From 39fc23cb3d69d19b7ab9df2aa6ceec7aea775975 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Fri, 18 Oct 2024 16:18:14 +0200 Subject: [PATCH] [Rule Tuning] Q2 Linux DR Tuning - Part 3 (#4164) * [Rule Tuning] Q2 Linux DR Tuning - Part 3 * Update execution_suspicious_executable_running_system_commands.toml --- ...tion_abnormal_process_id_file_created.toml | 33 ++++++++++++------- ..._cupsd_foomatic_rip_lp_user_execution.toml | 11 +++++-- ...on_cupsd_foomatic_rip_shell_execution.toml | 11 +++++-- ...omatic_rip_suspicious_child_execution.toml | 4 +-- ...ion_curl_cve_2023_38545_heap_overflow.toml | 19 +++++------ ...n_file_execution_followed_by_deletion.toml | 15 +++++---- ...ion_netcon_from_rwx_mem_region_binary.toml | 15 ++++----- ...cution_network_event_post_compilation.toml | 18 +++++----- ..._remote_code_execution_via_postgresql.toml | 18 +++++----- ...cution_shell_openssl_client_or_server.toml | 5 +-- ...us_executable_running_system_commands.toml | 31 +++++++++-------- 11 files changed, 101 insertions(+), 79 deletions(-) diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index ebd86e57f..172affef9 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/17" [rule] author = ["Elastic"] 
@@ -109,30 +109,42 @@ tags = [ ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and -user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and ( +file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and ( (process.name : ( bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp) ) or ( process.executable : ( ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/* )) -) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or -vzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat) and -not file.name : (jem.*.pid) +) and not ( + process.executable : ( + /tmp/newroot/* or /run/containerd/* or /run/k3s/containerd/* or /run/k0s/container* or /snap/* or /vz/* or + /var/lib/docker/* or /etc/*/universal-hooks/pkgs/mysql-community-server/* or /var/lib/snapd/* or /etc/rubrik/* or + /run/udev/data/* + ) or + process.name : ( + go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or vzctl or ifup or + rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or + s6-ipcserver-socketbinder or xinetd + ) or + file.name : ( + jem.*.pid or lynis.pid or redis.pid or yum.pid or MFS.pid or jenkins.pid or nvmupdate.pid or openlitespeed.pid or + rhnsd.pid + ) or + file.path : (/run/containerd/* or /var/run/docker/containerd/* or /var/run/jem*.pid) +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" 
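Review bot: The `file.name : ( jem.*.pid or lynis.pid or redis.pid or yum.pid ... )` branch of the new `not (...)` block suppresses by file name alone, so a pid/lock file carrying one of those names is ignored whatever process wrote it, including the shells, editors and `/tmp/*` executables this rule exists to catch. Pairing each name with its legitimate writer keeps the exclusion narrow, e.g. `(process.name : redis-server and file.name : redis.pid)`, on the same pattern the `process.name` branch already uses. The executable exclusions `/tmp/newroot/*` and `/var/lib/docker/*` overlap the rule's own `/tmp/*` and `/run/*` trigger paths; the product that justifies each should be recorded in the rule description, since the query itself cannot carry a comment. The removal of `not user.id:0` widens the rule to root-created files and is not mentioned in the commit message — worth a line there.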
@@ -140,9 +152,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.executable", "file.path"] +value = ["process.executable", "file.name"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml index aecb581a2..eb277625d 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/30" +updated_date = "2024/10/17" [rule] author = ["Elastic"] @@ -111,8 +111,13 @@ type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "lp" and process.parent.name in ("cupsd", "foomatic-rip", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and -process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and -not process.command_line like ("*/tmp/foomatic-*", "*-sDEVICE=ps2write*") +process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not ( + process.command_line like ( + "*/tmp/foomatic-*", "*-sDEVICE=ps2write*", "*printf*", "/bin/sh -e -c cat", "/bin/bash -c cat", + "/bin/bash -e -c cat" + ) or + process.args like "gs*" +) ''' [[rule.threat]] diff --git a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml index 23bb75919..cc566589e 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml 
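Review bot: Dropping `host.id` from `new_terms_fields` changes the baseline from per-host to fleet-wide: a `process.executable`/`file.name` pair that any host produced inside the 14-day window is no longer "new" on a host seeing it for the first time, so the first occurrence on a newly affected machine is suppressed. Replacing `file.path` with `file.name` has the same flattening effect across directories. If that trade-off is deliberate to cut alert volume, state it in the commit description; otherwise `value = ["host.id", "process.executable", "file.name"]` keeps the per-host signal while still benefiting from the name-based term.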
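Review bot: `process.args like "gs*"` in the added exclusion matches any argv element that merely starts with `gs`, and `"*printf*"` matches any command line containing that substring, so both suppress far more than the Ghostscript/foomatic invocations they appear to target. If the intent is the `gs` binary launched by the filter, an exact match such as `process.args in ("gs", "/usr/bin/gs")` is narrower (confirm the observed path against the data first). The same `gs*` pattern is added in execution_cupsd_foomatic_rip_shell_execution.toml and execution_cupsd_foomatic_rip_suspicious_child_execution.toml in this patch and should be tightened in step.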
@@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/30" +updated_date = "2024/10/17" [rule] author = ["Elastic"] @@ -110,8 +110,13 @@ type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "foomatic-rip" and -process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and -not process.command_line like ("*/tmp/foomatic-*", "*-sDEVICE=ps2write*") +process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not ( + process.command_line like ( + "*/tmp/foomatic-*", "*-sDEVICE=ps2write*", "*printf*", "/bin/sh -e -c cat", "/bin/bash -c cat", + "/bin/bash -e -c cat" + ) or + process.args like "gs*" +) ''' [[rule.threat]] diff --git a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml index 499abf8d8..50898bab0 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/30" +updated_date = "2024/10/17" [rule] author = ["Elastic"] @@ -132,7 +132,7 @@ process.parent.name in ("foomatic-rip", "cupsd") and process.command_line like ( // misc. suspicious command lines "*/etc/ld.so*", "*/dev/shm/*", "*/var/tmp*", "*echo*", "*>>*", "*|*" -) +) and not process.args like "gs*" ''' [[rule.threat]] diff --git a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml index 668a851f9..e07e6d73e 100644 --- a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml +++ b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/10/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/17" [rule] author = ["Elastic"] @@ -75,28 +75,27 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "curl" and ( - process.args : ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or - process.env_vars: ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*") -) and length(process.command_line) > 255 and -not process.parent.name in ("cf-agent", "agent-run", "agent-check", "rudder", "agent-inventory", "cf-execd") and -not process.args == "/opt/rudder/bin/curl" + process.args like ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or + process.env_vars like ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*") +) and length(process.command_line) > 255 and not ( + process.parent.name in ("cf-agent", "agent-run", "agent-check", "rudder", "agent-inventory", "cf-execd") or + process.args like "/opt/rudder/*" or + process.parent.executable like ("/vz/root/*", "/var/rudder/*") +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml index c6b2f93a4..4547501de 100644 --- a/rules/linux/execution_file_execution_followed_by_deletion.toml +++ b/rules/linux/execution_file_execution_followed_by_deletion.toml 
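Review bot: `process.args like "/opt/rudder/*"` replaces the exact `process.args == "/opt/rudder/bin/curl"` and now matches any argument under that prefix, e.g. an output path given with `-o`, not just the Rudder-bundled binary; `process.executable like "/opt/rudder/*"` expresses the original intent without that widening. `process.parent.executable like "/vz/root/*"` presumably targets OpenVZ container roots, but it blanket-excludes every curl launched inside any such container from a rule whose only remaining constraints are a long command line and a SOCKS5 proxy flag. Scoping that entry to the specific parent process observed in the false positives would keep coverage for container workloads.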
@@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/17" [rule] author = ["Elastic"] @@ -52,7 +52,6 @@ tags = [ "Data Source: Elastic Defend", ] type = "eql" - query = ''' sequence by host.id, user.id with maxspan=1m [file where host.os.type == "linux" and event.action == "creation" and @@ -60,28 +59,30 @@ sequence by host.id, user.id with maxspan=1m file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and - process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.name + process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + not process.parent.executable like ( + "/tmp/VeeamApp*", "/tmp/rajh/spack-stage/*", "plz-out/bin/vault/bridge/test/e2e/base/bridge-dev", + "/usr/bin/ranlib", "/usr/bin/ar", "plz-out/bin/vault/bridge/test/e2e/base/local-k8s" + )] by process.name [file where host.os.type == "linux" and event.action == "deletion" and not process.name in ("rm", "ld") and file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml index 6dd51edc0..4caaf8cd3 100644 
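Review bot: The new `process.parent.executable like (...)` list mixes environment-specific values with generic ones: `/tmp/rajh/spack-stage/*` looks like one user's build directory, and `plz-out/bin/vault/bridge/test/e2e/base/bridge-dev` / `.../local-k8s` are relative build outputs that only match if the sensor records `process.parent.executable` as a relative path — confirm that against real events, since an absolute path is the expected shape for this field. Entries of that kind are better handled as a deployment exception than shipped in the rule, while `/tmp/VeeamApp*`, `/usr/bin/ranlib` and `/usr/bin/ar` are reasonable to keep. The exact entries could also move to an `in (...)` so that `like` is reserved for the wildcard patterns.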
--- a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml +++ b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2024/10/17" [rule] author = ["Elastic"] @@ -53,43 +53,42 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' sample by host.id, process.pid, process.name /* auditd.data.a2 == "7" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */ - [process where host.os.type == "linux" and auditd.data.syscall == "mprotect" and auditd.data.a2 == "7"] + [process where host.os.type == "linux" and auditd.data.syscall == "mprotect" and auditd.data.a2 == "7" and + not process.name == "httpd"] [network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml index f35e2868e..366caed4d 100644 --- a/rules/linux/execution_network_event_post_compilation.toml 
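Review bot: `not process.name == "httpd"` on the mprotect leg excludes by process name alone and removes every RWX mapping made by a web-server process from the sample, a process category frequently subject to in-memory tampering. If the trigger is a legitimate Apache module or JIT (inferred, not visible here), record that reason in the rule and pin the exclusion to the binary, e.g. `not (process.name == "httpd" and process.executable == "<httpd path seen in the data>")`, so a renamed binary does not inherit the exemption.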
+++ b/rules/linux/execution_network_event_post_compilation.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/17" [rule] author = ["Elastic"] 
@@ -52,45 +52,45 @@ tags = [ "Data Source: Elastic Defend", ] type = "eql" - query = ''' sequence by host.id with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name in ("gcc", "g++", "cc")] by process.args [file where host.os.type == "linux" and event.action == "creation" and process.name == "ld"] by file.name [process where host.os.type == "linux" and event.type == "start" and event.action == "exec"] by process.name - [network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip != null and - not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.name + [network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip != null and not ( + cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1") or + process.name in ("simpleX", "conftest", "ssh", "python", "ispnull", "pvtui") + )] by process.name ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index 37031b2bf..67ad46d0a 100644 
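Review bot: The network-leg exclusion `process.name in ("simpleX", "conftest", "ssh", "python", "ispnull", "pvtui")` is name-only, and `python` and `ssh` are broad enough to hide a compile→link→exec→connect chain whose last step is an interpreter or an ssh client; the sequence joins that leg `by process.name`, so the exemption follows the name rather than the binary. Constraining those two with `process.executable` (the packaged interpreter or client path) or with `process.parent.executable` would keep the false-positive win without the blanket exemption. The others (`simpleX`, `conftest`, `ispnull`, `pvtui`) read as site-specific and deserve a note on where they were observed.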
--- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml @@ -2,7 +2,7 @@ creation_date = "2022/06/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/17" [rule] author = ["Elastic"] @@ -58,29 +58,31 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "fork", "fork_event") and -user.name == "postgres" and ( +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event", "fork", "fork_event") and user.name == "postgres" and ( (process.parent.args : "*sh" and process.parent.args : "echo*") or (process.args : "*sh" and process.args : "echo*") -) and not process.parent.name : "puppet" +) and not ( + process.parent.name == "puppet" or + process.command_line like "*BECOME-SUCCESS-*" or + process.parent.command_line like "*BECOME-SUCCESS-*" +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_shell_openssl_client_or_server.toml b/rules/linux/execution_shell_openssl_client_or_server.toml index 3827ebae5..4052b35ac 100644 --- a/rules/linux/execution_shell_openssl_client_or_server.toml +++ b/rules/linux/execution_shell_openssl_client_or_server.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/30" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/30" +updated_date = "2024/10/17" [rule] author = ["Elastic"] 
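Review bot: The added `process.command_line like "*BECOME-SUCCESS-*"` and `process.parent.command_line like "*BECOME-SUCCESS-*"` exclusions match that token anywhere in the command line; it appears to be Ansible's become-success marker, and that rationale should be written into the rule so the exclusion is not removed later as unexplained. Since the trigger already requires an `echo*` argument, anchoring the exclusion to the same position, e.g. `process.args like "echo BECOME-SUCCESS-*"`, keeps it as narrow as the detection itself (verify the argv shape on real events). The query now also mixes `process.parent.args : "*sh"` (case-insensitive wildcard) with `like` and `==` (case-sensitive); settling on one form avoids three match semantics in one rule.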
@@ -60,7 +60,8 @@ process where host.os.type == "linux" and event.type == "start" and event.action process.name == "openssl" and ( (process.args == "s_client" and process.args : ("-connect", "*:*") and not process.args == "-showcerts") or (process.args == "s_server" and process.args == "-port") -) +) and +not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert") ''' [[rule.threat]] diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml index e8c5c4c01..799dfcc77 100644 --- a/rules/linux/execution_suspicious_executable_running_system_commands.toml +++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/10/17" [rule] author = ["Elastic"] 
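Review bot: `not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert")` pins two site-specific monitoring scripts into the shipped rule; `/pro/` is an unusual root and worth double-checking against the source event. Also confirm that the sensor populates `process.parent.executable` with the script path for a shebang-launched `.sh` rather than with the interpreter — if it records the interpreter, this entry never matches and `process.parent.args` is the field carrying the script path. Exclusions of this shape are usually better kept as deployment exceptions than baked into the rule.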
@@ -56,24 +56,23 @@ tags = [ ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and -process.executable:( - (/etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or - /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or - /usr/share/* or /var/tmp/*) and not /tmp/go-build* -) and +process.executable:(* and ( + /etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or /etc/update-motd.d/* or + /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or /usr/share/* or /var/tmp/* +) and not /tmp/go-build*) and process.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and -not process.name:( - apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or snapd - or sudo or top or uptime or which or whoami or yum -) and -not process.parent.executable:( - /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or - /opt/puppetlabs/puppet/bin/puppet or /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or - /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or /etc/network/* or /opt/Elastic/* or - /run/k3s/* or /tmp/newroot/* or /usr/bin/* +not (process.name: + (apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or + snapd or sudo or top or uptime or which or whoami or yum) or +process.parent.executable:( + /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or /opt/puppetlabs/puppet/bin/puppet or + /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or + /etc/network/* or 
/opt/Elastic/* or /opt/TrendMicro* or /opt/aws/* or /opt/eset/* or /opt/rapid7/* or /run/containerd/* or /run/k3s/* or + /snap/* or /tmp/dpkg-licenses* or /tmp/newroot/* or /usr/bin/* or /var/lib/amagent/* or /var/lib/docker/* or /vz/* + ) or + process.executable:(/run/containerd/* or /srv/snp/docker/* or /tmp/.criu*) ) '''
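Review bot: The `*` term in `process.executable:(* and ( ... ) and not /tmp/go-build*)` is redundant with the path alternatives that follow, which already require the field to be present; if it is there to force field existence for the new-terms evaluation, say so in the commit, otherwise simplify to `process.executable:(( ... ) and not /tmp/go-build*)`. The new `process.executable:(/run/containerd/* or /srv/snp/docker/* or /tmp/.criu*)` exclusion whitelists a hidden-file prefix inside `/tmp`, one of the rule's own trigger paths; presumably a checkpoint/restore tool, but that should be stated in the rule and, where possible, tied to its parent process rather than to a `/tmp` name prefix. The `/opt/TrendMicro*` entry lacks the trailing slash the neighbouring entries use, so it also matches siblings such as a `/opt/TrendMicroFoo` directory — add the `/` unless that is intended.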