security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Q2 Linux DR Tuning - Part 4 (#4165)

Browse Source
This commit is contained in:
Ruben Groenewoud
2024-10-18 17:13:44 +02:00
committed by GitHub
parent b309bcb7ae
commit 42f6c8f9a5
10 changed files with 69 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/impact_potential_linux_ransomware_note_detected.toml
+3 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2023/03/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/18"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -67,9 +67,8 @@ sequence by process.entity_id, host.id with maxspan=1s
"systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader", "rustup-init"
)
] with runs=25
[file where host.os.type == "linux" and event.action == "creation" and file.name : (
"*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*"
)
[file where host.os.type == "linux" and event.action == "creation" and
file.name : ("*restore*", "*lock*", "*recovery*", "*read*", "*instruction*", "*how_to*", "*ransom*")
]
'''
rules/linux/persistence_apt_package_manager_file_creation.toml
+2 -1
View File
@@ -2,7 +2,7 @@
creation_date = "2024/06/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -83,6 +83,7 @@ file.path : "/etc/apt/apt.conf.d/*" and not (
"/etc/kernel/*"
) or
process.executable == null or
process.name in ("pveupdate", "perl") or
(process.name == "sed" and file.name : "sed*") or
(process.name == "perl" and file.name : "e2scrub_all.tmp*")
)
rules/linux/persistence_chkconfig_service_add.toml
+7 -13
View File
@@ -2,7 +2,7 @@
creation_date = "2022/07/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/17"
[transform]
[[transform.osquery]]
@@ -172,33 +172,27 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
(
(process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or
(process.args : "*chkconfig" and process.args : "--add")
) and
not process.parent.name in ("rpm", "qualys-scan-util", "qualys-cloud-agent", "update-alternatives") and
not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*")
) and not (
process.parent.name in ("rpm", "qualys-scan-util", "qualys-cloud-agent", "update-alternatives") or
process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*") or
process.args in ("jexec", "sapinit", "httpd", "dbora")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[[rule.threat.technique.subtechnique]]
id = "T1037.004"
name = "RC Scripts"
reference = "https://attack.mitre.org/techniques/T1037/004/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+12 -9
View File
@@ -2,7 +2,7 @@
creation_date = "2020/12/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/17"
[transform]
[[transform.osquery]]
@@ -166,59 +166,62 @@ event.category:file and host.os.type:linux and event.type:change and
/usr/bin/ssh or
/usr/sbin/sshd) or
file.name:libkeyutils.so) and
not process.executable:/usr/share/elasticsearch/*
not (
process.executable:/usr/share/elasticsearch/* or
process.name : (apk or ansible-admin or systemd or dnf or python*)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"
[[rule.threat.technique]]
id = "T1563"
name = "Remote Service Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"
[[rule.threat.technique.subtechnique]]
id = "T1563.001"
name = "SSH Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/001/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/linux/persistence_cron_job_creation.toml
+14 -11
View File
@@ -2,7 +2,7 @@
creation_date = "2023/06/09"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[transform]
[[transform.osquery]]
@@ -195,69 +195,72 @@ event.action in ("rename", "creation") and file.path : (
"/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/opt/imunify360/venv/bin/python3",
"/opt/eset/efs/lib/utild", "/usr/sbin/anacron", "/usr/bin/podman", "/kaniko/kaniko-executor"
) or
file.path : "/var/spool/cron/crontabs/tmp.*" or
file.path like ("/var/spool/cron/crontabs/tmp.*", "/etc/cron.d/jumpcloud-updater") or
file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
file.Ext.original.extension == "dpkg-new" or
process.executable : (
"/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/libexec/platform-python*"
) or
process.executable == null or
process.name in ("crontab", "crond", "executor", "puppet", "droplet-agent.postinst", "cf-agent") or
process.name in (
"crond", "executor", "puppet", "droplet-agent.postinst", "cf-agent", "schedd", "imunify-notifier", "perl",
"jumpcloud-agent", "crio", "dnf_install", "utild"
) or
(process.name == "sed" and file.name : "sed*") or
(process.name == "perl" and file.name : "e2scrub_all.tmp*")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
rules/linux/persistence_dpkg_unusual_execution.toml
+3 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/07/09"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/09"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -60,7 +60,8 @@ process.executable : "/var/lib/dpkg/info/*" and process.session_leader.name != n
process.group_leader.name != null and not (
process.parent.name in ("dpkg", "dpkg-reconfigure") or
process.session_leader.name == "dpkg" or
process.group_leader.name == "dpkg"
process.group_leader.name == "dpkg" or
process.parent.executable in ("/usr/share/debconf/frontend", "/usr/bin/unattended-upgrade")
)
'''
rules/linux/persistence_git_hook_file_creation.toml
+7 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2024/06/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -75,15 +75,15 @@ file.extension == null and process.executable != null and not (
"/usr/local/bin/dockerd", "/sbin/dockerd"
) or
process.executable : ("/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*") or
process.name in ("git", "dirname") or
process.name in ("git", "dirname", "tar", "gitea", "git-lfs") or
(process.name == "sed" and file.name : "sed*") or
(process.name == "perl" and file.name : "e2scrub_all.tmp*")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
@@ -94,28 +94,29 @@ id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -123,4 +124,3 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/linux/persistence_init_d_file_creation.toml
+6 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2023/03/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[transform]
[[transform.osquery]]
@@ -166,26 +166,25 @@ and file.path : "/etc/init.d/*" and not (
"/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd"
) or
file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
process.executable : (
"/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*"
) or
file.path like ("/etc/init.d/*beat*", "/etc/init.d/elastic-agent*") or
process.executable like ("/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*") or
process.name in ("docker-init", "jumpcloud-agent", "crio") or
process.executable == null or
(process.name == "ln" and file.path : "/etc/init.d/rc*.d/*") or
(process.name == "sed" and file.name : "sed*") or
(process.name == "perl" and file.name : "e2scrub_all.tmp*")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
rules/linux/persistence_insmod_kernel_module_load.toml
+8 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2022/07/11"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/17"
[transform]
[[transform.osquery]]
@@ -158,27 +158,28 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko"
process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" and
not process.parent.executable like (
"/opt/ds_agent/*", "/usr/sbin/veeamsnap-loader", "/opt/TrendMicro/vls_agent/*", "/opt/intel/oneapi/*",
"/opt/commvault/Base/linux_drv", "/bin/falcoctl"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.006"
name = "Kernel Modules and Extensions"
reference = "https://attack.mitre.org/techniques/T1547/006/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
rules/linux/persistence_kde_autostart_modification.toml
+7 -6
View File
@@ -2,7 +2,7 @@
creation_date = "2021/01/06"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[transform]
[[transform.osquery]]
@@ -221,21 +221,22 @@ file where host.os.type == "linux" and event.type != "deletion" and
"/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*",
"/etc/xdg/autostart/*", "/usr/share/autostart/*"
) and
not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd",
"rpm", "pacman", "podman", "nautilus", "remmina", "cinnamon-settings.py", "executor")
not process.name in (
"yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd", "rpm", "pacman",
"podman", "nautilus", "remmina", "cinnamon-settings.py", "executor", "xfce4-clipman", "jetbrains-toolbox",
"ansible-admin"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"