security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Tuning] Linux DR Tuning - Part 13 (#3465)

Browse Source 
* [Tuning] Linux DR Tuning - Part 13

* updated date bump

* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml

* Update privilege_escalation_netcon_via_sudo_binary.toml

* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml

* Update rules/linux/privilege_escalation_shadow_file_read.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2024-03-07 16:28:06 +01:00
committed by GitHub
parent 7a0967924c
commit 60fda8d756
5 changed files with 50 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+3 -4
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/11/02"
updated_date = "2024/02/21"
[rule]
author = ["Elastic"]
@@ -71,10 +71,9 @@ tags = [
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:linux and event.category:file and event.action:(updated or renamed or rename) and
not event.type:deletion and file.path:/etc/ld.so.preload
host.os.type:linux and event.category:file and event.action:(updated or renamed or rename or file_rename_event) and
not event.type:deletion and file.path:/etc/ld.so.preload and not process.name:(wine or oneagentinstallaction)
'''
[[rule.threat]]
rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
+11 -4
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2024/02/21"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ allowed UID size (INT_MAX). Some older Linux versions were affected by a bug whi
greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via UID INT_MAX Bug Detected"
@@ -51,11 +51,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
process.name == "systemd-run" and process.args == "-t" and process.args_count >= 3 and user.id >= "1000000000"
'''
rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
+16 -7
View File
@@ -3,8 +3,8 @@ creation_date = "2023/06/09"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
integration = ["endpoint"]
updated_date = "2024/02/21"
integration = ["endpoint", "auditd_manager"]
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ escalate privileges, establish persistence or hide their activities by loading a
tamper with the system's trusted state, allowing e.g. a VM Escape.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Kernel Load or Unload via Kexec Detected"
@@ -54,13 +54,22 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Privilege Escalation",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and process.name == "kexec" and
process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u")
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
event.type == "start" and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u")
'''
[[rule.threat]]
rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
+6 -6
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/15"
updated_date = "2024/02/21"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ reverse shell shellcode is injected into a process run with elevated permissions
inject shellcode into processes running as root, to escalate privileges.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Network Connection via Sudo Binary"
@@ -52,13 +52,14 @@ tags = [
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Data Source: Elastic Defend"
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and
process.name == "sudo"
network where host.os.type == "linux" and event.action in ("connection_attempted", "ipv4_connection_attempt_event") and
event.type == "start" and process.name == "sudo"
'''
[[rule.threat]]
@@ -88,4 +89,3 @@ reference = "https://attack.mitre.org/techniques/T1548/003/"
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
rules/linux/privilege_escalation_shadow_file_read.toml
+14 -6
View File
@@ -2,9 +2,9 @@
creation_date = "2022/09/01"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4"
min_stack_version = "8.4.0"
updated_date = "2023/11/02"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2024/02/21"
[rule]
author = ["Elastic"]
@@ -48,7 +48,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Tactic: Credential Access",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -92,8 +100,8 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.command_line"]
value = ["process.command_line", "host.id", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
value = "now-10d"