diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index ff40e1b5d..739563144 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/10/17" [rule] author = ["Elastic"] @@ -67,9 +67,8 @@ sequence by process.entity_id, host.id with maxspan=1s "systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader", "rustup-init" ) ] with runs=25 - [file where host.os.type == "linux" and event.action == "creation" and file.name : ( - "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*" - ) + [file where host.os.type == "linux" and event.action == "creation" and + file.name : ("*restore*", "*lock*", "*recovery*", "*read*", "*instruction*", "*how_to*", "*ransom*") ] ''' diff --git a/rules/linux/persistence_apt_package_manager_file_creation.toml b/rules/linux/persistence_apt_package_manager_file_creation.toml index 0ff8b8a97..a9d7f872d 100644 --- a/rules/linux/persistence_apt_package_manager_file_creation.toml +++ b/rules/linux/persistence_apt_package_manager_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2024/10/17" [rule] author = ["Elastic"] @@ -83,6 +83,7 @@ file.path : "/etc/apt/apt.conf.d/*" and not ( "/etc/kernel/*" ) or process.executable == null or + process.name in ("pveupdate", "perl") or (process.name == "sed" and file.name : "sed*") or (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 040bc52f6..68cc6cadb 100644 
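Review bot: Dropping `"*crypt*"` from the `file.name` list in the ransomware-note hunk removes the only pattern that matched note names built on "decrypt"/"encrypted", and none of the remaining seven patterns cover that family. If the motive was noise from filenames such as crypttab-style system files (inferred, not visible here), narrower replacements keep the coverage while cutting the noise: `file.name : ("*restore*", "*lock*", "*recovery*", "*read*", "*instruction*", "*how_to*", "*ransom*", "*decrypt*", "*encrypt*")`. Removing `"*data*"` looks fine on its own, since it is too generic to carry signal. The enclosing `sequence by process.entity_id` query starts outside the hunk, so the process-side clauses could not be checked.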
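Review bot: The new `process.name in ("pveupdate", "perl")` line in the apt hunk makes the existing `(process.name == "perl" and file.name : "e2scrub_all.tmp*")` clause dead code and widens the exemption from one known temp file to every Perl process writing under `/etc/apt/apt.conf.d/`; `process.name` is also trivially chosen by whoever launches the binary, so a name-only exclusion is the weakest form of allow-listing. Keeping the narrow perl clause and reducing the new line to `process.name == "pveupdate" or` preserves the intended fix, or key the exemption on `process.executable` / `process.parent.executable` if the real source is a specific script. The same name-only pattern is introduced in the cron, ssh-binaries, git-hook, init.d and KDE-autostart hunks below; this note applies to those as well. The surrounding `not (` block starts outside the hunk.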
--- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/17" [transform] [[transform.osquery]] @@ -172,33 +172,27 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.action in ("exec", "exec_event") and ( (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or (process.args : "*chkconfig" and process.args : "--add") -) and -not process.parent.name in ("rpm", "qualys-scan-util", "qualys-cloud-agent", "update-alternatives") and -not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*") +) and not ( + process.parent.name in ("rpm", "qualys-scan-util", "qualys-cloud-agent", "update-alternatives") or + process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*") or + process.args in ("jexec", "sapinit", "httpd", "dbora") +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" -[[rule.threat.technique.subtechnique]] -id = "T1037.004" -name = "RC Scripts" -reference = "https://attack.mitre.org/techniques/T1037/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index 7a8e8107c..a92a8823f 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml 
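Review bot: The added `process.args in ("jexec", "sapinit", "httpd", "dbora")` exempts the whole event whenever any argument equals one of those service names, so `chkconfig --add httpd` run from any parent is now silent, and the service name is supplied by whoever runs the command rather than by the system. Since the other two exclusions in the same `not (...)` already key on `process.parent.name` and `process.parent.args`, the consistent fix is to bind each of these names to the parent that legitimately registers it, e.g. `(process.args == "httpd" and process.parent.name == "<installer-name>")`, with the placeholder filled from the observed events. If the intent really is to ignore those four names regardless of origin, a short comment above the query stating why would make the trade-off visible to the next maintainer.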
@@ -2,7 +2,7 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/17" [transform] [[transform.osquery]] @@ -166,59 +166,62 @@ event.category:file and host.os.type:linux and event.type:change and /usr/bin/ssh or /usr/sbin/sshd) or file.name:libkeyutils.so) and - not process.executable:/usr/share/elasticsearch/* + not ( + process.executable:/usr/share/elasticsearch/* or + process.name : (apk or ansible-admin or systemd or dnf or python*) + ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" + [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml index 144d4f96a..e03f4d782 100644 
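Review bot: In the ssh-binaries hunk the new `process.name : (apk or ansible-admin or systemd or dnf or python*)` exclusion is far broader than the single path it replaces: `python*` exempts every Python-driven write to `/usr/bin/ssh`, `/usr/sbin/sshd` or `libkeyutils.so`, including an arbitrary script started as `python3`, and `systemd` exempts anything whose name is spoofed to match. Package managers (`apk`, `dnf`) are reasonable to keep, but the config-management cases would be safer pinned to the full executable path of the tool that actually performs the write, e.g. `process.executable : <tool-executable-path>` filled from the observed events, rather than an interpreter wildcard. The enclosing KQL query starts outside the hunk, so only the exclusion block was reviewed.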
--- a/rules/linux/persistence_cron_job_creation.toml +++ b/rules/linux/persistence_cron_job_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2024/10/17" [transform] [[transform.osquery]] 
@@ -195,69 +195,72 @@ event.action in ("rename", "creation") and file.path : ( "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/opt/imunify360/venv/bin/python3", "/opt/eset/efs/lib/utild", "/usr/sbin/anacron", "/usr/bin/podman", "/kaniko/kaniko-executor" ) or - file.path : "/var/spool/cron/crontabs/tmp.*" or + file.path like ("/var/spool/cron/crontabs/tmp.*", "/etc/cron.d/jumpcloud-updater") or file.extension in ("swp", "swpx", "swx", "dpkg-remove") or file.Ext.original.extension == "dpkg-new" or process.executable : ( "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/libexec/platform-python*" ) or process.executable == null or - process.name in ("crontab", "crond", "executor", "puppet", "droplet-agent.postinst", "cf-agent") or + process.name in ( + "crond", "executor", "puppet", "droplet-agent.postinst", "cf-agent", "schedd", "imunify-notifier", "perl", + "jumpcloud-agent", "crio", "dnf_install", "utild" + ) or (process.name == "sed" and file.name : "sed*") or (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + 
[[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/persistence_dpkg_unusual_execution.toml b/rules/linux/persistence_dpkg_unusual_execution.toml index 12d03b1b3..63beaf410 100644 --- a/rules/linux/persistence_dpkg_unusual_execution.toml +++ b/rules/linux/persistence_dpkg_unusual_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/09" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/09" +updated_date = "2024/10/17" [rule] author = ["Elastic"] @@ -60,7 +60,8 @@ process.executable : "/var/lib/dpkg/info/*" and process.session_leader.name != n process.group_leader.name != null and not ( process.parent.name in ("dpkg", "dpkg-reconfigure") or process.session_leader.name == "dpkg" or - process.group_leader.name == "dpkg" + process.group_leader.name == "dpkg" or + process.parent.executable in ("/usr/share/debconf/frontend", "/usr/bin/unattended-upgrade") ) ''' diff --git a/rules/linux/persistence_git_hook_file_creation.toml b/rules/linux/persistence_git_hook_file_creation.toml index 7222f3faf..589deec88 100644 --- a/rules/linux/persistence_git_hook_file_creation.toml +++ b/rules/linux/persistence_git_hook_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2024/10/17" [rule] author = ["Elastic"] 
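Review bot: In the cron hunk, adding `"perl"` to the `process.name in (...)` list makes the later `(process.name == "perl" and file.name : "e2scrub_all.tmp*")` clause redundant and turns a one-file carve-out into an exemption for every Perl process creating cron entries; dropping `"perl"` from the list and keeping the narrow clause restores the original scope. The same list also silently removes `"crontab"`, which (if I read the old line correctly) means interactive `crontab -e` saves now match the rule — a deliberate sensitivity increase, but one worth stating in the rule's false-positive notes since it is not documented in the hunk. The switch from `:` to `like` on `file.path` is case-sensitive, which is correct on Linux but differs from the `:` still used on `process.executable` two lines below; pick one operator per query. The enclosing `not (` block starts outside the hunk.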
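Review bot: The dpkg hunk's new `process.parent.executable in ("/usr/share/debconf/frontend", "/usr/bin/unattended-upgrade")` may never match: as far as I know both files are interpreter scripts (Perl and Python respectively), and where the endpoint reports the interpreter binary as the executable of a shebang-launched process, the recorded parent executable will be the interpreter path rather than the script path. Please confirm against captured events; if the field does hold the interpreter, the exemption needs to key on the script path as it appears in the parent's arguments instead, e.g. `process.parent.args : ("/usr/share/debconf/frontend", "/usr/bin/unattended-upgrade")`. The enclosing `not (` block starts outside the hunk.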
@@ -75,15 +75,15 @@ file.extension == null and process.executable != null and not ( "/usr/local/bin/dockerd", "/sbin/dockerd" ) or process.executable : ("/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*") or - process.name in ("git", "dirname") or + process.name in ("git", "dirname", "tar", "gitea", "git-lfs") or (process.name == "sed" and file.name : "sed*") or (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -94,28 +94,29 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -123,4 +124,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index 7b02bcdfb..e3a14a8b2 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2024/10/17" [transform] [[transform.osquery]] 
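Review bot: Adding `"tar"` to the `process.name in (...)` list in the git-hook hunk exempts archive extraction, which is one of the plausible ways a hook script lands in a repository's hooks directory without `git` being involved (a cloned or vendored tarball that already carries the hook). `gitea` and `git-lfs` are reasonable additions, but `tar` would be safer either removed or scoped to the path where the legitimate extraction happens, e.g. `(process.name == "tar" and file.path : "<trusted-extraction-dir>/*")` with the placeholder taken from the events that motivated the change. The enclosing `not (` block starts outside the hunk.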
@@ -166,26 +166,25 @@ and file.path : "/etc/init.d/*" and not ( "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd" ) or file.extension in ("swp", "swpx", "swx", "dpkg-remove") or - process.executable : ( - "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*" - ) or + file.path like ("/etc/init.d/*beat*", "/etc/init.d/elastic-agent*") or + process.executable like ("/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*") or + process.name in ("docker-init", "jumpcloud-agent", "crio") or process.executable == null or + (process.name == "ln" and file.path : "/etc/init.d/rc*.d/*") or (process.name == "sed" and file.name : "sed*") or (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index 60f5ef56b..cd6c0856f 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/17" [transform] [[transform.osquery]] 
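Review bot: The new `file.path like ("/etc/init.d/*beat*", "/etc/init.d/elastic-agent*")` line in the init.d hunk exempts any init script whose name contains the substring "beat", not just the Beats agents, so a persistence script named to include that token passes unseen. Enumerating the actual agent names (e.g. `"/etc/init.d/filebeat"`, `"/etc/init.d/metricbeat"`, and so on for the ones deployed) or pairing the path with the installing `process.executable` keeps the exclusion tight. The added `(process.name == "ln" and file.path : "/etc/init.d/rc*.d/*")` reads as a symlink carve-out; a short comment naming the distribution that lays out `rc*.d` under `/etc/init.d/` would help, since most layouts place those directories directly under `/etc/`. The enclosing `not (` block starts outside the hunk.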
@@ -158,27 +158,28 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" +process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" and +not process.parent.executable like ( + "/opt/ds_agent/*", "/usr/sbin/veeamsnap-loader", "/opt/TrendMicro/vls_agent/*", "/opt/intel/oneapi/*", + "/opt/commvault/Base/linux_drv", "/bin/falcoctl" +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index a29210578..8dedd636a 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/06" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2024/10/17" [transform] [[transform.osquery]] 
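Review bot: The insmod hunk mixes operators in one query: `process.args : "*.ko"` on the first line uses the case-insensitive `:` while the new `not process.parent.executable like (...)` uses case-sensitive `like`; using one operator consistently (or a comment explaining why parent paths need case sensitivity) avoids the reader having to know both semantics. Keying the exclusions on `process.parent.executable` rather than a bare name is the right choice; note only that every listed path sits under a root-writable vendor directory, so the exemption holds exactly as long as those directories are trusted, which is acceptable for a root-only action but worth one line in the rule's false-positive notes.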
@@ -221,21 +221,22 @@ file where host.os.type == "linux" and event.type != "deletion" and "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*", "/etc/xdg/autostart/*", "/usr/share/autostart/*" ) and - not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd", - "rpm", "pacman", "podman", "nautilus", "remmina", "cinnamon-settings.py", "executor") + not process.name in ( + "yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd", "rpm", "pacman", + "podman", "nautilus", "remmina", "cinnamon-settings.py", "executor", "xfce4-clipman", "jetbrains-toolbox", + "ansible-admin" + ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -
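Review bot: In the KDE-autostart hunk, `"ansible-admin"` is appended to a `process.name in (...)` exclusion and the same name also appears in the ssh-binaries hunk; it does not look like a stock distribution binary, which suggests an environment-specific process name being baked into a shared production query. Environment-specific carve-outs are better handled through a rule exception scoped to the affected hosts, leaving the query's list to names that are stable across deployments such as `"xfce4-clipman"` and `"jetbrains-toolbox"`. If it is in fact a widely deployed tool, a comment above the query naming its origin would stop the next reviewer asking the same question.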