[Rule Tuning] Linux DR Tuning - Part 3 (#3322)

* [Rule Tuning] Linux DR Tuning - Part 3

* small fix

* typo

* coffee

* Update persistence_cron_job_creation.toml

* Update persistence_shared_object_creation.toml

rules/linux/persistence_chkconfig_service_add.toml

@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/22"
+updated_date = "2023/12/13"
 integration = ["endpoint"]
 
 [transform]
@@ -191,7 +191,9 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event")
 ( 
   (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or
   (process.args : "*chkconfig" and process.args : "--add")
-)
+) and 
+not process.parent.name in ("rpm", "qualys-scan-util", "qualys-cloud-agent", "update-alternatives") and
+not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*")
 '''
 
 [[rule.threat]]

rules/linux/persistence_cron_job_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 min_stack_version = "8.6.0"
-updated_date = "2023/11/22"
+updated_date = "2023/12/13"
 
 [transform]
 [[transform.osquery]]
@@ -208,8 +208,13 @@ query = '''
 host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and 
 file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or 
 /etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) 
-and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "5") or 
-file.extension : ("swp" or "swpx"))
+and not (
+  (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "podman" or 
+  "dnf-automatic")) or 
+  (file.extension : ("swp" or "swpx")) or 
+  (process.name : "sed" and file.name : sed*) or 
+  (process.name : "perl" and file.name : e2scrub_all.tmp*)
+)
 '''
 
 [[rule.threat]]

rules/linux/persistence_etc_file_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/22"
+updated_date = "2023/12/13"
 
 [transform]
 [[transform.osquery]]
@@ -204,9 +204,16 @@ type = "eql"
 query = '''
 file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and
 file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*",
-"/usr/lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd",
-"*/snapd", "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd",
-"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension in ("swp", "swpx", "tmp")
+"/usr/lib/systemd/system/*") and not (
+  (process.executable : (
+    "*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd", "*/snapd",
+    "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system",
+    "*/bin/dockerd", "*/sbin/dockerd", "/kaniko/executor", "/usr/sbin/rhn_check"
+    )
+  ) or 
+  (file.extension in ("swp", "swpx", "tmp")) or
+  (process.name : ("chef-client", "ruby", "pacman", "packagekitd", "python*", "platform-python"))
+)
 '''
 
 [[rule.threat]]

rules/linux/persistence_init_d_file_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/11/02"
+updated_date = "2023/12/13"
 
 [transform]
 [[transform.osquery]]
@@ -154,13 +154,27 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "Use Case: Threat Detection",
+        "Tactic: Persistence",
+        "Data Source: Elastic Endgame",
+        "Resources: Investigation Guide",
+        "Data Source: Elastic Defend"
+        ]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and 
-file.path : /etc/init.d/* and not process.name : ("dpkg" or "dockerd" or "rpm" or "dnf" or "chef-client" or "apk" or "yum" or 
-"rpm" or "vmis-launcher" or "exe") and not file.extension : ("swp" or "swx")
+file.path : /etc/init.d/* and not (
+  (process.name : ("dpkg" or "dockerd" or "rpm" or "dnf" or "chef-client" or "apk" or "yum" or "rpm" or
+  "vmis-launcher" or "exe" or "platform-python" or "executor" or "podman")) or
+  (file.extension : ("swp" or "swpx")) or
+  (process.name:mv and file.name:*.dpkg-remove) or
+  (process.name:sed and file.name:sed*) or
+  (process.name:systemd and file.name:*.dpkg-new)
+)
 '''
 
 [[rule.threat]]

rules/linux/persistence_kde_autostart_modification.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2023/12/13"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,14 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i
 
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "Use Case: Threat Detection",
+        "Tactic: Persistence",
+        "Data Source: Elastic Endgame",
+        "Data Source: Elastic Defend"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -85,7 +92,7 @@ file where host.os.type == "linux" and event.type != "deletion" and
       "/etc/xdg/autostart/*", "/usr/share/autostart/*"
     ) and
     not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd", 
-    "rpm")
+    "rpm", "pacman", "podman", "nautilus", "remmina", "cinnamon-settings.py")
 '''
 
 

rules/linux/persistence_message_of_the_day_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/11/02"
+updated_date = "2023/12/13"
 
 [transform]
 [[transform.osquery]]
@@ -161,7 +161,7 @@ type = "new_terms"
 query = '''
 host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and 
 file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (
-  dpkg or dockerd or rpm or executor or dnf
+  dpkg or dockerd or rpm or executor or dnf or podman or ln
 ) and not file.extension : ("swp" or "swpx")
 '''
 

rules/linux/persistence_shared_object_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 min_stack_version = "8.6.0"
-updated_date = "2023/11/02"
+updated_date = "2023/12/13"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ query = '''
 host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and 
 file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and 
 process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher"
-  or "pacman" or "apt-get" or "dnf"))
+  or "pacman" or "apt-get" or "dnf" or "podman" or "platform-python"))
 '''
 
 [[rule.threat]]

rules/linux/persistence_systemd_scheduled_timer_created.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/11/02"
+updated_date = "2023/12/13"
 
 [transform]
 [[transform.osquery]]
@@ -176,8 +176,12 @@ type = "new_terms"
 query = '''
 host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and
 file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or 
-/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : (
-  "docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor" or "cloudflared"
+/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not (
+  (process.name : (
+    "docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor" or "cloudflared" or "pacman" or "podman" or 
+    "pamac-daemon"
+  ))
+  or (file.name:apt-*.timer)
 )
 '''
 

rules/linux/persistence_systemd_service_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 min_stack_version = "8.6.0"
-updated_date = "2023/11/22"
+updated_date = "2023/12/13"
 
 [transform]
 [[transform.osquery]]
@@ -213,7 +213,8 @@ host.os.type:linux and event.category:file and event.action:("creation" or "file
 not (
   process.name:(
     "dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or "puppetd" or
-    "elastic-agent" or "cinc-client" or "chef-client" or "pacman" or "puppet" or "cloudflared"
+    "elastic-agent" or "cinc-client" or "chef-client" or "pacman" or "puppet" or "cloudflared" or "packagekitd" or
+    "podman"
   ) or 
   file.extension:("swp" or "swpx")
 )