diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml
index 3db9313d4..42f466d83 100644
--- a/rules/linux/command_and_control_cat_network_activity.toml
+++ b/rules/linux/command_and_control_cat_network_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/19"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -140,7 +140,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
- [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+ [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.name == "cat" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
 [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and
 process.name == "cat" and not (destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml
index 35bd99251..5a6cb5f3e 100644
--- a/rules/linux/command_and_control_linux_chisel_client_activity.toml
+++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -148,7 +148,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
- [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+ [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and
 process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
 [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and
diff --git a/rules/linux/command_and_control_linux_chisel_server_activity.toml b/rules/linux/command_and_control_linux_chisel_server_activity.toml
index a5eee3346..0f511f1f3 100644
--- a/rules/linux/command_and_control_linux_chisel_server_activity.toml
+++ b/rules/linux/command_and_control_linux_chisel_server_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -148,10 +148,10 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1m
- [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+ [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.args == "server" and process.args in ("--port", "-p", "--reverse", "--backend", "--socks5") and process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
- [network where host.os.type == "linux" and event.action == "connection_accepted" and event.type == "start" and
+ [network where host.os.type == "linux" and event.type == "start" and event.action == "connection_accepted" and
 destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and not process.name : (
 "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet",
diff --git a/rules/linux/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml
index 8c625c8e1..4fe527e74 100644
--- a/rules/linux/command_and_control_linux_proxychains_activity.toml
+++ b/rules/linux/command_and_control_linux_proxychains_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -123,8 +123,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "proxychains"
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "proxychains"
 '''
 [[rule.threat]]
diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
index 77b0be56d..063f31889 100644
--- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
+++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -148,8 +148,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "proxychains" and process.args : (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "proxychains" and process.args : (
 "ssh", "sshd", "sshuttle", "socat", "iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok", "gost", "pivotnacci", "chisel*", "nmap", "ping", "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", "ftp", "curl", "wget"
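Review bot: The rewritten proxychains query moves the conjunction to the head of the continuation line (`+ and process.name == "proxychains"`), while the shorter queries in this same commit keep the repository's trailing-`and` continuation (for example `... and event.action in ("exec", "exec_event") and` in credential_access_gdb_init_process_hooking). The same leading-`and` form recurs in the suspicious_proxychains, gdb_process_hooking, base16/base32, clear_kernel_ring_buffer, disable_apparmor, disable_selinux, esxi_timestomp_touch, mount_execution, dynamic_linker_via_od, esxi find/grep, hping and nping hunks. Since the reorder exists to make the `host.os.type` / `event.type` / `event.action` prefix uniform across rules, keeping one continuation style would serve the same goal, e.g. `+process where host.os.type == "linux" and event.type == "start" and` followed by `+event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "proxychains"`.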
diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
index 07b6d3d90..fd120355b 100644
--- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
+++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/19"
+updated_date = "2024/03/08"
 [transform]
 [[transform.osquery]]
@@ -149,8 +149,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
-event.type == "start" and (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and (
 ( // gost & pivotnacci - spawned without process.parent.name
 (process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or (
diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml
index 71f8a6a80..e5b8dfc17 100644
--- a/rules/linux/credential_access_gdb_init_process_hooking.toml
+++ b/rules/linux/credential_access_gdb_init_process_hooking.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/19"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1"
 '''
diff --git a/rules/linux/credential_access_gdb_process_hooking.toml b/rules/linux/credential_access_gdb_process_hooking.toml
index 9f2f82292..1a72efb58 100644
--- a/rules/linux/credential_access_gdb_process_hooking.toml
+++ b/rules/linux/credential_access_gdb_process_hooking.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -37,8 +37,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "gdb" and process.args in ("--pid", "-p") and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "gdb" and process.args in ("--pid", "-p") and
 /* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */
 process.args != "1"
 '''
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index ff16bb608..31c0b7f2d 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -72,8 +72,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name in ("base16", "base32", "base32plain", "base32hex") and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name in ("base16", "base32", "base32plain", "base32hex") and
 not process.args in ("--help", "--version")
 '''
diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
index b544778af..ba14cbaf6 100644
--- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
+++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -56,7 +56,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
- [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+ [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.name in ("cp", "mv") and process.args : (
 // Shells
 "/bin/*sh", "/usr/bin/*sh",
diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
index fa8826164..6f37f146f 100644
--- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
+++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -57,8 +57,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "dmesg" and process.args == "-c"
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "dmesg" and process.args == "-c"
 '''
 [[rule.threat]]
diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml
index 22ae8aef1..b871a387c 100644
--- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml
+++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -58,8 +58,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and (
 (process.name == "systemctl" and process.args == "disable" and process.args == "apparmor") or
 (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args == "/etc/apparmor.d/disable/")
 )
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index 9563bca66..ef0ade341 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -70,8 +70,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "setenforce" and process.args == "0"
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "setenforce" and process.args == "0"
 '''
 [[rule.threat]]
diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
index d87abc4fa..7751d734d 100644
--- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
+++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.5.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -63,8 +63,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "touch" and process.args == "-r" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "touch" and process.args == "-r" and
 process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
 '''
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index d4a846d10..b1efaa15b 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,7 @@
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.name == "rmmod" or (process.name == "modprobe" and process.args in ("--remove", "-r")) and process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
 '''
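Review bot: The reordered kernel_module_removal query still contains an unparenthesised `or`: `and` binds tighter than `or` in EQL, so the `host.os.type`, `event.type` and `event.action` predicates on the changed line apply only to the `process.name == "rmmod"` branch, while the `modprobe` branch is gated on `process.parent.name` alone and the `rmmod` branch is not gated on the parent at all. Since the commit touches exactly this line, it is the moment to group the alternatives: `(process.name == "rmmod" or (process.name == "modprobe" and process.args in ("--remove", "-r"))) and` followed by the existing `process.parent.name in (...)` line. The affected `or` sits on an unchanged context line, so the fix is a two-line edit to the query body rather than to the reordered prefix.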
diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml
index 536efb926..110b6c20f 100644
--- a/rules/linux/defense_evasion_kthreadd_masquerading.toml
+++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/01"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.name : ("kworker*", "kthread*") and process.executable != null
 '''
diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml
index 79e8213a6..7d28a1ca3 100644
--- a/rules/linux/defense_evasion_mount_execution.toml
+++ b/rules/linux/defense_evasion_mount_execution.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -65,8 +65,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "mount" and process.args == "/proc" and process.args == "-o" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "mount" and process.args == "/proc" and process.args == "-o" and
 process.args : "*hidepid=2*"
 '''
diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml
index bcdf77193..8acf5345e 100644
--- a/rules/linux/defense_evasion_potential_proot_exploits.toml
+++ b/rules/linux/defense_evasion_potential_proot_exploits.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and process.parent.name == "proot"
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
+process.parent.name == "proot"
 '''
 [[rule.threat]]
diff --git a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
index 0ca8aba89..1a4cdb2de 100644
--- a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
+++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
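Review bot: The potential_proot_exploits query gains a brand-new `event.type == "start"` predicate rather than a reordering: the removed line carried only `event.action in ("exec", "exec_event")`, so the new line narrows what the rule matches while every other hunk in this commit is behaviour-neutral. That is presumably the intended alignment with the sibling rules, but it deserves a sentence in the commit message, and a check that the `exec` / `exec_event` actions this rule consumes from its `endpoint` integration always carry `event.type` `start`; if any source emits them under another type, those proot-spawned executions silently stop alerting. The same new predicate is added nowhere else in the visible hunks, so this is the one place where the change needs validation against data rather than only a syntax pass.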
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.parent.name in ("screen", "tmux") and process.name : (
 "nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java", "python*", "php*", "perl", "ruby", "lua*", "openssl", "telnet", "awk", "wget", "curl", "id"
diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml
index ecc3d3379..59488c955 100644
--- a/rules/linux/discovery_dynamic_linker_via_od.toml
+++ b/rules/linux/discovery_dynamic_linker_via_od.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -61,8 +61,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "od" and process.args in (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "od" and process.args in (
 "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2", "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2"
 )
diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml
index db29daf07..a19fca3f1 100644
--- a/rules/linux/discovery_esxi_software_via_find.toml
+++ b/rules/linux/discovery_esxi_software_via_find.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.5.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -60,8 +60,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "find" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "find" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
 '''
 [[rule.threat]]
diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml
index 0e90a61c9..961a5e07c 100644
--- a/rules/linux/discovery_esxi_software_via_grep.toml
+++ b/rules/linux/discovery_esxi_software_via_grep.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.5.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -60,8 +60,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name in ("grep", "egrep", "pgrep") and process.args in (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name in ("grep", "egrep", "pgrep") and process.args in (
 "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem"
 )
 '''
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index d6963ac33..d182bf299 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -63,7 +63,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.category:process and host.os.type:linux and event.action:(exec or exec_event) and event.type:start and (
+event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (
 (process.name:(lsmod or modinfo)) or
 (process.name:kmod and process.args:list) or
 (process.name:depmod and process.args:(--all or -a))
diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml
index c504f87c4..f59a8f2bd 100644
--- a/rules/linux/discovery_linux_hping_activity.toml
+++ b/rules/linux/discovery_linux_hping_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/20/02"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -76,8 +76,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name in ("hping", "hping2", "hping3")
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name in ("hping", "hping2", "hping3")
 '''
 [[rule.threat]]
diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml
index b02d6893d..f2c110c3e 100644
--- a/rules/linux/discovery_linux_nping_activity.toml
+++ b/rules/linux/discovery_linux_nping_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -76,8 +76,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "nping"
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "nping"
 '''
 [[rule.threat]]
diff --git a/rules/linux/discovery_proc_maps_read.toml b/rules/linux/discovery_proc_maps_read.toml
index 74f5f25c1..56c21b5fd 100644
--- a/rules/linux/discovery_proc_maps_read.toml
+++ b/rules/linux/discovery_proc_maps_read.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/29"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.entry_leader.name in (
 "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"
 )
diff --git a/rules/linux/discovery_suspicious_which_command_execution.toml b/rules/linux/discovery_suspicious_which_command_execution.toml
index 3d1f84082..99dfe0b87 100644
--- a/rules/linux/discovery_suspicious_which_command_execution.toml
+++ b/rules/linux/discovery_suspicious_which_command_execution.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" and not process.args == "--tty-only"
diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml
index f865c8b89..d36e05269 100644
--- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml
+++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 type = "eql"
 query = '''
 sequence by host.id, process.parent.entity_id with maxspan=1s
- [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+ [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.name == "id" and process.args_count == 2 and not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20
 '''
diff --git a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
index 7829501fc..ae5eff02e 100644
--- a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
+++ b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6."
 min_stack_version = "8.6.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "curl"
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "curl"
 and (
 process.args : ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or
 process.env_vars: ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*")
diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml
index d6a194999..a65032f83 100644
--- a/rules/linux/execution_file_execution_followed_by_deletion.toml
+++ b/rules/linux/execution_file_execution_followed_by_deletion.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"
 [rule]
 author = ["Elastic"]
@@ -54,7 +54,7 @@ sequence by host.id, user.id with maxspan=1m process.name in ("curl", "wget", "fetch", "ftp", "sftp", "scp", "rsync", "ld") and file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.name [file where host.os.type == "linux" and event.action == "deletion" and not process.name in ("rm", "ld") and file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", diff --git a/rules/linux/execution_interpreter_tty_upgrade.toml b/rules/linux/execution_interpreter_tty_upgrade.toml index 370280a85..d607c959f 100644 --- a/rules/linux/execution_interpreter_tty_upgrade.toml +++ b/rules/linux/execution_interpreter_tty_upgrade.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/20" integration = ["endpoint"] maturity = "production" -updated_date = "2023/11/02" +updated_date = "2024/03/08" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -56,7 +56,7 @@ tags = ["Domain: Endpoint", ] type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and ( +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( (process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or (process.name == "script" and process.args in ("-qc", "-c") and process.args == "/dev/null" and process.args_count == 4) diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml index 222521af0..bda20e748 100644 
--- a/rules/linux/execution_nc_listener_via_rlwrap.toml +++ b/rules/linux/execution_nc_listener_via_rlwrap.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -64,7 +64,7 @@ tags = ["Domain: Endpoint", timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and process.args : "*l*" and process.args_count >= 4 ''' diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml index 6699df0c2..e1f236cfb 100644 --- a/rules/linux/execution_network_event_post_compilation.toml +++ b/rules/linux/execution_network_event_post_compilation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/12/13" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -56,10 +56,10 @@ tags = [ type = "eql" query = ''' sequence by host.id with maxspan=1m - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name in ("gcc", "g++", "cc")] by process.args [file where host.os.type == "linux" and event.action == "creation" and process.name == "ld"] by file.name - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start"] by process.name + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec"] by process.name [network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.name ''' diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml index bc0913d3e..7f496983a 100644 --- a/rules/linux/execution_potential_hack_tool_executed.toml +++ b/rules/linux/execution_potential_hack_tool_executed.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/02/20" +updated_date = "2024/03/08" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -59,8 +59,8 @@ tags = [ ] type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and -event.type == "start" and process.name in ( +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") + and process.name in ( // exploitation frameworks "crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc", // network scanners (nmap left out to reduce noise) diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 258922a1a..e419b51a4 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/15" integration = ["endpoint"] maturity = "production" -updated_date = "2024/02/20" +updated_date = "2024/03/08" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -57,7 +57,7 @@ tags = [ type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( (process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.parent.args_count >= 3 and process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index a102905ca..f5db5c613 100644 --- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml 
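Review bot: The rewrapped query in the hack-tool hunk moves the conjunction to the head of the continuation line (` and process.name in (`) and leaves the first query line well beyond the width every other rewrapped query in this commit stays within; the hunks with the same shape (ssh-it worm download, backdoor user creation, user added to privileged group, chown/chmod unauthorized file read, kexec, sudo CVE-2019-14287) do the same. EQL ignores the line break, so this is style only, but it is inconsistent with the trailing-`and` form this same commit uses in the postgresql, suspicious-symbolic-link and netcon-via-sudo hunks. Suggest `process where host.os.type == "linux" and event.type == "start" and` / `event.action in ("exec", "exec_event", "executed", "process_started") and process.name in (` so all rewrapped queries follow one convention. The query body continues outside the hunk.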
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -59,8 +59,8 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and -event.type == "start" and user.name == "postgres" and ( +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "fork", "fork_event") and +user.name == "postgres" and ( (process.parent.args : "*sh" and process.parent.args : "echo*") or (process.args : "*sh" and process.args : "echo*") ) and not process.parent.name : "puppet" diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml index 24586d552..430753720 100644 --- a/rules/linux/execution_shell_via_background_process.toml +++ b/rules/linux/execution_shell_via_background_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/20" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -56,7 +56,7 @@ tags = [ ] type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml index 950f3dd98..47e3831d9 100644 
--- a/rules/linux/execution_shell_via_suspicious_binary.toml +++ b/rules/linux/execution_shell_via_suspicious_binary.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -74,7 +74,7 @@ sequence by host.id, process.entity_id with maxspan=1s "/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*", "/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local" ) and destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] -[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] ''' diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index e08131a00..35ee9d990 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml 
@@ -4,13 +4,13 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/03/08" [rule] author = ["Elastic"] description = """ -Identifies service creation events of common mining services, possibly indicating the infection -of a system with a cryptominer. +Identifies service creation events of common mining services, possibly indicating the infection of a system with a +cryptominer. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -45,16 +45,21 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -file where host.os.type == "linux" and event.type == "creation" and -event.action : ("creation", "file_create_event") and +file where host.os.type == "linux" and event.type == "creation" and event.action : ("creation", "file_create_event") and file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.service", "pnsd.service", "apache4.service", "pastebin.service", "xvf.service") ''' - [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml index d3c491280..c84fb4989 100644 --- a/rules/linux/lateral_movement_ssh_it_worm_download.toml +++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -59,8 +59,8 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and -event.type == "start" and process.name in ("curl", "wget") and process.args : ( +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") + and process.name in ("curl", "wget") and process.args : ( "https://thc.org/ssh-it/x", "http://nossl.segfault.net/ssh-it-deploy.sh", "https://gsocket.io/x", "https://thc.org/ssh-it/bs", "http://nossl.segfault.net/bs" ) diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml index 16962b3ee..97a17fe29 100644 --- a/rules/linux/persistence_apt_package_manager_execution.toml +++ b/rules/linux/persistence_apt_package_manager_execution.toml @@ -3,7 +3,7 @@ creation_date = "2024/02/01" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/01" +updated_date = "2024/03/08" integration = ["endpoint"] [rule] 
@@ -61,12 +61,12 @@ tags = [ type = "eql" query = ''' sequence by host.id with maxspan=5s - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "apt" and process.args == "-c" and process.name in ( "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish" ) ] by process.entity_id - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name : ( + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name : ( "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk" ) diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml index 13d9d6bd3..696c037e1 100644 --- a/rules/linux/persistence_apt_package_manager_netcon.toml +++ b/rules/linux/persistence_apt_package_manager_netcon.toml @@ -3,7 +3,7 @@ creation_date = "2024/02/01" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/01" +updated_date = "2024/03/08" integration = ["endpoint"] [rule] @@ -61,7 +61,7 @@ tags = [ type = "eql" query = ''' sequence by host.id with maxspan=5s - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "apt" and process.args == "-c" and process.name in ( "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish" ) diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index 947d5fe8d..bb0e1ebe6 100644 
--- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/03/08" [transform] [[transform.osquery]] @@ -126,8 +126,8 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and -event.type == "start" and process.name == "usermod" and process.args : "-u" and process.args : "0" and process.args : "-o" +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") + and process.name == "usermod" and process.args : "-u" and process.args : "0" and process.args : "-o" ''' [[rule.threat]] diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index a2a9e7793..2528e50c2 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/03/08" [transform] [[transform.osquery]] 
@@ -121,8 +121,8 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and -event.type == "start" and process.args in ( +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") + and process.args in ( "root", "admin", "wheel", "staff", "sudo","disk", "video", "shadow", "lxc", "lxd" ) and ( diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml index 55f91e2f2..c99e8b13e 100644 --- a/rules/linux/persistence_setuid_setgid_capability_set.toml +++ b/rules/linux/persistence_setuid_setgid_capability_set.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/03/08" [transform] [[transform.osquery]] @@ -143,7 +143,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "setcap" and process.args : "cap_set?id+ep" and not process.parent.name in ("jem", "vzctl") ''' diff --git a/rules/linux/persistence_systemd_netcon.toml b/rules/linux/persistence_systemd_netcon.toml index 7e63a1054..45d827261 100644 --- a/rules/linux/persistence_systemd_netcon.toml +++ b/rules/linux/persistence_systemd_netcon.toml 
@@ -3,7 +3,7 @@ creation_date = "2024/02/01" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/01" +updated_date = "2024/03/08" integration = ["endpoint"] [rule] @@ -61,7 +61,7 @@ tags = [ type = "eql" query = ''' sequence by host.id with maxspan=5s - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "systemd" and process.name in ( "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk" ) diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml index bfacc7bb8..c631a2d3b 100644 --- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml +++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -61,8 +61,8 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and -event.type == "start" and process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*" +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") + and process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*" ''' [[rule.threat]] 
diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml index a3c1bbf7b..0084ab81f 100644 --- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml +++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -65,7 +65,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( (process.name == "runc" and process.args == "run") or (process.name == "ctr" and process.args == "run" and process.args in ("--privileged", "--mount")) ) and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" and diff --git a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml index 17677e5b5..dadfea901 100644 --- a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml +++ b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/15" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -70,10 +70,10 @@ tags = [ type = "eql" query = ''' sequence by host.id, process.parent.entity_id with maxspan=5m - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "mount" and process.args : "/dev/sd*" and process.args_count >= 3 and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "chroot"] ''' diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml index 9c2bb9438..a7983629c 100644 --- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml +++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -48,12 +48,20 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and -event.type == "start" and process.name == "ln" and process.args in ("-s", "-sf") and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +process.name == "ln" and process.args in ("-s", "-sf") and ( /* suspicious files */ (process.args in ("/etc/shadow", "/etc/shadow-", "/etc/shadow~", "/etc/gshadow", "/etc/gshadow-") or diff --git a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml index 7469dbb2f..26f8283c9 100644 --- a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml +++ b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -61,7 +61,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "systemd-run" and process.args == "-t" and process.args_count >= 3 and user.id >= "1000000000" ''' diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index b0b88ac0d..c45f02676 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml @@ -3,7 +3,7 @@ creation_date = "2023/06/09" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/03/08" integration = ["endpoint", "auditd_manager"] [rule] @@ -67,8 +67,8 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and -event.type == "start" and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") + and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") ''' [[rule.threat]] diff --git a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml index adf13b4f7..30b4f2fcd 100644 --- a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml 
+++ b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6." min_stack_version = "8.6.0" -updated_date = "2023/11/02" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -70,7 +70,7 @@ tags = [ type = "eql" query = ''' sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.env_vars : "*GLIBC_TUNABLES=glibc.*=glibc.*=*"] with runs=5 ''' diff --git a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml index 9dcd3eb4b..b9d7cdcdf 100644 --- a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml +++ b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -58,8 +58,8 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -network where host.os.type == "linux" and event.action in ("connection_attempted", "ipv4_connection_attempt_event") and -event.type == "start" and process.name == "sudo" +network where host.os.type == "linux" and event.type == "start" and +event.action in ("connection_attempted", "ipv4_connection_attempt_event") and process.name == "sudo" ''' [[rule.threat]] diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml index 4d3ba053c..8c5e04a75 100644 
--- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml +++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -53,7 +53,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: type = "eql" query = ''' sequence by process.parent.entity_id, host.id with maxspan=5s - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" and user.id != "0"] [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and user.id == "0"] diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml index bd8fba540..8353f4f69 100644 --- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml +++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -52,11 +52,11 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: type = "eql" query = ''' sequence by host.id with maxspan=1s - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( (process.name == "tar" and process.args : "--checkpoint=*" and process.args : "--checkpoint-action=*") or (process.name == "rsync" and process.args : "-e*") or (process.name == "zip" and process.args == "--unzip-command") )] by process.entity_id - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name : ("tar", "rsync", "zip") and process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id ''' diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml index b4903b3f1..7a36055d1 100644 --- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml +++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -53,7 +53,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "debugfs" and process.args : "/dev/sd*" and not process.args == "-R" and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" ''' diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml index 488762834..a5a59552e 100644 --- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml +++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/21" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -61,8 +61,8 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and -event.type == "start" and process.name == "sudo" and process.args == "-u#-1" +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") + and process.name == "sudo" and process.args == "-u#-1" ''' [[rule.threat]] diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml index 5afea58d3..e748504ac 100644 --- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml +++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml 
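Review bot: The rewritten query in privilege_escalation_sudo_cve_2019_14287 now breaks the line before the conjunction (`+ and process.name == "sudo" and process.args == "-u#-1"`), whereas every other rule touched by this commit keeps the trailing-`and` style and wraps before the predicate; the same leading-`and` continuation appears in discovery_of_domain_groups (`+ and (`) and execution_unix_socket_communication (`+ and (`). The first line of each of these queries also grew past the width the other rules keep, because the whole `event.action in (...)` list was pulled onto it. Wrapping after `event.type == "start" and` and again after the action list keeps the style consistent: `process where host.os.type == "linux" and event.type == "start" and` / `event.action in ("exec", "exec_event", "executed", "process_started") and` / `process.name == "sudo" and process.args == "-u#-1"`. Semantics are unchanged either way, since EQL `and` is commutative and the reorder is purely cosmetic.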
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -53,7 +53,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: type = "eql" query = ''' sequence by host.id, process.session_leader.entity_id with maxspan=15s -[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "gdb" and process.user.id != "0" and process.group.id != "0" ] [ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and process.name == "sudo" and process.user.id == "0" and process.group.id == "0" ] diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml index 981ed2527..5e32f77ff 100644 --- a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml +++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -53,7 +53,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.args : "import os;os.set?id(0);os.system(*)" and process.args : "*python*" and user.id != "0"] [process where host.os.type == "linux" and event.action in ("uid_change", "gid_change") and event.type == "change" and (user.id == "0" or group.id == "0")] diff --git a/rules/linux/privilege_escalation_uid_change_post_compilation.toml b/rules/linux/privilege_escalation_uid_change_post_compilation.toml index dea4450ad..9f8d47e5a 100644 --- a/rules/linux/privilege_escalation_uid_change_post_compilation.toml +++ b/rules/linux/privilege_escalation_uid_change_post_compilation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -50,11 +50,11 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: type = "eql" query = ''' sequence by host.id with maxspan=1m - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name in ("gcc", "g++", "cc") and user.id != "0"] by process.args [file where host.os.type == "linux" and event.action == "creation" and event.type == "creation" and process.name == "ld" and user.id != "0"] by file.name - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.id != "0"] by process.name [process where host.os.type == "linux" and event.action in ("uid_change", "guid_change") and event.type == "change" and user.id == "0"] by process.name diff --git a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml index c19f21e59..d48ae3695 100644 --- a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml +++ b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2024/02/22" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
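Review bot: The final step of the sequence in privilege_escalation_uid_change_post_compilation still matches `event.action in ("uid_change", "guid_change")`, and `guid_change` looks like a typo for `gid_change`, which is the action name the sibling rule privilege_escalation_suspicious_cap_setuid_python_execution uses in the equivalent `event.type == "change"` step. If the endpoint integration emits no action called `guid_change`, a group-id-only change after compilation is silently never matched by this step, and the commit reorders only the exec predicates of this hunk while leaving that line as is. Unless `guid_change` is a real action value I am not aware of, the line should read `[process where host.os.type == "linux" and event.action in ("uid_change", "gid_change") and event.type == "change" and user.id == "0"] by process.name`.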
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested" building_block_type = "default" query = ''' event.category:process and host.os.type:"linux" and -event.action:("exec" or "exec_event" or "executed" or "process_started") and event.type:"start" and +event.type:"start" and event.action:("exec" or "exec_event" or "executed" or "process_started") and process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq") ''' diff --git a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml index 0d22a5bcc..1caa23c11 100644 --- a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml +++ b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/03/08" [transform] [[transform.osquery]] @@ -121,7 +121,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("ssh", "sshd") and process.args in ("-X", "-Y") and process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' diff --git a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml index 044aefe67..e0133519d 100644 --- a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml +++ b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -36,7 +36,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and +process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name : "* " ''' diff --git a/rules_building_block/discovery_linux_system_information_discovery.toml b/rules_building_block/discovery_linux_system_information_discovery.toml index 17d68c119..af04ae90d 100644 --- a/rules_building_block/discovery_linux_system_information_discovery.toml +++ b/rules_building_block/discovery_linux_system_information_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and ( +process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( process.name: "uname" or ( process.name: ("cat", "more", "less") and process.args: ("*issue*", "*version*", "*profile*", "*services*", "*cpuinfo*") ) diff --git a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml index 3e55ae1c9..eb07c9ed3 100644 
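Review bot: The query in discovery_linux_system_information_discovery carries no `host.os.type == "linux"` constraint even though the file is named and (per the hunk header's truncated `tags = [`) presumably tagged as a Linux rule, while sibling building-block rules in this same commit such as discovery_of_domain_groups and discovery_suspicious_memory_grep_activity do scope on it. With `integration = ["endpoint", "auditd_manager"]`, endpoint process events from any OS type that run `uname` or `cat`/`more`/`less` on the listed files would therefore match as well; this may be intentional for a cross-platform building block, but it is not documented in the hunk. If Linux-only scoping is intended, prefix the first query line with `host.os.type == "linux" and` as the other rules do; otherwise a short comment-free note in the rule description stating that it is deliberately OS-agnostic would prevent the next reader from asking the same question.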
--- a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml +++ b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -35,7 +35,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and ( +process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( (process.name in ("groups", "id")) or (process.name == "dscl" and process.args : ("/Active Directory/*", "/Users*", "/Groups*")) or (process.name == "dscacheutil" and process.args in ("user", "group")) or diff --git a/rules_building_block/discovery_of_domain_groups.toml b/rules_building_block/discovery_of_domain_groups.toml index 2af745be2..fc2e465b2 100644 --- a/rules_building_block/discovery_of_domain_groups.toml +++ b/rules_building_block/discovery_of_domain_groups.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/03/08" [rule] author = ["Elastic"] 
@@ -35,8 +35,8 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and -event.type == "start" and ( +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") + and ( process.name in ("ldapsearch", "dscacheutil") or (process.name == "dscl" and process.args : "*-list*") ) ''' diff --git a/rules_building_block/discovery_potential_memory_seeking_activity.toml b/rules_building_block/discovery_potential_memory_seeking_activity.toml index 9d0e0f643..d6dc62b89 100644 --- a/rules_building_block/discovery_potential_memory_seeking_activity.toml +++ b/rules_building_block/discovery_potential_memory_seeking_activity.toml @@ -5,7 +5,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/01" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -35,7 +35,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and ( +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( (process.name == "tail" and process.args == "-c") or (process.name == "cmp" and process.args == "-i") or (process.name in ("hexdump", "xxd") and process.args == "-s") or diff --git a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml index 1bfb0bcd8..8b3047008 100644 --- a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml +++ b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.action in ("exec", "exec_event") and event.type == "start" and process.name in ( +process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in ( "ps", "pstree", "htop", "pgrep" ) and not process.parent.name in ("amazon-ssm-agent", "snap") diff --git a/rules_building_block/discovery_suspicious_memory_grep_activity.toml b/rules_building_block/discovery_suspicious_memory_grep_activity.toml index 47daaf4de..238e3a740 100644 --- a/rules_building_block/discovery_suspicious_memory_grep_activity.toml +++ b/rules_building_block/discovery_suspicious_memory_grep_activity.toml @@ -5,7 +5,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/05" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -36,7 +36,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("grep", "egrep", "fgrep", "rgrep") and process.args in ("[stack]", "[vdso]", "[heap]") ''' diff --git a/rules_building_block/discovery_system_network_connections.toml b/rules_building_block/discovery_system_network_connections.toml index 282da2949..8445acfed 100644 --- a/rules_building_block/discovery_system_network_connections.toml +++ b/rules_building_block/discovery_system_network_connections.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -33,7 +33,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and +process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name in ("netstat", "lsof", "who", "w") ''' diff --git a/rules_building_block/execution_unix_socket_communication.toml b/rules_building_block/execution_unix_socket_communication.toml index 8cf153c53..26e055dbe 100644 --- a/rules_building_block/execution_unix_socket_communication.toml +++ b/rules_building_block/execution_unix_socket_communication.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/03/08" bypass_bbr_timing = true [rule] @@ -37,8 +37,8 @@ timestamp_override = "event.ingested" building_block_type = "default" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and -event.type == "start" and ( +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") + and ( (process.name in ("nc", "ncat", "netcat", "nc.openbsd") and process.args == "-U" and process.args : ("/usr/local/*", "/run/*", "/var/run/*")) or (process.name == "socat" and 
diff --git a/rules_building_block/privilege_escalation_trap_execution.toml b/rules_building_block/privilege_escalation_trap_execution.toml index 0247335bd..f077ca029 100644 --- a/rules_building_block/privilege_escalation_trap_execution.toml +++ b/rules_building_block/privilege_escalation_trap_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/22" +updated_date = "2024/03/08" [rule] author = ["Elastic"] @@ -36,7 +36,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and +process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and process.name == "trap" and process.args : "SIG*" '''