From 4e6625ae4053677c9e8deecffcf28a99a9a104fe Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 24 Jan 2025 17:23:32 +0000
Subject: [PATCH] [Tuning] Unusual Instance Metadata Service (IMDS) API Request (#4418)

* Update credential_access_unusual_instance_metadata_service_api_request.toml
* Update credential_access_unusual_instance_metadata_service_api_request.toml
* Update credential_access_unusual_instance_metadata_service_api_request.toml
* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 ...instance_metadata_service_api_request.toml | 36 +++++++++++--------
 1 file changed, 22 insertions(+), 14 deletions(-)

diff --git a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
index f2bea56c4..cdb9ef2e4 100644
--- a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
+++ b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -34,34 +34,42 @@ type = "eql"
 query = '''
 sequence by host.id, process.parent.entity_id with maxspan=1s
-[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name : (
+[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+ process.parent.executable != null and
+ (
+ process.name : (
 "curl", "wget", "python*", "perl*", "php*", "ruby*", "lua*", "telnet",
 "pwsh", "openssl", "nc", "ncat", "netcat", "awk", "gawk", "mawk", "nawk",
 "socat", "node"
- ) or process.executable : (
+ ) or
+ process.executable : (
 "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
 "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
 ) or
- process.command_line: "*169.254.169.254*" and
- not (process.working_directory: (
+ process.command_line: "*169.254.169.254*"
+ )
+ and not process.working_directory: (
 "/opt/rapid7*", "/opt/nessus*", "/snap/amazon-ssm-agent*",
 "/var/snap/amazon-ssm-agent/*", "/var/log/amazon/ssm/*", "/srv/snp/docker/overlay2*",
- "/opt/nessus_agent/var/nessus/*") or
- process.executable: (
+ "/opt/nessus_agent/var/nessus/*")
+ and not process.executable: (
 "/opt/rumble/bin/rumble-agent*",
- "/opt/aws/inspector/bin/inspectorssmplugin") or
- process.parent.executable: (
+ "/opt/aws/inspector/bin/inspectorssmplugin",
+ "/snap/oracle-cloud-agent/*",
+ "/lusr/libexec/oracle-cloud-agent/*")
+ and not process.parent.executable: (
 "/usr/bin/setup-policy-routes",
 "/usr/share/ec2-instance-connect/*",
- "/var/lib/amazon/ssm/*")
- )
+ "/var/lib/amazon/ssm/*",
+ "/etc/update-motd.d/30-banner",
+ "/usr/sbin/dhclient-script",
+ "/usr/local/bin/uwsgi",
+ "/usr/lib/skylight/al-extras")
 ]
-[network where host.os.type == "linux"
- and event.action == "connection_attempted"
- and destination.ip == "169.254.169.254"]
+[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip == 
"169.254.169.254"]
 '''
 note = """## Triage and analysis
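Review bot: The new entry `"/lusr/libexec/oracle-cloud-agent/*"` in the `and not process.executable:` list looks like a typo for `/usr/libexec/oracle-cloud-agent/*`; as written it should match no real path, so the Oracle Cloud agent binaries it is meant to suppress will keep alerting and the list carries a dead pattern. Separately, the blanket parent exclusion `"/usr/local/bin/uwsgi"` silences every child process of an application server, which overlaps with what the rule's own `process.executable` patterns such as `"/var/www/*"` are there to surface; if the false positives come from one specific child, scoping the exclusion to that `process.executable` or `process.working_directory` would preserve the rest of that coverage. The added `process.parent.executable != null` condition also drops events whose parent executable is not populated, which is presumably deliberate for this tuning but is worth a sentence in the rule's `note` so the narrowing is recorded for triage.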