From 4e6ff388fcd1043b6268aee525ecd54f48fdc9f9 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Thu, 11 Feb 2021 13:32:58 -0900
Subject: [PATCH] [Rule Tuning] Feedback from 7.12 Kibana PR (#942)

---
 ...xecution_suspicious_jar_child_process.toml | 4 ++--
 ...ilege_escalation_sudo_buffer_overflow.toml | 4 ++--
 ...deletion_of_bash_command_line_history.toml | 10 ++++----
 ...ccess_to_browser_credentials_procargs.toml | 4 ++--
 .../credential_access_systemkey_dumping.toml | 6 ++---
 ...ense_evasion_install_root_certificate.toml | 4 ++--
 ...rectory_services_plugins_modification.toml | 3 +--
 ...fication_sublime_app_plugin_or_script.toml | 3 +--
 ...ilege_escalation_root_crontab_filemod.toml | 4 ++--
 ...credential_access_dump_registry_hives.toml | 5 ++--
 .../windows/discovery_file_dir_discovery.toml | 23 +++++++++++++++----
 11 files changed, 40 insertions(+), 30 deletions(-)

diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml
index cb48a3efd..4379df642 100644
--- a/rules/cross-platform/execution_suspicious_jar_child_process.toml
+++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/01/19"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ process where event.type in ("start", "process_started") and
 process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget") and
 process.args : "-jar" and process.args : "*.jar" and
 /* Add any FP's here */
- not process.executable : "/Users/*/.sdkman/*" and
+ not process.executable : ("/Users/*/.sdkman/*", "/Library/Java/JavaVirtualMachines/*") and
 not process.args : ("/usr/local/*", "/Users/*/github.com/*", "/Users/*/src/*")
 '''
 
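Review bot: The added `/Library/Java/JavaVirtualMachines/*` entry, like the existing `/Users/*/.sdkman/*` one, names a location where JDK `java` binaries are installed, yet the exclusion is applied to `process.executable` of the matched process, which this hunk restricts by name to sh/bash/dash/ksh/tcsh/zsh/curl/wget; none of those binaries lives under a JDK tree, so the exclusion appears never to apply. If the intent is to allow-list children of a locally installed JDK, the field is presumably the parent's: `not process.parent.executable : ("/Users/*/.sdkman/*", "/Library/Java/JavaVirtualMachines/*") and`. Whichever field is meant, the sdkman path sits inside a user-writable home directory, so the allow-list trusts a location the logged-in user controls, which is worth recording next to `/* Add any FP's here */`. The opening lines of the query are outside the hunk, so an additional parent constraint may exist that I cannot see.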
diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml index 82f3d680e..7232835e9 100644 --- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml +++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/02/03" maturity = "production" -updated_date = "2021/02/04" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies the attempted use of a heap-based buffer overflow vulnerability for t """ false_positives = [ """ - This rule could generate false positives if the process arguments leveraged by the expoit are shared by custom + This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive. """, diff --git a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml index d5b7e5222..7d7dfe288 100644 --- a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml +++ b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/05/04" maturity = "production" -updated_date = "2021/02/04" +updated_date = "2021/02/11" [rule] author = ["Elastic"] 
@@ -23,11 +23,11 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
 (
- (process.name : ("rm", "echo") and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history")) or
+ (process.args : ("rm", "echo") and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history")) or
 (process.name : "history" and process.args : "-c") or
- (process.name : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
- (process.name : "unset" and process.args : "HISTFILE") or
- (process.name : "set" and process.args : "history" and process.args : "+o")
+ (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
+ (process.args : "unset" and process.args : "HISTFILE") or
+ (process.args : "set" and process.args : "history" and process.args : "+o")
 )
 '''
 
diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index 0b037fa64..361f6205c 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2020/01/04"
+updated_date = "2020/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License"
-name = "Browser Credential File Access"
+name = "Access of Stored Browser Credentials"
 references = ["https://securelist.com/calisto-trojan-for-macos/86543/"]
 risk_score = 73
 rule_id = "20457e4f-d1de-4b92-ae69-142e27a4342a"
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index 70c7a8d3e..4ea3683e4 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
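Review bot: `(process.name : "history" and process.args : "-c")` is left on `process.name` while the export/unset/set clauses beside it move to `process.args`; `history` is a shell builtin just like those, so it never appears as a process name and that clause stays unreachable. Apply the same change there: `(process.args : "history" and process.args : "-c") or`. A comment above the block such as `/* builtins (history, export, unset, set) only surface as arguments of a shell invocation, never as process.name */` would keep a later tidy-up from reverting the field. Note also that the rm/echo clause now matches the word anywhere in the argument vector rather than as the program name; the history-file condition keeps that narrow, but it is worth a line in `false_positives`.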
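Review bot: `updated_date = "2020/02/11"` is a year behind the 11 Feb 2021 commit date and the `"2021/02/11"` the other rules in this patch receive. The same value is written into credential_access_systemkey_dumping.toml, persistence_modification_sublime_app_plugin_or_script.toml, credential_access_dump_registry_hives.toml and discovery_file_dir_discovery.toml, and in the last three it now falls before the rule's own `creation_date`. Change all five occurrences to `updated_date = "2021/02/11"`.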
+++ b/rules/macos/credential_access_systemkey_dumping.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/01/07" maturity = "production" -updated_date = "2020/01/07" +updated_date = "2020/02/11" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" -name = "SystemKey Access via Hexdump" +name = "SystemKey Access via Command Line" references = ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"] risk_score = 73 rule_id = "d75991f2-b989-419d-b797-ac1e54ec2d61" @@ -24,7 +24,7 @@ type = "query" query = ''' event.category:process and event.type:(start or process_started) and - process.name:hexdump and process.args:"/private/var/db/SystemKey" + process.args:"/private/var/db/SystemKey" ''' diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml index c46510e05..9e6fe609d 100644 --- a/rules/macos/defense_evasion_install_root_certificate.toml +++ b/rules/macos/defense_evasion_install_root_certificate.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/13" maturity = "production" -updated_date = "2021/01/13" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ and control servers. Root certificates are used in public key cryptography to id (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. """ -false_positives = ["Trusted Root Certificate Install"] +false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" 
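Review bot: Dropping `process.name:hexdump` leaves the exact argument `/private/var/db/SystemKey` as the only selector, so the rule now fires for any process started with that path on its command line, which may include legitimate backup, inventory or support tooling, while `risk_score = 73` is carried over unchanged from the narrower version. Since the title is being renamed to "SystemKey Access via Command Line" in the same patch, the rule's `false_positives` field (not in this hunk) should name the tools expected to touch that file, and the description should no longer single out hexdump if it still does. I cannot see the rest of the rule from here.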
diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml index cbccc410b..55dfe8dc2 100644 --- a/rules/macos/persistence_directory_services_plugins_modification.toml +++ b/rules/macos/persistence_directory_services_plugins_modification.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/13" maturity = "production" -updated_date = "2021/01/13" +updated_date = "2021/02/11" [rule] author = ["Elastic"] @@ -10,7 +10,6 @@ Identifies the creation or modification of a DirectoryService PlugIns (dsplug) f on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence. """ -false_positives = ["Trusted DirectoryService PlugIns"] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml index 92b24aae2..e30154fec 100644 --- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml +++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/23" maturity = "production" -updated_date = "2020/12/23" +updated_date = "2020/02/11" [rule] author = ["Elastic"] @@ -9,7 +9,6 @@ description = """ Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started. """ -false_positives = ["Legitimate Sublime plugins or application updates"] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml index 7c9a7f878..4cfa1dde0 100644 
--- a/rules/macos/privilege_escalation_root_crontab_filemod.toml
+++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/27"
 maturity = "production"
-updated_date = "2021/01/27"
+updated_date = "2021/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
-name = "Potential Privilege Escalation via Root Crontab File Modification"
+name = "Privilege Escalation via Root Crontab File Modification"
 references = [
 "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc",
 "https://www.exploit-db.com/exploits/42146",
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index 623af7a53..029478239 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2020/02/11"
 
 [rule]
 author = ["Elastic"]
@@ -24,8 +24,7 @@ query = '''
 process where event.type in ("start", "process_started") and
 process.pe.original_file_name == "reg.exe" and
 process.args : ("save", "export") and
- process.args : ("hklm\\sam", "hklm\\security") and
- not process.parent.executable : "C:\\Program Files*\\Rapid7\\Insight Agent\\components\\insight_agent\\*\\ir_agent.exe"
+ process.args : ("hklm\\sam", "hklm\\security")
 '''
 
 
diff --git a/rules/windows/discovery_file_dir_discovery.toml b/rules/windows/discovery_file_dir_discovery.toml
index 79ccffa21..1942b3ba0 100644
--- a/rules/windows/discovery_file_dir_discovery.toml
+++ b/rules/windows/discovery_file_dir_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2020/01/28"
+updated_date = "2020/02/11"
 
 [rule]
 author = ["Elastic"]
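Review bot: Removing the Rapid7 `ir_agent.exe` parent exclusion is reasonable for a vendor-neutral rule, but the knowledge it encoded — that an endpoint agent was presumably observed running `reg save` against `hklm\sam` / `hklm\security` — is lost unless it moves into the rule's `false_positives` entry (outside this hunk), so deployments running that agent know to add a parent-executable exception rather than disable the rule. Something like `Endpoint security and vulnerability-management agents (for example the Rapid7 Insight Agent) may export these hives during collection; add an exception for the agent's parent executable rather than disabling the rule.` would preserve it. Only `query = '''` from the surrounding rule is visible as the hunk's context line.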
@@ -9,6 +9,13 @@ description = """
 Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan
 follow-on activity.
 """
+false_positives = [
+ """
+ Enumeration of files and directories may not be inherently malicious and noise may come from scripts, automation
+ tools, or normal command line usage. It's important to baseline your environment to determine the amount of expected
+ noise and exclude any known FP's from the rule.
+ """,
+]
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License"
@@ -20,9 +27,16 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
 type = "eql"
 
 query = '''
-process where event.type in ("start", "process_started") and
- (process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and
- process.args : ("dir", "tree")
+sequence by agent.id, user.name with maxspan=1m
+[process where event.type in ("start", "process_started") and
+ ((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
+ process.name : "tree.com"]
+[process where event.type in ("start", "process_started") and
+ ((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
+ process.name : "tree.com"]
+[process where event.type in ("start", "process_started") and
+ ((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
+ process.name : "tree.com"]
 '''
 
 
@@ -38,4 +52,3 @@ reference = "https://attack.mitre.org/techniques/T1083/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
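Review bot: In each of the three sequence steps the alternative `or process.name : "tree.com"` sits outside the `event.type in ("start", "process_started")` conjunction — `A and (B and C) or D` parses as `(A and B and C) or D` — so any tree.com process event, not only a start, satisfies a step; the defect is identical in all three steps. Group the two alternatives together as below. The steps are also verbatim copies with the threshold expressed only by their count, so a comment stating the intent (three listings by the same user on the same host within one minute) belongs above `sequence by`, otherwise a future tuning is likely to touch one step and not the others.
```toml
query = '''
/* three directory listings (cmd dir or tree.com) by the same user on the same host within one minute */
sequence by agent.id, user.name with maxspan=1m
[process where event.type in ("start", "process_started") and
  (((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
   process.name : "tree.com")]
[process where event.type in ("start", "process_started") and
  (((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
   process.name : "tree.com")]
[process where event.type in ("start", "process_started") and
  (((process.name : "cmd.exe" or process.pe.original_file_name == "Cmd.Exe") and process.args : "dir") or
   process.name : "tree.com")]
'''
```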