diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml b/rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml similarity index 98% rename from rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml rename to rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml index b8b9f94ac..35dc491fb 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml +++ b/rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2022/09/14" +deprecation_date = "2023/06/22" integration = ["system"] -maturity = "production" +maturity = "deprecated" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/06/22" @@ -52,6 +53,7 @@ rule_id = "a5f0d057-d540-44f5-924d-c6a2ae92f045" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access"] type = "eql" + query = ''' sequence by host.id, source.ip with maxspan=10s [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and @@ -82,8 +84,6 @@ reference = "https://attack.mitre.org/techniques/T1110/003/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -95,7 +95,10 @@ id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml index ec1d86aa7..49a518262 100644 --- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml 
+++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml @@ -44,6 +44,9 @@ or process.args : "elastic-agent" and process.args : "stop") or + /* pkill , killall used to stop Elastic Agent on Linux */ + ( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent") + or /* Unload Elastic Agent extension on MacOS */ (process.name : "kextunload" and process.args : "com.apple.iokit.EndpointSecurity" and diff --git a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml index 8f502951b..f8aa06253 100644 --- a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml +++ b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml @@ -46,9 +46,9 @@ type = "eql" query = ''' sequence by process.entity_id with maxspan=1m [network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and user.id == "0" and - not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")] + not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass")] [process where host.os.type == "linux" and event.action == "session_id_change" and user.id == "0" and - not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")] + not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass")] ''' diff --git a/rules/linux/credential_access_bruteforce_password_guessing.toml b/rules/linux/credential_access_bruteforce_password_guessing.toml index daf89c10b..4a35864cc 100644 --- a/rules/linux/credential_access_bruteforce_password_guessing.toml +++ b/rules/linux/credential_access_bruteforce_password_guessing.toml 
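Review bot: The added pkill/killall clause only matches when `process.args` holds the literal `elastic-agent`, but both utilities accept a partial name or pattern, so an invocation that names the agent process without that exact token terminates it without triggering this branch. `process.args : "*elastic-agent*"` closes the case where the token is embedded in a longer expression; the partial-name case cannot be expressed with an args match and is worth recording in the rule's note as a known gap. The new line also departs from the file's spacing: write `(event.type == "end" and process.name : ("pkill", "killall") and process.args : "elastic-agent")` so it matches the neighbouring clauses. The query string continues outside this hunk on both sides.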
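Review bot: The two new exclusions drop the space after the comma that the rest of the list uses: `"/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass"` should read `"/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/sshpass"` in both sequence steps. The executable list is now duplicated verbatim across the two steps, so a comment above the query such as `# keep the executable exclusions identical in both sequence steps` would stop them drifting apart. Unlike the other rule files in this commit, no `updated_date` bump appears in this file's diff.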
@@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/28" [rule] author = ["Elastic"] @@ -55,7 +55,7 @@ type = "eql" query = ''' sequence by host.id, source.ip, user.name with maxspan=3s [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and - event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=2 + event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10 [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml index b2c88a612..a5c038256 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/21" +updated_date = "2023/06/28" [rule] author = ["Elastic"] 
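Review bot: `with runs=2` becomes `with runs=10` while `maxspan=3s` is unchanged, so the rule now needs ten failed logins from one `source.ip` for one `user.name` inside a three-second window followed by a success; given sshd's per-connection attempt limit and post-failure delay that volume is only reachable through parallel connections, and the rationale for the new threshold is not stated anywhere in the hunk. The same five-fold raise without a window change is made in credential_access_potential_linux_ssh_bruteforce_external.toml and _internal.toml (`with runs = 10` under `maxspan=5s`). If the rule name or description cites the previous count, it needs updating too; that text is outside this hunk. A short TOML comment above `query`, e.g. `# runs threshold tuned for parallel guessing; slow single-connection guessing is out of scope`, would make the trade-off explicit.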
@@ -69,7 +69,7 @@ sequence by host.id, source.ip, user.name with maxspan=5s "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", - "::1", "FE80::/10", "FF00::/8") ] with runs = 3 + "::1", "FE80::/10", "FF00::/8") ] with runs = 10 ''' diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index 58959516d..fae0e736c 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/28" [rule] author = ["Elastic"] @@ -65,7 +65,7 @@ sequence by host.id, source.ip, user.name with maxspan=5s "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", - "::1", "FE80::/10", "FF00::/8") ] with runs = 3 + "::1", "FE80::/10", "FF00::/8") ] with runs = 10 ''' diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index b0e4c43c8..a4228f87e 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/28" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ detection by security controls. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] -language = "kuery" +language = "eql" license = "Elastic License v2" name = "Attempt to Disable Syslog Service" risk_score = 47 @@ -22,14 +22,14 @@ rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" -type = "query" +type = "eql" query = ''' -event.category:process and host.os.type:linux and event.type:(start or process_started) and - ((process.name:service and process.args:stop) or - (process.name:chkconfig and process.args:off) or - (process.name:systemctl and process.args:(disable or stop or kill))) - and process.args:(syslog or rsyslog or "syslog-ng") +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and + ( (process.name == "service" and process.args == "stop") or + (process.name == "chkconfig" and process.args == "off") or + (process.name == "systemctl" and process.args in ("disable", "stop", "kill")) + ) and process.args in ("syslog", "rsyslog", "syslog-ng") ''' diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index bb03cdf41..9d5a699de 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml 
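Review bot: The rewritten query keys on `event.action in ("exec", "exec_event")`, yet `index` still lists `auditbeat-*`; the old KQL matched Auditbeat through `event.type:(start or process_started)`, and if Auditbeat's process dataset does not report `event.action` as `exec`, that index pattern is now dead and should be dropped from `index` (in the preceding hunk) or the Auditbeat action kept. The doubled space in `( (process.name == "service"` and the lone `)` on its own line differ from how the other converted rules in this commit format grouped conditions; `((process.name == "service" and process.args == "stop") or` with the closing parenthesis attached to the last alternative reads more consistently. The rule description is not adjusted for the data-source change and sits outside this hunk.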
@@ -2,8 +2,8 @@ creation_date = "2022/05/11" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" updated_date = "2023/06/22" [rule] @@ -22,7 +22,7 @@ false_positives = [ ] from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Abnormal Process ID or Lock File Created" note = """## Triage and analysis 
@@ -76,56 +76,34 @@ rule_id = "cac91072-d165-11ec-a764-f661ea17fbce" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -/* add file size filters when data is available */ -file where host.os.type == "linux" and event.type == "creation" and user.id == "0" and - file.path regex~ """(/var/run|/run)/\w+\.(pid|lock|reboot)""" and file.extension in ("pid","lock","reboot") and - - /* handle common legitimate files */ - - not file.name in ( - "auditd.pid", - "python*", - "apport.pid", - "apport.lock", - "kworker*", - "gdm3.pid", - "sshd.pid", - "acpid.pid", - "unattended-upgrades.lock", - "unattended-upgrades.pid", - "cmd.pid", - "yum.pid", - "netconfig.pid", - "docker.pid", - "atd.pid", - "lfd.pid", - "atop.pid", - "nginx.pid", - "dhclient.pid", - "smtpd.pid", - "stunnel.pid", - "1_waagent.pid", - "crond.pid", - "cron.reboot", - "sssd.pid", - "tomcat8.pid" - ) +host.os.type : "linux" and event.category : "file" and event.action : ("creation" or "file_create_event") and +user.id : "0" and file.path : (/var/run/* or /run/*) and file.extension : ("pid" or "lock" or "reboot") and not +file.name : ("auditd.pid" or "python*" or "apport.pid" or "apport.lock" or "kworker*" or "gdm3.pid" or "sshd.pid" or +"acpid.pid" or "unattended-upgrades.lock" or "unattended-upgrades.pid" or "cmd.pid" or "yum.pid" or "netconfig.pid" or +"docker.pid" or "atd.pid" or "lfd.pid" or "atop.pid" or "nginx.pid" or "dhclient.pid" or "smtpd.pid" or "stunnel.pid" or +"1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = 
"https://attack.mitre.org/tactics/TA0002/" +[rule.new_terms] +field = "new_terms_fields" +value = ["process.executable", "file.path"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 42fb7d710..6f914f6ae 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/15" integration = ["endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/06/29" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
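Review bot: The KQL rewrite silently drops the `/* add file size filters when data is available */` reminder because KQL has no comment syntax; carry it as a TOML comment above `query = '''`, e.g. `# TODO: add file size filters when data is available`, so the intent survives. The path test also broadens: the old regex `(/var/run|/run)/\w+\.(pid|lock|reboot)` accepted only a file directly under those directories, whereas `file.path : (/var/run/* or /run/*)` matches any depth (for example files under `/run/user/<uid>/`), which the new-terms baseline on `file.path` will partly absorb but which changes what the description promises. If the widening is intended, state it in the description (outside this hunk); otherwise keep a depth constraint.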
@@ -13,24 +13,25 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a interactive tty after obtaining initial access to a host. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Interactive Terminal Spawned via Python" risk_score = 73 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f" severity = "high" +timestamp_override = "event.ingested" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] -timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" -timeline_title = "Comprehensive Process Timeline" type = "eql" query = ''' -sequence with maxspan=1m - [process where host.os.type == "linux" and event.type == "start" and process.name : "python*"] by process.entity_id - [process where host.os.type == "linux" and event.type == "start" and - process.executable : "/bin/*sh" - ] by process.parent.entity_id +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +( + (process.parent.name : "python*" and process.name : "*sh" and process.parent.args_count >= 3 and + process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or + (process.parent.name : "python*" and process.name : "*sh" and process.args : "*sh" and process.args_count == 1 + and process.parent.args_count == 1) +) ''' @@ -50,4 +51,3 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index 8fd34ab54..d556a0488 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml 
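Review bot: `timestamp_override = "event.ingested"` is inserted between `severity` and `tags`, whereas every other rule in this commit keeps `tags` before `timestamp_override`; move the new line below `tags`. On the query, the first branch depends on `process.parent.args : "*pty.spawn*"` being present on the command line, so a spawn issued from a script file or from stdin is not covered, and the second branch (`process.parent.args_count == 1`) only covers the bare interactive interpreter; that limitation is worth a sentence in the description, which starts outside this hunk. Dropping the sequence also loses the former `process.executable : "/bin/*sh"` restriction in favour of `process.name : "*sh"`, which additionally matches names such as `ssh`; `and not process.name : "ssh"` would keep the original scope.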
@@ -9,12 +9,12 @@ updated_date = "2023/06/22" [rule] author = ["Elastic"] description = """ -Identifies Linux binary(s) abuse to breakout of restricted shells or environments by spawning an interactive system -shell. The linux utility(s) activity of spawning shell is not a standard use of the binary for a user or system -administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access. +Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive +system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, +and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Linux Restricted Shell Breakout via Linux Binary(s)" 
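Review bot: `endgame-*` is removed from `index`, but the `tags` line in the later hunk still carries `"Data Source: Elastic Endgame"` and the new busybox clause tests `event.action == "exec"`; either restore `endgame-*` or drop the tag so the metadata describes the data actually queried. The rewritten description ends with "enhance the stability of an adversary", which should be "enhance the stability of an adversary's access".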
@@ -100,61 +100,68 @@ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and - ( - /* launch shells from unusual process */ - (process.name == "capsh" and process.args == "--") or - - /* launching shells from unusual parents or parent+arg combos */ - (process.name in ("bash", "sh", "dash","ash") and - (process.parent.name in ("byebug","git","ftp","strace","nawk", "mawk", "awk", "gawk", "tar", "zip")) or - - /* shells specified in parent args */ - /* nice rule is broken in 8.2 */ - (process.parent.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") and - ( - (process.parent.name == "nice") or - (process.parent.name == "cpulimit" and process.parent.args == "-f") or - (process.parent.name == "find" and process.parent.args == "-exec" and process.parent.args == ";") or - (process.parent.name == "flock" and process.parent.args == "-u" and process.parent.args == "/") - ) - ) or - - /* shells specified in args */ - (process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") and - (process.parent.name == "crash" and process.parent.args == "-h") or - (process.name == "sensible-pager" and process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog") - /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */ - ) +( + /* launching shell from capsh */ + (process.name == "capsh" and process.args == "--") or + + /* launching shells from unusual parents or parent+arg combos */ + (process.name : "*sh" and ( + (process.parent.name : ("byebug", "ftp", "strace", "zip", "*awk", "git", "tar") and + ( + process.parent.args : "BEGIN {system(*)}" or + (process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or 
process.args : ("*PAGER*", "!*sh", "exec *sh")) or + ( + (process.parent.args : "exec=*sh" or (process.parent.args : "-I" and process.parent.args : "*sh")) or + (process.args : "exec=*sh" or (process.args : "-I" and process.args : "*sh")) + ) + ) ) or - (process.name == "busybox" and process.args_count == 2 and process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") )or - (process.name == "env" and process.args_count == 2 and process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash")) or - (process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args in (":!/bin/bash", ":!/bin/sh", ":!bash", ":!sh")) or - (process.parent.name in ("c89","c99", "gcc") and process.parent.args in ("sh,-s", "bash,-s", "dash,-s", "ash,-s", "/bin/sh,-s", "/bin/bash,-s", "/bin/dash,-s", "/bin/ash,-s") and process.parent.args == "-wrapper") or - (process.parent.name == "expect" and process.parent.args == "-c" and process.parent.args in ("spawn /bin/sh;interact", "spawn /bin/bash;interact", "spawn /bin/dash;interact", "spawn sh;interact", "spawn bash;interact", "spawn dash;interact")) or - (process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args in ("\\!*sh", "\\!*bash", "\\!*dash", "\\!*/bin/sh", "\\!*/bin/bash", "\\!*/bin/dash")) or - (process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args in ("ProxyCommand=;sh 0<&2 1>&2", "ProxyCommand=;bash 0<&2 1>&2", "ProxyCommand=;dash 0<&2 1>&2", "ProxyCommand=;/bin/sh 0<&2 1>&2", "ProxyCommand=;/bin/bash 0<&2 1>&2", "ProxyCommand=;/bin/dash 0<&2 1>&2")) - ) -''' + + /* shells specified in parent args */ + /* nice rule is broken in 8.2 */ + (process.parent.args : "*sh" and + ( + (process.parent.name == "nice") or + (process.parent.name == "cpulimit" and process.parent.args == "-f") or + (process.parent.name == "find" and process.parent.args == "-exec" and process.parent.args == ";" and 
process.parent.args == "-p") or + (process.parent.name == "flock" and process.parent.args == "-u" and process.parent.args == "/") + ) + ) + )) or + /* shells specified in args */ + (process.args : "*sh" and ( + (process.parent.name == "crash" and process.parent.args == "-h") or + (process.name == "sensible-pager" and process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog") + /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */ + + )) or + (process.name == "busybox" and event.action == "exec" and process.args_count == 2 and process.args : "*sh" and not process.executable : "/var/lib/docker/overlay2/*/merged/bin/busybox") or + (process.name == "env" and process.args_count == 2 and process.args : "*sh") or + (process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args : ":!*sh") or + (process.parent.name in ("c89", "c99", "gcc") and process.parent.args : "*sh,-s" and process.parent.args == "-wrapper") or + (process.parent.name == "expect" and process.parent.args == "-c" and process.parent.args : "spawn *sh;interact") or + (process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args : "\\!*sh") or + (process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args : "ProxyCommand=;*sh 0<&2 1>&2") +) +''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - 
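Review bot: Replacing the enumerated shell names with the wildcard `*sh` also matches `ssh`, `rsh` and `mosh`, so clauses such as `process.name == "env" and process.args_count == 2 and process.args : "*sh"` or `process.parent.name == "nice"` with `process.parent.args : "*sh"` now fire on routine `env ssh …` and `nice ssh …` invocations. Add `and not process.args : ("ssh", "*/ssh")` (and the parent-args equivalent) to the wildcard clauses, or reinstate an explicit list of shell names as the removed lines had. The `/* nice rule is broken in 8.2 */` comment is carried over unchanged; if it still applies it should say what is broken, otherwise remove it. The `sensible-pager` scoping comment is left floating after an empty line inside the parenthesis; place it directly above the clause it describes.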
diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml index 7975cf5b6..5a9a2eee0 100644 --- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml +++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml @@ -4,16 +4,15 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/20" +updated_date = "2023/06/15" [rule] author = ["Elastic"] description = """ -Ransomware is a type of malware that encrypts a victim's files or systems and demands payment -(usually in cryptocurrency) in exchange for the decryption key. One important indicator of a -ransomware attack is the mass encryption of the file system, after which a new file extension -is added to the file. This rule identifies a sequence of 50 file extension rename events -by the same process in a timespan of 1 second. +This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same +process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and +demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware +attack is the mass encryption of the file system, after which a new file extension is added to the file. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -26,9 +25,19 @@ severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"] type = "eql" query = ''' -sequence by host.id, process.entity_id, file.extension with maxspan=1s -[ file where host.os.type == "linux" and event.type == "change" and - event.action == "rename" and file.extension != "" ] with runs=50 | tail 1 +sequence by host.id, process.entity_id with maxspan=1s + [ file where host.os.type == "linux" and event.type == "change" and + event.action == "rename" and file.extension != "" and + file.path : ( + "/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*" + ) and not + file.extension : ( + "xml", "json", "conf", "dat", "gz", "info", "mod", "final", + "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old" + ) and not + process.name : ( + "dpkg", "yum", "dnf", "rpm", "dockerd" + ) ] with runs=100 | tail 1 ''' diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index 08d5d5650..b7fa43d55 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml 
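Review bot: `file.extension` is dropped from the `sequence by` key, so the 100 renames no longer have to produce the same new extension — the very property the description names as the ransomware indicator — and any process renaming 100 assorted files under the listed paths in one second now qualifies. `sequence by host.id, process.entity_id, file.extension with maxspan=1s` together with the new path, extension and process filters keeps that specificity. `"/var/lib/log/*"` is not a conventional location; if `/var/log/*` was intended it should be corrected. The same key change and path list appear in impact_potential_linux_ransomware_note_detected.toml.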
@@ -4,18 +4,16 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/20" +updated_date = "2023/06/15" [rule] author = ["Elastic"] description = """ -Ransomware is a type of malware that encrypts a victim's files or systems and demands payment -(usually in cryptocurrency) in exchange for the decryption key. One important indicator of a -ransomware attack is the mass encryption of the file system, after which a new file extension -is added to the file. Generally, a ransomware note with contact details is dropped onto the -file system which can be used by the victim to contact the attacker. This rule identifies a -sequence of a mass file encryption event in conjunction with the creation of a .txt file with -a file name containing ransomware keywords executed by the same process in a 1 second timespan. +This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with +a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of +malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the +decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a +new file extension is added to the file. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -29,20 +27,23 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s - [ file where host.os.type == "linux" and event.type == "change" and - event.action == "rename" and file.extension != "" ] with runs=50 - [ file where host.os.type == "linux" and event.action == "creation" and - file.extension == "txt" and file.name : ( - "*crypt*", - "*restore*", - "*lock*", - "*recovery*", - "*data*", - "*read*", - "*instruction*", - "*how_to*", - "*ransom*" - ) ] | tail 1 + [ file where host.os.type == "linux" and event.type == "change" and + event.action == "rename" and file.extension != "" and + file.path : ( + "/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*" + ) and not + file.extension : ( + "xml", "json", "conf", "dat", "gz", "info", "mod", "final", + "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old" + ) and not + process.name : ( + "dpkg", "yum", "dnf", "rpm", "dockerd" + ) ] with runs=100 + [ file where host.os.type == "linux" and event.action == "creation" and file.extension == "txt" and + file.name : ( + "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", + "*read*", "*instruction*", "*how_to*", "*ransom*" + ) ] | tail 1 ''' diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index 74760ae93..1bce29dd2 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -72,6 +72,6 @@ name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" [rule.threshold] -field = ["host.id"] +field = ["host.id", "process.executable", "user.name"] value = 10 diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 664bfd5c4..e362093a8 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml 
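Review bot: Adding `process.executable` and `user.name` to the threshold `field` means ten kills issued from different binaries or by different users on one host no longer aggregate, which is a precision trade-off the rule description should state. No `updated_date` change appears in this file's diff, unlike the other tuned rules in the commit.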
+++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/29" integration = ["endpoint"] [rule] @@ -27,7 +27,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and ( (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or (process.args : "*chkconfig" and process.args : "--add") diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index ae918434f..ebb4a34e8 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml @@ -9,7 +9,9 @@ integration = ["endpoint"] [rule] author = ["Elastic"] description = """ -Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access. +Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and +elevate privileges on compromised systems. File creation in these directories should not be entirely common and could +indicate a malicious binary or script installing persistence mechanisms for long term access. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -28,10 +30,11 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where host.os.type == "linux" and event.type == "creation" and user.name == "root" and -file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*") -and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd", "*/snapd", "*/dnf-automatic", - "*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd", "/kaniko/executor") +file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and +file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*", +"/usr//lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd", +"*/snapd", "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd", +"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension == "swp" ''' [[rule.threat]] @@ -107,4 +110,3 @@ reference = "https://attack.mitre.org/techniques/T1548/" id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml index 74a69ddc2..200fe3b6a 100644 --- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml +++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml @@ -28,7 +28,8 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload +event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and +event.action:(updated or renamed or rename) ''' 
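Review bot: The new path entry `"/usr//lib/systemd/system/*"` contains a doubled slash, so it only matches paths that literally contain `//` and the intended `/usr/lib/systemd/system/` tree is not monitored; change it to `"/usr/lib/systemd/system/*"`. `event.type in ("creation", "file_create_event")` also looks wrong: elsewhere in this commit `file_create_event` is matched as an `event.action` value (see the abnormal PID file rule), and as an `event.type` value it is unlikely to match anything, so the Endgame branch needs `event.action == "file_create_event"` instead. `"*/dnf-automatic","*/yum-cron"` is missing the space after the comma used by the rest of the list.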
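Review bot: Restricting the query to `event.action:(updated or renamed or rename)` excludes the creation of `/etc/ld.so.preload`, which is typically absent by default and whose first creation is the most direct signal of this technique; the previous query matched every non-deletion event. Add `creation` (and the Endgame action used elsewhere in this commit, `file_create_event`) to the list, or explain in the description why creation is covered by another rule. No `updated_date` bump appears in this file's diff.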
diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml index ca073a26c..91d526783 100644 --- a/rules/linux/privilege_escalation_shadow_file_read.toml +++ b/rules/linux/privilege_escalation_shadow_file_read.toml @@ -2,8 +2,8 @@ creation_date = "2022/09/01" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4" +min_stack_version = "8.4.0" updated_date = "2023/06/22" [rule] 
@@ -14,77 +14,60 @@ privileges to root, threat actors may attempt to read or dump this file in order utilize these to move laterally undetected and access additional resources. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] -language = "eql" +index = ["logs-endpoint.events.*", "endgame-*"] +language = "kuery" license = "Elastic License v2" name = "Potential Shadow File Read via Command Line Utilities" references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"] risk_score = 47 rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "root" - and (process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow")) - and not process.executable: - ("/usr/bin/tar", - "/bin/tar", - "/usr/bin/gzip", - "/bin/gzip", - "/usr/bin/zip", - "/bin/zip", - "/usr/bin/stat", - "/bin/stat", - "/usr/bin/cmp", - "/bin/cmp", - "/usr/bin/sudo", - "/bin/sudo", - "/usr/bin/find", - "/bin/find", - "/usr/bin/ls", - "/bin/ls", - "/usr/bin/uniq", - "/bin/uniq", - "/usr/bin/unzip", - "/bin/unzip", - "/usr/sbin/restorecon", - "/sbin/restorecon") - and not process.parent.executable: "/bin/dracut" and - not (process.executable : ("/bin/chown", "/usr/bin/chown") and process.args : "root:shadow") and - not (process.executable : ("/bin/chmod", "/usr/bin/chmod") and process.args : "640") +host.os.type : "linux" and event.category : "process" and event.action : ("exec" or "exec_event") and +(process.args : "/etc/shadow" or 
(process.working_directory: "/etc" and process.args: "shadow")) and not +(process.executable : ("/bin/chown" or "/usr/bin/chown") and process.args : "root:shadow") and not +(process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[rule.new_terms] +field = "new_terms_fields" +value = ["process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d"
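Review bot: Switching to new_terms on `process.command_line` removes both the `user.name == "root"` condition and the allowlist for `tar`, `gzip`, `zip`, `find`, `ls` and the `dracut` parent, so any legitimate job whose command line varies between runs (dated backup archive names, `find` with changing arguments) is likely to be a new term each time and alert repeatedly instead of being learned. Keep at least a narrow `and not process.executable : (...)` for the archival tools, or include `process.executable` as an additional new-terms field once the stack minimum allows it (the `min_stack_comments` line notes single-field New Terms at 8.4). The remaining chown/chmod exclusions are fine, but their rationale (`root:shadow` ownership and mode `640` are routine package-maintenance operations) deserves a TOML comment above `query`.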