[Rule Tuning] Linux Rules (#3092)
* [Rule Tuning] [WIP] Linux DR
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Fixed tag
* Added additional tuning
* unit test fix
* Additional tuning
* tuning
* added max signals
* Added max_signals=1 to brute force rules
* Cross-Platform Tuning
* Small fix
* new_terms conversion
* typo
* new_terms conversion
* Ransomware rule tuning
* performance tuning
* new_terms conversion for auditd_manager
* tune
* Need coffee
* kql/eql stuff
* formatting improvement
* new_terms sudo hijacking conversion
* exclusion
* Deprecations that were added last tuning
* Deprecations that were added last tuning
* Increased max timespan for brute force rules
* version bump
* added domain tag
* Two tunings
* More tuning
* Additional tuning
* updated_date bump
* query optimization
* Tuning
* Readded the exclusions for this one
* Changed int comparison
* Some tunings
* Update persistence_systemd_scheduled_timer_created.toml
* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"
This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.
* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml
* Update rules/linux/command_and_control_cat_network_activity.toml
* Update persistence_message_of_the_day_execution.toml
* Changed max_signals
* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"
This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.
* Revertable merge
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* File name change
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
(cherry picked from commit 020fff3aea)
This commit is contained in:
Ruben Groenewoud
committed by
github-actions[bot]
github-actions[bot]
parent
8e5464be56
commit
6c36d2afa3
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/10/23"
|
||||
integration = ["endpoint"]
|
||||
|
||||
[rule]
|
||||
@@ -15,7 +15,7 @@ from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Kernel module load via insmod"
|
||||
name = "Kernel Module Load via insmod"
|
||||
references = [
|
||||
"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"
|
||||
]
|
||||
@@ -49,12 +49,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Persistence",
|
||||
"Threat: Rootkit",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko"
|
||||
and not process.parent.name in ("cisco-amp-helper", "ksplice-apply")
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
Reference in New Issue
Block a user