From 5506f1bb265f29eac96d9d6ef289cd195bee651e Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Thu, 7 Mar 2024 11:45:17 +0100
Subject: [PATCH] [Tuning] Linux DR Tuning - Part 10 (#3462)
* [Tuning] Linux DR Tuning - Part 10
* updated_date bump
* Update persistence_kworker_file_creation.toml
* Update persistence_linux_backdoor_user_creation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit a76a3755d96b481212afc110a53a6654d05c09c5)
---
 .../linux/persistence_etc_file_creation.toml | 14 +++++-------
 .../persistence_init_d_file_creation.toml | 4 ++--
 ...persistence_insmod_kernel_module_load.toml | 12 +++++-----
 .../persistence_kworker_file_creation.toml | 7 +++---
 ...sistence_linux_backdoor_user_creation.toml | 22 +++++++++++++------
 5 files changed, 32 insertions(+), 27 deletions(-)
diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index ad779245f..ff8fe0723 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/11"
+updated_date = "2024/02/21"
 
 [transform]
 [[transform.osquery]]
@@ -200,19 +200,17 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.id == "0" and file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*", "/usr/lib/systemd/system/*") and not (
- (process.executable : (
- "*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd", "*/snapd",
- "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system",
- "*/bin/dockerd", "*/sbin/dockerd", "/kaniko/executor", "/usr/sbin/rhn_check"
+ (process.name : (
+ "chef-client", "ruby", "pacman", "packagekitd", "python*", "platform-python", "dpkg", "yum", "apt", "dnf", "rpm",
+ "systemd", "snapd", "dnf-automatic", "yum-cron", "elastic-agent", "dnfdaemon-system", "dockerd", "executor",
+ "rhn_check"
 )
 ) or
- (file.extension in ("swp", "swpx", "tmp")) or
- (process.name : ("chef-client", "ruby", "pacman", "packagekitd", "python*", "platform-python"))
+ (file.extension in ("swp", "swpx", "tmp"))
 )
 '''
diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml
index 384be9161..3581b682f 100644
--- a/rules/linux/persistence_init_d_file_creation.toml
+++ b/rules/linux/persistence_init_d_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/12/13"
+updated_date = "2024/02/21"
 
 [transform]
 [[transform.osquery]]
@@ -192,7 +192,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["file.path", "process.name"]
+value = ["file.path", "process.name", "host.id"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
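Review bot: The rewritten exclusion matches on `process.name` alone, so the path constraints the old `process.executable` list enforced are gone — `/kaniko/executor` and `/usr/sbin/rhn_check` become any process named `executor` or `rhn_check`, and `*/bin/dockerd`/`*/sbin/dockerd` become any `dockerd` — which means a root-owned write into `/etc/cron.d/*` or `/etc/sudoers.d/*` by any binary carrying one of those basenames (or any `python*`/`ruby`) is now excluded from the very directories the rule watches. A process name is a weaker discriminator than an installation path, so this widens the rule's blind spot rather than narrowing it. Consider keeping the path form for the entries that had one, e.g. `(process.executable : ("/kaniko/executor", "/usr/sbin/rhn_check", "*/bin/dockerd", "*/sbin/dockerd")) or` alongside the `process.name` list, and adding a short `#` comment above `query = '''` recording why each interpreter name is excluded. The query's opening `file where …` lines are unchanged context in this hunk.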
diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml
index 66aa27900..edb055b36 100644
--- a/rules/linux/persistence_insmod_kernel_module_load.toml
+++ b/rules/linux/persistence_insmod_kernel_module_load.toml
@@ -1,13 +1,12 @@
 [metadata]
 creation_date = "2022/07/11"
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/12/19"
-integration = ["endpoint"]
+updated_date = "2024/02/21"
 
 [transform]
-
 [[transform.osquery]]
 label = "Osquery - Retrieve all Kernel Modules"
 query = "SELECT * FROM kernel_modules"
@@ -41,7 +40,7 @@ security products. Manually loading a kernel module in this manner should not be
 suspcious or malicious behavior.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kernel Module Load via insmod"
@@ -156,13 +155,13 @@ tags = [
 "Tactic: Persistence",
 "Threat: Rootkit",
 "Data Source: Elastic Endgame",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
+ "Data Source: Auditd Manager"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko"
-and not process.parent.name in ("cisco-amp-helper", "ksplice-apply")
 '''
 [[rule.threat]]
@@ -182,4 +181,3 @@ reference = "https://attack.mitre.org/techniques/T1547/006/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml
index daf5fb10d..460636deb 100644
--- a/rules/linux/persistence_kworker_file_creation.toml
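Review bot: Dropping `and not process.parent.name in ("cisco-amp-helper", "ksplice-apply")` reinstates alerts for insmod runs spawned by those two agents, and nothing in the hunk or the commit message says whether that noise has been confirmed gone or is now wanted as signal; if the removal is intentional, a `#` comment above `query = '''` such as `# parent-name exclusions for cisco-amp-helper/ksplice-apply removed on purpose: <reason>` (placeholder) would stop the next tuning pass from re-adding them. The same query now also runs over `auditbeat-*` and `logs-auditd_manager.auditd-*` (second hunk of this file) yet gained no `event.action` term for those sources, unlike the backdoor-user rule in this commit; presumably `event.type == "start"` is set on auditd process events too, but that is worth confirming with a sample document. The context line `suspcious or malicious behavior.` in the second hunk carries a typo (`suspicious`) that could be fixed in the same touch.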
+++ b/rules/linux/persistence_kworker_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/12/19"
+updated_date = "2024/02/21"
 
 [transform]
 [[transform.osquery]]
@@ -176,8 +176,9 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.action == "creation" and process.name : "kworker*" and not (
- process.name : "kworker*kcryptd*" or file.path : ("/var/log/*", "/var/crash/*")
+file where event.action in ("creation", "file_create_event") and process.name : "kworker*" and not (
+ (process.name : "kworker*kcryptd*") or
+ (file.path : ("/var/log/*", "/var/crash/*", "/var/run/*", "/var/lib/systemd/coredump/*", "/var/spool/*"))
 )
 '''
diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml
index aa6ef2339..2feafb7f7 100644
--- a/rules/linux/persistence_linux_backdoor_user_creation.toml
+++ b/rules/linux/persistence_linux_backdoor_user_creation.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/03/07"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/21"
 
 [transform]
 [[transform.osquery]]
@@ -34,7 +34,7 @@ Identifies the attempt to create a new backdoor user by setting the user's UID t
 0 to establish persistence on a system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Linux Backdoor User Account Creation"
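Review bot: The new `"/var/spool/*"` exclusion also silences writes under `/var/spool/cron/*`, the per-user crontab directory, so a process carrying a `kworker*` name that plants a crontab there — the masquerading-persistence case this rule exists to catch — no longer alerts; `"/var/run/*"` is similarly broad. Narrow the new entries to the subdirectories that actually produced the false positives, e.g. `"/var/lib/systemd/coredump/*", "/var/spool/<noisy-subdir>/*"` (placeholder — use the paths seen in the tuning data), or keep the broad entry but add a clause that re-includes `/var/spool/cron/*`. A one-line `#` comment above `query = '''` naming the source of the `/var/run/*` and `/var/spool/*` noise would make the next tuning pass safer.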
@@ -115,13 +115,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Auditd Manager"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and
-event.action in ("exec", "exec_event") and process.name == "usermod" and
-process.args : "-u" and process.args : "0" and process.args : "-o"
+process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
+event.type == "start" and process.name == "usermod" and process.args : "-u" and process.args : "0" and process.args : "-o"
 '''
 [[rule.threat]]
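Review bot: The query now requires both `event.action in ("exec", "exec_event", "executed", "process_started")` and `event.type == "start"`; the two new actions presumably belong to the `auditbeat-*` / `logs-auditd_manager.auditd-*` indices added earlier in this file, and the rule only gains coverage from them if those documents also carry `event.type: start` — worth confirming against a sample auditd record, since a mismatch fails silently as zero hits rather than an error. The hunk's context line (`For more details on Elastic Defend refer to the [helper guide]`) shows the setup text addressing Elastic Defend only; if the section above the hunk does not already describe enabling the Auditd Manager integration, it should, now that `integration` lists it. The `[[rule.threat]]` block that follows continues past the hunk.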