From 6e77f5176d087661765bf57dea423ef47aa6e136 Mon Sep 17 00:00:00 2001
From: Andrew Stucki <andrew.stucki@elastic.co>
Date: Wed, 10 Feb 2021 14:24:55 -0500
Subject: [PATCH] [New Rule] auditd login anomalies (#33)

* Add auditd login anomaly rules

* Flip logic to start with less-specific filters

* remove event.category from queries and update metadata

* surround event.action with quotes to account for dash

* update tags

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 .../linux/initial_access_login_failures.toml  | 48 +++++++++++++++++++
 .../linux/initial_access_login_location.toml  | 48 +++++++++++++++++++
 .../linux/initial_access_login_sessions.toml  | 48 +++++++++++++++++++
 rules/linux/initial_access_login_time.toml    | 48 +++++++++++++++++++
 4 files changed, 192 insertions(+)
 create mode 100644 rules/linux/initial_access_login_failures.toml
 create mode 100644 rules/linux/initial_access_login_location.toml
 create mode 100644 rules/linux/initial_access_login_sessions.toml
 create mode 100644 rules/linux/initial_access_login_time.toml

diff --git a/rules/linux/initial_access_login_failures.toml b/rules/linux/initial_access_login_failures.toml
new file mode 100644
index 000000000..d2667e1f4
--- /dev/null
+++ b/rules/linux/initial_access_login_failures.toml
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2020/07/08"
+maturity = "production"
+updated_date = "2020/07/08"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies that the maximum number of failed login attempts has been reached for a user."
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Auditd Max Failed Login Attempts"
+references = ["https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574"]
+risk_score = 47
+rule_id = "fb9937ce-7e21-46bf-831d-1ad96eac674d"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"]
+type = "query"
+
+query = '''
+event.module:auditd and event.action:"failed-log-in-too-many-times-to"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/initial_access_login_location.toml b/rules/linux/initial_access_login_location.toml
new file mode 100644
index 000000000..618844cec
--- /dev/null
+++ b/rules/linux/initial_access_login_location.toml
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2020/07/08"
+maturity = "production"
+updated_date = "2020/07/08"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies that a login attempt has happened from a forbidden location."
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Auditd Login from Forbidden Location"
+references = ["https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412"]
+risk_score = 73
+rule_id = "cab4f01c-793f-4a54-a03e-e5d85b96d7af"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"]
+type = "query"
+
+query = '''
+event.module:auditd and event.action:"attempted-log-in-from-unusual-place-to"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/initial_access_login_sessions.toml b/rules/linux/initial_access_login_sessions.toml
new file mode 100644
index 000000000..c9df231e0
--- /dev/null
+++ b/rules/linux/initial_access_login_sessions.toml
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2020/07/08"
+maturity = "production"
+updated_date = "2020/07/08"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies that the maximum number login sessions has been reached for a user."
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Auditd Max Login Sessions"
+references = ["https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007"]
+risk_score = 47
+rule_id = "20dc4620-3b68-4269-8124-ca5091e00ea8"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"]
+type = "query"
+
+query = '''
+event.module:auditd and event.action:"opened-too-many-sessions-to"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/initial_access_login_time.toml b/rules/linux/initial_access_login_time.toml
new file mode 100644
index 000000000..9439ee50a
--- /dev/null
+++ b/rules/linux/initial_access_login_time.toml
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2020/07/08"
+maturity = "production"
+updated_date = "2020/07/08"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies that a login attempt occurred at a forbidden time."
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Auditd Login Attempt at Forbidden Time"
+references = ["https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666"]
+risk_score = 47
+rule_id = "90e28af7-1d96-4582-bf11-9a1eff21d0e5"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"]
+type = "query"
+
+query = '''
+event.module:auditd and event.action:"attempted-log-in-during-unusual-hour-to"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"