From 5fd155849ef2ba3e317ca28fbce94c0b661919d9 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Tue, 16 May 2023 15:15:49 -0400
Subject: [PATCH] [New Rule] File Made Executable via Chmod Inside A Container (#2757) * [New Rule] File Made Executable via Chmod Inside A Container new rule * edit threat matrix urls add final / to reference urls * Apply suggestions from code review removed unused fields, adjust from field for readability Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Update execution_file_made_executable_via_chmod_inside_a_container.toml rule query change to remove exclusion and add more common chmod executable patterns, nit review comments, additional tactic, technique and subtechnique * Update execution_file_made_executable_via_chmod_inside_a_container.toml added Defense Evasion tag * Update execution_file_made_executable_via_chmod_inside_a_container.toml * Update execution_file_made_executable_via_chmod_inside_a_container.toml adjusted tags * Update execution_file_made_executable_via_chmod_inside_a_container.toml changed rule type to file instead of process to eliminate false positive results from adding the number modification parts of the query
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 ...ecutable_via_chmod_inside_a_container.toml | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml
diff --git a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml
new file mode 100644
index 000000000..ae9595e42
--- /dev/null
+++ b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml 
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2023/04/26"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/05/12"
+
+[rule]
+author = ["Elastic"]
+description = "This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container."
+from = "now-6m"
+index = ["logs-cloud_defend*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "File Made Executable via Chmod Inside A Container"
+risk_score = 47
+rule_id = "ec604672-bed9-43e1-8871-cf591c052550"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Defense Evasion", "Container"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = """
+file where container.id: "*" and event.type in ("change", "creation") and
+
+/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
+(process.name : "chmod" or process.args : "chmod") and
+process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x"
+"""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ id = "TA0002"
+ reference = "https://attack.mitre.org/tactics/TA0002/"
+ name = "Execution"
+
+ [[rule.threat.technique]]
+ id = "T1059"
+ reference = "https://attack.mitre.org/techniques/T1059/"
+ name = "Command and Scripting Interpreter"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ id = "TA0005"
+ reference = "https://attack.mitre.org/tactics/TA0005/"
+ name = "Defense Evasion"
+
+ [[rule.threat.technique]]
+ id = "T1222"
+ reference = "https://attack.mitre.org/techniques/T1222/"
+ name = "File and Directory Permissions Modification"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1222.002"
+ reference = "https://attack.mitre.org/techniques/T1222/002/"
+ name = "Linux and Mac File and Directory Permissions Modification"
+
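Review bot: The argument filter `process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x"` in the query is both too loose and too narrow: `"*x*"` matches any argument that contains the letter x, the target path included (a `chmod 644` on a file under a path such as `/etc/nginx/` alerts), while permission-removal forms like `u-x` or `a-x` are not excluded because only the exact string `-x` is. Leading-zero and four-digit octal modes such as `0755` or `4755` also fall outside the exact-string list, which is worth a comment in the query if it is intentional. A tighter first cut would be `process.args : ("*+x*", "*=*x*", "777", "755", "754", "700") and not process.args : "*-x*"`, with the symbolic patterns checked against cloud_defend data before shipping, since `*-x*` would also suppress a path that happens to contain `-x`. The rule file is complete within this hunk.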