diff --git a/rules/linux/defense_evasion_hidden_directory_creation.toml b/rules/linux/defense_evasion_hidden_directory_creation.toml index 3af9e9052..59a908829 100644 --- a/rules/linux/defense_evasion_hidden_directory_creation.toml +++ b/rules/linux/defense_evasion_hidden_directory_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/01" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
@@ -98,39 +98,40 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "exec_event") and process.name == "mkdir" and process.parent.executable like ( "/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/run/*", "/root/*", "/boot/*", "/var/www/html/*", "/opt/.*" -) and process.args like (".*", "/*/.*") and process.args_count <= 3 and not ( - process.parent.executable like ("/tmp/newroot/*", "/run/containerd/*") or +) and process.args like (".*", "/*/.*") and process.args_count <= 3 and +not ( process.command_line like ("mkdir -p .", "mkdir ./*") or - process.args == "/root/.ssh" or + process.args like ("/root/.ssh", "/home/*/.ssh", "/root/.cache/install4j") or process.parent.executable like ( - "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img", "/tmp/snap.rootfs_*" - ) + "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img", "/tmp/snap.rootfs_*", + "/root/.acme.sh/acme.sh", "/tmp/buildpacks/*go/bin/test-compile", "/tmp/newroot/*", "/run/containerd/*" + ) or + process.parent.name in ("libtool", "jpenable", "configure") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -138,4 +139,3 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
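Review bot: The `process.parent.name in ("libtool", "jpenable", "configure")` exclusion added as the last branch of the `not (...)` group keys on the parent's basename alone, while every other exclusion in this hunk is anchored to a path; since the rule already restricts the parent to world-writable and staging directories, a parent named `configure` under `/tmp` is precisely the population the rule is meant to examine, so pairing the name with a `process.parent.args` or `process.working_directory` pattern would make the exception harder to satisfy by accident. The widened `process.args like ("/root/.ssh", "/home/*/.ssh", ...)` branch now exempts creation of any user's `.ssh` directory by a parent running from `/tmp`, `/dev/shm` or similar, which is a common precursor to SSH-key persistence; if another rule is expected to catch that step, a sentence in `note` saying so would keep the hand-off explicit.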
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index ab2a7a74d..bb71c416c 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Creation of Hidden Files and Directories via CommandLine" -risk_score = 47 +risk_score = 21 rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae" setup = """## Setup @@ -65,7 +65,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). """ -severity = "medium" +severity = "low" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -80,9 +80,10 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and -not process.name in ( - "ls", "find", "grep", "git", "jq", "basename", "check_snmp", "snmpget", "snmpwalk", "cc1plus", "snap", - "command-not-found", "sqlite", "apk", "fgrep", "locate", "objdump" +process.name like ( + "touch", "tee", "cp", "mv", "install", "dd", "vi", "vim", "nano", "truncate", "sed", "awk", "curl", "wget", + "ftp", "scp", "rsync", "sftp", "tar", "unzip", "gunzip", "7z", "bzip2", "xz", "python*", "php*", "perl*", + "ruby*", "node*", "java", "printf", "echo", "cat", ".*" ) ''' note = """## Triage and analysis diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index 5bcb15995..2dbabdf80 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/20" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
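Review bot: The new `process.name like (...)` allow-list does not include `mkdir` (nor `ln`), so `mkdir .hidden` run from `/tmp`, `/var/tmp` or `/dev/shm` no longer fires here even though `name` still promises hidden *directory* creation; the sibling rule in defense_evasion_hidden_directory_creation.toml only covers the case where the parent executable itself lives under such a path, so this reads as a coverage gap rather than an intended hand-off. Either add `"mkdir"` to the list or narrow `name` to files. The trailing `".*"` entry only matches a process whose own name starts with a dot, which is reasonable but easy to misread as a catch-all, so it deserves a line in `note`.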
@@ -106,28 +106,26 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and -not process.name in ("dockerd", "azcopy", "podman") +file where host.os.type == "linux" and event.type == "creation" and +(file.extension == "so" or file.name like "*.so.*") and file.name : ".*.so" and +not process.name in ("dockerd", "azcopy", "podman", "opencode") and not file.name like "._*" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml index 8e0bd45db..46ad1a215 100644 --- a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml +++ b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -15,7 +15,8 @@ index = ["logs-endpoint.events.process*"] language = "kuery" license = "Elastic License v2" name = "Unusual Interactive Shell Launched from System User" -risk_score = 21 +references = ["https://www.elastic.co/security-labs/continuation-on-persistence-mechanisms"] +risk_score = 47 rule_id = "9c5b2382-19d2-4b5d-8f14-9e1631a3acdb" setup = """## Setup 
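Review bot: The new `file.name like "*.so.*"` alternative on the second query line is dead, because the same line still requires `file.name : ".*.so"`, which only accepts names ending in `.so`; a versioned hidden library such as `.libfoo.so.1` passes the new branch and is then rejected by the old one, so versioned names remain undetected. Fold both into one pattern list that keeps the leading-dot requirement, `file.name like~ (".*.so", ".*.so.*") and`, and drop the `file.extension == "so"` check, which that pattern already implies. The `not file.name like "._*"` exclusion (presumably for `._` metadata sidecar files) is fine as written.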
@@ -44,7 +45,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", @@ -52,7 +53,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Resources: Investigation Guide" - ] +] timestamp_override = "event.ingested" type = "new_terms" query = ''' @@ -65,11 +66,22 @@ event.category:process and host.os.type:linux and event.type:start and event.act process.parent.name:( apt-key or apt-config or gpgv or gpgconf or man-db.postinst or sendmail or rpm or nullmailer-inject ) or - process.args:(/etc/apt/trusted.gpg.d/* or /tmp/apt-key-gpg*) or + process.args:(/etc/apt/trusted.gpg.d/* or /tmp/apt-key-gpg* or "/usr/bin/dnf") or process.name:(awk or apt-config or dpkg or grep or gpgv or sed) or (user.name:_apt and process.name:(sqv or apt-key or gpgconf or sort or mktemp or find or cmp or gpg-connect-agent)) or (user.name:man and process.name:mandb) or - (user.name:daemon and process.name:at) + (user.name:daemon and process.name:at) or + process.parent.args:("/usr/bin/apt-key" or "/var/lib/dpkg/info/man-db.postinst") or + process.parent.executable:( + "/usr/lib/polkit-1/polkitd" or "./runc" or "/usr/bin/apt-get" or "/opt/gitlab/embedded/bin/bundle" or "/run/podman-init" or + /tmp/newroot/* or /var/lib/docker/overlay2/* or /usr/libexec/platform-python* + ) or + process.parent.command_line:"runc init" or + process.executable:( + "/opt/gitlab/embedded/bin/bundle" or "/usr/bin/env" or "/usr/bin/readlink" or "/usr/bin/date" or "/usr/bin/dircolors" or + "/usr/sbin/sendmail" or "/usr/bin/atrm" or "/usr/bin/atq" or "/run/podman-init" or "/usr/bin/basename" or "/usr/bin/locale" or + "/usr/bin/tr" + ) ) ''' note = """## Triage and analysis 
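Review bot: The `process.parent.executable:(... /tmp/newroot/* or /var/lib/docker/overlay2/* ...)` entries added in the `@@ -65,11 +66,22 @@` hunk take every parent inside a Docker overlay layer or a `/tmp/newroot` chroot out of scope, which is where a system-user shell spawned in a compromised container would appear; the rest of that list names specific binaries, so these two wildcard entries deserve either a narrower shape (the specific parent names observed) or a sentence in `note` stating that containerised parents are out of scope for this rule. `"./runc"` as a relative executable value looks copied from observed events and is worth confirming against what the data source actually reports. The start of the query is outside this hunk.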
@@ -108,6 +120,7 @@ In Linux environments, system users are typically non-interactive and serve spec - Implement stricter access controls and monitoring for system user accounts to prevent unauthorized interactive shell launches in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Update detection mechanisms and rules to enhance monitoring for similar threats, ensuring that any future attempts are quickly identified and addressed.""" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -132,4 +145,4 @@ value = ["process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-14d" +value = "now-5d" diff --git a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml index b71dd1ee3..711f24af8 100644 --- a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml +++ b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -52,7 +52,7 @@ Base64 encoding is a method to encode binary data into ASCII text, often used fo - Implement enhanced monitoring and logging for base64 decoding activities and interpreter executions to detect similar threats in the future. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if broader organizational impacts exist. """ -risk_score = 47 +risk_score = 73 rule_id = "5bdad1d5-5001-4a13-ae99-fa8619500f1a" setup = """## Setup 
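Review bot: The `value = "now-5d"` change under `[[rule.new_terms.history_window_start]]` shortens the new-terms baseline from 14 to 5 days with no recorded rationale, and the same shortening (7d to 5d) appears later in this commit in defense_evasion_kill_command_executed.toml and defense_evasion_ld_preload_cmdline.toml; with a 5-day window any `process.executable` last seen six or more days earlier is reported as new again, so alert volume rises at the same time this rule's risk_score is raised to 47. If the intent is faster re-baselining after the new exclusions, a comment above the key such as `# 5-day baseline chosen deliberately (re-baseline after exclusion changes)` would keep the next tuner from reverting it.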
@@ -79,7 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", @@ -106,9 +106,18 @@ sequence by host.id, process.parent.entity_id with maxspan=3s )] [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.name like~ ( "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl*", "ruby*", "lua*", "php*" - )] + ) and + not ( + ?process.parent.command_line in ("bash ./run_tests.sh unit-integration", "/bin/sh /var/lib/dpkg/info/nmap-common.postinst configure") or + process.command_line == "/usr/bin/perl /usr/bin/shasum -a 256" or + ?process.working_directory like ( + "/usr/local/zeek", "/opt/zeek", "/var/lib/docker/overlay2/*/opt/zeek", "/usr/local/zeek_old_install", + "/var/lib/docker/overlay2/*/usr/local/zeek", "/proc/self/fd/*/usr/local/zeek" + ) or + (?process.parent.name == "zsh" and ?process.parent.command_line like "*extendedglob*") or + (process.name like "python*" and ?process.parent.name == "python*") + )] ''' - [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/defense_evasion_journalctl_clear_logs.toml b/rules/linux/defense_evasion_journalctl_clear_logs.toml index 9d565e544..093b7354d 100644 --- a/rules/linux/defense_evasion_journalctl_clear_logs.toml +++ b/rules/linux/defense_evasion_journalctl_clear_logs.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/01" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/10/06" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
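Review bot: The last exclusion in the new `not (...)` group, `(process.name like "python*" and ?process.parent.name == "python*")`, compares `process.parent.name` with `==`, which in EQL is an exact string comparison with no wildcard expansion, so it only matches a parent literally named `python*` and the exclusion never applies; the intended test is `(process.name like "python*" and ?process.parent.name like "python*")`. The `?process.working_directory like (...)` list above it mixes exact paths with globbed ones, which works but is worth a glance to confirm the exact entries are not meant to be prefixes. The `sequence` header and the first sequence stage are outside this hunk.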
@@ -55,7 +55,7 @@ This detection flags attempts to purge systemd journal logs by invoking journalc - Preserve evidence by archiving remaining /var/log/journal entries, journald.conf and its mtime, modified unit files under /etc/systemd/system, and shell/auth logs, and capture a disk snapshot before making further changes. - Escalate to incident response if root executed "journalctl --vacuum-time/size/files" outside a documented maintenance window, if Storage=volatile was set or retention reduced below policy, or if the same actor performed vacuums on multiple hosts within 24 hours. """ -risk_score = 21 +risk_score = 47 rule_id = "09073bf4-a8ea-4bce-9fd5-2bb56b4d31f4" setup = """## Setup @@ -82,7 +82,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", @@ -100,7 +100,8 @@ type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and -process.name == "journalctl" and process.args like ("--vacuum-time=*", "--vacuum-size=*", "--vacuum-files=*") +process.name == "journalctl" and process.args like ("--vacuum-time=*", "--vacuum-size=*", "--vacuum-files=*") and +not process.parent.args == "/etc/cron.daily/clean-journal-logs" ''' [[rule.threat]] diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index 2e6368d9f..b2f955b40 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml 
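Review bot: The new `not process.parent.args == "/etc/cron.daily/clean-journal-logs"` exclusion is keyed on a single argument value, so any parent whose arguments contain that path is exempt, not just the daily cron run, and the rule's own `note` asks responders to escalate root-run vacuums outside a maintenance window, which this exception silently pre-empts. If the intent is the cron job (run via the script's shebang shell, presumably), pairing it with the launching shell, e.g. `not (process.parent.name in ("sh", "bash") and process.parent.args == "/etc/cron.daily/clean-journal-logs")`, and naming the exception in `note` keeps the triage guidance and the query consistent.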
@@ -2,7 +2,7 @@ creation_date = "2020/04/24" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -63,7 +63,7 @@ Kernel modules dynamically extend a Linux kernel's capabilities without rebootin - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign. - Implement enhanced monitoring and alerting for similar activities across the network to detect and respond to future attempts promptly.""" references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"] -risk_score = 47 +risk_score = 21 rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef" setup = """## Setup @@ -90,7 +90,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "low" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -104,50 +104,52 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "exec_event", "start", "ProcessRollup2") and - ( - process.name == "rmmod" or - (process.name == "modprobe" and process.args in ("--remove", "-r")) - ) and - process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") +event.action in ("exec", "exec_event", "start", "ProcessRollup2") and +( + process.name == "rmmod" or + (process.name == "modprobe" and process.args in ("--remove", "-r")) +) and +process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and +not ( + ?process.parent.args like "/var/tmp/rpm-tmp*" or + ?process.working_directory like~ ("/tmp/makeself*NVIDIA-Linux*", "/tmp/self*NVIDIA-Linux*") +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/defense_evasion_kill_command_executed.toml b/rules/linux/defense_evasion_kill_command_executed.toml index 3715847d7..68a5e17a6 100644 
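Review bot: The `?process.parent.args like "/var/tmp/rpm-tmp*"` exclusion added at the bottom of the query keys on a path under the world-writable `/var/tmp`, so the shell-plus-rmmod pattern the rule exists for is exempt whenever the parent shell's argument merely resembles an rpm scriptlet; the rule's parent-name condition (`sudo`, `bash`, `sh`, ...) does not help, because rpm scriptlets run through those same shells. No parent-of-parent field is available to tie the exception to rpm itself, so at minimum record it in `note` as a deliberate blind spot; the `/tmp/makeself*NVIDIA-Linux*` working-directory exclusion on the next line has the same shape and the same caveat, though it is at least tied to a vendor-specific layout.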
--- a/rules/linux/defense_evasion_kill_command_executed.toml +++ b/rules/linux/defense_evasion_kill_command_executed.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/29" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -92,10 +92,14 @@ query = ''' event.category:process and host.os.type:linux and event.type:start and event.action:exec and process.name:(kill or pkill or killall) and not ( process.args:("-HUP" or "-SIGUSR1" or "-USR2" or "-WINCH" or "-USR1") or - process.parent.command_line:"runc init" + process.parent.command_line:"runc init" or + process.parent.executable:( + "/usr/lib/systemd/systemd" or "/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent" or "/bin/xargs" or + "/usr/bin/xargs" or "/usr/bin/sudo" or "/usr/sbin/safe_asterisk" or "/usr/local/manageengine/uems_agent/bin/dcservice" or + "/lib/systemd/systemd" or "/opt/nessus_agent/sbin/nessuscli" or "/etc/rubrik/start_stop_bootstrap.sh" or + "/usr/local/manageengine/uems_agent/bin/dcpatchscan") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" @@ -148,4 +152,4 @@ value = ["host.id", "process.parent.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" +value = "now-5d" diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml index 6d36e1fdc..847734d39 100644 --- a/rules/linux/defense_evasion_kthreadd_masquerading.toml +++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
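Review bot: `"/usr/bin/sudo"` in the new `process.parent.executable:(...)` exclusion exempts every `sudo kill`, `sudo pkill` and `sudo killall` from the rule, and stopping an endpoint agent under sudo is a well-known defense-evasion step, so this entry removes the rule's most valuable signal; `/bin/xargs` and `/usr/bin/xargs` likewise exempt any piped `... | xargs kill`. If the noise came from particular admin scripts, exclude those via `process.parent.args` or `process.command_line` instead of the sudo and xargs parents, or keep the sudo entry only in combination with the signals already listed in `process.args`. The `query = '''` opening line is outside this hunk.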
@@ -56,7 +56,7 @@ In Linux environments, kernel processes like `kthreadd` and `kworker` typically - Update and patch the system to close any vulnerabilities that may have been exploited by the attacker, ensuring all software and security tools are up to date. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" references = ["https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/"] -risk_score = 21 +risk_score = 73 rule_id = "202829f6-0271-4e88-b882-11a655c590d4" setup = """## Setup @@ -84,7 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", @@ -98,33 +98,30 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.name : ("kworker*", "kthread*") and process.executable != null ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.004" name = "Masquerade Task or Service" reference = "https://attack.mitre.org/techniques/T1036/004/" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/linux/defense_evasion_ld_preload_cmdline.toml b/rules/linux/defense_evasion_ld_preload_cmdline.toml index 770cbee44..3ac927044 100644 --- a/rules/linux/defense_evasion_ld_preload_cmdline.toml +++ b/rules/linux/defense_evasion_ld_preload_cmdline.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -51,7 +51,7 @@ LD_PRELOAD and LD_LIBRARY_PATH are environment variables in Linux that influence - Implement stricter access controls and monitoring on the affected system to prevent unauthorized changes to environment variables. - Update and enhance detection rules to include additional indicators of compromise related to LD_PRELOAD and LD_LIBRARY_PATH misuse, ensuring future attempts are identified promptly. """ -risk_score = 21 +risk_score = 73 rule_id = "65613f5e-0d48-4b55-ad61-2fb9567cb1ad" setup = """## Setup @@ -78,7 +78,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -98,9 +98,16 @@ process.parent.name:(* and not ( nxrunner or nxserver or perl or rear or sapcontrol or setsid or spoold or sshd or steam or su or sudo or titanagent or vls_agent or zabbix_agentd )) and +not process.parent.executable:( + /tmp/CVU_19_resource*/exectask or /u01/app/oracle/*oracle/CVU_19_oracle*/exectask or "/opt/ds_agent/ds_agent" or + "/opt/McAfee/agent/scripts/ma" or "/usr/local/bin/AppProtection/BootTimeChecker" or "/usr/bin/gmake" or "./runc" or + "/usr/openv/db/bin/nbdb_unload" +) and +not process.parent.args:"/opt/McAfee/agent/scripts/ma" and process.name:(bash or csh or dash or fish or ksh or sh or tcsh or zsh) and process.args:-c and process.command_line:(*LD_LIBRARY_PATH=* or *LD_PRELOAD=*) ''' + [[rule.threat]] framework = "MITRE ATT&CK" @@ -161,4 +168,4 @@ value = ["process.parent.name", "process.command_line", "host.id"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" +value = "now-5d" diff --git a/rules/linux/defense_evasion_ld_so_creation.toml b/rules/linux/defense_evasion_ld_so_creation.toml index 53494415e..8559b7e01 100644 --- a/rules/linux/defense_evasion_ld_so_creation.toml +++ b/rules/linux/defense_evasion_ld_so_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/29" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
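Review bot: `/tmp/CVU_19_resource*/exectask` in the new `not process.parent.executable:(...)` list exempts a parent binary that lives under `/tmp`, the weakest possible anchor for an LD_PRELOAD rule whose severity this commit raises to high; the `/u01/app/oracle/*oracle/CVU_19_oracle*/exectask` entry on the same line (presumably the Oracle cluster verification utility) is a reasonable exclusion, but the `/tmp` copy should be tied to something less reproducible, such as a `process.parent.args` value specific to that run, or dropped. `"./runc"` as a relative executable value appears here and in defense_evasion_interactive_shell_from_system_user.toml; if it reflects how the data source reports runc it is worth a line in `note`, otherwise it is a no-op. The start of the query is outside this hunk.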
@@ -97,7 +97,8 @@ type = "eql" query = ''' file where host.os.type == "linux" and event.type == "creation" and process.executable != null and file.path like~ ("/lib/ld-linux*.so*", "/lib64/ld-linux*.so*", "/usr/lib/ld-linux*.so*", "/usr/lib64/ld-linux*.so*") and -not process.executable in ( +not ( + process.executable in ( "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", @@ -107,10 +108,14 @@ not process.executable in ( "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/libexec/platform-python", "/usr/lib/snapd/snap-update-ns", "./usr/bin/podman", "/usr/bin/crio", "/usr/bin/buildah", "/bin/dnf5", - "/usr/bin/dnf5", "/usr/bin/pamac" + "/usr/bin/dnf5", "/usr/bin/pamac", "/dev/fd/3" + ) or + process.executable like ( + "/snap/docker/*/bin/dockerd", "/usr/bin/python*", "/nix/store/*/docker/dockerd", "/var/lib/docker/overlay2/*/dockerd", + "/rpool/data/*usr/bin/dockerd" + ) ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index af7b10504..f0e1caa08 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
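Review bot: `"/usr/bin/python*"` in the new `process.executable like (...)` list exempts every Python interpreter from a rule whose sole purpose is to catch replacement of the dynamic loader; `dnf`, `yum` and `/usr/libexec/platform-python` are already listed individually, so if the noise comes from a Python-based package manager the exclusion should name it via `process.args` or `process.command_line` rather than the interpreter. `"/dev/fd/3"` added to the exact-match `in` list (the pre-existing `"/dev/fd/*"` entry there is a literal, not a glob, which is presumably why the specific descriptor was needed) exempts a process executing from an inherited file descriptor, a pattern also seen with fileless loaders; if it corresponds to a known packaging path, say which in `note`. The `not (` opened in the `@@ -97,7 +97,8 @@` hunk is closed only in the second hunk.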
@@ -109,43 +109,31 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -file where host.os.type == "linux" and event.type == "deletion" and - file.path : - ( - "/var/run/utmp", - "/var/log/wtmp", - "/var/log/btmp", - "/var/log/lastlog", - "/var/log/faillog", - "/var/log/syslog", - "/var/log/messages", - "/var/log/secure", - "/var/log/auth.log", - "/var/log/boot.log", - "/var/log/kern.log", - "/var/log/dmesg" - ) and - not process.name in ("gzip", "executor", "dockerd") +file where host.os.type == "linux" and event.type == "deletion" and file.path in ( + "/var/run/utmp", "/var/log/wtmp", "/var/log/btmp", "/var/log/lastlog", "/var/log/faillog", + "/var/log/syslog", "/var/log/messages", "/var/log/secure", "/var/log/auth.log", "/var/log/boot.log", + "/var/log/kern.log", "/var/log/dmesg" +) and not ( + process.name in ("gzip", "executor", "dockerd") or + (process.executable in ("/usr/bin/podman", "/dev/fd/3") and file.name == "lastlog") +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index e410da79c..debb67bae 100644 --- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
@@ -62,7 +62,7 @@ The 'hidepid' mount option in Linux allows users to restrict visibility of proce - Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and alerting for future attempts to use the 'hidepid' option, ensuring rapid detection and response.""" references = ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"] -risk_score = 47 +risk_score = 73 rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204" setup = """## Setup @@ -89,7 +89,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -103,25 +103,22 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "exec_event", "start", "executed", "process_started") and - process.name == "mount" and process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" and - not process.parent.command_line like "/opt/cloudlinux/*" +event.action in ("exec", "exec_event", "start", "executed", "process_started") and +process.name == "mount" and process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" and +not process.parent.command_line like "/opt/cloudlinux/*" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml b/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml index 8dfe7464b..14c9ecdfc 100644 --- a/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml +++ b/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/24" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -57,7 +57,7 @@ Base64 encoding is a common method to encode binary data into ASCII text, often - Review and update access controls and permissions for the directories involved to prevent unauthorized access and execution of potentially harmful scripts or binaries. """ -risk_score = 21 +risk_score = 47 rule_id = "03d856c2-7f74-4540-a530-e20af5e39789" setup = """## Setup 
@@ -84,7 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", @@ -109,7 +109,8 @@ sequence by process.parent.entity_id with maxspan=3s ) or process.working_directory like ( "/opt/microsoft/omsagent/plugin", "/opt/rapid7/ir_agent/*", "/tmp/newroot/*" - ) + ) or + (process.parent.name == "zsh" and process.parent.command_line like "*extendedglob*") )] [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.executable != null and process.name in ("base64", "base64plain", "base64url", "base64mime", "base64pem", "base32", "base16") and @@ -160,4 +161,4 @@ framework = "MITRE ATT&CK" [[rule.threat.technique.subtechnique]] name = "Malicious File" id = "T1204.002" - reference = "https://attack.mitre.org/techniques/T1204/002/" \ No newline at end of file + reference = "https://attack.mitre.org/techniques/T1204/002/" diff --git a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml index 2777a1f29..5d6ba4ecf 100644 --- a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml +++ b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/19" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/07/21" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
@@ -60,7 +60,7 @@ Kubectl is a command-line tool for interacting with Kubernetes clusters, allowin - Escalate the incident to the security operations team for a comprehensive review and to determine if additional security measures or incident response actions are required. - Implement additional logging and monitoring for kubectl commands and Kubernetes API interactions to enhance detection capabilities for similar threats in the future. """ -risk_score = 21 +risk_score = 47 rule_id = "3c6685eb-9eaa-43a4-be1b-a7f9f1f5e63d" setup = """## Setup @@ -87,7 +87,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "Domain: Container", @@ -113,7 +113,8 @@ process.name == "kubectl" and ( process.parent.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/home/*") or process.parent.name like (".*", "*.sh") ) -) and process.args like~ ("--kubeconfig*", "--token*", "--as*", "--as-group*", "--as-uid*") +) and process.args like~ ("--kubeconfig*", "--token*", "--as*", "--as-group*", "--as-uid*") and +not process.parent.args like ("/snap/microk8s/*/apiservice-kicker", "/snap/microk8s/*/microk8s-start.wrapper") ''' [[rule.threat]] diff --git a/rules/linux/defense_evasion_potential_kubectl_masquerading.toml b/rules/linux/defense_evasion_potential_kubectl_masquerading.toml index 46eebff5b..811f56269 100644 --- a/rules/linux/defense_evasion_potential_kubectl_masquerading.toml +++ b/rules/linux/defense_evasion_potential_kubectl_masquerading.toml 
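Review bot: `not process.parent.args like ("/snap/microk8s/*/apiservice-kicker", "/snap/microk8s/*/microk8s-start.wrapper")` is matched against every element of the parent's argument array, so the snap path only has to appear as some argument, not be the script actually executed: a wrapper run as `bash /tmp/run.sh /snap/microk8s/0/apiservice-kicker` that then invokes `kubectl --token ...` satisfies the `/tmp/*` parent branch and is still excluded, and the path does not even need to exist. Anchoring at the start of the parent command line, e.g. `not process.parent.command_line like "/bin/bash /snap/microk8s/*/apiservice-kicker"` (adjusted to whichever interpreter the snap actually uses), forces the root-owned snap script to be argv[1]. The `query` opening is outside the hunk.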
@@ -2,7 +2,7 @@ creation_date = "2025/06/19" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/07/07" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -60,7 +60,7 @@ Kubectl is a command-line tool for interacting with Kubernetes clusters, crucial - Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been affected. """ references = ["https://kubernetes.io/docs/reference/kubectl/"] -risk_score = 21 +risk_score = 47 rule_id = "2388c687-cb2c-4b7b-be8f-6864a2385048" setup = """## Setup @@ -87,7 +87,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "Domain: Container", @@ -107,7 +107,7 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "executed", "process_started") and ( - process.executable like~ ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/var/www/*", "./kubectl", "/home/*/kubectl") or + process.executable like~ ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", "/var/www/*", "./kubectl") or process.name like ".*" ) and process.command_line like~ ( diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml index 81f8afa2c..1761b6363 100644 --- a/rules/linux/defense_evasion_potential_proot_exploits.toml +++ b/rules/linux/defense_evasion_potential_proot_exploits.toml 
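Review bot: Removing `"/home/*/kubectl"` from the `process.executable like~` list means a kubectl binary staged anywhere under a user's home directory now only fires if it is dot-prefixed or lands in one of the remaining paths, which drops one of the more common staging locations from a masquerading rule at the same time as its severity is raised to medium. If the noise came from user-local installs, keeping `"/home/*/kubectl"` and carving out the known install locations instead, e.g. `not process.executable like ("/home/*/.local/bin/kubectl", "/home/*/bin/kubectl", "/home/*/go/bin/kubectl")`, would preserve coverage; the exact false-positive paths are not visible here. The `process.command_line like~` clause that completes the query is outside the hunk.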
@@ -2,7 +2,7 @@ creation_date = "2023/03/07" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -61,7 +61,7 @@ PRoot is a versatile tool that emulates a chroot-like environment, allowing user - Implement enhanced monitoring for PRoot activity across the environment to detect any future unauthorized use. This includes setting up alerts for any process executions with PRoot as the parent process. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" references = ["https://proot-me.github.io/"] -risk_score = 47 +risk_score = 73 rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0" setup = """## Setup @@ -88,7 +88,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", @@ -102,23 +102,20 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.parent.name == "proot" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1211" name = "Exploitation for Defense Evasion" reference = "https://attack.mitre.org/techniques/T1211/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/linux/defense_evasion_prctl_process_name_tampering.toml b/rules/linux/defense_evasion_prctl_process_name_tampering.toml index 78132ea66..12d0ba4e5 100644 --- a/rules/linux/defense_evasion_prctl_process_name_tampering.toml +++ b/rules/linux/defense_evasion_prctl_process_name_tampering.toml @@ -2,15 +2,16 @@ creation_date = "2025/01/09" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2025/12/18" [rule] author = ["Elastic"] description = """ -This rule leverages Auditd data to detect the use of the `prctl` syscall to potentially hide a process -by changing its name. The `prctl` syscall is used to control various process attributes. Attackers can use -this syscall to change the name of a process to a hidden directory or file, making it harder to detect. The query -looks for the `prctl` syscall with the `PR_SET_NAME` argument set to `f` (PR_SET_NAME is used to set the name of a process). +This rule leverages Auditd data to detect the use of the "prctl" syscall to potentially hide a process +by changing its name. The "prctl" syscall is used to control various process attributes. Attackers can use +this syscall to change the name of a process to a hidden directory or file, making it harder to detect. The +query looks for the "prctl" syscall with the "PR_SET_NAME" argument set to "f" (PR_SET_NAME is used to set +the name of a process). """ from = "now-9m" index = ["logs-auditd_manager.auditd-*", "auditbeat-*"] @@ -22,7 +23,7 @@ references = [ "https://haxrob.net/hiding-in-plain-sight-part-2/", "https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd", ] -risk_score = 47 +risk_score = 73 rule_id = "fef62ecf-0260-4b71-848b-a8624b304828" setup = """## Setup 
@@ -48,7 +49,7 @@ However, if more advanced configuration is required to detect specific behavior, - For this detection rule the following additional audit rules are required to be added to the integration: -- "-a exit,always -F arch=b64 -S prctl -k prctl_detection" """ -severity = "medium" +severity = "high" tags = [ "Data Source: Auditd Manager", "Domain: Endpoint", @@ -64,7 +65,8 @@ process where host.os.type == "linux" and auditd.data.syscall == "prctl" and aud process.executable like ( "/boot/*", "/dev/shm/*", "/etc/cron.*/*", "/etc/init.d/*", "/var/run/*", "/etc/update-motd.d/*", "/tmp/*", "/var/log/*", "/var/tmp/*", "/home/*", "/run/shm/*", "/run/*", "./*" -) +) and +not process.executable like ("/home/*/.vscode-server/*", "/tmp/VeeamAgent*", "/home/*/.xmonad/xmonad*linux*") ''' note = """## Triage and analysis diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index 1df9ba7d1..42658fe2b 100644 --- a/rules/linux/defense_evasion_rename_esxi_files.toml +++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
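Review bot: The new exclusions `"/tmp/VeeamAgent*"`, `"/home/*/.vscode-server/*"` and `"/home/*/.xmonad/xmonad*linux*"` live in world- or user-writable locations, so for a rule this change rates high any unprivileged user can exempt a binary simply by naming it `/tmp/VeeamAgentX` or dropping it under `~/.vscode-server/`. These are precisely the paths the rule's own include list (`/tmp/*`, `/home/*`) treats as suspicious, which makes a bare path exclusion self-defeating. If the Veeam and VS Code activity has to be tuned out, pin the carve-out on a second attribute the attacker does not control, such as the root-owned parent executable that launches those agents or the process user, rather than on the executable path alone. The `query` opening is outside the hunk.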
@@ -57,11 +57,18 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -file where host.os.type == "linux" and event.action == "rename" and -file.Ext.original.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") -and not file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") +file where host.os.type == "linux" and event.action == "rename" and ( + file.Ext.original.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") or + (file.name == "index.html" and file.Ext.original.path like "/usr/lib/vmware/*") +) +and not ( + file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") or + process.executable like ( + "/usr/sbin/gdm", "/usr/share/dotnet/dotnet", "/usr/bin/dotnet", "/usr/sbin/apache2", + "/var/lib/docker/overlay2/*/usr/bin/dotnet", "/usr/lib/3cxpbx/3cxSystemService" + ) +) ''' note = """## Triage and analysis @@ -99,22 +106,20 @@ VMware ESXi files are critical for virtual machine operations, storing configura - Implement additional monitoring on the affected system and similar environments to detect any further attempts at file masquerading or other suspicious activities. - Review and update access controls and permissions for VMware ESXi files to ensure only authorized users have the ability to rename or modify these files.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename Legitimate Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
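Review bot: The new `process.executable like (...)` exclusion is applied to the whole rule, so a `.vmdk`/`.vmx` rename performed by `/usr/sbin/apache2`, `/usr/share/dotnet/dotnet` or `/var/lib/docker/overlay2/*/usr/bin/dotnet` no longer fires, even though those processes presumably only generated noise on the newly added `index.html` branch. The overlay2 path is particularly weak as a global exclusion because any container image can place a binary at `/usr/bin/dotnet` inside its layer. Scoping the executable exclusions to the `index.html` branch keeps the VM-file branch as strict as it was before this change; the rewrite below does that without altering either match set.
```toml
file where host.os.type == "linux" and event.action == "rename" and (
  (
    file.Ext.original.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") and
    not file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem")
  ) or
  (
    file.name == "index.html" and file.Ext.original.path like "/usr/lib/vmware/*" and
    not process.executable like (
      "/usr/sbin/gdm", "/usr/share/dotnet/dotnet", "/usr/bin/dotnet", "/usr/sbin/apache2",
      "/var/lib/docker/overlay2/*/usr/bin/dotnet", "/usr/lib/3cxpbx/3cxSystemService"
    )
  )
)
```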
diff --git a/rules/linux/defense_evasion_rename_esxi_index_file.toml b/rules/linux/defense_evasion_rename_esxi_index_file.toml index e4bccb44a..a69198686 100644 --- a/rules/linux/defense_evasion_rename_esxi_index_file.toml +++ b/rules/linux/defense_evasion_rename_esxi_index_file.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ from = "now-9m" index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" -name = "Suspicious Renaming of ESXI index.html File" +name = "Deprecated - Suspicious Renaming of ESXI index.html File" references = [ "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/", ] @@ -57,7 +57,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and file.Ext.original.path : "/usr/lib/vmware/*" 
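Review bot: Prefixing `name` with `Deprecated - ` does not retire the rule: the `@@ -2,7 +2,7 @@` context in this same file still shows `maturity = "production"`, the file stays under `rules/linux/`, and nothing in the diff points at the rule that now covers this case (the `index.html` branch added to `defense_evasion_rename_esxi_files.toml` in this changeset). If this repository follows the usual detection-rules deprecation flow, the file should also carry `maturity = "deprecated"` and a `deprecation_date`, and the description or `note` should name the replacement so analysts holding existing alerts know where to look. Only the `name` and whitespace hunks are visible here; the rest of the rule body is outside them.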
@@ -67,7 +66,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Suspicious Renaming of ESXI index.html File +### Investigating Deprecated - Suspicious Renaming of ESXI index.html File VMware ESXi hosts use the index.html file within their web interface for management tasks. Adversaries may rename this file to evade detection or to replace it with a malicious version, facilitating unauthorized access or data exfiltration. The detection rule monitors Linux systems for renaming actions targeting this file in the VMware directory, flagging potential defense evasion attempts by correlating file path and event actions. @@ -98,22 +97,20 @@ VMware ESXi hosts use the index.html file within their web interface for managem - Implement additional monitoring on the affected host and similar systems to detect any further attempts to rename or modify critical files. - Review and update access controls and permissions on the VMware ESXi host to ensure that only authorized personnel have the ability to modify critical system files.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename Legitimate Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_root_certificate_installation.toml b/rules/linux/defense_evasion_root_certificate_installation.toml index 4b24678e1..a74521cfc 100644 
--- a/rules/linux/defense_evasion_root_certificate_installation.toml +++ b/rules/linux/defense_evasion_root_certificate_installation.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -96,7 +96,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and process.name in ("update-ca-trust", "update-ca-certificates") and not ( @@ -105,26 +104,31 @@ process.name in ("update-ca-trust", "update-ca-certificates") and not ( "ipa-client-install", "su", "platform-python", "python*", "kesl", "execd", "systemd", "flock" ) or process.parent.args like "/var/tmp/rpm*" or - (process.parent.name in ("sh", "bash", "zsh") and process.args == "-e") + (process.parent.name in ("sh", "bash", "zsh") and process.args == "-e") or + process.parent.executable in ( + "/app/update-cert-trust.sh", "/opt/puppetlabs/puppet/bin/puppet", "/opt/puppetlabs/puppet/bin/ruby", + "/start-haproxy", "/usr/bin/entrypoint.sh", "/usr/bin/crun" + ) or + process.parent.args like ( + "/entrypoint.sh", "/entrypoint", "./bootstrap-RHEL*", "lib/apk/exec/ca-certificates-*trigger" + ) or + ?process.working_directory == "/var/lib/rancher" ) ''' - - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" reference = "https://attack.mitre.org/techniques/T1553/" + [[rule.threat.technique.subtechnique]] id = "T1553.004" name = "Install Root Certificate" reference = "https://attack.mitre.org/techniques/T1553/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
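Review bot: Several of the new carve-outs are conditions an adversary who is already root (which `update-ca-certificates`/`update-ca-trust` require) can satisfy trivially: `?process.working_directory == "/var/lib/rancher"` is defeated by `cd /var/lib/rancher && update-ca-certificates`, `process.parent.args like ("/entrypoint.sh", "/entrypoint", ...)` matches that string in any argument position of any parent, and `/app/update-cert-trust.sh`, `/start-haproxy`, `/usr/bin/entrypoint.sh` are paths any container image or dropped script can occupy. Excluding `/usr/bin/crun` as the parent additionally silences every CA install performed directly by a container's init process, which is one of the places a rogue root CA is most likely to be planted. Consider restricting the container carve-outs to the image-level process tree you actually observed (e.g. combining the entrypoint path with `process.parent.executable` or a container identifier) and dropping the working-directory test, which carries no attacker-independent signal. The `query` opening is outside the hunk.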
diff --git a/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml b/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml index c22640094..6d4b69020 100644 --- a/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml +++ b/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -93,28 +93,31 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event") -and file.path : "/etc/selinux/config" and not process.name in ("dockerd", "platform-python") +and file.path : "/etc/selinux/config" and not ( + process.name in ("dockerd", "platform-python") or + process.executable like ( + "/usr/libexec/platform-python*", "/dev/fd/3", "/usr/bin/podman", "/usr/local/cpanel/3rdparty/perl/*/bin/perl", + "/kaniko/executor", "/usr/lib/systemd/systemd", "/usr/bin/insights-client", "/bin/podman" + ) +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_ssl_certificate_deletion.toml b/rules/linux/defense_evasion_ssl_certificate_deletion.toml index 22da99582..d5ec0c2be 100644 --- a/rules/linux/defense_evasion_ssl_certificate_deletion.toml +++ b/rules/linux/defense_evasion_ssl_certificate_deletion.toml 
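Review bot: Excluding `"/dev/fd/3"` as `process.executable` whitelists fileless execution: a binary launched from an open descriptor (memfd/`fexecve`-style loaders report exactly this kind of path) writing `/etc/selinux/config` is among the most suspicious shapes this rule could see, and after this change it is silently dropped. The same list also exempts `/kaniko/executor`, a root-level path that any container image or attacker can create. If a legitimate installer really does run from `/dev/fd/3`, pin it on its parent (e.g. `process.parent.executable` of the package manager observed) rather than on the descriptor path, and keep `/kaniko/executor` only in combination with a container-scoped attribute. The `query` opening is outside the hunk.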
@@ -2,7 +2,7 @@ creation_date = "2024/08/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -90,45 +90,50 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -file where host.os.type == "linux" and event.type == "deletion" and file.path : "/etc/ssl/certs/*" and -file.extension in ("pem", "crt") and not process.name in ("dockerd", "pacman") +file where host.os.type == "linux" and event.type == "deletion" and process.executable != null and +file.path : "/etc/ssl/certs/*" and file.extension in ("pem", "crt") and +not ( + process.name in ("dockerd", "pacman") or + process.executable in ( + "/kaniko/executor", "/usr/sbin/update-ca-certificates", "/usr/bin/gnurm", "/usr/bin/podman", + "/usr/local/bin/executor", "/opt/kaniko/executor", "/.envbuilder/bin/envbuilder", "/opt/kaspersky/kesl/libexec/kesl" + ) +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" - [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" reference = "https://attack.mitre.org/techniques/T1553/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml index 906fb6741..215cc1c7e 100644 
--- a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml +++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -55,9 +55,9 @@ Tmux and screen are terminal multiplexers that allow users to manage multiple te - Escalate the incident to the security operations team for further investigation and to determine if additional systems are compromised. - Implement network monitoring to detect any unusual outbound connections or data exfiltration attempts from the affected host. - Update and enhance detection rules to include additional suspicious command patterns or behaviors observed during the investigation.""" -risk_score = 21 +risk_score = 47 rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89" -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", @@ -71,7 +71,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and @@ -81,17 +80,15 @@ process where host.os.type == "linux" and event.type == "start" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_suspicious_path_mounted.toml b/rules/linux/defense_evasion_suspicious_path_mounted.toml index 0fd897bdb..33accceab 100644 --- a/rules/linux/defense_evasion_suspicious_path_mounted.toml +++ b/rules/linux/defense_evasion_suspicious_path_mounted.toml 
@@ -3,7 +3,7 @@ creation_date = "2025/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/07" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -52,7 +52,7 @@ In Linux environments, the mount command integrates filesystems, enabling access - Escalate the incident to the security operations team for further investigation and to assess the scope of the threat, including potential lateral movement or additional compromised systems. - Enhance monitoring and detection capabilities by configuring alerts for unusual mount activities and integrating threat intelligence feeds to identify similar tactics used by adversaries. """ -risk_score = 21 +risk_score = 47 rule_id = "68e90a9b-0eab-425e-be3b-902b0cd1fe9c" setup = """## Setup @@ -79,7 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -94,11 +94,18 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "mount" and process.args like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*", "/root/*", "/mount") and process.parent.executable != null and not ( - process.parent.executable like ("/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/sbin/*", "/usr/sbin/*", "/usr/local/sbin/*", "/usr/libexec/*") or + process.parent.executable like ( + "/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/sbin/*", "/usr/sbin/*", "/usr/local/sbin/*", "/usr/libexec/*", + "/usr/local/nutanix/ngt/*/python" + ) or + process.parent.executable in ( + "/usr/lib/uptrack/ksplice-apply", "/usr/lib/Acronis/BackupAndRecovery/mms", + "/usr/lib/Acronis/BackupAndRecovery/service_process-bin", "/usr/lib/systemd/systemd", "/etc/grub.d/10_linux_zfs", + "./tools/image-summary", "/nfsplugin", "/usr/share/ksplice/ksplice-apply", "/lib/systemd/systemd" + ) or process.parent.name == "snapd" ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml b/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml index ab72a2fd5..98789f0c8 100644 --- a/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml +++ b/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/07" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
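Review bot: `"./tools/image-summary"` in the new `process.parent.executable in (...)` list is a relative path, so any user can exempt themselves from this (now medium) rule by running their mount wrapper as `./tools/image-summary` from any directory; `"/nfsplugin"` at the filesystem root is likewise a path a container image or a root attacker can create at will. Relative executables are usually better handled with a second attribute — for example `process.parent.working_directory` or the parent's own parent — than with a bare name match. If `./tools/image-summary` is a known build tool, an exclusion such as `process.parent.executable == "./tools/image-summary" and process.parent.args like "/tmp/*"` scoped to the argument shape that tool actually uses would be harder to ride. The `query` opening is outside the hunk.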
@@ -70,7 +70,8 @@ tags = [ timestamp_override = "event.ingested" type = "new_terms" query = ''' -host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.parent.executable:* and +host.os.type:linux and event.category:process and event.type:start and event.action:exec and +process.parent.executable:(* and not (/bin/make or /sbin/weak-modules or /usr/bin/make or /usr/sbin/weak-modules)) and (process.name:ln or process.name:busybox and process.args:ln or process.name:cp and process.args:--symbolic-link) and process.args:( ( @@ -79,10 +80,13 @@ process.args:( ) and ( /*/.* or /dev/shm/* or /home/* or /root/* or /tmp/* or /var/tmp/* ) and - not (/usr/bin/coreutils or /tmp/mkinitcpio* or /var/tmp/dracut* or /var/tmp/mkinitramfs*) -) + not ( + /usr/bin/coreutils or /tmp/mkinitcpio* or /var/tmp/dracut* or /var/tmp/mkinitramfs* or /var/tmp/pamac-build* or + /var/tmp/portage/* or usr/lib/python3/dist-packages/* + ) +) and not +process.parent.args:(/usr/bin/qemu-aarch64-static or /usr/sbin/weak-modules or /usr/share/initramfs-tools/hooks/ntfs_3g or /var/tmp/rpm-tmp*) ''' - [[rule.threat]] framework = "MITRE ATT&CK" @@ -108,8 +112,8 @@ framework = "MITRE ATT&CK" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.parent.name"] +value = ["agent.id", "process.parent.name"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-10d" +value = "now-5d" diff --git a/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml b/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml index 78abee0c7..b1e0758e1 100644 --- a/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml +++ b/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2025/12/18" [rule] author = ["Elastic"] 
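Review bot: In the `@@ -79,10 +80,13 @@` hunk the new exclusion `usr/lib/python3/dist-packages/*` is missing its leading slash, unlike every neighbouring entry (`/var/tmp/pamac-build*`, `/var/tmp/portage/*`), so it only matches an argument that literally starts with `usr/...` and will not suppress symlinks into `/usr/lib/python3/dist-packages/` as it appears intended to. If the relative form was deliberate (dpkg hooks invoking `ln` from `/`), a short comment or both spellings, `/usr/lib/python3/dist-packages/* or usr/lib/python3/dist-packages/*`, would make that explicit. Separately, swapping the new-terms key from `host.id` to `agent.id` together with the shorter `now-5d` window means a re-enrolled or re-imaged agent re-baselines every parent name; that is fine, but worth a line in the rule `note`.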
@@ -56,9 +56,9 @@ Kernel features in Linux systems are critical for maintaining security and stabi - Escalate the incident to the security operations center (SOC) or relevant security team for further investigation and correlation with other potential threats across the network. - Review and update security policies and configurations to prevent unauthorized kernel modifications, including enforcing stricter access controls and auditing procedures. """ -risk_score = 21 +risk_score = 47 rule_id = "3aff6ab1-18bd-427e-9d4c-c5732110c261" -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", @@ -89,9 +89,19 @@ process.command_line : ( (process.name == "grep" and process.args_count == 3 and not process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")) or (process.name == "sysctl" and process.args like ("*-w*", "*--write*", "*=*")) or (process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and process.args : "*echo *") +) and +not ( + process.parent.executable in ( + "/opt/novell/groupwise/agents/bin/gwia", "/opt/novell/groupwise/agents/bin/gwmta", "/opt/novell/groupwise/agents/bin/gwpoa", + "/opt/illumio_ven/system/etc/init.d/illumio-firewall", "/usr/bin/oracle-database-preinstall-19c-verify", "/usr/bin/make", + "/usr/local/qualys/cloud-agent/bin/qualys-scan-util" + ) or + process.parent.executable like "/tmp/CVU_19_resource*/checkmemlock.sh" or + process.parent.args == "/usr/share/mysql/mysql-systemd-start" or + process.parent.command_line like "*ansible*" or + (process.parent.name in ("crond", "cron") and process.command_line like "*drop_caches*") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/defense_evasion_unsual_kill_signal.toml b/rules/linux/defense_evasion_unsual_kill_signal.toml index 2e5e79756..ea47d3195 100644 --- a/rules/linux/defense_evasion_unsual_kill_signal.toml +++ b/rules/linux/defense_evasion_unsual_kill_signal.toml 
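Review bot: `process.parent.command_line like "*ansible*"` excludes any parent whose command line contains the substring `ansible` anywhere, so `bash -c '#ansible; sysctl -w kernel.yama.ptrace_scope=0'` or a script simply named `ansible.sh` bypasses a rule this change raises to medium. `process.parent.executable like "/tmp/CVU_19_resource*/checkmemlock.sh"` has the same problem in world-writable `/tmp`. Ansible modules have a recognisable launcher (the AnsiballZ temp module run under the remote python) that can be pinned via `process.parent.executable` plus an anchored argument pattern; an anchored form such as `process.parent.args like "/home/*/.ansible/tmp/ansible-tmp-*/AnsiballZ_*.py"` would be far harder to spoof than a free substring, though the exact path should be taken from the observed false positives. The `query` opening is outside the hunk.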
@@ -2,7 +2,7 @@ creation_date = "2025/07/16" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/07/21" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -55,7 +55,7 @@ references = [ "https://github.com/m0nad/Diamorphine/blob/master/diamorphine.c#L302", "https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd", ] -risk_score = 47 +risk_score = 73 rule_id = "cf307a5a-d503-44a4-8158-db196d99c9df" setup = """## Setup @@ -74,7 +74,7 @@ For this detection rule to trigger, the following additional audit rules are req ``` Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. """ -severity = "medium" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", diff --git a/rules/linux/defense_evasion_unusual_preload_env_vars.toml b/rules/linux/defense_evasion_unusual_preload_env_vars.toml index 8896b4c5f..fb5343a26 100644 --- a/rules/linux/defense_evasion_unusual_preload_env_vars.toml +++ b/rules/linux/defense_evasion_unusual_preload_env_vars.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -69,7 +69,11 @@ tags = [ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.category:process and host.os.type:linux and event.type:start and event.action:exec and process.env_vars:* +event.category:process and host.os.type:linux and event.type:start and event.action:exec and process.env_vars:* and +not ( + process.parent.executable:(/snap/* or "/opt/infraonagent/infraonwindowsagent" or "/worker/Capa/capa") or + process.parent.name:"cmk-update-agent" +) ''' note = """## Triage and analysis @@ -149,4 +153,4 @@ value = ["process.env_vars"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-14d" +value = "now-5d" 
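Review bot: In the `@@ -69,7 +69,11 @@` hunk, `process.parent.name:"cmk-update-agent"` is a basename match, so renaming any binary to `cmk-update-agent` exempts every environment variable it injects into children from this new-terms rule; `process.parent.executable:(/snap/* ...)` also exempts all snap-packaged parents at once, including user-installed snaps, rather than the specific snap that produced the noise. Prefer the executable path for Checkmk (`process.parent.executable:"/usr/bin/cmk-update-agent"` or wherever it is deployed) and the particular `/snap/<name>/*` tree instead of `/snap/*`. Shrinking `history_window_start` from `now-14d` to `now-5d` is presumably deliberate, but it will cause a previously baselined `LD_PRELOAD` value to re-alert after five quiet days, which is worth stating in the rule `note`.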
diff --git a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml index c3b9b7108..533fff59b 100644 --- a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml +++ b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/11" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2025/12/18" [rule] author = ["Elastic"] @@ -51,7 +51,7 @@ In Linux environments, the `/var/log` directory is crucial for storing system lo - Escalate the incident to the security operations team for further analysis and to determine if additional systems are compromised. - Update and enhance monitoring rules to detect similar suspicious activities in the future, focusing on process execution from insecure locations and unauthorized file creation in critical directories. """ -risk_score = 21 +risk_score = 47 rule_id = "ddf26e25-3e30-42b2-92db-bde8eb82ad67" setup = """## Setup @@ -78,7 +78,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -93,48 +93,49 @@ tags = [ ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' event.category:file and host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and (process.executable:(/tmp/* or /var/tmp/* or /dev/shm/* or ./* or /boot/*) or process.name:.*) and -file.path:/var/log/* and not file.extension:* +file.path:/var/log/* and not file.extension:* and +not process.executable:("./usr/bin/podman" or "./install" or /tmp/vmis.*/install/vmware-installer/vmis-launcher or /tmp/ubuntu-release-upgrader-*) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -146,8 +147,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-10d" - - +value = "now-5d"
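Review bot: `"./install"` in the new `not process.executable:(...)` list exempts the most generic dropper name there is: any payload copied into a scratch directory and run as `./install` may now create extensionless files under `/var/log/` without alerting, even though the rule's own include list flags `./*` as suspicious for exactly that reason. `"./usr/bin/podman"` and the two `/tmp/...` patterns are similarly attacker-creatable (a relative `./usr/bin/podman` matches from any working directory). If these are installer false positives, pin them on the files they actually write, e.g. `not (process.executable:"./install" and file.path:/var/log/<installer-log-dir>/*)`, or on `process.parent.executable`, rather than on the bare relative name. The `query` opening is outside the hunk.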