From 60fda8d75610deadfe67ef9ac498a5fe51cd2de8 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Thu, 7 Mar 2024 16:28:06 +0100
Subject: [PATCH] [Tuning] Linux DR Tuning - Part 13 (#3465)
* [Tuning] Linux DR Tuning - Part 13
* updated date bump
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
* Update privilege_escalation_netcon_via_sudo_binary.toml
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
* Update rules/linux/privilege_escalation_shadow_file_read.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 ...lation_ld_preload_shared_object_modif.toml | 7 +++---
 ...lege_escalation_linux_uid_int_max_bug.toml | 15 ++++++++----
 ...n_load_and_unload_of_kernel_via_kexec.toml | 23 +++++++++++++------
 ...ege_escalation_netcon_via_sudo_binary.toml | 12 +++++-----
 ...privilege_escalation_shadow_file_read.toml | 20 +++++++++++-----
 5 files changed, 50 insertions(+), 27 deletions(-)
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index 3ef2f2dcc..a3ac9f18d 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -71,10 +71,9 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
-host.os.type:linux and event.category:file and event.action:(updated or renamed or rename) and
-not event.type:deletion and file.path:/etc/ld.so.preload
+host.os.type:linux and event.category:file and event.action:(updated or renamed or rename or file_rename_event) and
+not event.type:deletion and file.path:/etc/ld.so.preload and not process.name:(wine or oneagentinstallaction)
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
index c920a0932..3c872a384 100644
--- a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
+++ b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ allowed UID size (INT_MAX). Some older Linux versions were affected by a bug whi
 greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via UID INT_MAX Bug Detected"
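Review bot: The new `and not process.name:(wine or oneagentinstallaction)` exclusion on the query's last line keys on a bare process name, which anyone able to write `/etc/ld.so.preload` can pick freely by copying or renaming their binary to `wine`, so the tuning also opens an evasion path for the rule. Anchoring the exclusion on `process.executable` (the full installed path of wine and of the OneAgent installer) closes most of that gap; I have not seen the events that motivated the exclusion, so I will not guess the paths, but they should come from the false-positive data rather than the name alone. If the bare-name form is kept deliberately, a sentence in the rule's false-positives note explaining that trade-off would help the next person tuning it.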
@@ -51,11 +51,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
 process.name == "systemd-run" and process.args == "-t" and process.args_count >= 3 and user.id >= "1000000000"
 '''
diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
index 7938e16f3..fc24d787f 100644
--- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
+++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
@@ -3,8 +3,8 @@ creation_date = "2023/06/09"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
-integration = ["endpoint"]
+updated_date = "2024/02/21"
+integration = ["endpoint", "auditd_manager"]
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ escalate privileges, establish persistence or hide their activities by loading a
 tamper with the system's trusted state, allowing e.g. a VM Escape.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kernel Load or Unload via Kexec Detected"
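Review bot: The `user.id >= "1000000000"` predicate on the unchanged second query line is, as far as I can tell, a string range on an ECS keyword field, so EQL evaluates it lexicographically and an everyday uid such as `1001` also satisfies it (`"1001"` sorts after `"1000000000"` byte-wise); the commit widens the rule to Endgame events without addressing that, which leaves the `systemd-run -t` predicate as the only thing keeping the rule quiet. If that reading holds, the INT_MAX intent is better expressed numerically, e.g. `process.args_count >= 3 and number(user.id) >= 1000000000`, or at minimum documented in the rule's note as a string comparison so nobody lowers the threshold expecting numeric semantics. Please confirm against the `user.id` mapping of the Endgame and Defend indices before changing it.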
@@ -54,13 +54,22 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-process where host.os.type == "linux" and event.action == "exec" and process.name == "kexec" and
-process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u")
+process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
+event.type == "start" and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u")
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
index e24dfa065..a17a47896 100644
--- a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
+++ b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/15"
+updated_date = "2024/02/21"
 
 [rule]
 author = ["Elastic"]
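Review bot: The newly accepted `"executed"` and `"process_started"` actions, together with the `auditbeat-*` and `logs-auditd_manager.auditd-*` indices added in the previous hunk, only carry kexec executions when the audited host has an execve syscall rule loaded, and neither this hunk nor, as far as is visible here, the rule's setup text says so, so a deployment that enables the integration without such a rule silently gets no coverage. I would add to the setup guide, alongside the existing Elastic Defend paragraph, a sentence such as `For Auditbeat or Auditd Manager, an audit rule that records execve (for example -a always,exit -F arch=b64 -S execve -k exec) must be loaded on the host, otherwise kexec invocations are never reported.` The rewritten query also makes `event.type == "start"` mandatory for every source where the old one did not require it at all; it is worth confirming that the auditd-sourced events populate `event.type` that way before merging.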
@@ -14,7 +14,7 @@ reverse shell shellcode is injected into a process run with elevated permissions
 inject shellcode into processes running as root, to escalate privileges.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Network Connection via Sudo Binary"
@@ -52,13 +52,14 @@ tags = [
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and
-process.name == "sudo"
+network where host.os.type == "linux" and event.action in ("connection_attempted", "ipv4_connection_attempt_event") and
+event.type == "start" and process.name == "sudo"
 '''
 
 [[rule.threat]]
@@ -88,4 +89,3 @@ reference = "https://attack.mitre.org/techniques/T1548/003/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml
index e76b0d458..844ce64fd 100644
--- a/rules/linux/privilege_escalation_shadow_file_read.toml
+++ b/rules/linux/privilege_escalation_shadow_file_read.toml
@@ -2,9 +2,9 @@ creation_date = "2022/09/01"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4"
-min_stack_version = "8.4.0"
-updated_date = "2023/11/02"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2024/02/21"
 
 [rule]
 author = ["Elastic"]
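Review bot: The rewritten `network where` line adds only `ipv4_connection_attempt_event` for Endgame, so if Endgame reports IPv6 connections under a sibling `ipv6_connection_attempt_event` action (the IPv4-specific naming suggests one exists), an injected reverse shell that calls back over IPv6 is recorded by the sensor but never matches this rule, while the Elastic Defend `connection_attempted` branch is address-family agnostic. Unless the omission is deliberate I would widen it to `event.action in ("connection_attempted", "ipv4_connection_attempt_event", "ipv6_connection_attempt_event") and`. The match is still on `process.name == "sudo"`, which a copied or renamed binary can spoof; `process.executable` is the sturdier field where the source populates it, though that is a pre-existing choice rather than something this change introduced.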
@@ -48,7 +48,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
@@ -92,8 +100,8 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["process.command_line"]
+value = ["process.command_line", "host.id", "process.executable"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-10d"
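Review bot: Adding `host.id` to `new_terms_fields` turns the baseline from fleet-wide to per-host: a benign reader of `/etc/shadow` such as a backup or configuration-management agent now alerts once on every host where it first appears, and again whenever a host is re-imaged and receives a fresh `host.id`, because the 10-day history window is tracked per value tuple. That is a defensible sensitivity choice, but nothing in the hunk or the rule text explains it, and the `min_stack_version` bump to 8.6.0 earlier in this patch is the only hint that the rule's behaviour changed. I would add a short paragraph to the rule's note or false-positives section (outside this hunk) stating that new terms are keyed on command line, executable and host, and that fleet-wide benign readers should be exception-listed by `process.executable` rather than tuned host by host.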