diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml index 96bdfd943..6020128b9 100644 --- a/rules/linux/persistence_kworker_file_creation.toml +++ b/rules/linux/persistence_kworker_file_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [transform] [[transform.osquery]] @@ -174,7 +174,8 @@ file where host.os.type == "linux" and event.action in ("creation", "file_create (file.path : ( "/var/log/*", "/var/crash/*", "/var/run/*", "/var/lib/systemd/coredump/*", "/var/spool/*", "/var/lib/nfs/nfsdcltrack/main.sqlite-journal", "/proc/*/cwd/core.*", "/var/run/apport.lock", - "/var/spool/abrt/ccpp-*" + "/var/spool/abrt/ccpp-*", "/var/lib/dynatrace/oneagent/*", "/var/lib/nfs*", "/run/user/*/.bubblewrap/*", + "/etc/localtime/*", "/proc/*/cwd/core.*" ) ) ) diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index a2d5969ed..de9e8eb32 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2025/01/24" [transform] [[transform.osquery]] @@ -166,6 +166,7 @@ file.path : "/etc/update-motd.d/*" and not ( "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*" ) or process.executable == null or + process.name in ("executor", "dockerd", "crio") or (process.name == "sed" and file.name : "sed*") or (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) 
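Review bot: The added exclusion line in the kworker hunk repeats `"/proc/*/cwd/core.*"`, which already appears two lines earlier in the same `file.path` list, and the new `"/var/lib/nfs*"` pattern both subsumes the existing `"/var/lib/nfs/nfsdcltrack/main.sqlite-journal"` entry and matches any sibling path that merely starts with `/var/lib/nfs`. Dropping the duplicate and narrowing the pattern to `"/var/lib/nfs/*"` keeps the exclusion to what was presumably intended. `"/etc/localtime/*"` also looks odd, since `/etc/localtime` is normally a file or symlink rather than a directory; worth confirming against the events that motivated it. The enclosing `not (...)` block starts before this hunk.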
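Review bot: Excluding `"executor"` by bare `process.name` in the update-motd.d hunk suppresses any process that happens to carry that name, not just the kaniko build executor this presumably targets; the other rules touched in this commit (shared_object_creation, systemd_scheduled_timer_created) pin it by full path as `/kaniko/executor`. `process.executable == "/kaniko/executor" or` in place of the name entry would keep the same precision here and in the shell_configuration_modification hunk, which adds the same bare `"executor"`. `dockerd` and `crio` by name are similarly spoofable but match the existing practice in these rules. The enclosing `not (...)` block starts before this hunk.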
diff --git a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
index dfe70909f..02f1b624b 100644
--- a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
+++ b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/22"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,10 @@ process.args : (
 ) and (
 (process.name == "chmod" and process.args : ("+x*", "1*", "3*", "5*", "7*")) or
 (process.name == "install" and process.args : "-m*" and process.args : ("7*", "5*", "3*", "1*"))
-) and not process.parent.executable : "/var/lib/dpkg/*"
+) and not (
+ process.parent.executable : "/var/lib/dpkg/*" or
+ process.command_line in ("chmod 777 /etc/update-motd.d/", "chmod 755 /etc/update-motd.d/")
+)
 '''
 
 note = """## Triage and analysis
diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml
index b1e95625e..eb943a6b2 100644
--- a/rules/linux/persistence_rc_script_creation.toml
+++ b/rules/linux/persistence_rc_script_creation.toml
@@ -2,7 +2,7 @@ creation_date = "2023/02/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2025/01/24"
 
 [transform]
 [[transform.osquery]]
@@ -162,6 +162,7 @@ file.path in ("/etc/rc.local", "/etc/rc.common") and not (
 "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*"
 ) or
 process.executable == null or
+ process.name in ("ssm-agent-worker", "convert2rhel", "platform-python*") or
 (process.name == "sed" and file.name : "sed*") or
 (process.name == "perl" and file.name : "e2scrub_all.tmp*")
 )
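Review bot: The new `process.command_line in (...)` exclusion suppresses `chmod 777 /etc/update-motd.d/`, which makes the MOTD script directory world-writable and is itself a condition worth surfacing even when a known provisioning step produces it; keeping only the `chmod 755` variant, or pairing the exclusion with a `process.parent.executable` pin for the installer that runs it, would preserve that signal. Because the match is on the exact command line, variants such as a missing trailing slash or an added `-R` still fire, which is fine but worth stating in the rule note so the next editor does not "fix" it into a wildcard. The enclosing query starts before this hunk.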
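Review bot: `"platform-python*"` inside the new `process.name in (...)` entry of the rc_script hunk is compared literally, since EQL's `in` does not expand wildcards, so that entry never matches and platform-python writes to `/etc/rc.local` will keep firing. The other rules touched in this commit use `process.name like (...)` for wildcard names (see the systemd_scheduled_timer_created hunk); the line should read `process.name like ("ssm-agent-worker", "convert2rhel", "platform-python*") or`. The enclosing `not (...)` block starts before this hunk.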
diff --git a/rules/linux/persistence_shadow_file_modification.toml b/rules/linux/persistence_shadow_file_modification.toml
index 035dc8117..b58e64049 100644
--- a/rules/linux/persistence_shadow_file_modification.toml
+++ b/rules/linux/persistence_shadow_file_modification.toml
@@ -2,7 +2,7 @@ creation_date = "2024/07/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Shadow File Modification"
+name = "Shadow File Modification by Unusual Process"
 references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
 risk_score = 21
 rule_id = "cdf1a39b-1ca5-4e2a-9739-17fc4d026029"
@@ -59,14 +59,17 @@ timestamp_override = "event.ingested" type = "eql" query = ''' file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and -file.path == "/etc/shadow" and file.Ext.original.path != null +file.path == "/etc/shadow" and file.Ext.original.path != null and +not process.name in ( + "usermod", "useradd", "passwd", "chage", "systemd-sysusers", "chpasswd", "userdel", "adduser", "update-passwd", "perl" +) ''' note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Shadow File Modification +### Investigating Shadow File Modification by Unusual Process The Linux shadow file is crucial for storing hashed user passwords, ensuring system security. Adversaries may exploit this by altering the file to add users or change passwords, thus gaining unauthorized access or maintaining persistence. The detection rule identifies suspicious modifications by monitoring changes and renames of the shadow file, flagging potential unauthorized access attempts for further investigation. diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml index 26a840bbd..14371b6d0 100644 --- a/rules/linux/persistence_shared_object_creation.toml +++ b/rules/linux/persistence_shared_object_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [transform] [[transform.osquery]] 
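Review bot: The new `not process.name in (...)` exclusion trusts the process name alone, so a binary renamed to `passwd` or `usermod` that replaces `/etc/shadow` is excluded, and `"perl"` excludes every Perl script outright. The sibling rules in this commit pin trusted tools by `process.executable` path; a form like `not process.executable in ("/usr/sbin/usermod", "/usr/sbin/useradd", "/usr/bin/passwd", ...)` (paths to be confirmed per distribution) would narrow the bypass, with the perl case tied to the specific script that needs it. The renamed 'Investigating' section still says the rule flags 'changes and renames of the shadow file' without mentioning that standard account-management tools are now excluded; since the rule's value is now the 'unusual process' distinction, that paragraph should state which tools are filtered and why a match means an unexpected writer.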
@@ -168,7 +168,7 @@ file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* an "dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "vmis-launcher" or "pacman" or "apt-get" or "dnf" or "podman" or platform-python* or "dnf-automatic" or "unattended-upgrade" or "apk" or "snap-update-ns" or "install" or "exe" or "systemd" or "root" or "sshd" or "pip" or "jlink" or python* or "update-alternatives" or pip* or - "installer.bin.inst" or "uninstall-bin" or "linux_agent.inst" + "installer.bin.inst" or "uninstall-bin" or "linux_agent.inst" or crio or ssm-agent-worker or packagekitd ) or (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*) or process.executable : (/dev/fd/* or "/" or "/kaniko/executor" or "/usr/bin/buildah") diff --git a/rules/linux/persistence_shell_configuration_modification.toml b/rules/linux/persistence_shell_configuration_modification.toml index ada194ba2..57ea2a003 100644 --- a/rules/linux/persistence_shell_configuration_modification.toml +++ b/rules/linux/persistence_shell_configuration_modification.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -94,7 +94,7 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an "/usr/libexec/platform-python*" ) or process.executable == null or - process.name in ("adclient", "mkhomedir_helper", "teleport", "mkhomedir", "adduser", "desktopDaemon") or + process.name in ("adclient", "mkhomedir_helper", "teleport", "mkhomedir", "adduser", "desktopDaemon", "executor", "crio") or (process.name == "sed" and file.name : "sed*") or (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) diff --git a/rules/linux/persistence_simple_web_server_creation.toml b/rules/linux/persistence_simple_web_server_creation.toml index 9106ffae4..8628309fc 100644 --- a/rules/linux/persistence_simple_web_server_creation.toml 
+++ b/rules/linux/persistence_simple_web_server_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -67,7 +67,8 @@ process where host.os.type == "linux" and event.type == "start" and ( (process.name regex~ """php?[0-9]?\.?[0-9]{0,2}""" and process.args == "-S") or (process.name like "python*" and process.args in ("--cgi", "CGIHTTPServer")) - ) + ) and +not process.parent.name in ("check_kmp_wrapper", "naemon") ''' note = """## Triage and analysis diff --git a/rules/linux/persistence_systemd_generator_creation.toml b/rules/linux/persistence_systemd_generator_creation.toml index 299563112..aaa834906 100644 --- a/rules/linux/persistence_systemd_generator_creation.toml +++ b/rules/linux/persistence_systemd_generator_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/19" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -79,6 +79,7 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/libexec/platform-python" ) or + process.name like~ ("ssm-agent-worker", "crio", "docker-init", "systemd", "pacman", "python*", "platform-python*") or file.extension in ("swp", "swpx", "swx", "dpkg-remove") or file.Ext.original.extension == "dpkg-new" or process.executable == null diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml index f215537ac..62431dee8 100644 --- a/rules/linux/persistence_systemd_scheduled_timer_created.toml 
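Review bot: The new `process.name like~ (...)` line in the systemd_generator hunk excludes `"systemd"`, `"python*"` and `"platform-python*"` by name, so any Python script, or any binary calling itself systemd, writing into a generator directory is now silent, which is a wide gap for a location that serves as a persistence mechanism. The hunk's own context already pins the interpreter by path (`"/usr/libexec/platform-python"`), so the Python cases would be better handled the same way under `process.executable`, or by tying the name to the parent that legitimately spawns it (`ssm-agent-worker`, `cloud-init`), to be confirmed against the events that motivated the change. `like~` also makes the whole list case-insensitive, which the neighbouring rules do not do for these names. The enclosing `not (...)` block starts before this hunk.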
+++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/10/17" +updated_date = "2025/01/24" [transform] [[transform.osquery]] @@ -172,11 +172,11 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/bin/crio", "/usr/sbin/crond", "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/kaniko/kaniko-executor", - "/usr/local/bin/dockerd", "/usr/bin/podman", "/bin/install", "/proc/self/exe" + "/usr/local/bin/dockerd", "/usr/bin/podman", "/bin/install", "/proc/self/exe", "/kaniko/executor" ) or process.name like ( "python*", "crio", "apt-get", "install", "snapd", "cloudflared", "sshd", "convert-usrmerge", "docker-init", - "google_metadata_script_runner" + "google_metadata_script_runner", "ssm-agent-worker", "pacman", "convert2rhel", "platform-python" ) or file.extension in ("swp", "swpx", "swx", "dpkg-remove") or file.Ext.original.extension == "dpkg-new" or diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml index 84b753d78..74853b66a 100644 --- a/rules/linux/persistence_systemd_service_creation.toml +++ b/rules/linux/persistence_systemd_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [transform] [[transform.osquery]] 
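Review bot: `"platform-python"` added to `process.name like (...)` in the timer hunk is a literal name with no wildcard, while the systemd_service_creation hunk in this commit adds `"platform-python*"`; if the reported process name carries a version suffix on the hosts that motivated the change, the entry as written will miss it, and `"platform-python*"` would at least be consistent with the other rule. The rewritten executable line also still repeats `"/usr/local/bin/dockerd"` and `"/proc/self/exe"`, which appear two lines above; dropping the duplicates while the line is being edited keeps the list readable. The enclosing `not (...)` block starts before this hunk and continues after it.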
@@ -197,8 +197,8 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", - "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", - "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", + "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", + "/usr/local/sbin/apk", "/usr/bin/apt", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/bin/crio", "/usr/sbin/crond", @@ -216,7 +216,8 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an process.name like ( "ssm-agent-worker", "python*", "platform-python*", "dnf_install", "cloudflared", "lxc-pve-prestart-hook", "convert-usrmerge", "elastic-agent", "google_metadata_script_runner", "update-alternatives", "gitlab-runner", - "install", "crio", "apt-get", "package-cleanup", "dcservice", "dcregister", "jumpcloud-agent", "executor" + "install", "crio", "apt-get", "package-cleanup", "dcservice", "dcregister", "jumpcloud-agent", "executor", + "pacman", "convert2rhel", "packagekitd" ) or (process.name == "sed" and file.name : "sed*") or (process.name == "perl" and file.name : "e2scrub_all.tmp*") diff --git a/rules/linux/persistence_udev_rule_creation.toml b/rules/linux/persistence_udev_rule_creation.toml index c055885cd..9df21b1ad 100644 
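Review bot: The first hunk drops `"/bin/pacman"`, `"/usr/bin/pacman"` and `"/usr/sbin/pacman"` from the `process.executable` exclusion and the second hunk on this line (`@@ -216,7 +216,8 @@`) re-adds `"pacman"` under `process.name like (...)`, trading a path-pinned exclusion for a name-only one, so a binary named pacman anywhere on disk now bypasses the rule. Keeping the path entries and not adding the name, or adding the name only if a specific non-standard pacman location was observed, preserves the original precision. The rewritten line also still carries `"/bin/podman", "/usr/bin/podman"`, which already appear on the preceding context line. Both hunks sit inside a `not (...)` block that starts before them.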
--- a/rules/linux/persistence_udev_rule_creation.toml +++ b/rules/linux/persistence_udev_rule_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -79,7 +79,9 @@ file.path : ( process.executable : ( "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/*", "/usr/libexec/*" ) or - process.name in ("systemd", "netplan", "apt-get", "vmware-config-tools.pl", "systemd-hwdb") or + process.name in ( + "systemd", "netplan", "apt-get", "vmware-config-tools.pl", "systemd-hwdb", "ssm-agent-worker", "crio", "cloud-init", "convert2rhel" + ) or (process.name == "sed" and file.name : "sed*") or (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) diff --git a/rules/linux/persistence_unusual_sshd_child_process.toml b/rules/linux/persistence_unusual_sshd_child_process.toml index 6e6dafb4d..cb4a17f7b 100644 --- a/rules/linux/persistence_unusual_sshd_child_process.toml +++ b/rules/linux/persistence_unusual_sshd_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -33,7 +33,10 @@ type = "new_terms" query = ''' event.category:process and host.os.type:linux and event.type:start and event.action:exec and process.parent.name:(ssh or sshd) and process.args_count:2 and -not process.command_line:(-bash or -zsh or -sh) +not ( + process.command_line:(-bash or -zsh or -sh) or + process.name:(ractrans or exectask or tty or tput or ferny-askpass or id or ip) +) ''' note = """## Triage and analysis diff --git a/rules/linux/persistence_user_or_group_creation_or_modification.toml b/rules/linux/persistence_user_or_group_creation_or_modification.toml index b34dfd365..04b9c7910 100644 --- a/rules/linux/persistence_user_or_group_creation_or_modification.toml 
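Review bot: The new `process.name:(... or id or ip)` exclusion in the unusual_sshd_child_process hunk removes `id` and `ip` from a new_terms rule on direct sshd children with two arguments, and those two commands run straight over SSH are a common first-look discovery pattern, so the suppression trades away that signal for the sake of noisy automation. If the noise comes from a specific automation account or parent, scoping the exclusion to it (for example by `user.name` or `process.parent.args`) would be narrower than the bare names; at minimum the rule note should record which automation produced `id`/`ip` so the exclusion can be revisited. The enclosing query starts before this hunk.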
+++ b/rules/linux/persistence_user_or_group_creation_or_modification.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/20" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -71,7 +71,7 @@ type = "eql" query = ''' iam where host.os.type == "linux" and event.type in ("creation", "change") and auditd.result == "success" and -event.action in ("changed-password", "added-user-account", "added-group-account-to") +event.action in ("changed-password", "added-user-account", "added-group-account-to") and process.name != null ''' note = """## Triage and analysis diff --git a/rules/linux/persistence_xdg_autostart_netcon.toml b/rules/linux/persistence_xdg_autostart_netcon.toml index a68745b39..6abecb878 100644 --- a/rules/linux/persistence_xdg_autostart_netcon.toml +++ b/rules/linux/persistence_xdg_autostart_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -92,8 +92,9 @@ sequence by host.id, process.entity_id with maxspan=1s "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8", "172.31.0.0/16" ) or - process.executable in ( - "/usr/lib64/firefox/firefox", "/usr/lib/firefox/firefox", "/opt/forticlient/fortitraylauncher" + process.name in ( + "telegram-desktop", "firefox", "gnome-calculator", "remmina", "spotify", "librewolf", "fortitraylauncher", + "flameshot", "thunderbird", "update-manager", "warp-terminal", "obs", "transmission-gtk" ) ) ] diff --git a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml index 44b91716c..98524889c 100644 --- a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml +++ b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml 
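Review bot: Replacing `process.executable in (...)` with `process.name in (...)` in the xdg_autostart hunk widens the exclusion from three fixed paths to thirteen bare names, so a binary named `firefox` or `spotify` dropped anywhere and launched from an autostart entry no longer triggers the network-connection match. Since the old form pinned the real install locations, keeping `process.executable` with the additional paths, or combining the names with a path-prefix check such as `process.executable : ("/usr/bin/*", "/usr/lib*/*", "/opt/*", "/snap/*")` (prefixes to be confirmed against the observed events), would preserve the precision. The enclosing sequence starts before this hunk.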
@@ -2,7 +2,7 @@ creation_date = "2024/06/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -73,7 +73,7 @@ file.path : ("/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*") and not ( "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/libexec/netplan/generate" ) or - process.name == "yumBackend.py" or + process.name in ("yumBackend.py", "crio") or file.extension in ("swp", "swpx", "swx") or file.Ext.original.name like ".ansible*" or file.name like ".ansible_tmp*" or