From 5bc834bfc6ac2e55be6b56cf75e403d818073df9 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 19 Dec 2025 14:32:31 +0100
Subject: [PATCH] =?UTF-8?q?[Rule=20Tuning]=20Shared=20Object=20Created=20o?=
 =?UTF-8?q?r=20Changed=20by=20Previously=20Unknown=20=E2=80=A6=20(#5469)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* [Rule Tuning] Shared Object Created or Changed by Previously Unknown Process
* Update rules/linux/persistence_shared_object_creation.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 rules/linux/persistence_shared_object_creation.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml
index b61d07400..da62371ab 100644
--- a/rules/linux/persistence_shared_object_creation.toml
+++ b/rules/linux/persistence_shared_object_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/11"
+updated_date = "2025/12/16"
 [transform]
 [[transform.osquery]]
@@ -54,7 +54,7 @@ malware to persist on the system, evade detection, and potentially compromise th
 affected system and its data.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.file*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Shared Object Created or Changed by Previously Unknown Process" 
@@ -161,7 +161,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-host.os.type:"linux" and event.action:("creation" or "file_create_event" or "file_rename_event" or "rename" or "file_write_event") and
+event.category:file and host.os.type:"linux" and event.action:("creation" or "file_create_event" or "file_rename_event" or "rename") and
 (file.extension:"so" or file.name:*.so.*) and file.path:( /dev/shm/* or /usr/lib/* or /usr/lib64/* or /usr/local/lib/* or /usr/local/lib64/* or /lib/x86_64-linux-gnu/* or
@@ -202,4 +202,4 @@ value = ["file.path", "process.executable"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
+value = "now-5d"
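Review bot: Dropping `"file_write_event"` from the `event.action` list on the changed query line removes the only action in the hunk that matched an in-place overwrite of an existing library, so the rule now fires on creation and rename only while its `name` (and, as far as the earlier hunk shows, its description) still says "Created or Changed" — an attacker who truncates and rewrites an already-present `.so` at one of the listed paths would, going by the visible action list, no longer be caught on either `logs-endpoint.events.file*` or `endgame-*` data. If this is a deliberate volume trade-off (writes to existing libraries presumably recur on every package update), the rule should record it so the next tuner does not re-add the action blindly: a comment above `query = '''` such as `# In-place writes to an existing .so (e.g. Endgame "file_write_event") are intentionally excluded as too noisy; this rule covers creation and rename only.` would do, and the `name`/description wording should be brought in line. If it is not deliberate, keep `"file_write_event"` in the list and rely on the new `event.category:file` filter plus the narrowed index pattern for the noise reduction. The `query` multi-line string continues outside the hunk.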
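Review bot: Shrinking `history_window_start` from `now-10d` to `now-5d` also shrinks the baseline that decides what a "previously unknown" `file.path`/`process.executable` pair is, so any legitimate process that touches shared objects on a cadence longer than five days — a weekly patch or unattended-upgrade window is the obvious case — will be treated as new and re-alert on every run, which is the opposite of the tuning goal. Nothing in the hunk records why 5 days was chosen, so the trade-off should be stated next to the value: `# 5d keeps the new_terms baseline small; processes that update .so files less often than this (weekly patch cycles) will re-alert each cycle.` If weekly maintenance is a realistic pattern in the target fleet, `now-7d` or longer would be the safer floor; the choice is inferred from the value alone and should be confirmed against the alert history that motivated the change.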