[Rule Tuning] Linux DR Tuning - 5 (#5494)

* [Rule Tuning] Linux DR Tuning - 5

* Fix query syntax for shared object detection rule

* Update defense_evasion_kernel_module_removal.toml

* Fix condition for process working directory check

* Refactor query in defense_evasion_symlink_binary rule

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Ruben Groenewoud
2026-01-07 15:55:06 +01:00
committed by GitHub
parent 066096f766
commit 473df70fbb
30 changed files with 280 additions and 221 deletions
@@ -2,7 +2,7 @@
creation_date = "2024/11/01"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -98,39 +98,40 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "exec_event") and
process.name == "mkdir" and process.parent.executable like (
"/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/run/*", "/root/*", "/boot/*", "/var/www/html/*", "/opt/.*"
) and process.args like (".*", "/*/.*") and process.args_count <= 3 and not (
process.parent.executable like ("/tmp/newroot/*", "/run/containerd/*") or
) and process.args like (".*", "/*/.*") and process.args_count <= 3 and
not (
process.command_line like ("mkdir -p .", "mkdir ./*") or
process.args == "/root/.ssh" or
process.args like ("/root/.ssh", "/home/*/.ssh", "/root/.cache/install4j") or
process.parent.executable like (
"/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img", "/tmp/snap.rootfs_*"
)
"/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img", "/tmp/snap.rootfs_*",
"/root/.acme.sh/acme.sh", "/tmp/buildpacks/*go/bin/test-compile", "/tmp/newroot/*", "/run/containerd/*"
) or
process.parent.name in ("libtool", "jpenable", "configure")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.001"
name = "Hidden Files and Directories"
reference = "https://attack.mitre.org/techniques/T1564/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -138,4 +139,3 @@ framework = "MITRE ATT&CK"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
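Review bot: The exclusions appended in the trailing `not (...)` block of the query hunk are keyed on values under world-writable trees or on bare parent names — `"/tmp/newroot/*"`, `"/run/containerd/*"`, `"/tmp/buildpacks/*go/bin/test-compile"`, `"/var/tmp/buildah*"` and `process.parent.name in ("libtool", "jpenable", "configure")` — so the hidden-directory detection is suppressed for any parent that merely sits at such a path or carries such a name. Where the false-positive source allows it, anchor these on a second field that is harder to coincide with (the parent's `process.parent.args`, or `user.name`), and record the observed FP source in the PR description so the breadth can be revisited later. The same pattern appears in the kernel-module removal hunk (`?process.parent.args like "/var/tmp/rpm-tmp*"`) and in the LD_PRELOAD hunk (`/tmp/CVU_19_resource*/exectask`).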
@@ -2,7 +2,7 @@
creation_date = "2020/04/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/04"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ language = "eql"
license = "Elastic License v2"
max_signals = 33
name = "Creation of Hidden Files and Directories via CommandLine"
risk_score = 47
risk_score = 21
rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
setup = """## Setup
@@ -65,7 +65,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
#### Custom Ingest Pipeline
For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
"""
severity = "medium"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -80,9 +80,10 @@ query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
not process.name in (
"ls", "find", "grep", "git", "jq", "basename", "check_snmp", "snmpget", "snmpwalk", "cc1plus", "snap",
"command-not-found", "sqlite", "apk", "fgrep", "locate", "objdump"
process.name like (
"touch", "tee", "cp", "mv", "install", "dd", "vi", "vim", "nano", "truncate", "sed", "awk", "curl", "wget",
"ftp", "scp", "rsync", "sftp", "tar", "unzip", "gunzip", "7z", "bzip2", "xz", "python*", "php*", "perl*",
"ruby*", "node*", "java", "printf", "echo", "cat", ".*"
)
'''
note = """## Triage and analysis
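Review bot: Replacing `not process.name in (...)` with the positive `process.name like ("touch", ..., ".*")` list at the end of the query turns this rule from a deny-list into an allow-list, so a hidden file created under `/tmp`, `/var/tmp` or `/dev/shm` by any binary not in that list no longer matches. That is a deliberate coverage trade-off, but nothing in the hunk records it; the rule's `note` or description should state that only the listed writers and interpreters are covered. The entries are also inconsistent — `"python*"`, `"php*"`, `"perl*"`, `"ruby*"` and `"node*"` are wildcarded while `"java"` is not, so versioned java process names would presumably fall outside the list; `"java*"` would follow the pattern of its neighbours.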
@@ -2,7 +2,7 @@
creation_date = "2022/07/20"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -106,28 +106,26 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and
not process.name in ("dockerd", "azcopy", "podman")
file where host.os.type == "linux" and event.type == "creation" and
(file.extension == "so" or file.name like "*.so.*") and file.name : ".*.so" and
not process.name in ("dockerd", "azcopy", "podman", "opencode") and not file.name like "._*"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.001"
name = "Hidden Files and Directories"
reference = "https://attack.mitre.org/techniques/T1564/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
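Review bot: The new `file.name like "*.so.*"` alternative on the second query line is dead, because the conjunct that follows it, `file.name : ".*.so"`, still requires the name to end in `.so`; a hidden versioned library such as `.libx.so.1` passes the first test and fails the second, so the "fix query syntax" change does not actually extend coverage to versioned shared objects. Fold the suffix into the hidden-name check instead, keeping the case-insensitive match the old `:` operator had: `(file.extension == "so" or file.name like "*.so.*") and file.name like~ (".*.so", ".*.so.*") and`. The added `not file.name like "._*"` is unaffected by this.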
@@ -2,7 +2,7 @@
creation_date = "2024/11/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/24"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -15,7 +15,8 @@ index = ["logs-endpoint.events.process*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Interactive Shell Launched from System User"
risk_score = 21
references = ["https://www.elastic.co/security-labs/continuation-on-persistence-mechanisms"]
risk_score = 47
rule_id = "9c5b2382-19d2-4b5d-8f14-9e1631a3acdb"
setup = """## Setup
@@ -44,7 +45,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -52,7 +53,7 @@ tags = [
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Resources: Investigation Guide"
]
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
@@ -65,11 +66,22 @@ event.category:process and host.os.type:linux and event.type:start and event.act
process.parent.name:(
apt-key or apt-config or gpgv or gpgconf or man-db.postinst or sendmail or rpm or nullmailer-inject
) or
process.args:(/etc/apt/trusted.gpg.d/* or /tmp/apt-key-gpg*) or
process.args:(/etc/apt/trusted.gpg.d/* or /tmp/apt-key-gpg* or "/usr/bin/dnf") or
process.name:(awk or apt-config or dpkg or grep or gpgv or sed) or
(user.name:_apt and process.name:(sqv or apt-key or gpgconf or sort or mktemp or find or cmp or gpg-connect-agent)) or
(user.name:man and process.name:mandb) or
(user.name:daemon and process.name:at)
(user.name:daemon and process.name:at) or
process.parent.args:("/usr/bin/apt-key" or "/var/lib/dpkg/info/man-db.postinst") or
process.parent.executable:(
"/usr/lib/polkit-1/polkitd" or "./runc" or "/usr/bin/apt-get" or "/opt/gitlab/embedded/bin/bundle" or "/run/podman-init" or
/tmp/newroot/* or /var/lib/docker/overlay2/* or /usr/libexec/platform-python*
) or
process.parent.command_line:"runc init" or
process.executable:(
"/opt/gitlab/embedded/bin/bundle" or "/usr/bin/env" or "/usr/bin/readlink" or "/usr/bin/date" or "/usr/bin/dircolors" or
"/usr/sbin/sendmail" or "/usr/bin/atrm" or "/usr/bin/atq" or "/run/podman-init" or "/usr/bin/basename" or "/usr/bin/locale" or
"/usr/bin/tr"
)
)
'''
note = """## Triage and analysis
@@ -108,6 +120,7 @@ In Linux environments, system users are typically non-interactive and serve spec
- Implement stricter access controls and monitoring for system user accounts to prevent unauthorized interactive shell launches in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Update detection mechanisms and rules to enhance monitoring for similar threats, ensuring that any future attempts are quickly identified and addressed."""
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -132,4 +145,4 @@ value = ["process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-5d"
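Review bot: `process.parent.executable:( ... "./runc" ... )` in the query hunk adds a relative-path exclusion that matches any parent invoked as `./runc` from its working directory, not the container runtime specifically, and the same hunk already adds `process.parent.command_line:"runc init"`, which pins that case far more precisely; the `"./runc"` entry looks redundant and can be dropped (the LD_PRELOAD rule hunk adds the same relative entry). The `/tmp/newroot/*` and `/var/lib/docker/overlay2/*` globs in that list likewise exempt whole writable trees rather than a known binary; if the FP source is a particular runtime, the `process.parent.command_line` form is the safer anchor there too. Lowering `history_window_start` from `now-14d` to `now-5d` may re-surface parent executables seen between 5 and 14 days ago as new, so a transient alert increase after deploy is plausible. The enclosing `query` starts before this hunk.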
@@ -2,7 +2,7 @@
creation_date = "2025/02/21"
integration = ["endpoint", "crowdstrike"]
maturity = "production"
updated_date = "2025/10/17"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -52,7 +52,7 @@ Base64 encoding is a method to encode binary data into ASCII text, often used fo
- Implement enhanced monitoring and logging for base64 decoding activities and interpreter executions to detect similar threats in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if broader organizational impacts exist.
"""
risk_score = 47
risk_score = 73
rule_id = "5bdad1d5-5001-4a13-ae99-fa8619500f1a"
setup = """## Setup
@@ -79,7 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -106,9 +106,18 @@ sequence by host.id, process.parent.entity_id with maxspan=3s
)]
[process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.name like~ (
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl*", "ruby*", "lua*", "php*"
)]
) and
not (
?process.parent.command_line in ("bash ./run_tests.sh unit-integration", "/bin/sh /var/lib/dpkg/info/nmap-common.postinst configure") or
process.command_line == "/usr/bin/perl /usr/bin/shasum -a 256" or
?process.working_directory like (
"/usr/local/zeek", "/opt/zeek", "/var/lib/docker/overlay2/*/opt/zeek", "/usr/local/zeek_old_install",
"/var/lib/docker/overlay2/*/usr/local/zeek", "/proc/self/fd/*/usr/local/zeek"
) or
(?process.parent.name == "zsh" and ?process.parent.command_line like "*extendedglob*") or
(process.name like "python*" and ?process.parent.name == "python*")
)]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
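Review bot: The last exclusion in the new `not (...)` block, `(process.name like "python*" and ?process.parent.name == "python*")`, never matches: `==` is an exact comparison, so it only suppresses a parent literally named `python*`, and the python-spawns-python case it is evidently meant to cover still alerts. Use the wildcard operator the rest of the hunk uses: `(process.name like "python*" and ?process.parent.name like "python*")`. The `?` prefixes on the optional parent and working-directory fields are consistent with the first line of the hunk and need no change.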
@@ -2,7 +2,7 @@
creation_date = "2025/10/01"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/10/06"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -55,7 +55,7 @@ This detection flags attempts to purge systemd journal logs by invoking journalc
- Preserve evidence by archiving remaining /var/log/journal entries, journald.conf and its mtime, modified unit files under /etc/systemd/system, and shell/auth logs, and capture a disk snapshot before making further changes.
- Escalate to incident response if root executed "journalctl --vacuum-time/size/files" outside a documented maintenance window, if Storage=volatile was set or retention reduced below policy, or if the same actor performed vacuums on multiple hosts within 24 hours.
"""
risk_score = 21
risk_score = 47
rule_id = "09073bf4-a8ea-4bce-9fd5-2bb56b4d31f4"
setup = """## Setup
@@ -82,7 +82,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -100,7 +100,8 @@ type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "journalctl" and process.args like ("--vacuum-time=*", "--vacuum-size=*", "--vacuum-files=*")
process.name == "journalctl" and process.args like ("--vacuum-time=*", "--vacuum-size=*", "--vacuum-files=*") and
not process.parent.args == "/etc/cron.daily/clean-journal-logs"
'''
[[rule.threat]]
@@ -2,7 +2,7 @@
creation_date = "2020/04/24"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -63,7 +63,7 @@ Kernel modules dynamically extend a Linux kernel's capabilities without rebootin
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.
- Implement enhanced monitoring and alerting for similar activities across the network to detect and respond to future attempts promptly."""
references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
risk_score = 47
risk_score = 21
rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
setup = """## Setup
@@ -90,7 +90,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -104,50 +104,52 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
(
process.name == "rmmod" or
(process.name == "modprobe" and process.args in ("--remove", "-r"))
) and
process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
(
process.name == "rmmod" or
(process.name == "modprobe" and process.args in ("--remove", "-r"))
) and
process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
not (
?process.parent.args like "/var/tmp/rpm-tmp*" or
?process.working_directory like~ ("/tmp/makeself*NVIDIA-Linux*", "/tmp/self*NVIDIA-Linux*")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.006"
name = "Kernel Modules and Extensions"
reference = "https://attack.mitre.org/techniques/T1547/006/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -2,7 +2,7 @@
creation_date = "2025/02/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/09/29"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -92,10 +92,14 @@ query = '''
event.category:process and host.os.type:linux and event.type:start and event.action:exec and
process.name:(kill or pkill or killall) and not (
process.args:("-HUP" or "-SIGUSR1" or "-USR2" or "-WINCH" or "-USR1") or
process.parent.command_line:"runc init"
process.parent.command_line:"runc init" or
process.parent.executable:(
"/usr/lib/systemd/systemd" or "/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent" or "/bin/xargs" or
"/usr/bin/xargs" or "/usr/bin/sudo" or "/usr/sbin/safe_asterisk" or "/usr/local/manageengine/uems_agent/bin/dcservice" or
"/lib/systemd/systemd" or "/opt/nessus_agent/sbin/nessuscli" or "/etc/rubrik/start_stop_bootstrap.sh" or
"/usr/local/manageengine/uems_agent/bin/dcpatchscan")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -148,4 +152,4 @@ value = ["host.id", "process.parent.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
value = "now-5d"
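Review bot: Adding `"/usr/bin/sudo"` to the excluded `process.parent.executable` list suppresses every `sudo kill`/`sudo pkill`/`sudo killall` invocation, which is precisely the privileged form an operator would use to stop a security agent or other protected daemon; `"/bin/xargs"` and `"/usr/bin/xargs"` have a similar, if smaller, effect on `ps | grep | xargs kill` style pipelines. If the false positives came from a particular scheduled job or agent, exclude it on `process.parent.args` or `process.parent.command_line` rather than the sudo binary itself. Shortening `history_window_start` to `now-5d` will also make more parent executables look new for a while after deploy.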
@@ -2,7 +2,7 @@
creation_date = "2024/02/01"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -56,7 +56,7 @@ In Linux environments, kernel processes like `kthreadd` and `kworker` typically
- Update and patch the system to close any vulnerabilities that may have been exploited by the attacker, ensuring all software and security tools are up to date.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
references = ["https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/"]
risk_score = 21
risk_score = 73
rule_id = "202829f6-0271-4e88-b882-11a655c590d4"
setup = """## Setup
@@ -84,7 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -98,33 +98,30 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
process.name : ("kworker*", "kthread*") and process.executable != null
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.004"
name = "Masquerade Task or Service"
reference = "https://attack.mitre.org/techniques/T1036/004/"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2025/04/30"
integration = ["endpoint", "crowdstrike"]
maturity = "production"
updated_date = "2025/10/17"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -51,7 +51,7 @@ LD_PRELOAD and LD_LIBRARY_PATH are environment variables in Linux that influence
- Implement stricter access controls and monitoring on the affected system to prevent unauthorized changes to environment variables.
- Update and enhance detection rules to include additional indicators of compromise related to LD_PRELOAD and LD_LIBRARY_PATH misuse, ensuring future attempts are identified promptly.
"""
risk_score = 21
risk_score = 73
rule_id = "65613f5e-0d48-4b55-ad61-2fb9567cb1ad"
setup = """## Setup
@@ -78,7 +78,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -98,9 +98,16 @@ process.parent.name:(* and not (
nxrunner or nxserver or perl or rear or sapcontrol or setsid or spoold or sshd or steam or su or sudo or titanagent or
vls_agent or zabbix_agentd
)) and
not process.parent.executable:(
/tmp/CVU_19_resource*/exectask or /u01/app/oracle/*oracle/CVU_19_oracle*/exectask or "/opt/ds_agent/ds_agent" or
"/opt/McAfee/agent/scripts/ma" or "/usr/local/bin/AppProtection/BootTimeChecker" or "/usr/bin/gmake" or "./runc" or
"/usr/openv/db/bin/nbdb_unload"
) and
not process.parent.args:"/opt/McAfee/agent/scripts/ma" and
process.name:(bash or csh or dash or fish or ksh or sh or tcsh or zsh) and
process.args:-c and process.command_line:(*LD_LIBRARY_PATH=* or *LD_PRELOAD=*)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -161,4 +168,4 @@ value = ["process.parent.name", "process.command_line", "host.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
value = "now-5d"
@@ -2,7 +2,7 @@
creation_date = "2024/12/16"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/09/29"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -97,7 +97,8 @@ type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "creation" and process.executable != null and
file.path like~ ("/lib/ld-linux*.so*", "/lib64/ld-linux*.so*", "/usr/lib/ld-linux*.so*", "/usr/lib64/ld-linux*.so*") and
not process.executable in (
not (
process.executable in (
"/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
"/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
"/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
@@ -107,10 +108,14 @@ not process.executable in (
"/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon",
"/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/libexec/platform-python",
"/usr/lib/snapd/snap-update-ns", "./usr/bin/podman", "/usr/bin/crio", "/usr/bin/buildah", "/bin/dnf5",
"/usr/bin/dnf5", "/usr/bin/pamac"
"/usr/bin/dnf5", "/usr/bin/pamac", "/dev/fd/3"
) or
process.executable like (
"/snap/docker/*/bin/dockerd", "/usr/bin/python*", "/nix/store/*/docker/dockerd", "/var/lib/docker/overlay2/*/dockerd",
"/rpool/data/*usr/bin/dockerd"
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
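Review bot: `"/dev/fd/*"` in the `process.executable in (...)` list (context line of the hunk) is compared literally because `in` is an exact match, which is presumably why `"/dev/fd/3"` had to be added as a separate entry here; move the glob into the new `process.executable like (...)` list so it is actually evaluated, and drop the per-descriptor entry. Exempting an executable of `/dev/fd/3` outright is also a broad carve-out for a rule about the dynamic linker being replaced, since a process running from a file descriptor rather than an on-disk path is exactly the kind of indicator this rule family is meant to surface; scope it to the parent that produced the false positive instead (the log-deletion hunk pairs the same `/dev/fd/3` with `/usr/bin/podman` and `file.name == "lastlog"`, which is the narrower pattern to follow). The enclosing `not (...)` and `query` start in the previous hunk of this file.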
@@ -2,7 +2,7 @@
creation_date = "2020/11/03"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -109,43 +109,31 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "deletion" and
file.path :
(
"/var/run/utmp",
"/var/log/wtmp",
"/var/log/btmp",
"/var/log/lastlog",
"/var/log/faillog",
"/var/log/syslog",
"/var/log/messages",
"/var/log/secure",
"/var/log/auth.log",
"/var/log/boot.log",
"/var/log/kern.log",
"/var/log/dmesg"
) and
not process.name in ("gzip", "executor", "dockerd")
file where host.os.type == "linux" and event.type == "deletion" and file.path in (
"/var/run/utmp", "/var/log/wtmp", "/var/log/btmp", "/var/log/lastlog", "/var/log/faillog",
"/var/log/syslog", "/var/log/messages", "/var/log/secure", "/var/log/auth.log", "/var/log/boot.log",
"/var/log/kern.log", "/var/log/dmesg"
) and not (
process.name in ("gzip", "executor", "dockerd") or
(process.executable in ("/usr/bin/podman", "/dev/fd/3") and file.name == "lastlog")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.002"
name = "Clear Linux or Mac System Logs"
reference = "https://attack.mitre.org/techniques/T1070/002/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2023/04/11"
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -62,7 +62,7 @@ The 'hidepid' mount option in Linux allows users to restrict visibility of proce
- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and alerting for future attempts to use the 'hidepid' option, ensuring rapid detection and response."""
references = ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"]
risk_score = 47
risk_score = 73
rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204"
setup = """## Setup
@@ -89,7 +89,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -103,25 +103,22 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "executed", "process_started") and
process.name == "mount" and process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" and
not process.parent.command_line like "/opt/cloudlinux/*"
event.action in ("exec", "exec_event", "start", "executed", "process_started") and
process.name == "mount" and process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" and
not process.parent.command_line like "/opt/cloudlinux/*"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2025/07/24"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/09/01"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -57,7 +57,7 @@ Base64 encoding is a common method to encode binary data into ASCII text, often
- Review and update access controls and permissions for the directories involved to prevent unauthorized access and execution of potentially harmful scripts or binaries.
"""
risk_score = 21
risk_score = 47
rule_id = "03d856c2-7f74-4540-a530-e20af5e39789"
setup = """## Setup
@@ -84,7 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -109,7 +109,8 @@ sequence by process.parent.entity_id with maxspan=3s
) or
process.working_directory like (
"/opt/microsoft/omsagent/plugin", "/opt/rapid7/ir_agent/*", "/tmp/newroot/*"
)
) or
(process.parent.name == "zsh" and process.parent.command_line like "*extendedglob*")
)]
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.executable != null and
process.name in ("base64", "base64plain", "base64url", "base64mime", "base64pem", "base32", "base16") and
@@ -160,4 +161,4 @@ framework = "MITRE ATT&CK"
[[rule.threat.technique.subtechnique]]
name = "Malicious File"
id = "T1204.002"
reference = "https://attack.mitre.org/techniques/T1204/002/"
reference = "https://attack.mitre.org/techniques/T1204/002/"
@@ -2,7 +2,7 @@
creation_date = "2025/06/19"
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/07/21"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -60,7 +60,7 @@ Kubectl is a command-line tool for interacting with Kubernetes clusters, allowin
- Escalate the incident to the security operations team for a comprehensive review and to determine if additional security measures or incident response actions are required.
- Implement additional logging and monitoring for kubectl commands and Kubernetes API interactions to enhance detection capabilities for similar threats in the future.
"""
risk_score = 21
risk_score = 47
rule_id = "3c6685eb-9eaa-43a4-be1b-a7f9f1f5e63d"
setup = """## Setup
@@ -87,7 +87,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"Domain: Container",
@@ -113,7 +113,8 @@ process.name == "kubectl" and (
process.parent.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/home/*") or
process.parent.name like (".*", "*.sh")
)
) and process.args like~ ("--kubeconfig*", "--token*", "--as*", "--as-group*", "--as-uid*")
) and process.args like~ ("--kubeconfig*", "--token*", "--as*", "--as-group*", "--as-uid*") and
not process.parent.args like ("/snap/microk8s/*/apiservice-kicker", "/snap/microk8s/*/microk8s-start.wrapper")
'''
[[rule.threat]]
@@ -2,7 +2,7 @@
creation_date = "2025/06/19"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/07/07"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -60,7 +60,7 @@ Kubectl is a command-line tool for interacting with Kubernetes clusters, crucial
- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been affected.
"""
references = ["https://kubernetes.io/docs/reference/kubectl/"]
risk_score = 21
risk_score = 47
rule_id = "2388c687-cb2c-4b7b-be8f-6864a2385048"
setup = """## Setup
@@ -87,7 +87,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"Domain: Container",
@@ -107,7 +107,7 @@ query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "executed", "process_started") and
(
process.executable like~ ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/var/www/*", "./kubectl", "/home/*/kubectl") or
process.executable like~ ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/var/www/*", "./kubectl") or
process.name like ".*"
) and
process.command_line like~ (
@@ -2,7 +2,7 @@
creation_date = "2023/03/07"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -61,7 +61,7 @@ PRoot is a versatile tool that emulates a chroot-like environment, allowing user
- Implement enhanced monitoring for PRoot activity across the environment to detect any future unauthorized use. This includes setting up alerts for any process executions with PRoot as the parent process.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
references = ["https://proot-me.github.io/"]
risk_score = 47
risk_score = 73
rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0"
setup = """## Setup
@@ -88,7 +88,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -102,23 +102,20 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
process.parent.name == "proot"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1211"
name = "Exploitation for Defense Evasion"
reference = "https://attack.mitre.org/techniques/T1211/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,15 +2,16 @@
creation_date = "2025/01/09"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2025/05/05"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
description = """
This rule leverages Auditd data to detect the use of the `prctl` syscall to potentially hide a process
by changing its name. The `prctl` syscall is used to control various process attributes. Attackers can use
this syscall to change the name of a process to a hidden directory or file, making it harder to detect. The query
looks for the `prctl` syscall with the `PR_SET_NAME` argument set to `f` (PR_SET_NAME is used to set the name of a process).
This rule leverages Auditd data to detect the use of the "prctl" syscall to potentially hide a process
by changing its name. The "prctl" syscall is used to control various process attributes. Attackers can use
this syscall to change the name of a process to a hidden directory or file, making it harder to detect. The
query looks for the "prctl" syscall with the "PR_SET_NAME" argument set to "f" (PR_SET_NAME is used to set
the name of a process).
"""
from = "now-9m"
index = ["logs-auditd_manager.auditd-*", "auditbeat-*"]
@@ -22,7 +23,7 @@ references = [
"https://haxrob.net/hiding-in-plain-sight-part-2/",
"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd",
]
risk_score = 47
risk_score = 73
rule_id = "fef62ecf-0260-4b71-848b-a8624b304828"
setup = """## Setup
@@ -48,7 +49,7 @@ However, if more advanced configuration is required to detect specific behavior,
- For this detection rule the following additional audit rules are required to be added to the integration:
-- "-a exit,always -F arch=b64 -S prctl -k prctl_detection"
"""
severity = "medium"
severity = "high"
tags = [
"Data Source: Auditd Manager",
"Domain: Endpoint",
@@ -64,7 +65,8 @@ process where host.os.type == "linux" and auditd.data.syscall == "prctl" and aud
process.executable like (
"/boot/*", "/dev/shm/*", "/etc/cron.*/*", "/etc/init.d/*", "/var/run/*", "/etc/update-motd.d/*",
"/tmp/*", "/var/log/*", "/var/tmp/*", "/home/*", "/run/shm/*", "/run/*", "./*"
)
) and
not process.executable like ("/home/*/.vscode-server/*", "/tmp/VeeamAgent*", "/home/*/.xmonad/xmonad*linux*")
'''
note = """## Triage and analysis
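Review bot: The three exclusions added in the last hunk, `not process.executable like ("/home/*/.vscode-server/*", "/tmp/VeeamAgent*", "/home/*/.xmonad/xmonad*linux*")`, are all wildcard patterns under directories that unprivileged users can write to, so the allow-list is only as strong as the weakest path pattern and the `/tmp` entry in particular is satisfiable by any local account. Where the producing software has a stable parent executable or user, pinning the exclusion to that is safer; otherwise the gap should be recorded in the rule's `note` section, which begins right after this hunk. The same consideration applies to `"/var/lib/docker/overlay2/*/usr/bin/dotnet"` in the ESXi rename rule, `"/tmp/CVU_19_resource*/checkmemlock.sh"` in the kernel-features rule, and the `/tmp/vmis.*` and `/tmp/ubuntu-release-upgrader-*` patterns in the /var/log hidden-file rule further down. The query these lines belong to starts before this hunk.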
@@ -2,7 +2,7 @@
creation_date = "2023/04/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/05/05"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -57,11 +57,18 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action == "rename" and
file.Ext.original.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem")
and not file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem")
file where host.os.type == "linux" and event.action == "rename" and (
file.Ext.original.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") or
(file.name == "index.html" and file.Ext.original.path like "/usr/lib/vmware/*")
)
and not (
file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") or
process.executable like (
"/usr/sbin/gdm", "/usr/share/dotnet/dotnet", "/usr/bin/dotnet", "/usr/sbin/apache2",
"/var/lib/docker/overlay2/*/usr/bin/dotnet", "/usr/lib/3cxpbx/3cxSystemService"
)
)
'''
note = """## Triage and analysis
@@ -99,22 +106,20 @@ VMware ESXi files are critical for virtual machine operations, storing configura
- Implement additional monitoring on the affected system and similar environments to detect any further attempts at file masquerading or other suspicious activities.
- Review and update access controls and permissions for VMware ESXi files to ensure only authorized users have the ability to rename or modify these files."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.003"
name = "Rename Legitimate Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
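Review bot: The new `index.html` branch mixes three string operators in one predicate: `file.Ext.original.name : (...)` on the first branch, and `file.name == "index.html"` plus `file.Ext.original.path like "/usr/lib/vmware/*"` on the second, where, as I read the EQL operators, `:` is case-insensitive and `==`/`like` are case-sensitive. The deprecated rule this branch was folded in from used `file.Ext.original.path : "/usr/lib/vmware/*"`, so if the operator change was not deliberate, keeping `:` preserves its semantics; either way one convention per query is easier to audit. A sentence in the rule's description, which sits outside this hunk, that the rule now also covers the index.html replacement case would help readers who still remember the separate rule.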
@@ -2,7 +2,7 @@
creation_date = "2023/04/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/05/05"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ from = "now-9m"
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Renaming of ESXI index.html File"
name = "Deprecated - Suspicious Renaming of ESXI index.html File"
references = [
"https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
]
@@ -57,7 +57,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and
file.Ext.original.path : "/usr/lib/vmware/*"
@@ -67,7 +66,7 @@ note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Suspicious Renaming of ESXI index.html File
### Investigating Deprecated - Suspicious Renaming of ESXI index.html File
VMware ESXi hosts use the index.html file within their web interface for management tasks. Adversaries may rename this file to evade detection or to replace it with a malicious version, facilitating unauthorized access or data exfiltration. The detection rule monitors Linux systems for renaming actions targeting this file in the VMware directory, flagging potential defense evasion attempts by correlating file path and event actions.
@@ -98,22 +97,20 @@ VMware ESXi hosts use the index.html file within their web interface for managem
- Implement additional monitoring on the affected host and similar systems to detect any further attempts to rename or modify critical files.
- Review and update access controls and permissions on the VMware ESXi host to ensure that only authorized personnel have the ability to modify critical system files."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.003"
name = "Rename Legitimate Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
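Review bot: The rule is renamed to `Deprecated - Suspicious Renaming of ESXI index.html File`, but the metadata hunk at the top of this section still shows `maturity = "production"` and no `deprecation_date` line, so the rule keeps shipping and alerting alongside the merged rule that now covers the same `index.html` condition. If the intent is retirement, the metadata should say so as well (`maturity = "deprecated"` plus a `deprecation_date`), presumably together with the repository's usual relocation of the file into its deprecated-rules directory — the file path is not visible here, so I cannot confirm that step happened. The name change on its own is a label, not a behavior change.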
@@ -2,7 +2,7 @@
creation_date = "2024/08/28"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -96,7 +96,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and
process.name in ("update-ca-trust", "update-ca-certificates") and not (
@@ -105,26 +104,31 @@ process.name in ("update-ca-trust", "update-ca-certificates") and not (
"ipa-client-install", "su", "platform-python", "python*", "kesl", "execd", "systemd", "flock"
) or
process.parent.args like "/var/tmp/rpm*" or
(process.parent.name in ("sh", "bash", "zsh") and process.args == "-e")
(process.parent.name in ("sh", "bash", "zsh") and process.args == "-e") or
process.parent.executable in (
"/app/update-cert-trust.sh", "/opt/puppetlabs/puppet/bin/puppet", "/opt/puppetlabs/puppet/bin/ruby",
"/start-haproxy", "/usr/bin/entrypoint.sh", "/usr/bin/crun"
) or
process.parent.args like (
"/entrypoint.sh", "/entrypoint", "./bootstrap-RHEL*", "lib/apk/exec/ca-certificates-*trigger"
) or
?process.working_directory == "/var/lib/rancher"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1553"
name = "Subvert Trust Controls"
reference = "https://attack.mitre.org/techniques/T1553/"
[[rule.threat.technique.subtechnique]]
id = "T1553.004"
name = "Install Root Certificate"
reference = "https://attack.mitre.org/techniques/T1553/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
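Review bot: In the new `process.parent.args like (...)` list, `"/entrypoint.sh"` and `"/entrypoint"` contain no wildcard, so `like` is acting as plain equality there while the block just above uses `in` for exact values and `like` for patterns; keeping that split, `process.parent.args in ("/entrypoint.sh", "/entrypoint") or process.parent.args like ("./bootstrap-RHEL*", "lib/apk/exec/ca-certificates-*trigger")`, makes the intent clearer. `"lib/apk/exec/ca-certificates-*trigger"` is also the only entry without a leading `/`; if apk really invokes the trigger with a relative argument that is fine, but it is worth confirming against an observed event, because a missing slash would make the pattern silently never match. The exclusion block closes at the end of this hunk; the query's opening lines are outside it.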
@@ -2,7 +2,7 @@
creation_date = "2024/08/28"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/07/02"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -93,28 +93,31 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event")
and file.path : "/etc/selinux/config" and not process.name in ("dockerd", "platform-python")
and file.path : "/etc/selinux/config" and not (
process.name in ("dockerd", "platform-python") or
process.executable like (
"/usr/libexec/platform-python*", "/dev/fd/3", "/usr/bin/podman", "/usr/local/cpanel/3rdparty/perl/*/bin/perl",
"/kaniko/executor", "/usr/lib/systemd/systemd", "/usr/bin/insights-client", "/bin/podman"
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
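Review bot: `"/dev/fd/3"` in the new `process.executable like (...)` exclusion does not name a program: it is typically what `process.executable` reports when something is executed through an already-open file descriptor, so this entry excludes every such execution that writes `/etc/selinux/config`, and fd-based execution is itself a defense-evasion pattern this rule's tactic section is about. If a specific legitimate producer was observed (an installer or a script fed through a shell), pin the exclusion to that producer's parent executable or arguments rather than to the generic `/dev/fd/3` value. The other new entries are full paths and look fine; the query's first line is outside this hunk.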
@@ -2,7 +2,7 @@
creation_date = "2024/08/28"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -90,45 +90,50 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "deletion" and file.path : "/etc/ssl/certs/*" and
file.extension in ("pem", "crt") and not process.name in ("dockerd", "pacman")
file where host.os.type == "linux" and event.type == "deletion" and process.executable != null and
file.path : "/etc/ssl/certs/*" and file.extension in ("pem", "crt") and
not (
process.name in ("dockerd", "pacman") or
process.executable in (
"/kaniko/executor", "/usr/sbin/update-ca-certificates", "/usr/bin/gnurm", "/usr/bin/podman",
"/usr/local/bin/executor", "/opt/kaniko/executor", "/.envbuilder/bin/envbuilder", "/opt/kaspersky/kesl/libexec/kesl"
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.004"
name = "File Deletion"
reference = "https://attack.mitre.org/techniques/T1070/004/"
[[rule.threat.technique]]
id = "T1553"
name = "Subvert Trust Controls"
reference = "https://attack.mitre.org/techniques/T1553/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
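Review bot: After the new `process.executable != null` guard, the exclusion block still keeps a basename-only test, `process.name in ("dockerd", "pacman")`, next to the full-path `process.executable in (...)` list, so those two producers are allow-listed by name while every newly added one is allow-listed by path. Since the guard now guarantees a path on every event, moving the two names into the executable list under their observed install paths makes the block consistent and removes the one exclusion that a renamed binary would satisfy. The `!= null` check also silently drops deletion events with no executable attached, which is a coverage change worth a sentence in the rule's `note`. The query starts inside this hunk and ends at the `'''` line.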
@@ -2,7 +2,7 @@
creation_date = "2023/09/04"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -55,9 +55,9 @@ Tmux and screen are terminal multiplexers that allow users to manage multiple te
- Escalate the incident to the security operations team for further investigation and to determine if additional systems are compromised.
- Implement network monitoring to detect any unusual outbound connections or data exfiltration attempts from the affected host.
- Update and enhance detection rules to include additional suspicious command patterns or behaviors observed during the investigation."""
risk_score = 21
risk_score = 47
rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89"
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -71,7 +71,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
@@ -81,17 +80,15 @@ process where host.os.type == "linux" and event.type == "start" and
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -3,7 +3,7 @@
creation_date = "2025/04/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/07/07"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -52,7 +52,7 @@ In Linux environments, the mount command integrates filesystems, enabling access
- Escalate the incident to the security operations team for further investigation and to assess the scope of the threat, including potential lateral movement or additional compromised systems.
- Enhance monitoring and detection capabilities by configuring alerts for unusual mount activities and integrating threat intelligence feeds to identify similar tactics used by adversaries.
"""
risk_score = 21
risk_score = 47
rule_id = "68e90a9b-0eab-425e-be3b-902b0cd1fe9c"
setup = """## Setup
@@ -79,7 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -94,11 +94,18 @@ query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "mount" and
process.args like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*", "/root/*", "/mount") and process.parent.executable != null and
not (
process.parent.executable like ("/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/sbin/*", "/usr/sbin/*", "/usr/local/sbin/*", "/usr/libexec/*") or
process.parent.executable like (
"/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/sbin/*", "/usr/sbin/*", "/usr/local/sbin/*", "/usr/libexec/*",
"/usr/local/nutanix/ngt/*/python"
) or
process.parent.executable in (
"/usr/lib/uptrack/ksplice-apply", "/usr/lib/Acronis/BackupAndRecovery/mms",
"/usr/lib/Acronis/BackupAndRecovery/service_process-bin", "/usr/lib/systemd/systemd", "/etc/grub.d/10_linux_zfs",
"./tools/image-summary", "/nfsplugin", "/usr/share/ksplice/ksplice-apply", "/lib/systemd/systemd"
) or
process.parent.name == "snapd"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
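Review bot: `"./tools/image-summary"` in the new `process.parent.executable in (...)` list is a relative path while every other entry in both lists is absolute; if the data source populates `process.parent.executable` with a resolved path this entry never matches, and if it carries the raw invocation string the exclusion applies wherever a binary with that relative name is launched from. Please confirm it against the event that motivated it and prefer the resolved absolute path if one is available. `process.parent.name == "snapd"` is likewise basename-only where the rest of the block uses paths. The `query = '''` opener is just above this hunk and the query closes at the `'''` line inside it.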
@@ -2,7 +2,7 @@
creation_date = "2025/04/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/07/07"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -70,7 +70,8 @@ tags = [
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.parent.executable:* and
host.os.type:linux and event.category:process and event.type:start and event.action:exec and
process.parent.executable:(* and not (/bin/make or /sbin/weak-modules or /usr/bin/make or /usr/sbin/weak-modules)) and
(process.name:ln or process.name:busybox and process.args:ln or process.name:cp and process.args:--symbolic-link) and
process.args:(
(
@@ -79,10 +80,13 @@ process.args:(
) and (
/*/.* or /dev/shm/* or /home/* or /root/* or /tmp/* or /var/tmp/*
) and
not (/usr/bin/coreutils or /tmp/mkinitcpio* or /var/tmp/dracut* or /var/tmp/mkinitramfs*)
)
not (
/usr/bin/coreutils or /tmp/mkinitcpio* or /var/tmp/dracut* or /var/tmp/mkinitramfs* or /var/tmp/pamac-build* or
/var/tmp/portage/* or usr/lib/python3/dist-packages/*
)
) and not
process.parent.args:(/usr/bin/qemu-aarch64-static or /usr/sbin/weak-modules or /usr/share/initramfs-tools/hooks/ntfs_3g or /var/tmp/rpm-tmp*)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -108,8 +112,8 @@ framework = "MITRE ATT&CK"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.parent.name"]
value = ["agent.id", "process.parent.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
value = "now-5d"
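Review bot: `usr/lib/python3/dist-packages/*` in the rewritten exclusion group (`/var/tmp/portage/* or usr/lib/python3/dist-packages/*`) is missing its leading `/`; every other pattern in that `not (...)` group is an absolute path, so as written the term can only match a `process.args` value that literally starts with `usr/`, and the intended `/usr/lib/python3/dist-packages/*` exclusion never fires. The fix is the one-character change `/var/tmp/portage/* or /usr/lib/python3/dist-packages/*`. The `process.args:(` group this belongs to opens in the previous hunk.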
@@ -2,7 +2,7 @@
creation_date = "2025/04/29"
integration = ["endpoint", "crowdstrike"]
maturity = "production"
updated_date = "2025/10/17"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -56,9 +56,9 @@ Kernel features in Linux systems are critical for maintaining security and stabi
- Escalate the incident to the security operations center (SOC) or relevant security team for further investigation and correlation with other potential threats across the network.
- Review and update security policies and configurations to prevent unauthorized kernel modifications, including enforcing stricter access controls and auditing procedures.
"""
risk_score = 21
risk_score = 47
rule_id = "3aff6ab1-18bd-427e-9d4c-c5732110c261"
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -89,9 +89,19 @@ process.command_line : (
(process.name == "grep" and process.args_count == 3 and not process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")) or
(process.name == "sysctl" and process.args like ("*-w*", "*--write*", "*=*")) or
(process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and process.args : "*echo *")
) and
not (
process.parent.executable in (
"/opt/novell/groupwise/agents/bin/gwia", "/opt/novell/groupwise/agents/bin/gwmta", "/opt/novell/groupwise/agents/bin/gwpoa",
"/opt/illumio_ven/system/etc/init.d/illumio-firewall", "/usr/bin/oracle-database-preinstall-19c-verify", "/usr/bin/make",
"/usr/local/qualys/cloud-agent/bin/qualys-scan-util"
) or
process.parent.executable like "/tmp/CVU_19_resource*/checkmemlock.sh" or
process.parent.args == "/usr/share/mysql/mysql-systemd-start" or
process.parent.command_line like "*ansible*" or
(process.parent.name in ("crond", "cron") and process.command_line like "*drop_caches*")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
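Review bot: `process.parent.command_line like "*ansible*"` in the new exclusion block is a substring match over the whole parent command line, so any parent whose arguments merely contain the word "ansible" — a file name, a path component, an unrelated option value — is excluded from a rule that otherwise keys on specific executables and parent names. If the intended producer is the Ansible runner, an anchored pattern on `process.parent.executable` or `process.parent.args` (the interpreter path plus the module path actually observed) is much narrower and still covers the legitimate case. The `process.command_line : (` block that opens this query is outside the hunk.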
@@ -2,7 +2,7 @@
creation_date = "2025/07/16"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2025/07/21"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -55,7 +55,7 @@ references = [
"https://github.com/m0nad/Diamorphine/blob/master/diamorphine.c#L302",
"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd",
]
risk_score = 47
risk_score = 73
rule_id = "cf307a5a-d503-44a4-8158-db196d99c9df"
setup = """## Setup
@@ -74,7 +74,7 @@ For this detection rule to trigger, the following additional audit rules are req
```
Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
"""
severity = "medium"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -2,7 +2,7 @@
creation_date = "2024/12/16"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -69,7 +69,11 @@ tags = [
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category:process and host.os.type:linux and event.type:start and event.action:exec and process.env_vars:*
event.category:process and host.os.type:linux and event.type:start and event.action:exec and process.env_vars:* and
not (
process.parent.executable:(/snap/* or "/opt/infraonagent/infraonwindowsagent" or "/worker/Capa/capa") or
process.parent.name:"cmk-update-agent"
)
'''
note = """## Triage and analysis
@@ -149,4 +153,4 @@ value = ["process.env_vars"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-5d"
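Review bot: The new exclusion mixes a path prefix (`/snap/*`), two exact executables and a basename-only test, `process.parent.name:"cmk-update-agent"`; the basename entry is the only one a process satisfies just by its name, so pinning it to the observed executable path, consistent with the two quoted entries, is preferable. `/snap/*` also removes every snap-confined parent from a new-terms baseline on `process.env_vars`, which is a large carve-out worth a sentence in the rule's `note` outside this hunk. The query closes at the `'''` line inside the hunk.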
@@ -2,7 +2,7 @@
creation_date = "2025/03/11"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/07/02"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -51,7 +51,7 @@ In Linux environments, the `/var/log` directory is crucial for storing system lo
- Escalate the incident to the security operations team for further analysis and to determine if additional systems are compromised.
- Update and enhance monitoring rules to detect similar suspicious activities in the future, focusing on process execution from insecure locations and unauthorized file creation in critical directories.
"""
risk_score = 21
risk_score = 47
rule_id = "ddf26e25-3e30-42b2-92db-bde8eb82ad67"
setup = """## Setup
@@ -78,7 +78,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -93,48 +93,49 @@ tags = [
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category:file and host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and
(process.executable:(/tmp/* or /var/tmp/* or /dev/shm/* or ./* or /boot/*) or process.name:.*) and
file.path:/var/log/* and not file.extension:*
file.path:/var/log/* and not file.extension:* and
not process.executable:("./usr/bin/podman" or "./install" or /tmp/vmis.*/install/vmware-installer/vmis-launcher or /tmp/ubuntu-release-upgrader-*)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.001"
name = "Hidden Files and Directories"
reference = "https://attack.mitre.org/techniques/T1564/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -146,8 +147,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["file.path", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
value = "now-5d"
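Review bot: `"./install"` in the new `not process.executable:(...)` exclusion carves a generic relative name straight out of the rule's own trigger, since the positive condition two lines above still includes `process.executable:./*`; any relative invocation named `install` that creates an extension-less file under `/var/log` is now ignored regardless of where it was launched from or by whom, and `"./usr/bin/podman"` has the same shape. If these came from a specific installer, exclude on its parent executable or `process.working_directory` instead, or at least keep relative entries out of a rule whose premise is execution from relative and temporary locations. The query starts inside this hunk and ends at the `'''` line.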