[Tuning] Linux DR Tuning - Part 10 (#3462)
* [Tuning] Linux DR Tuning - Part 10
* updated_date bump
* Update persistence_kworker_file_creation.toml
* Update persistence_linux_backdoor_user_creation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit a76a3755d9)
committed by
github-actions[bot]
parent
6d7c604257
commit
5506f1bb26
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/01/11"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -200,19 +200,17 @@ tags = [
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.id == "0" and
|
||||
file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*",
|
||||
"/usr/lib/systemd/system/*") and not (
|
||||
(process.executable : (
|
||||
"*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd", "*/snapd",
|
||||
"*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system",
|
||||
"*/bin/dockerd", "*/sbin/dockerd", "/kaniko/executor", "/usr/sbin/rhn_check"
|
||||
(process.name : (
|
||||
"chef-client", "ruby", "pacman", "packagekitd", "python*", "platform-python", "dpkg", "yum", "apt", "dnf", "rpm",
|
||||
"systemd", "snapd", "dnf-automatic", "yum-cron", "elastic-agent", "dnfdaemon-system", "dockerd", "executor",
|
||||
"rhn_check"
|
||||
)
|
||||
) or
|
||||
(file.extension in ("swp", "swpx", "tmp")) or
|
||||
(process.name : ("chef-client", "ruby", "pacman", "packagekitd", "python*", "platform-python"))
|
||||
(file.extension in ("swp", "swpx", "tmp"))
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
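Review bot: The query hunk (`@@ -200,19 +200,17 @@`) appears to replace the `process.executable : ("*/dpkg", "*/yum", ...)` exclusion with a `process.name : ("dpkg", "yum", ...)` entry, and `process.name` is only the executable's basename, so the package-manager exclusion is no longer anchored to any path and now applies to any binary carrying one of those names wherever it lives. For a rule that watches root-owned file creation under `/etc/cron.d`, `/etc/sudoers.d` and the systemd unit directories that is a wider blind spot than the previous executable-based list. Consider keeping the path-anchored form for the package managers alongside the name list, e.g. `(process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm")) or`, and adding a comment above the query naming which exclusions are name-based and why. The old/new side of each line is not labelled on this page, so this reading is inferred from the hunk line counts.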
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/12/13"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -192,7 +192,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
|
||||
[rule.new_terms]
|
||||
field = "new_terms_fields"
|
||||
value = ["file.path", "process.name"]
|
||||
value = ["file.path", "process.name", "host.id"]
|
||||
|
||||
[[rule.new_terms.history_window_start]]
|
||||
field = "history_window_start"
|
||||
|
||||
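Review bot: Adding `host.id` to `new_terms_fields` in the `@@ -192,7 +192,7 @@` hunk changes the alerting unit from a (file.path, process.name) pair to a per-host tuple, so every combination already known fleet-wide fires again the first time it is seen on each newly enrolled or re-imaged host. That is presumably the intended tuning, but it deserves a line in the rule description or a comment next to the value, e.g. `# new-terms state is per host: expect one alert per known (path, process) pair on each new host`, plus a check that the history window covers normal host churn. The `history_window_start` value itself is outside this hunk.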
@@ -1,13 +1,12 @@
|
||||
[metadata]
|
||||
creation_date = "2022/07/11"
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/12/19"
|
||||
integration = ["endpoint"]
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[transform]
|
||||
|
||||
[[transform.osquery]]
|
||||
label = "Osquery - Retrieve all Kernel Modules"
|
||||
query = "SELECT * FROM kernel_modules"
|
||||
@@ -41,7 +40,7 @@ security products. Manually loading a kernel module in this manner should not be
|
||||
suspcious or malicious behavior.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Kernel Module Load via insmod"
|
||||
@@ -156,13 +155,13 @@ tags = [
|
||||
"Tactic: Persistence",
|
||||
"Threat: Rootkit",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend"
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko"
|
||||
and not process.parent.name in ("cisco-amp-helper", "ksplice-apply")
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
@@ -182,4 +181,3 @@ reference = "https://attack.mitre.org/techniques/T1547/006/"
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
|
||||
|
||||
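Review bot: The `@@ -41,7 +40,7 @@` hunk adds `auditbeat-*` and `logs-auditd_manager.auditd-*` to `index`, but the query, which appears as unchanged context in the `@@ -156,13 +155,13 @@` hunk, still keys only on `event.type == "start"` and `process.name == "insmod"`, whereas the backdoor-user rule in this same commit widened `event.action` to `("exec", "exec_event", "executed", "process_started")` when it gained the same indices. If auditd_manager exec records do not carry `event.type == "start"` the new data source will never match here, so either align the query with the sibling rule, e.g. `process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and process.name == "insmod" and process.args : "*.ko"`, or state in the description why this rule is expected to match on Endpoint/Endgame data only. I cannot confirm the exact auditd field values from this page.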
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/12/19"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -176,8 +176,9 @@ tags = [
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
file where event.action == "creation" and process.name : "kworker*" and not (
|
||||
process.name : "kworker*kcryptd*" or file.path : ("/var/log/*", "/var/crash/*")
|
||||
file where event.action in ("creation", "file_create_event") and process.name : "kworker*" and not (
|
||||
(process.name : "kworker*kcryptd*") or
|
||||
(file.path : ("/var/log/*", "/var/crash/*", "/var/run/*", "/var/lib/systemd/coredump/*", "/var/spool/*"))
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
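Review bot: The rewritten query in the `@@ -176,8 +176,9 @@` hunk adds `"/var/spool/*"` to the excluded `file.path` list, which also silences writes under `/var/spool/cron/*`, a file-creation persistence location this rule should keep visibility on. Narrow that entry to the specific spool subdirectories that were observed as noisy rather than the whole tree, and record the reasoning in a comment above the query, e.g. `# /var/run, coredump and spool paths excluded as routine kworker writes; keep /var/spool/cron visible`. Unlike the other EQL rules touched in this commit, this query also carries no `host.os.type == "linux"` guard; if the index pattern does not already restrict it, `file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and process.name : "kworker*" and not (` keeps the set consistent.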
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2023/03/07"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -34,7 +34,7 @@ Identifies the attempt to create a new backdoor user by setting the user's UID t
|
||||
0 to establish persistence on a system.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Linux Backdoor User Account Creation"
|
||||
@@ -115,13 +115,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Persistence",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Resources: Investigation Guide",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and
|
||||
event.action in ("exec", "exec_event") and process.name == "usermod" and
|
||||
process.args : "-u" and process.args : "0" and process.args : "-o"
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
|
||||
event.type == "start" and process.name == "usermod" and process.args : "-u" and process.args : "0" and process.args : "-o"
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
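Review bot: The new query line `event.type == "start" and process.name == "usermod" and process.args : "-u" and process.args : "0" and process.args : "-o"` in the `@@ -115,13 +115,21 @@` hunk tests the three arguments independently and only in their short spelling, so the equivalent long-form invocation (`--uid` / `--non-unique`) is not covered, while an unrelated `0` argument (for example a `-g 0` group) alongside `-u` and `-o` still matches and will surface as a false positive. Consider `process.args : ("-u", "--uid") and process.args : "0" and process.args : ("-o", "--non-unique")`, noting that the single-token `--uid=0` form would additionally need a wildcard match, and document the accepted imprecision in a comment above the query. The `event.action` values added for auditd look consistent with the indices added in the earlier hunk of this section, but I cannot confirm the exact action strings auditd_manager emits from this page.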