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2023/11/22"
 
 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
-process.name == "setcap" and process.args : "cap_set?id+ep"
+process.name == "setcap" and process.args : "cap_set?id+ep" and not process.parent.name : "jem"
 '''
 
 [[rule.threat]]
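Review bot: The new exclusion `and not file.path : "/tmp/rear*"` in the file step of the sequence is keyed only on a name prefix inside a world-writable directory, so any binary copy whose destination happens to start with `/tmp/rear` is exempt regardless of which process wrote it. The tuning presumably targets a backup tool (ReaR) that stages files under that prefix; if the endpoint file event carries the writing process, tying the exclusion to it as well — for example `and not (file.path : "/tmp/rear*" and process.parent.name : "rear")`, with the process name taken from the events that motivated the change rather than from this guess — keeps the suppression while leaving the rest of the prefix covered. The `sequence` this hunk belongs to starts outside the hunk, so I cannot see whether the first step already constrains the parent in a way that would make this moot.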
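Review bot: The added `and not process.parent.name : "jem"` suppresses every `setcap cap_set?id+ep` execution whose parent is merely named `jem`, and a parent's name is simply what its binary was called, so the exclusion is strictly weaker than the behaviour the rule exists to catch. Anchoring the exemption to something harder to match by accident — the parent's full path, e.g. `and not process.parent.executable : "/PLACEHOLDER/path/to/jem"` (placeholder; take the real path from the triggering events) — or combining it with the expected `process.args` would narrow it to the legitimate case. The same parent-name-only exclusion for `jem` is added to rules_building_block/discovery_suspicious_which_command_execution.toml further down (there written as `not process.parent.name == "jem"` rather than with `:`); the two rules should agree on both the operator and the field used so the tuning can be reasoned about in one place.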
diff --git a/rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
index e86ebf774..24243198e 100644
--- a/rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
+++ b/rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/04"
+updated_date = "2023/11/22"
 bypass_bbr_timing = true
 
 [rule]
@@ -31,7 +31,7 @@ query = '''
 process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
 process.parent.name in ("screen", "tmux") and process.name : (
 "nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java", "python*", "php*", "perl", "ruby",
- "lua*", "openssl", "telnet", "awk", "wget", "curl", "whoami", "id"
+ "lua*", "openssl", "telnet", "awk", "wget", "curl", "id"
 )
 '''
 
diff --git a/rules_building_block/discovery_suspicious_which_command_execution.toml b/rules_building_block/discovery_suspicious_which_command_execution.toml
index 11a5daab6..131216f02 100644
--- a/rules_building_block/discovery_suspicious_which_command_execution.toml
+++ b/rules_building_block/discovery_suspicious_which_command_execution.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/13"
+updated_date = "2023/11/22"
 
 [rule]
 author = ["Elastic"]
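Review bot: Dropping `"whoami"` from the `process.name` list narrows this building-block rule with no rationale visible in the hunk, so a later maintainer cannot tell whether it was a false-positive tuning or an accidental omission. The rule's description, `false_positives` and note sections are outside the hunk; if they were not updated, a one-line entry there such as `whoami removed from the list on 2023/11/22 because of noise from <PLACEHOLDER: source of the benign volume>` would preserve the reason next to the code it affects. It is also worth stating why `id` stays while `whoami` goes, since both produce the same kind of user-context signal and the boundary is not obvious from the list alone.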
@@ -29,7 +29,7 @@ building_block_type = "default" query = ''' process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and -process.name == "which" and process.args_count >= 10 +process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" /* potential tuning if rule would turn out to be noisy and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and