diff --git a/rules_building_block/discovery_capnetraw_capability.toml b/rules_building_block/discovery_capnetraw_capability.toml
index b22ed918d..34242a8da 100644
--- a/rules_building_block/discovery_capnetraw_capability.toml
+++ b/rules_building_block/discovery_capnetraw_capability.toml
@@ -5,7 +5,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
 min_stack_version = "8.11.0"
-updated_date = "2024/09/01"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,6 @@ risk_score = 21
 rule_id = "e28b8093-833b-4eda-b877-0873d134cf3c"
 setup = """## Setup
-
 This rule requires data coming in from Elastic Defend.
 
 ### Elastic Defend Integration Setup
 
@@ -52,7 +51,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR"
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -76,7 +82,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "user.id", "process.executable"]
+value = ["process.executable"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
index 00a0f082b..e6ea70452 100644
--- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
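Review bot: Dropping `host.id` and `user.id` from `new_terms_fields` in the `[rule.new_terms]` hunk changes what the rule treats as new: a `process.executable` already observed on any host or by any user inside the history window now suppresses the alert for every other host and user, so the same capability-enumeration binary turning up on a second host after the first sighting no longer surfaces. That is presumably a deliberate noise trade-off, but nothing in the file records it, and the `history_window_start` value this now applies to lies outside the hunk. If the rule toolkit keeps TOML comments, a line above `value` such as `# fleet-wide novelty of the executable only; per-host and per-user first sightings no longer alert (2024/10/18)` would help the next tuner judge the coverage loss. The same narrowing is made in the `[rule.new_terms]` hunks of discovery_kernel_module_enumeration_via_proc.toml, discovery_linux_modprobe_enumeration.toml and discovery_linux_sysctl_enumeration.toml, and this note applies to those as well.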
+++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/12" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/18" [rule] author = ["Elastic"] @@ -54,21 +54,19 @@ tags = [ ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and file.path:"/proc/modules" and -not process.name:(grep or python* or chef-client) +not process.name:(python* or chef-client) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -76,9 +74,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.executable"] +value = ["process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" - - +value = "now-14d" diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml index 05b04fa4b..1a41af5ad 100644 --- a/rules_building_block/discovery_linux_modprobe_enumeration.toml +++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/18" [rule] author = ["Elastic"] 
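Review bot: The exclusion this hunk rewrites still keys on `process.name` (`not process.name:(python* or chef-client)`) while the rule's novelty field in the next hunk now keys on `process.executable`, so an interpreter or agent is exempted by basename wherever it is installed and the baseline and the allow-list no longer describe the same attribute. Consider expressing the exemptions as `process.executable` paths confirmed from the telemetry, which also makes `python*` explicit about which interpreters it is meant to cover. Removing `grep` is a reasonable widening, since a grep over `/proc/modules` is precisely the read the rule is built to see; the same removal in discovery_linux_modprobe_enumeration.toml and discovery_linux_sysctl_enumeration.toml carries the same process.name-versus-process.executable mismatch and is not noted again there.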
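Review bot: `history_window_start` grows from `now-7d` to `now-14d` in the same commit that reduces `new_terms_fields` to `process.executable`, so the baseline becomes both twice as long and fleet-wide: an executable seen on any host in the last two weeks is silent on all hosts. The combined effect is larger than either change alone and deserves a line in the rule file, e.g. above the new value `# 14-day fleet-wide baseline, aligned with the modprobe and sysctl enumeration rules which already use now-14d`, the latter being visible in the sibling hunks of this diff.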
@@ -57,20 +57,19 @@ type = "new_terms" query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and not process.name:( - cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or grep or borg or auditbeat or lspci or + cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or borg or auditbeat or lspci or aide or modprobe or python* ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -78,9 +77,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.executable"] +value = ["process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml index f01834a99..4da131364 100644 --- a/rules_building_block/discovery_linux_sysctl_enumeration.toml +++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/18" [rule] author = ["Elastic"] 
@@ -57,19 +57,18 @@ type = "new_terms" query = ''' host.os.type:linux and event.category:file and event.action:("opened-file" or "read-file" or "wrote-to-file") and file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and not process.name:( - dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or grep or pool* + dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or pool* ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -77,9 +76,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.executable"] +value = ["process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" - - diff --git a/rules_building_block/discovery_potential_memory_seeking_activity.toml b/rules_building_block/discovery_potential_memory_seeking_activity.toml index 8b6be1ce1..5da12a7bb 100644 --- a/rules_building_block/discovery_potential_memory_seeking_activity.toml +++ b/rules_building_block/discovery_potential_memory_seeking_activity.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/18" [rule] author = ["Elastic"] 
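Review bot: The rewritten exclusion line still lists `dpkg` twice (`dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or pool*`); the duplicate is harmless to the query but the line was already being edited to drop `grep`, so the second `dpkg` should go in the same pass: `dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or pool*`. `pool*` is also a bare prefix match on process.name with no hint of which process it covers; a trailing comment naming the false-positive source, or a `process.executable` path instead, would keep the allow-list reviewable.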
@@ -32,27 +32,33 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( - (process.name == "tail" and process.args == "-c") or + (process.name == "tail" and process.args in ("-c", "--bytes")) or (process.name == "cmp" and process.args == "-i") or (process.name in ("hexdump", "xxd") and process.args == "-s") or (process.name == "dd" and process.args : ("skip*", "seek*")) +) and not ( + process.parent.args like ("/opt/error_monitor/error_monitor.sh", "printf*") or + process.parent.name in ("acme.sh", "dracut", "leapp") or + process.parent.executable like ( + "/bin/cagefs_enter", "/opt/nessus_agent/sbin/nessus-service", "/usr/libexec/platform-python*", + "/usr/libexec/vdsm/vdsmd", "/usr/local/bin/docker-entrypoint.sh", "/usr/lib/module-init-tools/lsinitrd-quick" + ) or + process.parent.command_line like "sh*acme.sh*" or + process.args like "/var/tmp/dracut*" ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" -
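Review bot: Several of the new parent-based exclusions in the `not (` block are wider than the false positives they name: `process.parent.args like ("/opt/error_monitor/error_monitor.sh", "printf*")` exempts any parent carrying an argument that begins with printf, `process.parent.command_line like "sh*acme.sh*"` exempts any sh-led command line that mentions acme.sh anywhere, and `process.parent.name in ("acme.sh", "dracut", "leapp")` is name-only while the neighbouring `process.parent.executable like (...)` branch uses full paths. Prefer the path form for those three where the install location is known, and give each remaining wildcard entry a comment stating the tooling it was added for, so later tuners can retire it. Separately, the widened `process.args in ("-c", "--bytes")` matches only the two exact tokens; if the telemetry shows the `--bytes=N` spelling, `process.args : ("-c", "--bytes*")` (the `:` wildcard form the `dd` branch already uses) would cover it. The hunk appears to end with a removed trailing blank line at the end of the file.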