[New Rule] File Made Executable via Chmod Inside A Container (#2757)

* [New Rule] File Made Executable via Chmod Inside A Container

new rule

* edit threat matrix urls

add final / to reference urls

* Apply suggestions from code review

removed unused fields, adjust from field for readability

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

rule query change to remove exclusion and add more common chmod executable patterns, nit review comments, additional tactic, technique and subtechnique

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

added Defense Evasion tag

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

adjusted tags

* Update execution_file_made_executable_via_chmod_inside_a_container.toml

changed rule type to file instead of process to eliminate false positive results from adding the number modification parts of the query

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml

@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2023/04/26"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/05/12"
+
+[rule]
+author = ["Elastic"]
+description = "This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container."
+from = "now-6m"
+index = ["logs-cloud_defend*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "File Made Executable via Chmod Inside A Container"
+risk_score = 47
+rule_id = "ec604672-bed9-43e1-8871-cf591c052550"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Defense Evasion", "Container"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = """
+file where container.id: "*" and event.type in ("change", "creation") and
+
+/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
+(process.name : "chmod" or process.args : "chmod") and 
+process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x"
+"""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+  [rule.threat.tactic]
+  id = "TA0002"
+  reference = "https://attack.mitre.org/tactics/TA0002/"
+  name = "Execution"
+
+  [[rule.threat.technique]]
+  id = "T1059"
+  reference = "https://attack.mitre.org/techniques/T1059/"
+  name = "Command and Scripting Interpreter"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+  [rule.threat.tactic]
+  id = "TA0005"
+  reference = "https://attack.mitre.org/tactics/TA0005/"
+  name = "Defense Evasion"
+
+  [[rule.threat.technique]]
+  id = "T1222"
+  reference = "https://attack.mitre.org/techniques/T1222/"
+  name = "File and Directory Permissions Modification"
+
+    [[rule.threat.technique.subtechnique]]
+    id = "T1222.002"
+    reference = "https://attack.mitre.org/techniques/T1222/002/"
+    name = "Linux and Mac File and Directory Permissions Modification"
+