diff --git a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml index bc15dc494..c07ff4d97 100644 --- a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml +++ b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/08" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -76,7 +76,10 @@ not ( "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", "/opt/dynatrace/oneagent/*" ) or process.executable == null or - process.name == "java" or + process.name in ( + "java", "executor", "ssm-agent-worker", "packagekitd", "crio", "dockerd-entrypoint.sh", + "docker-init", "BootTimeChecker" + ) or (process.name == "sed" and file.name : "sed*") or (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index f87b1240f..54c8ee0c3 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -75,7 +75,9 @@ type = "new_terms" query = ''' host.os.type:linux and event.category:process and event.type:start and process.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and -not process.parent.name:(apt-key or update-motd-updates-available or apt-get) +not process.parent.name:( + apt-key or update-motd-updates-available or apt-get or java or pilot or PassengerAgent or nginx +) ''' note = """## Triage and analysis 
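Review bot: The new `process.name in (...)` list on the added lines keys the exclusion to the process basename only, so a dropper that creates one of the dynamic-linker files this rule watches can skip it by naming itself `java`, `executor` or `BootTimeChecker`. The neighbouring `process.executable like (...)` clause shows the rule already prefers path-anchored exclusions; the same should apply here, e.g. `process.executable like ("/usr/lib/jvm/*/bin/java", "/usr/bin/crio")`, keeping a bare name only where the install location genuinely varies. `dockerd-entrypoint.sh` also deserves a check: if process.name is derived from the executable basename rather than comm, a shell script surfaces as `sh`/`bash` and that entry never matches. The query's opening lines are outside the hunk.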
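Review bot: Adding `nginx` and `java` to the parent-name exclusion removes this rule's strongest post-exploitation signal: a web server or JVM spawning `chmod`/`chown` in `/tmp` or `/dev/shm` is the classic webshell or deserialization payload-staging step, and the new_terms logic will now never surface it as new. If the noise comes from specific deployments, exclude the parent by path rather than name, e.g. `not process.parent.executable:(/usr/sbin/nginx or /usr/lib/jvm/*)`, or scope it further with the arguments seen in the benign alerts. `pilot` and `PassengerAgent` are less costly but equally spoofable as bare names. The KQL query's opening lines are outside the hunk.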
diff --git a/rules/linux/defense_evasion_hidden_directory_creation.toml b/rules/linux/defense_evasion_hidden_directory_creation.toml index ed15f89ca..929e64c94 100644 --- a/rules/linux/defense_evasion_hidden_directory_creation.toml +++ b/rules/linux/defense_evasion_hidden_directory_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -72,8 +72,9 @@ process.name == "mkdir" and process.parent.executable like ( ) and process.args like (".*", "/*/.*") and process.args_count <= 3 and not ( process.parent.executable like ("/tmp/newroot/*", "/run/containerd/*") or process.command_line like ("mkdir -p .", "mkdir ./*") or + process.args == "/root/.ssh" or process.parent.executable like ( - "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img" + "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img", "/tmp/snap.rootfs_*" ) ) ''' diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index 83eff47b8..b6e8178ba 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] 
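Review bot: The new `process.args == "/root/.ssh"` exclusion whitelists creation of root's SSH directory, the first step of `authorized_keys` persistence, and it applies no matter which of the suspicious parents matched by `process.parent.executable like (...)` launched mkdir. If a specific provisioning tool triggers this, scope the exclusion to that parent, e.g. `(process.args == "/root/.ssh" and process.parent.executable like "<provisioner path>")`, rather than exempting the path outright; otherwise handle it with a rule exception. The parent-executable list this condition depends on sits above the hunk and is not visible here.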
@@ -82,7 +82,7 @@ process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and not process.name in ( "ls", "find", "grep", "git", "jq", "basename", "check_snmp", "snmpget", "snmpwalk", "cc1plus", "snap", - "command-not-found" + "command-not-found", "sqlite", "apk", "fgrep", "locate", "objdump" ) ''' note = """## Triage and analysis diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index 1879c8fd9..972126958 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -77,7 +77,7 @@ type = "eql" query = ''' file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and -not process.name == "dockerd" +not process.name in ("dockerd", "azcopy", "podman") ''' note = """## Triage and analysis diff --git a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml index 1bb3cccd8..8e0bd45db 100644 --- a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml +++ b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] 
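Review bot: Excluding `azcopy` and `podman` by `process.name` alone lets a dropper that writes a hidden `.so` evade the rule simply by renaming itself, which for a preload/rootkit-staging detection is a cheap bypass. Since the existing `dockerd` exclusion has the same weakness, this is the moment to anchor all three on the executable path, e.g. `not process.executable in ("/usr/bin/dockerd", "/usr/bin/podman")`, with `azcopy` matched by a `like` pattern on its install location if that varies. It is also worth confirming from the benign events that `azcopy` really creates dot-prefixed shared objects rather than temp files that merely end in `.so`. The query is fully visible in the hunk.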
@@ -67,6 +67,8 @@ event.category:process and host.os.type:linux and event.type:start and event.act ) or process.args:(/etc/apt/trusted.gpg.d/* or /tmp/apt-key-gpg*) or process.name:(awk or apt-config or dpkg or grep or gpgv or sed) or + (user.name:_apt and process.name:(sqv or apt-key or gpgconf or sort or mktemp or find or cmp or gpg-connect-agent)) or + (user.name:man and process.name:mandb) or (user.name:daemon and process.name:at) ) ''' diff --git a/rules/linux/defense_evasion_root_certificate_installation.toml b/rules/linux/defense_evasion_root_certificate_installation.toml index e29ffb290..cb8237b8e 100644 --- a/rules/linux/defense_evasion_root_certificate_installation.toml +++ b/rules/linux/defense_evasion_root_certificate_installation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -65,7 +65,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action process.name in ("update-ca-trust", "update-ca-certificates") and not ( process.parent.name like ( "ca-certificates.postinst", "ca-certificates-*.trigger", "pacman", "pamac-daemon", "autofirma.postinst", - "ipa-client-install", "su", "platform-python", "python*", "kesl", "execd" + "ipa-client-install", "su", "platform-python", "python*", "kesl", "execd", "systemd", "flock" ) or process.parent.args like "/var/tmp/rpm*" or (process.parent.name in ("sh", "bash", "zsh") and process.args == "-e") diff --git a/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml b/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml index 185877f56..c4f67be58 100644 --- a/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml 
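Review bot: The `_apt` exclusion on the added line permits `find`, `sort`, `mktemp` and `cmp` from the `_apt` account with no parent constraint, and `find -exec` in particular is a shell escape, so a compromised apt transport or hook running as `_apt` gets a free pass for exactly the behaviour this rule exists to catch. Tie it to the expected parent, e.g. `(user.name:_apt and process.parent.name:(apt or apt-get or apt-key) and process.name:(sqv or gpgconf or sort or mktemp or find or cmp or gpg-connect-agent))`. The `man`/`mandb` pair is narrow and fine as written. The query's opening clauses, including the event.action filter, are outside the hunk.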
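Review bot: Adding `systemd` and `flock` to the parent-name exclusion opens two bypasses for rogue-CA installation: any unit an attacker drops that runs `update-ca-certificates` has `systemd` as its parent, and `flock /tmp/lock update-ca-trust` is a one-line wrapper that makes the parent `flock`. If the noise is from a specific distro service, exclude that unit's invocation instead, e.g. via `process.parent.args` or the grandparent, and drop `flock` entirely since it carries no information about who invoked it. The enclosing `not (...)` group continues below the hunk.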
+++ b/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.16.2 for the SentinelOne Integration." min_stack_version = "8.16.2" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -61,7 +61,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event") -and file.path : "/etc/selinux/config" +and file.path : "/etc/selinux/config" and not process.name in ("dockerd", "platform-python") ''' note = """## Triage and analysis diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 69eac0b8c..64a7eeaf5 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -72,8 +72,9 @@ not ( process.parent.name:( mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools or readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or weak-modules or zfs or - systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install - ) + systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install or newrelic-infra + ) or + process.parent.executable:/var/lib/dpkg/info/linux-modules*-generic.post* ) ''' note = """## Triage and analysis diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml index 4f7d00fa3..932c0dbe2 100644 
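Review bot: The new `not process.name in ("dockerd", "platform-python")` clause hands any script run through RHEL's `/usr/libexec/platform-python` a blanket exemption for writing `/etc/selinux/config`, which is precisely the file an attacker edits to set `SELINUX=disabled`; the match is also by basename only, so a renamed binary qualifies too. Scope it to the benign invocation the alerts showed, e.g. `(process.name == "platform-python" and process.parent.name like "<known parent>")`, and anchor `dockerd` on `process.executable`. This query is fully visible in the hunk.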
--- a/rules/linux/discovery_pam_version_discovery.toml +++ b/rules/linux/discovery_pam_version_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -66,11 +66,12 @@ timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "exec_event", "start", "ProcessRollup2") and + event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.parent.name != null and ( (process.name in ("dpkg", "dpkg-query") and process.args == "libpam-modules") or (process.name == "rpm" and process.args == "pam") - ) + ) and +not process.parent.name in ("dcservice", "inspectorssmplugin") ''' note = """## Triage and analysis diff --git a/rules/linux/discovery_pspy_process_monitoring_detected.toml b/rules/linux/discovery_pspy_process_monitoring_detected.toml index a20064a1f..b03f97dae 100644 --- a/rules/linux/discovery_pspy_process_monitoring_detected.toml +++ b/rules/linux/discovery_pspy_process_monitoring_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/20" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -58,7 +58,7 @@ query = ''' sequence by process.pid, host.id with maxspan=5s [file where host.os.type == "linux" and auditd.data.syscall == "openat" and file.path == "/proc" and auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c") and auditd.data.a2 : ("80000", "88000") and - not process.name == "agentbeat" + not process.name in ("agentbeat", "packetbeat") ] with runs=10 ''' note = """## Triage and analysis 
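Review bot: `process.parent.name != null` is a broader change than the two named exclusions: any `dpkg -l libpam-modules` or `rpm -q pam` event whose parent is not enriched (common for short-lived or reparented processes, and plausibly for some of the non-endpoint integrations this rule targets) is now silently dropped. If the null check was added only so the `not ... in` comparison evaluates cleanly for missing parents, make the intent explicit with `(process.parent.name == null or not process.parent.name in ("dcservice", "inspectorssmplugin"))` so parentless events still alert. The two names are also trivially spoofable and would be stronger anchored on `process.parent.executable`. The query is fully visible in the hunk.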
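Review bot: Adding `packetbeat` beside `agentbeat` excludes the pspy `/proc` polling pattern by comm/basename only, and a pspy binary renamed `packetbeat` (or given that name via `prctl(PR_SET_NAME)`) walks straight through. If the auditd events carry the executable path, anchor on it instead, e.g. `not process.executable like ("/usr/share/elastic-agent/*", "/usr/share/packetbeat/*")` adjusted to the fleet's install locations, keeping the name match only as a fallback. The sequence's closing `with runs=10` is inside the hunk, but the rest of the rule is not visible here.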
diff --git a/rules/linux/discovery_security_file_access_via_common_utility.toml b/rules/linux/discovery_security_file_access_via_common_utility.toml index 3d11cf452..77e8b3832 100644 --- a/rules/linux/discovery_security_file_access_via_common_utility.toml +++ b/rules/linux/discovery_security_file_access_via_common_utility.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -68,7 +68,8 @@ process where host.os.type == "linux" and event.type == "start" and "/home/*/.aws/credentials", "/home/*/.aws/config", "/home/*/.config/gcloud/*credentials.json", "/home/*/.config/gcloud/configurations/config_default", "/home/*/.azure/accessTokens.json", "/home/*/.azure/azureProfile.json" - ) + ) and +not process.parent.name in ("wazuh-modulesd", "lynis") ''' note = """## Triage and analysis diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml index cead49103..ad351fb67 100644 --- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml +++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] 
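Review bot: `lynis` is a shell-script auditor, so the added `process.parent.name` check only asserts that the parent's basename was `lynis`; an attacker who copies a wrapper script to that name can then `cat /etc/shadow` or read `~/.aws/credentials` without triggering this rule, and depending on how the integration names script processes the parent may instead surface as `sh`/`bash`, leaving the entry dead. Anchor the exclusion on where these tools are installed, e.g. `not process.parent.executable like ("/usr/sbin/lynis", "/var/ossec/bin/*")`, and consider whether an auditor genuinely needs the `/home/*/.aws/*` and gcloud credential paths in this list, since those are the reads with the least legitimate justification. The query's process and argument filters begin above the hunk.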
@@ -58,7 +58,10 @@ query = ''' sequence by host.id, process.parent.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "id" and process.args_count == 2 and - not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20 + not ( + process.parent.name in ("rpm", "snarftmp", "quota_copy", "java") or + process.parent.args : "/var/tmp/rpm-tmp*" + )] with runs=20 ''' note = """## Triage and analysis
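Review bot: Adding `java` to the parent exclusion exempts every JVM on the fleet from the 20-`id`-calls-per-second pattern, including a compromised web application enumerating accounts after a deserialization or file-upload foothold. Narrow it to the deployment that produced the noise, e.g. `process.parent.executable like "/opt/<vendor>/*/bin/java"`, or pair it with the `id` arguments seen in those alerts; `snarftmp` and `quota_copy` look specific enough to keep but would likewise be stronger as executable paths. The sequence's closing `'''` is in the hunk and the rule's remaining fields are not visible here.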