Populate rules/ directory.

Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>

rules/linux/credential_access_tcpdump_activity.toml

@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to
+capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a
+prelude to lateral movement or defense evasion.
+"""
+false_positives = [
+    """
+    Some normal use of this command may originate from server or network administrators engaged in network
+    troubleshooting.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Network Sniffing via Tcpdump"
+risk_score = 21
+rule_id = "7a137d76-ce3d-48e2-947d-2747796a78c0"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.name:tcpdump and event.action:executed
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1040"
+name = "Network Sniffing"
+reference = "https://attack.mitre.org/techniques/T1040/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1040"
+name = "Network Sniffing"
+reference = "https://attack.mitre.org/techniques/T1040/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+

rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml

@@ -0,0 +1,40 @@
+[metadata]
+creation_date = "2020/04/24"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to
+receive or send network traffic.
+"""
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Attempt to Disable IPTables or Firewall"
+risk_score = 47
+rule_id = "125417b8-d3df-479f-8418-12d7e034fee3"
+severity = "medium"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:(executed or process_started) and (process.name:service and process.args:stop or process.name:chkconfig and process.args:off) and process.args:(ip6tables or iptables) or process.name:systemctl and process.args:(firewalld and (disable or stop or kill))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1089"
+name = "Disabling Security Tools"
+reference = "https://attack.mitre.org/techniques/T1089/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml

@@ -0,0 +1,40 @@
+[metadata]
+creation_date = "2020/04/27"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade
+detection by security controls.
+"""
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Attempt to Disable Syslog Service"
+risk_score = 47
+rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
+severity = "medium"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:(executed or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or "syslog-ng")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1089"
+name = "Disabling Security Tools"
+reference = "https://attack.mitre.org/techniques/T1089/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml

@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2020/04/17"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/17"
+
+[rule]
+author = ["Elastic"]
+description = "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls."
+false_positives = [
+    """
+    Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be
+    filtered by the process executable or username values.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Base16 or Base32 Encoding/Decoding Activity"
+risk_score = 21
+rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:(executed or process_started) and process.name:(base16 or base32 or base32plain or base32hex)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml

@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2020/04/17"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/17"
+
+[rule]
+author = ["Elastic"]
+description = "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls."
+false_positives = [
+    """
+    Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be
+    filtered by the process executable or username values.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Base64 Encoding/Decoding Activity"
+risk_score = 21
+rule_id = "97f22dab-84e8-409d-955e-dacd1d31670b"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:(executed or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml

@@ -0,0 +1,40 @@
+[metadata]
+creation_date = "2020/05/04"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/06/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic
+investigations.
+"""
+index = ["auditbeat-*"]
+language = "lucene"
+license = "Elastic License"
+name = "Deletion of Bash Command Line History"
+risk_score = 47
+rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
+severity = "medium"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:executed AND process.name:rm AND process.args:/\/(home\/.{1,255}|root)\/\.bash_history/
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1146"
+name = "Clear Command History"
+reference = "https://attack.mitre.org/techniques/T1146/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/linux/defense_evasion_disable_selinux_attempt.toml

@@ -0,0 +1,41 @@
+[metadata]
+creation_date = "2020/04/22"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to
+support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and
+activities.
+"""
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Potential Disabling of SELinux"
+risk_score = 47
+rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
+severity = "medium"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:executed and process.name:setenforce and process.args:0
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1089"
+name = "Disabling Security Tools"
+reference = "https://attack.mitre.org/techniques/T1089/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/linux/defense_evasion_file_deletion_via_shred.toml

@@ -0,0 +1,41 @@
+[metadata]
+creation_date = "2020/04/27"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within
+a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or
+remove them at the end as part of the post-intrusion cleanup process.
+"""
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "File Deletion via Shred"
+risk_score = 21
+rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:(executed or process_started) and process.name:shred and process.args:("-u" or "--remove" or "-z" or "--zero")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1107"
+name = "File Deletion"
+reference = "https://attack.mitre.org/techniques/T1107/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/linux/defense_evasion_file_mod_writable_dir.toml

@@ -0,0 +1,46 @@
+[metadata]
+creation_date = "2020/04/21"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files
+or payloads into a writable directory and change permissions prior to execution.
+"""
+false_positives = [
+    """
+    Certain programs or applications may modify files or change ownership in writable directories. These can be exempted
+    by username.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "File Permission Modification in Writable Directory"
+risk_score = 21
+rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:executed and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1222"
+name = "File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml

@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2020/04/17"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/17"
+
+[rule]
+author = ["Elastic"]
+description = "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls."
+false_positives = [
+    """
+    Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be
+    filtered by the process executable or username values.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Hex Encoding/Decoding Activity"
+risk_score = 21
+rule_id = "a9198571-b135-4a76-b055-e3e5a476fd83"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:(executed or process_started) and process.name:(hex or xxd)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

rules/linux/defense_evasion_hidden_file_dir_tmp.toml

@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2020/04/29"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/29"
+
+[rule]
+author = ["Elastic"]
+description = """
+Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name.
+Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.
+This rule looks for hidden files or folders in common writable directories.
+"""
+false_positives = [
+    """
+    Certain tools may create hidden temporary files or directories upon installation or as part of their normal
+    behavior. These events can be filtered by the process arguments, username, or process name values.
+    """,
+]
+index = ["auditbeat-*"]
+language = "lucene"
+license = "Elastic License"
+max_signals = 33
+name = "Creation of Hidden Files and Directories"
+risk_score = 47
+rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
+severity = "medium"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:executed AND process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm") AND process.args:/\.[a-zA-Z0-9_\-][a-zA-Z0-9_\-\.]{1,254}/ AND NOT process.name:(cd or ls or find)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1158"
+name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1158/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1158"
+name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1158/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+

rules/linux/defense_evasion_kernel_module_removal.toml

@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2020/04/24"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the
+functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel
+module.
+"""
+false_positives = [
+    """
+    There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username.
+    Note that some Linux distributions are not built to support the removal of modules at all.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Kernel Module Removal"
+references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
+risk_score = 73
+rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
+severity = "high"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:executed and process.args:(rmmod and sudo or modprobe and sudo and ("--remove" or "-r"))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1089"
+name = "Disabling Security Tools"
+reference = "https://attack.mitre.org/techniques/T1089/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1215"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1215/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+

rules/linux/discovery_kernel_module_enumeration.toml

@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2020/04/23"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They
+extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate
+information about a kernel module.
+"""
+false_positives = [
+    """
+    Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs
+    by ordinary users is uncommon. These can be exempted by process name or username.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Enumeration of Kernel Modules"
+risk_score = 47
+rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
+severity = "medium"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:executed and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+

rules/linux/discovery_virtual_machine_fingerprinting.toml

@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2020/04/27"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies
+common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy
+RAT and other malware.
+"""
+false_positives = [
+    """
+    Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or
+    process arguments to eliminate potential noise.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Virtual Machine Fingerprinting"
+risk_score = 73
+rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
+severity = "high"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:executed and process.args:("/sys/class/dmi/id/bios_version" or "/sys/class/dmi/id/product_name" or "/sys/class/dmi/id/chassis_vendor" or "/proc/scsi/scsi" or "/proc/ide/hd0/model") and not user.name:root
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+

rules/linux/discovery_whoami_commmand.toml

@@ -0,0 +1,46 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for
+privileged access.
+"""
+false_positives = [
+    """
+    Security testing tools and frameworks may run this command. Some normal use of this command may originate from
+    automation tools and frameworks.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "User Discovery via Whoami"
+risk_score = 21
+rule_id = "120559c6-5e24-49f4-9e30-8ffe697df6b9"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.name:whoami and event.action:executed
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+

rules/linux/execution_perl_tty_shell.toml

@@ -0,0 +1,40 @@
+[metadata]
+creation_date = "2020/04/16"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully
+interactive tty after obtaining initial access to a host.
+"""
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Interactive Terminal Spawned via Perl"
+risk_score = 73
+rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3"
+severity = "high"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:executed and process.name:perl and process.args:("exec \"/bin/sh\";" or "exec \"/bin/dash\";" or "exec \"/bin/bash\";")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command-Line Interface"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/linux/execution_python_tty_shell.toml

@@ -0,0 +1,40 @@
+[metadata]
+creation_date = "2020/04/15"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully
+interactive tty after obtaining initial access to a host.
+"""
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Interactive Terminal Spawned via Python"
+risk_score = 73
+rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
+severity = "high"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:executed and process.name:python and process.args:("import pty; pty.spawn(\"/bin/sh\")" or "import pty; pty.spawn(\"/bin/dash\")" or "import pty; pty.spawn(\"/bin/bash\")")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command-Line Interface"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/linux/lateral_movement_telnet_network_activity_external.toml

@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2020/04/23"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet
+network connections to publicly routable IP addresses.
+"""
+false_positives = [
+    """
+    Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions,
+    so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent
+    years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be
+    suspicious.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Connection to External Network via Telnet"
+risk_score = 47
+rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
+severity = "medium"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:("connected-to" or "network_flow") and process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10" or "::1/128")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+

rules/linux/lateral_movement_telnet_network_activity_internal.toml

@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2020/04/23"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet
+network connections to non-publicly routable IP addresses.
+"""
+false_positives = [
+    """
+    Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions,
+    so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent
+    years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be
+    suspicious.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Connection to Internal Network via Telnet"
+risk_score = 47
+rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
+severity = "medium"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:("connected-to" or "network_flow") and process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10") and not (127.0.0.0/8 or "::1/128"))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+

rules/linux/linux_hping_activity.toml

@@ -0,0 +1,33 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets
+for a wide variety of network security testing applications, including scanning and firewall auditing.
+"""
+false_positives = [
+    """
+    Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very
+    uncommon.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Hping Process Activity"
+references = ["https://en.wikipedia.org/wiki/Hping"]
+risk_score = 73
+rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
+severity = "high"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.name:(hping or hping2 or hping3) and event.action:executed
+'''
+

rules/linux/linux_iodine_activity.toml

@@ -0,0 +1,33 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls,
+network security groups, and network access lists while evading detection.
+"""
+false_positives = [
+    """
+    Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very
+    uncommon.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Potential DNS Tunneling via Iodine"
+references = ["https://code.kryo.se/iodine/"]
+risk_score = 73
+rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2"
+severity = "high"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.name:(iodine or iodined) and event.action:executed
+'''
+

rules/linux/linux_mknod_activity.toml

@@ -0,0 +1,33 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits.
+It is used to export a command shell when the traditional version of netcat is not available to the payload.
+"""
+false_positives = [
+    """
+    Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from
+    scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Mknod Process Activity"
+references = ["https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem"]
+risk_score = 21
+rule_id = "61c31c14-507f-4627-8c31-072556b89a9c"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.name:mknod and event.action:executed
+'''
+

rules/linux/linux_netcat_network_connection.toml

@@ -0,0 +1,39 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by
+exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data
+exfiltration.
+"""
+false_positives = [
+    """
+    Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux
+    distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may
+    originate from scripts, automation tools, and frameworks.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Netcat Network Activity"
+references = [
+    "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+    "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf",
+    "https://en.wikipedia.org/wiki/Netcat",
+]
+risk_score = 47
+rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
+severity = "medium"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action:(bound-socket or connected-to or socket_opened)
+'''
+

rules/linux/linux_nmap_activity.toml

@@ -0,0 +1,35 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and
+discover networks, and identify listening services and operating systems. It is sometimes used to gather information in
+support of exploitation, execution or lateral movement.
+"""
+false_positives = [
+    """
+    Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this
+    command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is
+    uncommon.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Nmap Process Activity"
+references = ["https://en.wikipedia.org/wiki/Nmap"]
+risk_score = 21
+rule_id = "c87fca17-b3a9-4e83-b545-f30746c53920"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.name:nmap
+'''
+

rules/linux/linux_nping_activity.toml

@@ -0,0 +1,33 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide
+variety of security testing applications, including denial of service testing.
+"""
+false_positives = [
+    """
+    Some normal use of this command may originate from security engineers and network or server administrators, but this
+    is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Nping Process Activity"
+references = ["https://en.wikipedia.org/wiki/Nmap"]
+risk_score = 47
+rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77"
+severity = "medium"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.name:nping and event.action:executed
+'''
+

rules/linux/linux_process_started_in_temp_directory.toml

@@ -0,0 +1,29 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware."
+false_positives = [
+    """
+    Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by
+    username.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Unusual Process Execution - Temp"
+risk_score = 47
+rule_id = "df959768-b0c9-4d45-988c-5606a2be8e5a"
+severity = "medium"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.working_directory:/tmp and event.action:executed
+'''
+

rules/linux/linux_socat_activity.toml

@@ -0,0 +1,34 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell,
+or by serving a shell on a listening port. Socat is also sometimes used for lateral movement.
+"""
+false_positives = [
+    """
+    Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at
+    varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is
+    more likely to be suspicious.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Socat Process Activity"
+references = ["https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat"]
+risk_score = 47
+rule_id = "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126"
+severity = "medium"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.name:socat and not process.args:-V and event.action:executed
+'''
+

rules/linux/linux_strace_activity.toml

@@ -0,0 +1,33 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order
+to elevate privileges or move laterally.
+"""
+false_positives = [
+    """
+    Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may
+    originate from developers or SREs engaged in debugging or system call tracing.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Strace Process Activity"
+references = ["https://en.wikipedia.org/wiki/Strace"]
+risk_score = 21
+rule_id = "d6450d4e-81c6-46a3-bd94-079886318ed5"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.name:strace and event.action:executed
+'''
+

rules/linux/persistence_kernel_module_activity.toml

@@ -0,0 +1,46 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts."
+false_positives = [
+    """
+    Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these
+    programs by ordinary users is uncommon.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Persistence via Kernel Module Modification"
+references = [
+    "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM",
+]
+risk_score = 21
+rule_id = "81cc58f5-8062-49a2-ba84-5cc4b4d31c40"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.name:(insmod or kmod or modprobe or rmod) and event.action:executed
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1215"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1215/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+

rules/linux/persistence_shell_activity_by_web_server.toml

@@ -0,0 +1,44 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access."
+false_positives = [
+    """
+    Network monitoring or management products may have a web server component that runs shell commands as part of normal
+    behavior.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Potential Shell via Web Server"
+references = ["https://pentestlab.blog/tag/web-shell/"]
+risk_score = 47
+rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb"
+severity = "medium"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.name:(bash or dash) and user.name:(apache or nginx or www or "www-data") and event.action:executed
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1100"
+name = "Web Shell"
+reference = "https://attack.mitre.org/techniques/T1100/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+

rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml

@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2020/04/23"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning
+group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application
+with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism
+on their own malware to make sure they're able to execute in elevated contexts in the future.
+"""
+index = ["auditbeat-*"]
+language = "lucene"
+license = "Elastic License"
+max_signals = 33
+name = "Setgid Bit Set via chmod"
+risk_score = 21
+rule_id = "3a86e085-094c-412d-97ff-2439731e59cb"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:(executed OR process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1166"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1166/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1166"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1166/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+

rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml

@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2020/04/23"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning
+user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application
+with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism
+on their own malware to make sure they're able to execute in elevated contexts in the future.
+"""
+index = ["auditbeat-*"]
+language = "lucene"
+license = "Elastic License"
+max_signals = 33
+name = "Setuid Bit Set via chmod"
+risk_score = 21
+rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.action:(executed OR process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1166"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1166/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1166"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1166/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+

rules/linux/privilege_escalation_sudoers_file_mod.toml

@@ -0,0 +1,40 @@
+[metadata]
+creation_date = "2020/04/13"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/04/13"
+
+[rule]
+author = ["Elastic"]
+description = """
+A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take
+advantage of these configurations to execute commands as other users or spawn processes with higher privileges.
+"""
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Sudoers File Modification"
+risk_score = 21
+rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+event.module:file_integrity and event.action:updated and file.path:/etc/sudoers
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1169"
+name = "Sudo"
+reference = "https://attack.mitre.org/techniques/T1169/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+