[Rule Tuning] Q2 Linux DR Tuning - Part 3 (#4164)

* [Rule Tuning] Q2 Linux DR Tuning - Part 3

* Update execution_suspicious_executable_running_system_commands.toml
Ruben Groenewoud
2024-10-18 16:18:14 +02:00
committed by GitHub
parent 3982228132
commit 39fc23cb3d
11 changed files with 101 additions and 79 deletions
@@ -2,7 +2,7 @@
creation_date = "2022/05/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -109,30 +109,42 @@ tags = [
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and
user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (
file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (
(process.name : (
bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)
) or (
process.executable : (
./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*
))
) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or
vzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat) and
not file.name : (jem.*.pid)
) and not (
process.executable : (
/tmp/newroot/* or /run/containerd/* or /run/k3s/containerd/* or /run/k0s/container* or /snap/* or /vz/* or
/var/lib/docker/* or /etc/*/universal-hooks/pkgs/mysql-community-server/* or /var/lib/snapd/* or /etc/rubrik/* or
/run/udev/data/*
) or
process.name : (
go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or vzctl or ifup or
rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or
s6-ipcserver-socketbinder or xinetd
) or
file.name : (
jem.*.pid or lynis.pid or redis.pid or yum.pid or MFS.pid or jenkins.pid or nvmupdate.pid or openlitespeed.pid or
rhnsd.pid
) or
file.path : (/run/containerd/* or /var/run/docker/containerd/* or /var/run/jem*.pid)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1106"
name = "Native API"
reference = "https://attack.mitre.org/techniques/T1106/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
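Review bot: The rewritten query appears to drop the `user.id:0` clause that the old second line of the hunk carried, so pid/lock/reboot file creation under /run by any user, not only root, now feeds this new_terms rule; together with the `[rule.new_terms]` hunk below, which removes `host.id` from `new_terms_fields`, a `process.executable`/`file.name` pair first seen on one host during the 14-day window is no longer alerted on any other host. Both are plausible tuning choices but neither is mentioned in the commit message, and the second changes the meaning of "new" from per-host to fleet-wide. I would confirm the `user.id:0` removal is intentional rather than lost in the reformat, and record the keying decision above the value line, e.g. `# keyed fleet-wide: a (process.executable, file.name) pair seen on any host in the history window is not re-alerted elsewhere`. The enclosing `[rule]` table starts before this hunk.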
@@ -140,9 +152,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
value = ["process.executable", "file.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
@@ -2,7 +2,7 @@
creation_date = "2024/09/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/30"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -111,8 +111,13 @@ type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "lp" and
process.parent.name in ("cupsd", "foomatic-rip", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
not process.command_line like ("*/tmp/foomatic-*", "*-sDEVICE=ps2write*")
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not (
process.command_line like (
"*/tmp/foomatic-*", "*-sDEVICE=ps2write*", "*printf*", "/bin/sh -e -c cat", "/bin/bash -c cat",
"/bin/bash -e -c cat"
) or
process.args like "gs*"
)
'''
[[rule.threat]]
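Review bot: The `"*printf*"` pattern added to the `process.command_line like (...)` list and the `process.args like "gs*"` clause after it are open wildcards on fields the monitored shell populates: `"*printf*"` excludes any command line containing that word anywhere, and `"gs*"` excludes any argument that merely begins with those two letters, not only the ghostscript invocation. That removes much of what a rule on cupsd/foomatic-spawned shells is meant to see, since a printer-side shell running a `printf`-driven pipeline or carrying a `gs…`-prefixed option value now falls out of scope. I would anchor both to the observed benign form — the complete foomatic printf command line, and the ghostscript argument as an exact value (`process.args == "gs"`, after confirming the real argument shape in the telemetry) — rather than substring/prefix matches. The identical exclusion block is added in the next file section (the `foomatic-rip`-parent rule) and the `and not process.args like "gs*"` line in the section after it; the same narrowing applies to both.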
@@ -2,7 +2,7 @@
creation_date = "2024/09/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/30"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -110,8 +110,13 @@ type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.parent.name == "foomatic-rip" and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
not process.command_line like ("*/tmp/foomatic-*", "*-sDEVICE=ps2write*")
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not (
process.command_line like (
"*/tmp/foomatic-*", "*-sDEVICE=ps2write*", "*printf*", "/bin/sh -e -c cat", "/bin/bash -c cat",
"/bin/bash -e -c cat"
) or
process.args like "gs*"
)
'''
[[rule.threat]]
@@ -2,7 +2,7 @@
creation_date = "2024/09/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/30"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -132,7 +132,7 @@ process.parent.name in ("foomatic-rip", "cupsd") and process.command_line like (
// misc. suspicious command lines
"*/etc/ld.so*", "*/dev/shm/*", "*/var/tmp*", "*echo*", "*>>*", "*|*"
)
) and not process.args like "gs*"
'''
[[rule.threat]]
@@ -2,7 +2,7 @@
creation_date = "2023/10/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -75,28 +75,27 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "curl"
and (
process.args : ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or
process.env_vars: ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*")
) and length(process.command_line) > 255 and
not process.parent.name in ("cf-agent", "agent-run", "agent-check", "rudder", "agent-inventory", "cf-execd") and
not process.args == "/opt/rudder/bin/curl"
process.args like ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or
process.env_vars like ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*")
) and length(process.command_line) > 255 and not (
process.parent.name in ("cf-agent", "agent-run", "agent-check", "rudder", "agent-inventory", "cf-execd") or
process.args like "/opt/rudder/*" or
process.parent.executable like ("/vz/root/*", "/var/rudder/*")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
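Review bot: The new `process.args like "/opt/rudder/*"` tests every argument of the curl process rather than the binary, so any curl call that merely passes a path under /opt/rudder/ (an output file, a config, a URL component) is excluded, and `process.parent.executable like "/vz/root/*"` silences the rule for every process whose parent runs inside an OpenVZ container root, whatever that parent is. Both are broader than the `process.args == "/opt/rudder/bin/curl"` they replace; I would key the Rudder case on the binary actually launched (`process.executable like "/opt/rudder/*"` if the agent ships its own curl, else the parent executable) and restrict the `/vz/root/*` entry to the parent names seen in the false positives. Note also that `:` was replaced by `like` on `process.args` and `process.env_vars`; in EQL `like` is case-sensitive where `:` is not, so a mixed-case `SOCKS5H://` proxy value may no longer match — probably acceptable, but worth stating in the commit message.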
@@ -2,7 +2,7 @@
creation_date = "2023/08/28"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -52,7 +52,6 @@ tags = [
"Data Source: Elastic Defend",
]
type = "eql"
query = '''
sequence by host.id, user.id with maxspan=1m
[file where host.os.type == "linux" and event.action == "creation" and
@@ -60,28 +59,30 @@ sequence by host.id, user.id with maxspan=1m
file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*",
"/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.name
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
not process.parent.executable like (
"/tmp/VeeamApp*", "/tmp/rajh/spack-stage/*", "plz-out/bin/vault/bridge/test/e2e/base/bridge-dev",
"/usr/bin/ranlib", "/usr/bin/ar", "plz-out/bin/vault/bridge/test/e2e/base/local-k8s"
)] by process.name
[file where host.os.type == "linux" and event.action == "deletion" and not process.name in ("rm", "ld") and
file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*",
"/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
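Review bot: The added `not process.parent.executable like (...)` list places two wildcard paths under /tmp (`/tmp/VeeamApp*`, `/tmp/rajh/spack-stage/*`) into the exclusion of a sequence whose first stage is precisely file creation in /tmp, /dev/shm and similar world-writable directories, so the exclusion overlaps the rule's own trigger surface, and the `/tmp/rajh/...` entry looks user-specific rather than product-specific. The two `plz-out/bin/vault/bridge/test/e2e/base/...` entries are relative paths while `process.parent.executable` is normally absolute, so they may never match — confirm against the events that motivated them. I would scope the /tmp entries with a second field the benign installer does not share with arbitrary droppers (parent name plus `user.name`, or the product's real install directory if /tmp is only a staging area) and drop or make absolute the relative entries. The `[process where ...]` stage continues to `] by process.name` inside the hunk; the third stage is context only.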
@@ -2,7 +2,7 @@
creation_date = "2024/03/13"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -53,43 +53,42 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sample by host.id, process.pid, process.name
/* auditd.data.a2 == "7" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */
[process where host.os.type == "linux" and auditd.data.syscall == "mprotect" and auditd.data.a2 == "7"]
[process where host.os.type == "linux" and auditd.data.syscall == "mprotect" and auditd.data.a2 == "7" and
not process.name == "httpd"]
[network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and
not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
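Review bot: `not process.name == "httpd"` in the first `sample` stage excludes the web server by `process.name` alone, and for a rule built around RWX `mprotect` followed by an outbound connection that field is weak evidence: it follows whatever the executable is called, so the exclusion covers anything running under that name, not just the distribution's Apache. If the false positives come from Apache's own JIT or module loading, keying on the installed path, e.g. `not process.executable == "/usr/sbin/httpd"` on RHEL-family hosts (adjust per distribution), keeps the exclusion tied to the binary that was actually observed. The existing `/* auditd.data.a2 == "7" ... */` comment above the stage is a good place to add one line on why httpd is excluded.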
@@ -2,7 +2,7 @@
creation_date = "2023/08/28"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -52,45 +52,45 @@ tags = [
"Data Source: Elastic Defend",
]
type = "eql"
query = '''
sequence by host.id with maxspan=1m
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name in ("gcc", "g++", "cc")] by process.args
[file where host.os.type == "linux" and event.action == "creation" and process.name == "ld"] by file.name
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec"] by process.name
[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip != null and
not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.name
[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip != null and not (
cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1") or
process.name in ("simpleX", "conftest", "ssh", "python", "ispnull", "pvtui")
)] by process.name
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
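Review bot: The network-stage exclusion `process.name in ("simpleX", "conftest", "ssh", "python", "ispnull", "pvtui")` drops `python` and `ssh` from the last step of a compile → link → execute → connect sequence, and those two are among the most common processes a freshly built tool uses to reach the network, so the sequence now fires only when the connecting process has some other name. `conftest` (autoconf's probe binary) is a sensible exclusion; the remaining names look site-specific. I would keep `python` and `ssh` out of this list and exclude them only together with the parent or argument context seen in the false positives, or at minimum record in the rule's `note` that python/ssh egress after a local build is deliberately not covered.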
@@ -2,7 +2,7 @@
creation_date = "2022/06/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -58,29 +58,31 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "fork", "fork_event") and
user.name == "postgres" and (
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "fork", "fork_event") and user.name == "postgres" and (
(process.parent.args : "*sh" and process.parent.args : "echo*") or
(process.args : "*sh" and process.args : "echo*")
) and not process.parent.name : "puppet"
) and not (
process.parent.name == "puppet" or
process.command_line like "*BECOME-SUCCESS-*" or
process.parent.command_line like "*BECOME-SUCCESS-*"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
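Review bot: The new `process.command_line like "*BECOME-SUCCESS-*"` exclusion is a substring match on the command line of the very shell the rule inspects, and the marker appears to be Ansible's public `become` success token, so the exclusion's fidelity rests on nothing but that string being present. It is a practical necessity because Ansible's `become` produces exactly the `sh -c 'echo BECOME-SUCCESS-…; …'` shape the `*sh` / `echo*` clauses match, but I would prefer to keep only the parent-level form (`process.parent.command_line like "*BECOME-SUCCESS-*"`, the wrapper Ansible spawns) or pair the child-level match with the `process.parent.name` of the Ansible interpreter, and say so in the rule's `note`. The `:` → `==` change on `process.parent.name == "puppet"` makes that comparison case-sensitive, which is fine for a fixed lowercase name.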
@@ -2,7 +2,7 @@
creation_date = "2024/07/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/30"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -60,7 +60,8 @@ process where host.os.type == "linux" and event.type == "start" and event.action
process.name == "openssl" and (
(process.args == "s_client" and process.args : ("-connect", "*:*") and not process.args == "-showcerts") or
(process.args == "s_server" and process.args == "-port")
)
) and
not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert")
'''
[[rule.threat]]
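Review bot: The added `not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert")` only matches if the sensor reports the script path as the parent's executable; for a shell script the parent executable is usually the interpreter (`/bin/bash` or similar) with the script in `process.parent.args`, so this exclusion may not suppress the events it was written for — confirm against the original false-positive events. Both entries are site-specific monitoring-check paths, and the `/pro/xymon/...` prefix is unusual enough to double-check for a typo. If the paths are right, `process.parent.args` or `process.parent.command_line like` is the field to test. The `process where` query begins before this hunk (its first line shows in the hunk header).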
@@ -2,7 +2,7 @@
creation_date = "2023/06/14"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/18"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -56,24 +56,23 @@ tags = [
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and
process.executable:(
(/etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or
/etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or
/usr/share/* or /var/tmp/*) and not /tmp/go-build*
) and
process.executable:(* and (
/etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or /etc/update-motd.d/* or
/home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or /usr/share/* or /var/tmp/*
) and not /tmp/go-build*) and
process.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and
not process.name:(
apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or snapd
or sudo or top or uptime or which or whoami or yum
) and
not process.parent.executable:(
/opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or
/opt/puppetlabs/puppet/bin/puppet or /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or
/usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or /etc/network/* or /opt/Elastic/* or
/run/k3s/* or /tmp/newroot/* or /usr/bin/*
not (process.name:
(apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or
snapd or sudo or top or uptime or which or whoami or yum) or
process.parent.executable:(
/opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or /opt/puppetlabs/puppet/bin/puppet or
/opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or
/etc/network/* or /opt/Elastic/* or /opt/TrendMicro* or /opt/aws/* or /opt/eset/* or /opt/rapid7/* or /run/containerd/* or /run/k3s/* or
/snap/* or /tmp/dpkg-licenses* or /tmp/newroot/* or /usr/bin/* or /var/lib/amagent/* or /var/lib/docker/* or /vz/*
) or
process.executable:(/run/containerd/* or /srv/snp/docker/* or /tmp/.criu*)
)
'''