[New Rules] cap_setuid/cap_setgid privesc (#3075)

* [New Rules] cap_setuid/cap_setgid privesc

* Update persistence_setuid_setgid_capability_set.toml

* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml

* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml

* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

rules/linux/persistence_setuid_setgid_capability_set.toml

@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2023/09/05"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID)
+and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the
+file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries,
+allowing them to maintain control over a compromised system with elevated permissions.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Setcap setuid/setgid Capability Set"
+risk_score = 47
+rule_id = "f5c005d3-4e17-48b0-9cd7-444d48857f97"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+process.name == "setcap" and process.args : "cap_set?id+ep"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+

rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml

@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2023/09/05"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, 
+followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation.
+Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated 
+privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the 
+privileges that are set on the binary that is being executed. 
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Privilege Escalation via Python cap_setuid"
+risk_score = 47
+rule_id = "a0ddb77b-0318-41f0-91e4-8c1b5528834f"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
+type = "eql"
+query = '''
+sequence by host.id, process.entity_id with maxspan=1s
+  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+   process.args : "import os;os.set?id(0);os.system(*)" and process.args : "*python*" and user.id != "0"]
+  [process where host.os.type == "linux" and event.action in ("uid_change", "gid_change") and event.type == "change" and 
+   (user.id == "0" or group.id == "0")]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+