DR Linux Rule Tuning 8.9 (#2859)

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-07-10 20:02:42 +05:30
parent 1283a21fb7
commit 3ed8c56942
17 changed files with 177 additions and 190 deletions
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2022/09/14"
+deprecation_date = "2023/06/22"
 integration = ["system"]
-maturity = "production"
+maturity = "deprecated"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 updated_date = "2023/06/22"
@@ -52,6 +53,7 @@ rule_id = "a5f0d057-d540-44f5-924d-c6a2ae92f045"
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access"]
 type = "eql"
+
 query = '''
 sequence by host.id, source.ip with maxspan=10s
  [authentication where host.os.type == "linux" and event.action  in ("ssh_login", "user_login") and
@@ -82,8 +84,6 @@ reference = "https://attack.mitre.org/techniques/T1110/003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -95,7 +95,10 @@ id = "T1021.004"
 name = "SSH"
 reference = "https://attack.mitre.org/techniques/T1021/004/"

+
+
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
@@ -44,6 +44,9 @@ or
    process.args : "elastic-agent" and
    process.args : "stop")
  or
+  /* pkill , killall used to stop Elastic Agent on Linux */
+  ( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent")
+  or
  /* Unload Elastic Agent extension on MacOS */
  (process.name : "kextunload" and
    process.args : "com.apple.iokit.EndpointSecurity" and
@@ -46,9 +46,9 @@ type = "eql"
 query = '''
 sequence by process.entity_id with maxspan=1m
 [network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
-    not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
+    not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass")]
 [process where host.os.type == "linux" and event.action == "session_id_change" and user.id == "0" and
-    not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
+    not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass")]
 '''


@@ -4,7 +4,7 @@ integration = ["system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/06/28"

 [rule]
 author = ["Elastic"]
@@ -55,7 +55,7 @@ type = "eql"
 query = '''
 sequence by host.id, source.ip, user.name with maxspan=3s
  [authentication where host.os.type == "linux" and event.action  in ("ssh_login", "user_login") and
-   event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=2
+   event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10

  [authentication where host.os.type == "linux" and event.action  in ("ssh_login", "user_login") and
   event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ]
@@ -4,7 +4,7 @@ integration = ["system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/21"
+updated_date = "2023/06/28"

 [rule]
 author = ["Elastic"]
@@ -69,7 +69,7 @@ sequence by host.id, source.ip, user.name with maxspan=5s
       "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
       "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
       "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", 
-       "::1", "FE80::/10", "FF00::/8") ] with runs = 3
+       "::1", "FE80::/10", "FF00::/8") ] with runs = 10
 '''


@@ -4,7 +4,7 @@ integration = ["system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/06/28"

 [rule]
 author = ["Elastic"]
@@ -65,7 +65,7 @@ sequence by host.id, source.ip, user.name with maxspan=5s
       "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
       "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
       "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", 
-       "::1", "FE80::/10", "FF00::/8") ] with runs = 3
+       "::1", "FE80::/10", "FF00::/8") ] with runs = 10
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/06/28"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ detection by security controls.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Disable Syslog Service"
 risk_score = 47
@@ -22,14 +22,14 @@ rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"

 query = '''
-event.category:process and host.os.type:linux and event.type:(start or process_started) and
-  ((process.name:service and process.args:stop) or
-     (process.name:chkconfig and process.args:off) or
-     (process.name:systemctl and process.args:(disable or stop or kill)))
-  and process.args:(syslog or rsyslog or "syslog-ng")
+process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
+ ( (process.name == "service" and process.args == "stop") or
+   (process.name == "chkconfig" and process.args == "off") or
+   (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
+ ) and process.args in ("syslog", "rsyslog", "syslog-ng")
 '''


@@ -2,8 +2,8 @@
 creation_date = "2022/05/11"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
 updated_date = "2023/06/22"

 [rule]
@@ -22,7 +22,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Abnormal Process ID or Lock File Created"
 note = """## Triage and analysis
@@ -76,56 +76,34 @@ rule_id = "cac91072-d165-11ec-a764-f661ea17fbce"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"

 query = '''
-/* add file size filters when data is available */
-file where host.os.type == "linux" and event.type == "creation" and user.id == "0" and
-    file.path regex~ """(/var/run|/run)/\w+\.(pid|lock|reboot)""" and file.extension in ("pid","lock","reboot") and
-
-    /* handle common legitimate files */
-
-    not file.name in (
-    "auditd.pid",
-    "python*",
-    "apport.pid",
-    "apport.lock",
-    "kworker*",
-    "gdm3.pid",
-    "sshd.pid",
-    "acpid.pid",
-    "unattended-upgrades.lock",
-    "unattended-upgrades.pid",
-    "cmd.pid",
-    "yum.pid",
-    "netconfig.pid",
-    "docker.pid",
-    "atd.pid",
-    "lfd.pid",
-    "atop.pid",
-    "nginx.pid",
-    "dhclient.pid",
-    "smtpd.pid",
-    "stunnel.pid",
-    "1_waagent.pid",
-    "crond.pid",
-    "cron.reboot",
-    "sssd.pid",
-    "tomcat8.pid"
-    )
+host.os.type : "linux" and event.category : "file" and event.action : ("creation" or "file_create_event") and
+user.id : "0" and file.path : (/var/run/* or /run/*) and file.extension : ("pid" or "lock" or "reboot") and not 
+file.name : ("auditd.pid" or "python*" or "apport.pid" or "apport.lock" or "kworker*" or "gdm3.pid" or "sshd.pid" or 
+"acpid.pid" or "unattended-upgrades.lock" or "unattended-upgrades.pid" or "cmd.pid" or "yum.pid" or "netconfig.pid" or 
+"docker.pid" or "atd.pid" or "lfd.pid" or "atop.pid" or "nginx.pid" or "dhclient.pid" or "smtpd.pid" or "stunnel.pid" or 
+"1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid")
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1106"
 name = "Native API"
 reference = "https://attack.mitre.org/techniques/T1106/"

-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"

+[rule.new_terms]
+field = "new_terms_fields"
+value = ["process.executable", "file.path"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
@@ -2,7 +2,7 @@
 creation_date = "2020/04/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/06/22"
+updated_date = "2023/06/29"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

@@ -13,24 +13,25 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a
 interactive tty after obtaining initial access to a host.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Interactive Terminal Spawned via Python"
 risk_score = 73
 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
 severity = "high"
+timestamp_override = "event.ingested"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
-timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
-timeline_title = "Comprehensive Process Timeline"
 type = "eql"

 query = '''
-sequence with maxspan=1m
-  [process where host.os.type == "linux" and event.type == "start" and process.name : "python*"] by process.entity_id
-  [process where host.os.type == "linux" and event.type == "start" and 
-   process.executable : "/bin/*sh"
-  ] by process.parent.entity_id
+process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
+(
+  (process.parent.name : "python*" and process.name : "*sh" and process.parent.args_count >= 3 and
+   process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or
+  (process.parent.name : "python*" and process.name : "*sh" and process.args : "*sh" and process.args_count == 1
+   and process.parent.args_count == 1)
+)
 '''


@@ -50,4 +51,3 @@ reference = "https://attack.mitre.org/techniques/T1059/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
@@ -9,12 +9,12 @@ updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary(s) abuse to breakout of restricted shells or environments by spawning an interactive system
-shell. The linux utility(s) activity of spawning shell is not a standard use of the binary for a user or system
-administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access.
+Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive 
+system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, 
+and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux Restricted Shell Breakout via Linux Binary(s)"
@@ -100,61 +100,68 @@ severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
-  (
-    /* launch shells from unusual process */
-    (process.name == "capsh" and process.args == "--") or
-
-    /* launching shells from unusual parents or parent+arg combos */
-    (process.name in ("bash", "sh", "dash","ash") and
-        (process.parent.name in ("byebug","git","ftp","strace","nawk", "mawk", "awk", "gawk", "tar", "zip")) or
-
-        /* shells specified in parent args */
-        /* nice rule is broken in 8.2 */
-        (process.parent.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") and
-            (
-             (process.parent.name == "nice") or
-             (process.parent.name == "cpulimit" and process.parent.args == "-f") or
-             (process.parent.name == "find" and process.parent.args == "-exec" and process.parent.args == ";") or
-             (process.parent.name == "flock" and process.parent.args == "-u" and process.parent.args == "/")
-            )
-        ) or
-
-         /* shells specified in args */
-         (process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") and
-            (process.parent.name == "crash" and process.parent.args == "-h") or
-            (process.name == "sensible-pager" and process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog")
-            /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */
-          )
+(
+  /* launching shell from capsh */
+  (process.name == "capsh" and process.args == "--") or
+  
+  /* launching shells from unusual parents or parent+arg combos */
+  (process.name : "*sh" and (
+    (process.parent.name : ("byebug", "ftp", "strace", "zip", "*awk", "git", "tar") and 
+    (
+      process.parent.args : "BEGIN {system(*)}" or
+      (process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh")) or
+      (
+        (process.parent.args : "exec=*sh" or (process.parent.args : "-I" and process.parent.args : "*sh")) or
+        (process.args : "exec=*sh" or (process.args : "-I" and process.args : "*sh"))
+        )
+      )
    ) or
-    (process.name == "busybox" and process.args_count == 2 and process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") )or
-    (process.name == "env" and process.args_count == 2 and process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash")) or
-    (process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args in (":!/bin/bash", ":!/bin/sh", ":!bash", ":!sh")) or
-    (process.parent.name in ("c89","c99", "gcc") and process.parent.args in ("sh,-s", "bash,-s", "dash,-s", "ash,-s", "/bin/sh,-s", "/bin/bash,-s", "/bin/dash,-s", "/bin/ash,-s") and process.parent.args == "-wrapper") or
-    (process.parent.name == "expect" and process.parent.args == "-c" and process.parent.args in ("spawn /bin/sh;interact", "spawn /bin/bash;interact", "spawn /bin/dash;interact", "spawn sh;interact", "spawn bash;interact", "spawn dash;interact")) or
-    (process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args in ("\\!*sh", "\\!*bash", "\\!*dash", "\\!*/bin/sh", "\\!*/bin/bash", "\\!*/bin/dash")) or
-    (process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args in ("ProxyCommand=;sh 0<&2 1>&2", "ProxyCommand=;bash 0<&2 1>&2", "ProxyCommand=;dash 0<&2 1>&2", "ProxyCommand=;/bin/sh 0<&2 1>&2", "ProxyCommand=;/bin/bash 0<&2 1>&2", "ProxyCommand=;/bin/dash 0<&2 1>&2"))
-  )
-'''
+    
+    /* shells specified in parent args */
+    /* nice rule is broken in 8.2 */
+    (process.parent.args : "*sh" and
+      (
+        (process.parent.name == "nice") or
+        (process.parent.name == "cpulimit" and process.parent.args == "-f") or
+        (process.parent.name == "find" and process.parent.args == "-exec" and process.parent.args == ";" and process.parent.args == "-p") or
+        (process.parent.name == "flock" and process.parent.args == "-u" and process.parent.args == "/")
+      )
+    )
+  )) or

+  /* shells specified in args */
+  (process.args : "*sh" and (
+    (process.parent.name == "crash" and process.parent.args == "-h") or
+    (process.name == "sensible-pager" and process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog")
+    /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */
+    
+  )) or
+  (process.name == "busybox" and event.action == "exec" and process.args_count == 2 and process.args : "*sh" and not process.executable : "/var/lib/docker/overlay2/*/merged/bin/busybox") or
+  (process.name == "env" and process.args_count == 2 and process.args : "*sh") or
+  (process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args : ":!*sh") or
+  (process.parent.name in ("c89", "c99", "gcc") and process.parent.args : "*sh,-s" and process.parent.args == "-wrapper") or
+  (process.parent.name == "expect" and process.parent.args == "-c" and process.parent.args : "spawn *sh;interact") or
+  (process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args : "\\!*sh") or
+  (process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args : "ProxyCommand=;*sh 0<&2 1>&2")
+)
+'''

 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"

-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
@@ -4,16 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/20"
+updated_date = "2023/06/15"

 [rule]
 author = ["Elastic"]
 description = """
-Ransomware is a type of malware that encrypts a victim's files or systems and demands payment 
-(usually in cryptocurrency) in exchange for the decryption key. One important indicator of a 
-ransomware attack is the mass encryption of the file system, after which a new file extension 
-is added to the file. This rule identifies a sequence of 50 file extension rename events 
-by the same process in a timespan of 1 second.
+This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same 
+process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and 
+demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware
+attack is the mass encryption of the file system, after which a new file extension is added to the file. 
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -26,9 +25,19 @@ severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
 type = "eql"
 query = '''
-sequence by host.id, process.entity_id, file.extension with maxspan=1s 
-[ file where host.os.type == "linux" and event.type == "change" and 
-  event.action == "rename" and file.extension != "" ] with runs=50 | tail 1
+sequence by host.id, process.entity_id with maxspan=1s 
+  [ file where host.os.type == "linux" and event.type == "change" and
+    event.action == "rename" and file.extension != "" and 
+    file.path : (
+      "/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*"
+      ) and not 
+    file.extension : (
+      "xml", "json", "conf", "dat", "gz", "info", "mod", "final",
+      "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old"
+      ) and not 
+    process.name : (
+      "dpkg",  "yum", "dnf", "rpm", "dockerd"
+    ) ] with runs=100 | tail 1
 '''


@@ -4,18 +4,16 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/20"
+updated_date = "2023/06/15"

 [rule]
 author = ["Elastic"]
 description = """
-Ransomware is a type of malware that encrypts a victim's files or systems and demands payment 
-(usually in cryptocurrency) in exchange for the decryption key. One important indicator of a 
-ransomware attack is the mass encryption of the file system, after which a new file extension 
-is added to the file. Generally, a ransomware note with contact details is dropped onto the 
-file system which can be used by the victim to contact the attacker. This rule identifies a 
-sequence of a mass file encryption event in conjunction with the creation of a .txt file with 
-a file name containing ransomware keywords executed by the same process in a 1 second timespan.
+This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with 
+a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of
+malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the
+decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a
+new file extension is added to the file. 
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -29,20 +27,23 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s 
-  [ file where host.os.type == "linux" and event.type == "change" and 
-  event.action == "rename" and file.extension != "" ] with runs=50
-  [ file where host.os.type == "linux" and event.action == "creation" and 
-  file.extension == "txt" and file.name : (
-    "*crypt*", 
-    "*restore*", 
-    "*lock*", 
-    "*recovery*", 
-    "*data*",
-    "*read*", 
-    "*instruction*", 
-    "*how_to*", 
-    "*ransom*"
-    ) ] | tail 1
+  [ file where host.os.type == "linux" and event.type == "change" and
+    event.action == "rename" and file.extension != "" and 
+    file.path : (
+      "/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*"
+      ) and not 
+    file.extension : (
+      "xml", "json", "conf", "dat", "gz", "info", "mod", "final",
+      "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old"
+      ) and not 
+    process.name : (
+      "dpkg",  "yum", "dnf", "rpm", "dockerd"
+      ) ] with runs=100
+  [ file where host.os.type == "linux" and event.action == "creation" and file.extension == "txt" and 
+    file.name : (
+      "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", 
+      "*read*", "*instruction*", "*how_to*", "*ransom*"
+      ) ] | tail 1
 '''


@@ -72,6 +72,6 @@ name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"

 [rule.threshold]
-field = ["host.id"]
+field = ["host.id", "process.executable", "user.name"]
 value = 10

@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/06/29"
 integration = ["endpoint"]

 [rule]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where host.os.type == "linux" and event.type == "start" and
+process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
 ( 
  (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or
  (process.args : "*chkconfig" and process.args : "--add")
@@ -9,7 +9,9 @@ integration = ["endpoint"]
 [rule]
 author = ["Elastic"]
 description = """
-Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access.
+Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and
+elevate privileges on compromised systems. File creation in these directories should not be entirely common and could
+indicate a malicious binary or script installing persistence mechanisms for long term access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
@@ -28,10 +30,11 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-file where host.os.type == "linux" and event.type == "creation" and user.name == "root" and
-file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*")
-and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd", "*/snapd", "*/dnf-automatic",
- "*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd", "/kaniko/executor")
+file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and
+file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*",
+"/usr//lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd",
+"*/snapd", "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd",
+"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension == "swp"
 '''

 [[rule.threat]]
@@ -107,4 +110,3 @@ reference = "https://attack.mitre.org/techniques/T1548/"
 id = "T1548.003"
 name = "Sudo and Sudo Caching"
 reference = "https://attack.mitre.org/techniques/T1548/003/"
-
@@ -28,7 +28,8 @@ timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload
+event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and
+event.action:(updated or renamed or rename)
 '''


@@ -2,8 +2,8 @@
 creation_date = "2022/09/01"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4"
+min_stack_version = "8.4.0"
 updated_date = "2023/06/22"

 [rule]
@@ -14,77 +14,60 @@ privileges to root, threat actors may attempt to read or dump this file in order
 utilize these to move laterally undetected and access additional resources.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
-language = "eql"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "kuery"
 license = "Elastic License v2"
 name = "Potential Shadow File Read via Command Line Utilities"
 references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
 risk_score = 47
 rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"

 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "root"
-  and (process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow"))
-  and not process.executable:
-    ("/usr/bin/tar",
-    "/bin/tar",
-    "/usr/bin/gzip",
-    "/bin/gzip",
-    "/usr/bin/zip",
-    "/bin/zip",
-    "/usr/bin/stat",
-    "/bin/stat",
-    "/usr/bin/cmp",
-    "/bin/cmp",
-    "/usr/bin/sudo",
-    "/bin/sudo",
-    "/usr/bin/find",
-    "/bin/find",
-    "/usr/bin/ls",
-    "/bin/ls",
-    "/usr/bin/uniq",
-    "/bin/uniq",
-    "/usr/bin/unzip",
-    "/bin/unzip",
-    "/usr/sbin/restorecon",
-    "/sbin/restorecon")
-  and not process.parent.executable: "/bin/dracut" and
-  not (process.executable : ("/bin/chown", "/usr/bin/chown") and process.args : "root:shadow") and
-  not (process.executable : ("/bin/chmod", "/usr/bin/chmod") and process.args : "640")
+host.os.type : "linux" and event.category : "process" and event.action : ("exec" or "exec_event") and
+(process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow")) and not 
+(process.executable : ("/bin/chown" or "/usr/bin/chown") and process.args : "root:shadow") and not 
+(process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640")
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"

-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.008"
 name = "/etc/passwd and /etc/shadow"
 reference = "https://attack.mitre.org/techniques/T1003/008/"

-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"

+[rule.new_terms]
+field = "new_terms_fields"
+value = ["process.command_line"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"