From 6d7c6042570fe35deb3b60c98d2cda64dc40926d Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Thu, 7 Mar 2024 11:33:28 +0100
Subject: [PATCH] [Tuning] Linux DR Tuning - Part 9 (#3461)

* [Tuning] Linux DR Tuning - Part 9

* Update persistence_credential_access_modify_ssh_binaries.toml

* Update lateral_movement_ssh_it_worm_download.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit fd845732123b8a6e7653c60df6d3562c147d2bf4)
---
 ...lateral_movement_ssh_it_worm_download.toml | 19 +++++------
 ...ment_telnet_network_activity_external.toml | 32 +++++++++++--------
 ...ment_telnet_network_activity_internal.toml | 32 +++++++++++--------
 ...credential_access_modify_ssh_binaries.toml | 8 ++---
 .../linux/persistence_cron_job_creation.toml | 8 ++---
 5 files changed, 53 insertions(+), 46 deletions(-)

diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml
index e29caebd5..d2a2d3627 100644
--- a/rules/linux/lateral_movement_ssh_it_worm_download.toml
+++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/09/21"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies processes that are capable of downloading files with command line arg
 autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential SSH-IT SSH Worm Downloaded"
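Review bot: `auditbeat-*` is added to `index` here while the two telnet rules and the OpenSSH-binaries rule in this same patch remove it, and neither the commit message nor the rule records why the sources diverge. If the distinction is that this query was widened to auditd `event.action` values (`exec_event`, `executed`, `process_started` in the later hunk) while the others were not, a sentence in the PR description would make the tuning rationale reproducible. The `tags` list as changed in the next hunk names Elastic Defend, Elastic Endgame and Auditd Manager but not Auditbeat, so a reader of the rule alone cannot tell whether the `auditbeat-*` pattern is intentional.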
@@ -48,18 +48,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint",
+tags = [
+ "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Lateral Movement",
 "Data Source: Elastic Defend",
- "Data Source: Elastic Endgame"]
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
-process.name in ("curl", "wget") and process.args : (
+process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
+event.type == "start" and process.name in ("curl", "wget") and process.args : (
 "https://thc.org/ssh-it/x", "http://nossl.segfault.net/ssh-it-deploy.sh", "https://gsocket.io/x", "https://thc.org/ssh-it/bs", "http://nossl.segfault.net/bs" )
@@ -92,4 +94,3 @@ reference = "https://attack.mitre.org/techniques/T1563/001/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index 01daa4c3c..b4e30fcb1 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Connection to External Network via Telnet"
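Review bot: `auditbeat-*` is dropped from `index` in lateral_movement_telnet_network_activity_external.toml, but the context line of the following hunk (`Auditbeat is a lightweight shipper that you can install on your servers to audit`) shows the rule's setup text still instructs deploying Auditbeat, a source this rule no longer queries. Either keep the index pattern or trim that paragraph so the deployment guidance matches the data actually read. The same mismatch appears in lateral_movement_telnet_network_activity_internal.toml, whose `index` hunk and setup context are identical.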
@@ -67,32 +67,36 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend"
+ ]
 type = "eql"
-
 query = '''
 sequence by process.entity_id
 [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
- [network where host.os.type == "linux" and process.name == "telnet" and
- not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
- "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
- "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
- "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
- "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
- "FE80::/10", "FF00::/8")]
+ [network where host.os.type == "linux" and process.name == "telnet" and not cidrmatch(
+ destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
+ "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+ "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+ "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+ "FF00::/8"
+ )
+ ]
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
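Review bot: The rewritten `cidrmatch` list treats only `::1`, `FE80::/10` and `FF00::/8` as non-external IPv6 space, so IPv6 unique-local traffic (`fc00::/7`, RFC 4193) inside the network is reported by this rule as an external connection and, conversely, is not matched by the mirrored internal rule. Adding `"fc00::/7"` to the list in both rules would bring the IPv6 handling in line with the RFC 1918 ranges already excluded for IPv4. Separately, `sequence by process.entity_id` carries no `with maxspan`, so a telnet process start can be paired with a network event arbitrarily later in that process's lifetime; a bound such as `with maxspan=1m` is worth considering if that is not intended. The same query change is made in lateral_movement_telnet_network_activity_internal.toml.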
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index 3cb0849c3..2ddb28ceb 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Connection to Internal Network via Telnet"
@@ -67,32 +67,36 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend"
+ ]
 type = "eql"
-
 query = '''
 sequence by process.entity_id
 [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"]
- [network where host.os.type == "linux" and process.name == "telnet" and
- cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
- "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
- "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
- "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
- "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
- "FE80::/10", "FF00::/8")]
+ [network where host.os.type == "linux" and process.name == "telnet" and cidrmatch(
+ destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
+ "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+ "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+ "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+ "FF00::/8"
+ )
+ ]
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index f76873c6f..d04d4b2fa 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/12/19"
+updated_date = "2024/02/21"
 
 [transform]
 [[transform.osquery]]
@@ -41,7 +41,7 @@ false_positives = [
 "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes.",
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Modification of OpenSSH Binaries"
@@ -159,10 +159,9 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "query"
-
 query = '''
 event.category:file and host.os.type:linux and event.type:change and
- process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron)) and
+ process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and
 (file.path:(/usr/bin/scp or /usr/bin/sftp or /usr/bin/ssh or
@@ -224,4 +223,3 @@ reference = "https://attack.mitre.org/techniques/T1563/001/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml
index b85596ce4..5c6bf2ad4 100644
--- a/rules/linux/persistence_cron_job_creation.toml
+++ b/rules/linux/persistence_cron_job_creation.toml
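Review bot: In persistence_credential_access_modify_ssh_binaries.toml, the `process.name` exclusion list now includes `platform-python`, which is a general-purpose interpreter rather than a package manager like the other entries, so any change to the OpenSSH binaries made by a script running under that interpreter is no longer reported. If the false positive is the RHEL package tooling that runs under it, a narrower exclusion keyed on the parent or executable path (`process.parent.name` or `process.executable`) would preserve the rule's coverage while still suppressing the noise. The `false_positives` entry visible in the earlier hunk could also be extended to name the tooling this exclusion is meant for, so the next maintainer can judge whether it is still needed.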
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 min_stack_version = "8.6.0"
-updated_date = "2023/12/13"
+updated_date = "2024/02/21"
 
 [transform]
 [[transform.osquery]]
@@ -203,17 +203,17 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or /etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) and not (
 (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "podman" or
- "dnf-automatic")) or
+ "dnf-automatic" or puppet or autossl_check )) or
 (file.extension : ("swp" or "swpx")) or
 (process.name : "sed" and file.name : sed*) or
-(process.name : "perl" and file.name : e2scrub_all.tmp*)
+(process.name : "perl" and file.name : e2scrub_all.tmp*) or
+(process.executable : /var/lib/dpkg*)
 )
 '''