From 7254c582c55eac2ee3ce7dfcc6a61dd888ca546f Mon Sep 17 00:00:00 2001 
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Mon, 23 Oct 2023 19:28:18 +0530 Subject: [PATCH] Move Setup information into setup filed (#3206) --- detection_rules/rule.py | 2 +- ...mand_and_control_cat_network_activity.toml | 8 +-- ..._control_linux_chisel_client_activity.toml | 16 ++--- ..._control_linux_chisel_server_activity.toml | 16 ++--- ...linux_suspicious_proxychains_activity.toml | 10 +-- ...l_linux_tunneling_and_port_forwarding.toml | 16 ++--- ...d_and_control_tunneling_via_earthworm.toml | 16 ++--- ...ial_access_collection_sensitive_files.toml | 14 ++--- .../credential_access_credential_dumping.toml | 14 ++--- ...redential_access_gdb_init_memory_dump.toml | 16 ++--- ...ential_linux_local_account_bruteforce.toml | 8 +-- ...ntial_successful_linux_ftp_bruteforce.toml | 8 +-- ...ntial_successful_linux_rdp_bruteforce.toml | 8 +-- ...ential_access_proc_credential_dumping.toml | 16 ++--- .../credential_access_ssh_backdoor_log.toml | 16 ++--- ...tempt_to_disable_iptables_or_firewall.toml | 6 +- ...ion_attempt_to_disable_syslog_service.toml | 6 +- ..._base32_encoding_or_decoding_activity.toml | 6 +- ...binary_copied_to_suspicious_directory.toml | 6 +- ...defense_evasion_chattr_immutable_file.toml | 6 +- ...ense_evasion_disable_apparmor_attempt.toml | 6 +- ...fense_evasion_disable_selinux_attempt.toml | 6 +- ...asion_esxi_suspicious_timestomp_touch.toml | 12 ++-- ...fense_evasion_file_deletion_via_shred.toml | 6 +- ...defense_evasion_file_mod_writable_dir.toml | 6 +- .../defense_evasion_hidden_file_dir_tmp.toml | 6 +- .../defense_evasion_hidden_shared_object.toml | 6 +- ...defense_evasion_kernel_module_removal.toml | 8 +-- .../defense_evasion_log_files_deleted.toml | 12 ++-- .../defense_evasion_mount_execution.toml | 12 ++-- ...ense_evasion_potential_proot_exploits.toml | 12 ++-- .../defense_evasion_rename_esxi_files.toml | 12 ++-- ...efense_evasion_rename_esxi_index_file.toml | 12 ++-- .../discovery_esxi_software_via_find.toml 
| 12 ++-- .../discovery_esxi_software_via_grep.toml | 12 ++-- .../discovery_kernel_module_enumeration.toml | 6 +- .../linux/discovery_linux_hping_activity.toml | 8 +-- .../linux/discovery_linux_nping_activity.toml | 8 +-- ...very_pspy_process_monitoring_detected.toml | 8 +-- ...very_sudo_allowed_command_enumeration.toml | 6 +- .../discovery_suid_sguid_enumeration.toml | 6 +- ...overy_unusual_user_enumeration_via_id.toml | 6 +- ...covery_virtual_machine_fingerprinting.toml | 6 +- ...tion_abnormal_process_id_file_created.toml | 19 +++--- ...ion_curl_cve_2023_38545_heap_overflow.toml | 16 ++--- ...n_file_execution_followed_by_deletion.toml | 6 +- ...er_or_listener_established_via_netcat.toml | 23 +++---- ...cution_network_event_post_compilation.toml | 6 +- rules/linux/execution_perl_tty_shell.toml | 6 +- ..._process_started_from_process_id_file.toml | 19 +++--- ...ss_started_in_shared_memory_directory.toml | 16 ++--- rules/linux/execution_python_tty_shell.toml | 6 +- ..._remote_code_execution_via_postgresql.toml | 6 +- .../execution_shell_evasion_linux_binary.toml | 61 ++++++++++--------- ...uspicious_parent_child_revshell_linux.toml | 12 ++-- ...xecution_shell_via_background_process.toml | 6 +- ...ecution_shell_via_java_revshell_linux.toml | 12 ++-- ...on_shell_via_lolbin_interpreter_linux.toml | 12 ++-- ...execution_shell_via_meterpreter_linux.toml | 7 +-- ...execution_shell_via_suspicious_binary.toml | 12 ++-- ...ution_shell_via_tcp_cli_utility_linux.toml | 12 ++-- ...ution_shell_via_udp_cli_utility_linux.toml | 12 ++-- ...traction_or_decrompression_via_funzip.toml | 12 ++-- ...us_executable_running_system_commands.toml | 6 +- ...icious_mining_process_creation_events.toml | 6 +- rules/linux/execution_tc_bpf_filter.toml | 14 ++--- .../impact_data_encrypted_via_openssl.toml | 14 ++--- rules/linux/impact_esxi_process_kill.toml | 12 ++-- ...tial_linux_ransomware_file_encryption.toml | 6 +- ...ential_linux_ransomware_note_detected.toml | 6 +- 
.../linux/impact_process_kill_threshold.toml | 7 ++- ...ment_telnet_network_activity_external.toml | 8 +-- ...ment_telnet_network_activity_internal.toml | 8 +-- .../persistence_chkconfig_service_add.toml | 12 ++-- ...credential_access_modify_ssh_binaries.toml | 8 +-- .../linux/persistence_cron_job_creation.toml | 12 ++-- .../persistence_dynamic_linker_backup.toml | 12 ++-- .../linux/persistence_etc_file_creation.toml | 14 ++--- .../persistence_init_d_file_creation.toml | 19 +++--- ...persistence_insmod_kernel_module_load.toml | 12 ++-- ...ersistence_kde_autostart_modification.toml | 16 ++--- ...sistence_linux_backdoor_user_creation.toml | 7 ++- ...e_linux_shell_activity_via_web_server.toml | 15 ++--- ..._linux_user_added_to_privileged_group.toml | 7 ++- ...rsistence_message_of_the_day_creation.toml | 13 ++-- ...sistence_message_of_the_day_execution.toml | 13 ++-- .../linux/persistence_rc_script_creation.toml | 19 +++--- .../persistence_shared_object_creation.toml | 8 +-- ...tence_systemd_scheduled_timer_created.toml | 15 ++--- .../persistence_systemd_service_creation.toml | 14 ++--- ...on_chown_chmod_unauthorized_file_read.toml | 8 +-- ...ation_container_util_misconfiguration.toml | 14 ++--- ...lation_ld_preload_shared_object_modif.toml | 12 ++-- ...lation_linux_suspicious_symbolic_link.toml | 6 +- ...lege_escalation_linux_uid_int_max_bug.toml | 14 ++--- ...n_load_and_unload_of_kernel_via_kexec.toml | 16 ++--- ...alation_looney_tunables_cve_2023_4911.toml | 8 +-- ...ge_escalation_overlayfs_local_privesc.toml | 12 ++-- ...vilege_escalation_pkexec_envar_hijack.toml | 8 +-- ...lation_potential_wildcard_shell_spawn.toml | 8 +-- ...ge_escalation_sda_disk_mount_non_root.toml | 8 +-- ...privilege_escalation_shadow_file_read.toml | 8 +-- ...vilege_escalation_sudo_cve_2019_14287.toml | 8 +-- .../privilege_escalation_sudo_hijacking.toml | 8 +-- ...tion_sudo_token_via_process_injection.toml | 8 +-- ...scalation_uid_change_post_compilation.toml | 6 +- 
...lation_unshare_namespace_manipulation.toml | 14 ++--- ...ege_escalation_writable_docker_socket.toml | 8 +-- 108 files changed, 589 insertions(+), 577 deletions(-)
diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index a24945d12..6a8beae0d 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -273,7 +273,7 @@ class BaseRuleData(MarshmallowDataclassMixin, StackCompatMixin):
 risk_score_mapping: Optional[List[RiskScoreMapping]]
 rule_id: definitions.UUIDString
 rule_name_override: Optional[str]
- setup: Optional[str] = field(metadata=dict(metadata=dict(min_compat="8.3")))
+ setup: Optional[definitions.Markdown] = field(metadata=dict(metadata=dict(min_compat="8.3")))
 severity_mapping: Optional[List[SeverityMapping]]
 severity: definitions.Severity
 tags: Optional[List[str]]
diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml
index 2946f3415..7e05fe4d8 100644
--- a/rules/linux/command_and_control_cat_network_activity.toml
+++ b/rules/linux/command_and_control_cat_network_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2023/10/19"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Activity Detected via cat"
-note = """## Setup
+risk_score = 47
+rule_id = "afd04601-12fc-4149-9b78-9c3f8fe45d39"
+setup = """
 This rule requires data coming in from Elastic Defend.
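Review bot: The new annotation `setup: Optional[definitions.Markdown]` is the only schema change in this patch and carries no comment saying why the type moved from `str`; `definitions.Markdown` is declared outside this hunk, so whatever validation it adds (if any) cannot be checked here. Since every rule file in the patch moves its `## Setup` text out of `note` into `setup`, a trailing comment would record that contract for the next reader: `setup: Optional[definitions.Markdown] = field(metadata=dict(metadata=dict(min_compat="8.3")))  # Markdown setup guide; moved here from the "## Setup" section of note`. The `min_compat="8.3"` pin is left unchanged, which looks right since the field itself is not new. BaseRuleData continues outside the hunk.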
@@ -46,8 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 47
-rule_id = "afd04601-12fc-4149-9b78-9c3f8fe45d39"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml
index 53218eab2..504dcfd26 100644
--- a/rules/linux/command_and_control_linux_chisel_client_activity.toml
+++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2023/10/19"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,13 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Protocol Tunneling via Chisel Client"
-note = """## Setup
+references = [
+ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
+ "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
+ ]
+risk_score = 47
+rule_id = "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -47,12 +53,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
- "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
- ]
-risk_score = 47
-rule_id = "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/command_and_control_linux_chisel_server_activity.toml b/rules/linux/command_and_control_linux_chisel_server_activity.toml
index 9b992c98d..4f35798d8 100644
--- a/rules/linux/command_and_control_linux_chisel_server_activity.toml
+++ b/rules/linux/command_and_control_linux_chisel_server_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2023/10/19"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,13 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Protocol Tunneling via Chisel Server"
-note = """## Setup
+references = [
+ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
+ "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
+ ]
+risk_score = 47
+rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -47,12 +53,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
- "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
- ]
-risk_score = 47
-rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
index 2d9e257c8..f7686c53c 100644
--- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
+++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2023/10/19"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,10 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Utility Launched via ProxyChains"
-note = """## Setup
+references = ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"]
+risk_score = 21
+rule_id = "6ace94ba-f02c-4d55-9f53-87d99b6f9af4"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -46,9 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"]
-risk_score = 21
-rule_id = "6ace94ba-f02c-4d55-9f53-87d99b6f9af4"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
index 631ded63f..eedd58e85 100644
--- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
+++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2023/10/19"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,13 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Linux Tunneling and/or Port Forwarding"
-note = """## Setup
+references = [
+ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
+ "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
+ ]
+risk_score = 47
+rule_id = "6ee947e9-de7e-4281-a55d-09289bdf947e"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,12 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
- "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
- ]
-risk_score = 47
-rule_id = "6ee947e9-de7e-4281-a55d-09289bdf947e"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml
index 27a4f4f8e..5d905a853 100644
--- a/rules/linux/command_and_control_tunneling_via_earthworm.toml
+++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/12"
+updated_date = "2023/10/19"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,13 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Protocol Tunneling via EarthWorm"
-note = """## Setup
+references = [
+ "http://rootkiter.com/EarthWorm/",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
+]
+risk_score = 47
+rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -58,12 +64,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
 """
-references = [
- "http://rootkiter.com/EarthWorm/",
- "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
-]
-risk_score = 47
-rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 1f19abe17..1f242cfb8 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2023/10/19"
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,12 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Sensitive Files Compression"
-note = """## Setup
+references = [
+ "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
+]
+risk_score = 47
+rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -54,11 +59,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
-references = [
- "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
-]
-risk_score = 47
-rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml
index 8a71f7297..074fac608 100644
--- a/rules/linux/credential_access_credential_dumping.toml
+++ b/rules/linux/credential_access_credential_dumping.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2023/10/19"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,12 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Linux Credential Dumping via Unshadow"
-note = """## Setup
+references = [
+ "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/",
+]
+risk_score = 47
+rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -48,11 +53,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/",
-]
-risk_score = 47
-rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c"
 severity = "medium"
 tags = ["Data Source: Elastic Endgame", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/credential_access_gdb_init_memory_dump.toml b/rules/linux/credential_access_gdb_init_memory_dump.toml
index d7c8f8555..b912d96d8 100644
--- a/rules/linux/credential_access_gdb_init_memory_dump.toml
+++ b/rules/linux/credential_access_gdb_init_memory_dump.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2023/10/19"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,13 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux init (PID 1) Secret Dump via GDB"
-note = """## Setup
+references = [
+ "https://github.com/controlplaneio/truffleproc",
+ "https://github.com/hajzer/bash-memory-dump"
+]
+risk_score = 47
+rule_id = "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,12 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://github.com/controlplaneio/truffleproc",
- "https://github.com/hajzer/bash-memory-dump"
-]
-risk_score = 47
-rule_id = "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
index ce1771e1a..1c5d941ef 100644
--- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
+++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2023/10/19"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Linux Local Account Brute Force Detected"
-note = """## Setup
+risk_score = 47
+rule_id = "835c0622-114e-40b5-a346-f843ea5d01f1"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,8 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 47
-rule_id = "835c0622-114e-40b5-a346-f843ea5d01f1"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
index 60dccf0ca..c9593d0bd 100644
--- a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
+++ b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/12"
+updated_date = "2023/10/19"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Successful Linux FTP Brute Force Attack Detected"
-note = """## Setup
+risk_score = 47
+rule_id = "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d"
+setup = """
 This rule requires data coming in either from Auditbeat integration, or Auditd Manager integration.
@@ -55,8 +57,6 @@ However, if more advanced configuration is required to detect specific behavior,
 - For this detection rule no additional audit rules are required to be added to the integration.
 """
-risk_score = 47
-rule_id = "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
 type = "eql"
diff --git a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
index 9e21f2815..7b22d29c1 100644
--- a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
+++ b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/12"
+updated_date = "2023/10/13"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Successful Linux RDP Brute Force Attack Detected"
-note = """## Setup
+risk_score = 47
+rule_id = "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0"
+setup = """
 This rule requires data coming in either from Auditbeat integration, or Auditd Manager integration.
@@ -55,8 +57,6 @@ However, if more advanced configuration is required to detect specific behavior,
 - For this detection rule no additional audit rules are required to be added to the integration.
 """
-risk_score = 47
-rule_id = "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
 type = "eql"
diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml
index e5884bc18..33c1f08b7 100644
--- a/rules/linux/credential_access_proc_credential_dumping.toml
+++ b/rules/linux/credential_access_proc_credential_dumping.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2023/10/19"
 [rule]
 author = ["Elastic"]
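Review bot: `updated_date` in credential_access_potential_successful_linux_rdp_bruteforce.toml is bumped to `"2023/10/13"`, while every other rule file in this patch is bumped to `"2023/10/19"` for the same note-to-setup move (its FTP sibling immediately above goes from 2023/10/12 to 2023/10/19). This reads as a copy-paste slip rather than an intended date; the added line should be `+updated_date = "2023/10/19"`. The date does not change the rule's behaviour, but if the repository derives rule versions or release-lock entries from metadata, an out-of-step date will look like a separate, earlier revision of this rule.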
@@ -19,7 +19,13 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Linux Credential Dumping via Proc Filesystem"
-note = """## Setup
+references = [
+ "https://github.com/huntergregal/mimipenguin",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781"
+]
+risk_score = 47
+rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -46,12 +52,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://github.com/huntergregal/mimipenguin",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781"
-]
-risk_score = 47
-rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index 1bbb00593..c54c4dadc 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/12"
+updated_date = "2023/10/19"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,13 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential OpenSSH Backdoor Logging Activity"
-note = """## Setup
+references = [
+ "https://github.com/eset/malware-ioc/tree/master/sshdoor",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf",
+]
+risk_score = 73
+rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -59,12 +65,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
 """
-references = [
- "https://github.com/eset/malware-ioc/tree/master/sshdoor",
- "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf",
-]
-risk_score = 73
-rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
index e224747dc..a12712aae 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
@@ -17,7 +17,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Disable IPTables or Firewall"
-note = """## Setup
+risk_score = 21
+rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -44,8 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 21
-rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index d28cfd3b7..5e04ea59b 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -17,7 +17,9 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Disable Syslog Service"
-note = """## Setup
+risk_score = 47
+rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
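Review bot: From defense_evasion_attempt_to_disable_iptables_or_firewall.toml onward (also the syslog, base16/base32, binary-copied and chattr files in this chunk) the first hunk of each file starts at `@@ -17` or later, so these files receive the note-to-setup move without the `updated_date` bump that every earlier file in the patch gets; the diffstat agrees (`6 +-` here against `8 +--` for the files that were bumped). Unless these files already carry 2023/10/19, they should get the same `updated_date = "2023/10/19"` change so the metadata stays consistent across the change set, as the move alters the rule content in the same way for every file. The `setup = """` multi-line string opened at the end of each of these hunks closes outside the hunk.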
@@ -54,8 +56,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
-risk_score = 47
-rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index 951e72697..36665e37c 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -20,7 +20,9 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Base16 or Base32 Encoding/Decoding Activity"
-note = """## Setup
+risk_score = 21
+rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -57,8 +59,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
-risk_score = 21
-rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
index 6bb693d13..3d6d9fa3a 100644
--- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
+++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
@@ -18,7 +18,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "System Binary Copied and/or Moved to Suspicious Directory"
-note = """## Setup
+risk_score = 21
+rule_id = "fda1d332-5e08-4f27-8a9b-8c802e3292a6"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,8 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 21
-rule_id = "fda1d332-5e08-4f27-8a9b-8c802e3292a6"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml
index f8e439d7f..566cd4acc 100644
--- a/rules/linux/defense_evasion_chattr_immutable_file.toml
+++ b/rules/linux/defense_evasion_chattr_immutable_file.toml
@@ -20,7 +20,9 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "File made Immutable by Chattr"
-note = """## Setup
+risk_score = 47
+rule_id = "968ccab9-da51-4a87-9ce2-d3c9782fd759"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -60,8 +62,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc.
 For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
 """
-risk_score = 47
-rule_id = "968ccab9-da51-4a87-9ce2-d3c9782fd759"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml
index bf2d524e5..6b060383b 100644
--- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml
+++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml
@@ -18,7 +18,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Disabling of AppArmor"
-note = """## Setup
+risk_score = 21
+rule_id = "fac52c69-2646-4e79-89c0-fd7653461010"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,8 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 21
-rule_id = "fac52c69-2646-4e79-89c0-fd7653461010"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index 40837200a..841ca4f4a 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -18,7 +18,9 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Disabling of SELinux"
-note = """## Setup
+risk_score = 47
+rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -55,8 +57,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
-risk_score = 47
-rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
index df389e59c..f155f0983 100644
--- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
+++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
@@ -20,7 +20,12 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "ESXI Timestomping using Touch Command"
-note = """## Setup
+references = [
+ "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+]
+risk_score = 47
+rule_id = "30bfddd7-2954-4c9d-bbc6-19a99ca47e23"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -47,11 +52,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
-]
-risk_score = 47
-rule_id = "30bfddd7-2954-4c9d-bbc6-19a99ca47e23"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml
index a1ff0b905..828fc9709 100644
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml
+++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml
@@ -18,7 +18,9 @@ index = ["logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "File Deletion via Shred"
-note = """## Setup
+risk_score = 21
+rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,8 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 21
-rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index da7b76f20..db94ce007 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -23,7 +23,9 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "File Permission Modification in Writable Directory"
-note = """## Setup
+risk_score = 21
+rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -60,8 +62,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
-risk_score = 21
-rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index 2299892f5..4bc87d73a 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -25,7 +25,9 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Creation of Hidden Files and Directories via CommandLine"
-note = """## Setup
+risk_score = 47
+rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -65,8 +67,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc.
 For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
 """
-risk_score = 47
-rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml
index 4a650968b..9f0fdc4ce 100644
--- a/rules/linux/defense_evasion_hidden_shared_object.toml
+++ b/rules/linux/defense_evasion_hidden_shared_object.toml
@@ -19,7 +19,9 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Creation of Hidden Shared Object File"
-note = """## Setup
+risk_score = 47
+rule_id = "766d3f91-3f12-448c-b65f-20123e9e9e8c"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -59,8 +61,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc.
 For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
 """
-risk_score = 47
-rule_id = "766d3f91-3f12-448c-b65f-20123e9e9e8c"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index cf28e0f4d..249580820 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -24,7 +24,10 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kernel Module Removal"
-note = """## Setup
+references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
+risk_score = 47
+rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -51,9 +54,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
-risk_score = 47
-rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
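Review bot: The `references` entry moved in the kernel module removal hunk still points at a plain-http URL, while every other reference touched by this commit is https; man7.org serves the same page over TLS, so `references = ["https://man7.org/linux/man-pages/man8/modprobe.8.html"]` avoids a link whose content can be altered or downgraded in transit. The http scheme predates this change, but relocating the key is a natural moment to fix it. The setup string that follows continues past the end of the hunk.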
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index 2dc632a5e..f4a3a4375 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -17,7 +17,12 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "System Log File Deletion"
-note = """## Setup
+references = [
+ "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html",
+]
+risk_score = 47
+rule_id = "aa895aea-b69c-4411-b110-8d7599634b30"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -57,11 +62,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc.
 For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
 """
-references = [
- "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html",
-]
-risk_score = 47
-rule_id = "aa895aea-b69c-4411-b110-8d7599634b30"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml
index 5f9dc8eba..31af2971b 100644
--- a/rules/linux/defense_evasion_mount_execution.toml
+++ b/rules/linux/defense_evasion_mount_execution.toml
@@ -22,7 +22,12 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Hidden Process via Mount Hidepid"
-note = """## Setup
+references = [
+ "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
+]
+risk_score = 47
+rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -49,11 +54,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
-]
-risk_score = 47
-rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml
index 650131797..a9f3c1055 100644
--- a/rules/linux/defense_evasion_potential_proot_exploits.toml
+++ b/rules/linux/defense_evasion_potential_proot_exploits.toml
@@ -25,7 +25,12 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Defense Evasion via PRoot"
-note = """## Setup
+references = [
+ "https://proot-me.github.io/",
+]
+risk_score = 47
+rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -52,11 +57,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://proot-me.github.io/",
-]
-risk_score = 47
-rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml
index eb5d40724..4929de649 100644
--- a/rules/linux/defense_evasion_rename_esxi_files.toml
+++ b/rules/linux/defense_evasion_rename_esxi_files.toml
@@ -18,7 +18,12 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Renaming of ESXI Files"
-note = """## Setup
+references = [
+ "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+]
+risk_score = 47
+rule_id = "97db8b42-69d8-4bf3-9fd4-c69a1d895d68"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,11 +50,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
-]
-risk_score = 47
-rule_id = "97db8b42-69d8-4bf3-9fd4-c69a1d895d68"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/defense_evasion_rename_esxi_index_file.toml b/rules/linux/defense_evasion_rename_esxi_index_file.toml
index cb4c0ac9b..a010bad46 100644
--- a/rules/linux/defense_evasion_rename_esxi_index_file.toml
+++ b/rules/linux/defense_evasion_rename_esxi_index_file.toml
@@ -18,7 +18,12 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Renaming of ESXI index.html File"
-note = """## Setup
+references = [
+ "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+]
+risk_score = 47
+rule_id = "c125e48f-6783-41f0-b100-c3bf1b114d16"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,11 +50,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
-]
-risk_score = 47
-rule_id = "c125e48f-6783-41f0-b100-c3bf1b114d16"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml
index f33e3aaee..8e1676fe5 100644
--- a/rules/linux/discovery_esxi_software_via_find.toml
+++ b/rules/linux/discovery_esxi_software_via_find.toml
@@ -20,7 +20,12 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "ESXI Discovery via Find"
-note = """## Setup
+references = [
+ "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+]
+risk_score = 47
+rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -47,11 +52,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
-]
-risk_score = 47
-rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml
index 494b5eb31..3cbc07a56 100644
--- a/rules/linux/discovery_esxi_software_via_grep.toml
+++ b/rules/linux/discovery_esxi_software_via_grep.toml
@@ -19,7 +19,12 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "ESXI Discovery via Grep"
-note = """## Setup
+references = [
+ "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+]
+risk_score = 47
+rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -46,11 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
-]
-risk_score = 47
-rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index 2418d442b..8788f5d17 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -24,7 +24,9 @@ index = ["logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Enumeration of Kernel Modules"
-note = """## Setup
+risk_score = 47
+rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -51,8 +53,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 47
-rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml
index 632a78e93..fa4fa6f15 100644
--- a/rules/linux/discovery_linux_hping_activity.toml
+++ b/rules/linux/discovery_linux_hping_activity.toml
@@ -23,7 +23,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Hping Process Activity"
-note = """## Setup
+references = ["https://en.wikipedia.org/wiki/Hping"]
+risk_score = 47
+rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -60,9 +63,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
-references = ["https://en.wikipedia.org/wiki/Hping"]
-risk_score = 47
-rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml
index 774cf5de7..b006ad4ee 100644
--- a/rules/linux/discovery_linux_nping_activity.toml
+++ b/rules/linux/discovery_linux_nping_activity.toml
@@ -23,7 +23,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Nping Process Activity"
-note = """## Setup
+references = ["https://en.wikipedia.org/wiki/Nmap"]
+risk_score = 47
+rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -60,9 +63,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
-references = ["https://en.wikipedia.org/wiki/Nmap"]
-risk_score = 47
-rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/discovery_pspy_process_monitoring_detected.toml b/rules/linux/discovery_pspy_process_monitoring_detected.toml
index 81fe33eb3..834343f22 100644
--- a/rules/linux/discovery_pspy_process_monitoring_detected.toml
+++ b/rules/linux/discovery_pspy_process_monitoring_detected.toml
@@ -19,7 +19,10 @@ index = ["logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Pspy Process Monitoring Detected"
-note = """## Setup
+references = ["https://github.com/DominicBreuker/pspy"]
+risk_score = 21
+rule_id = "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc"
+setup = """
 This rule requires data coming in from Auditd Manager integration.
@@ -44,9 +47,6 @@ However, if more advanced configuration is required to detect specific behavior,
 -- "-w /proc/ -p r -k audit_proc"
 """
-references = ["https://github.com/DominicBreuker/pspy"]
-risk_score = 21
-rule_id = "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 type = "eql"
diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
index 7bfb7ed0c..54946d26d 100644
--- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml
+++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
@@ -18,7 +18,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Sudo Command Enumeration Detected"
-note = """## Setup
+risk_score = 21
+rule_id = "28d39238-0c01-420a-b77a-24e5a7378663"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,8 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 21
-rule_id = "28d39238-0c01-420a-b77a-24e5a7378663"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml
index 2c61a6d78..17df0d288 100644
--- a/rules/linux/discovery_suid_sguid_enumeration.toml
+++ b/rules/linux/discovery_suid_sguid_enumeration.toml
@@ -20,7 +20,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "SUID/SGUID Enumeration Detected"
-note = """## Setup
+risk_score = 21
+rule_id = "5b06a27f-ad72-4499-91db-0c69667bffa5"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -47,8 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 21
-rule_id = "5b06a27f-ad72-4499-91db-0c69667bffa5"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml
index d7be298e9..2b41f1238 100644
--- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml
+++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml
@@ -18,7 +18,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual User Privilege Enumeration via id"
-note = """## Setup
+risk_score = 21
+rule_id = "afa135c0-a365-43ab-aa35-fd86df314a47"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,8 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 21
-rule_id = "afa135c0-a365-43ab-aa35-fd86df314a47"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index 9ddf29a70..eb0b20e16 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -24,7 +24,9 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Virtual Machine Fingerprinting"
-note = """## Setup
+risk_score = 73
+rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -61,8 +63,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ -risk_score = 73 -rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index 03d163914..d8f7e5f4c 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -65,7 +65,16 @@ This rule identifies the creation of PID, lock, or reboot files in the /var/run/ - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", +] +risk_score = 47 +rule_id = "cac91072-d165-11ec-a764-f661ea17fbce" +setup = """ This rule requires data coming in from Elastic Defend. 
@@ -92,14 +101,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -references = [ - "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", - "https://twitter.com/GossiTheDog/status/1522964028284411907", - "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", -] -risk_score = 47 -rule_id = "cac91072-d165-11ec-a764-f661ea17fbce" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml index c3141de18..ad1f06075 100644 --- a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml +++ b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml @@ -21,7 +21,14 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential curl CVE-2023-38545 Exploitation" -note = """## Setup +references = [ + "https://curl.se/docs/CVE-2023-38545.html", + "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/", + "https://twitter.com/_JohnHammond/status/1711986412554531015" +] +risk_score = 47 +rule_id = "f41296b4-9975-44d6-9486-514c6f635b2d" +setup = """ This rule requires data coming in from Elastic Defend. 
@@ -62,13 +69,6 @@ the rule will function properly. For more information on capturing environment variables refer the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html). """ -references = [ - "https://curl.se/docs/CVE-2023-38545.html", - "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/", - "https://twitter.com/_JohnHammond/status/1711986412554531015" -] -risk_score = 47 -rule_id = "f41296b4-9975-44d6-9486-514c6f635b2d" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml index 69a60e738..ecec2d920 100644 --- a/rules/linux/execution_file_execution_followed_by_deletion.toml +++ b/rules/linux/execution_file_execution_followed_by_deletion.toml @@ -18,7 +18,9 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "File Creation, Execution and Self-Deletion in Suspicious Directory" -note = """## Setup +risk_score = 47 +rule_id = "09bc6c90-7501-494d-b015-5d988dc3f233" +setup = """ This rule requires data coming in from Elastic Defend. @@ -45,8 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -risk_score = 47 -rule_id = "09bc6c90-7501-494d-b015-5d988dc3f233" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 7ca4d1300..c91af8b5a 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml 
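Review bot: The sentence `For more information on capturing environment variables refer the [helper guide](...)` is carried into the new `setup` field unchanged, typo included; since this commit is rewriting where that text lives, fix it to `refer to the [helper guide]` in the same move. The line matters more than a typo normally would: the hunk header shows the preceding sentence ends with "the rule will function properly", so this is presumably the note telling operators that the rule only matches once Elastic Defend's environment-variable capture is enabled — confirm against the query, which is outside this hunk. The opening of the `setup` string and the sentence introducing the capture setting are in the previous hunk.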
@@ -63,7 +63,18 @@ This rule identifies potential reverse shell or bind shell activity using Netcat - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", + "https://en.wikipedia.org/wiki/Netcat", + "https://www.hackers-arise.com/hacking-fundamentals", + "https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/", + "https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd", +] +risk_score = 47 +rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f" +setup = """ This rule requires data coming in either from Elastic Defend, or Auditbeat integration. 
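Review bot: The first entry of the relocated `references` array is still a cleartext URL, `"http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet"`, while every other reference added in this patch is https; if the site serves the page over TLS, change it to `"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet"` so an analyst following the link from an alert is not sent over plain HTTP. The array is otherwise moved verbatim from its old position lower in the file. The `setup` string opened at the end of this hunk continues into the next one.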
@@ -100,16 +111,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ -references = [ - "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", - "https://en.wikipedia.org/wiki/Netcat", - "https://www.hackers-arise.com/hacking-fundamentals", - "https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/", - "https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd", -] -risk_score = 47 -rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml index 682715c08..748785e0a 100644 --- a/rules/linux/execution_network_event_post_compilation.toml +++ b/rules/linux/execution_network_event_post_compilation.toml @@ -18,7 +18,9 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Network Connection via Recently Compiled Executable" -note = """## Setup +risk_score = 47 +rule_id = "64cfca9e-0f6f-4048-8251-9ec56a055e9e" +setup = """ This rule requires data coming in from Elastic Defend. 
@@ -45,8 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -risk_score = 47 -rule_id = "64cfca9e-0f6f-4048-8251-9ec56a055e9e" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index 44fc9377a..a091c5a58 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -17,7 +17,9 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Interactive Terminal Spawned via Perl" -note = """## Setup +risk_score = 73 +rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3" +setup = """ This rule requires data coming in either from Elastic Defend, or Auditbeat integration. @@ -54,8 +56,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ -risk_score = 73 -rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index c3bb4ef24..fde6c8d2a 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml 
@@ -33,7 +33,16 @@ Detection alerts from this rule indicate a process spawned from an executable ma - Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: "SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';" - Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation. -## Setup +""" +references = [ + "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", +] +risk_score = 73 +rule_id = "3688577a-d196-11ec-90b0-f661ea17fbce" +setup = """ This rule requires data coming in from Elastic Defend. @@ -60,14 +69,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -references = [ - "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", - "https://twitter.com/GossiTheDog/status/1522964028284411907", - "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", -] -risk_score = 73 -rule_id = "3688577a-d196-11ec-90b0-f661ea17fbce" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index e5cf38c38..cd552764c 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml @@ -25,7 +25,14 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Binary Executed from Shared Memory Directory" -note = """## Setup +references = [ + "https://linuxsecurity.com/features/fileless-malware-on-linux", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", +] +risk_score = 73 +rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce" +setup = """ This rule requires data coming in from Elastic Defend. @@ -52,13 +59,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -references = [ - "https://linuxsecurity.com/features/fileless-malware-on-linux", - "https://twitter.com/GossiTheDog/status/1522964028284411907", - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", -] -risk_score = 73 -rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index d07a62e87..97d813820 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml 
@@ -17,7 +17,9 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Interactive Terminal Spawned via Python" -note = """## Setup +risk_score = 73 +rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f" +setup = """ This rule requires data coming in from Elastic Defend. @@ -44,8 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -risk_score = 73 -rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f" severity = "high" timestamp_override = "event.ingested" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index 797349051..6f6c86241 100644 --- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml @@ -20,7 +20,9 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Code Execution via Postgresql" -note = """## Setup +risk_score = 47 +rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e" +setup = """ This rule requires data coming in from Elastic Defend. @@ -47,8 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -risk_score = 47 -rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "eql" 
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index 09e519242..451fd92b1 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -63,7 +63,37 @@ Initiate the incident response process based on the outcome of the triage. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://gtfobins.github.io/gtfobins/apt/", + "https://gtfobins.github.io/gtfobins/apt-get/", + "https://gtfobins.github.io/gtfobins/nawk/", + "https://gtfobins.github.io/gtfobins/mawk/", + "https://gtfobins.github.io/gtfobins/awk/", + "https://gtfobins.github.io/gtfobins/gawk/", + "https://gtfobins.github.io/gtfobins/busybox/", + "https://gtfobins.github.io/gtfobins/c89/", + "https://gtfobins.github.io/gtfobins/c99/", + "https://gtfobins.github.io/gtfobins/cpulimit/", + "https://gtfobins.github.io/gtfobins/crash/", + "https://gtfobins.github.io/gtfobins/env/", + "https://gtfobins.github.io/gtfobins/expect/", + "https://gtfobins.github.io/gtfobins/find/", + "https://gtfobins.github.io/gtfobins/flock/", + "https://gtfobins.github.io/gtfobins/gcc/", + "https://gtfobins.github.io/gtfobins/mysql/", + "https://gtfobins.github.io/gtfobins/nice/", + "https://gtfobins.github.io/gtfobins/ssh/", + "https://gtfobins.github.io/gtfobins/vi/", + "https://gtfobins.github.io/gtfobins/vim/", + "https://gtfobins.github.io/gtfobins/capsh/", + "https://gtfobins.github.io/gtfobins/byebug/", + "https://gtfobins.github.io/gtfobins/git/", + "https://gtfobins.github.io/gtfobins/ftp/", +] +risk_score = 47 +rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0" +setup = """ This rule requires data coming in from Elastic Defend. 
@@ -100,35 +130,6 @@ For more information about the additional fields collected when this setting is the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html). """ -references = [ - "https://gtfobins.github.io/gtfobins/apt/", - "https://gtfobins.github.io/gtfobins/apt-get/", - "https://gtfobins.github.io/gtfobins/nawk/", - "https://gtfobins.github.io/gtfobins/mawk/", - "https://gtfobins.github.io/gtfobins/awk/", - "https://gtfobins.github.io/gtfobins/gawk/", - "https://gtfobins.github.io/gtfobins/busybox/", - "https://gtfobins.github.io/gtfobins/c89/", - "https://gtfobins.github.io/gtfobins/c99/", - "https://gtfobins.github.io/gtfobins/cpulimit/", - "https://gtfobins.github.io/gtfobins/crash/", - "https://gtfobins.github.io/gtfobins/env/", - "https://gtfobins.github.io/gtfobins/expect/", - "https://gtfobins.github.io/gtfobins/find/", - "https://gtfobins.github.io/gtfobins/flock/", - "https://gtfobins.github.io/gtfobins/gcc/", - "https://gtfobins.github.io/gtfobins/mysql/", - "https://gtfobins.github.io/gtfobins/nice/", - "https://gtfobins.github.io/gtfobins/ssh/", - "https://gtfobins.github.io/gtfobins/vi/", - "https://gtfobins.github.io/gtfobins/vim/", - "https://gtfobins.github.io/gtfobins/capsh/", - "https://gtfobins.github.io/gtfobins/byebug/", - "https://gtfobins.github.io/gtfobins/git/", - "https://gtfobins.github.io/gtfobins/ftp/", -] -risk_score = 47 -rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml b/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml index 56ba42a8d..44cc4040c 100644 --- a/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml 
+++ b/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml @@ -18,7 +18,12 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Suspicious Parent Process" -note = """## Setup +references = [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" +] +risk_score = 47 +rule_id = "4b1a807a-4e7b-414e-8cea-24bf580f6fc5" +setup = """ This rule requires data coming in from Elastic Defend. @@ -45,11 +50,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" -] -risk_score = 47 -rule_id = "4b1a807a-4e7b-414e-8cea-24bf580f6fc5" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml index d07cc37b0..7730650b5 100644 --- a/rules/linux/execution_shell_via_background_process.toml +++ b/rules/linux/execution_shell_via_background_process.toml @@ -17,7 +17,9 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Background Process" -note = """## Setup +risk_score = 47 +rule_id = "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39" +setup = """ This rule requires data coming in from Elastic Defend. 
@@ -44,8 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -risk_score = 47 -rule_id = "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39" severity = "medium" timestamp_override = "event.ingested" tags = ["Domain: Endpoint", diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml index 592cd40df..36a76f1f2 100644 --- a/rules/linux/execution_shell_via_java_revshell_linux.toml +++ b/rules/linux/execution_shell_via_java_revshell_linux.toml @@ -17,7 +17,12 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Java" -note = """## Setup +references = [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" +] +risk_score = 47 +rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd" +setup = """ This rule requires data coming in from Elastic Defend. @@ -44,11 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" -] -risk_score = 47 -rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml index d87055208..443509f2f 100644 --- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml 
+++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
@@ -18,7 +18,12 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via Suspicious Child Process"
-note = """## Setup
+references = [
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+]
+risk_score = 47
+rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,11 +50,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
-]
-risk_score = 47
-rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml
index d9b08d448..6e2491a2d 100644
--- a/rules/linux/execution_shell_via_meterpreter_linux.toml
+++ b/rules/linux/execution_shell_via_meterpreter_linux.toml
@@ -18,8 +18,9 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Meterpreter Reverse Shell"
-note = """## Setup
-## Setup
+risk_score = 47
+rule_id = "5c895b4f-9133-4e68-9e23-59902175355c"
+setup = """
 This rule requires data coming in either from Auditbeat integration, or Auditd Manager integration.
@@ -56,8 +57,6 @@ However, if more advanced configuration is required to detect specific behavior,
 -w /etc/passwd -p wa -k passwd
 """
-risk_score = 47
-rule_id = "5c895b4f-9133-4e68-9e23-59902175355c"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml
index 6e7a7ea43..2b7101c6c 100644
--- a/rules/linux/execution_shell_via_suspicious_binary.toml
+++ b/rules/linux/execution_shell_via_suspicious_binary.toml
@@ -19,7 +19,12 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via Suspicious Binary"
-note = """## Setup
+references = [
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+]
+risk_score = 47
+rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -46,11 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
-]
-risk_score = 47
-rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
index 6ec8c3330..a743d7bfe 100644
--- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
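Review bot: The new `setup` text for the Meterpreter rule ends on the example watch rule `-w /etc/passwd -p wa -k passwd` and never states whether this rule needs any audit rule at all, whereas the UDP reverse-shell rule later in this patch closes its setup with `- For this detection rule no additional audit rules are required to be added to the integration.`; a reader cannot tell whether the passwd watch is required, optional, or merely illustrative. Add an equivalent closing sentence giving this rule's actual auditd requirement — presumably the syscall events the query keys on, to be confirmed against the query, which is outside this hunk. Separately, `tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]` carries no `Data Source:` tag although the setup names Auditbeat / Auditd Manager as the required sources; if the repo's tag vocabulary has a value for auditd, add it for parity with the `Data Source: Elastic Defend` rules in this patch. The `setup` string begins in the previous hunk.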
+++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml @@ -18,7 +18,12 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell" -note = """## Setup +references = [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" +] +risk_score = 47 +rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3" +setup = """ This rule requires data coming in from Elastic Defend. @@ -45,11 +50,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" -] -risk_score = 47 -rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml index 103a84f7e..49c9fbd28 100644 --- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml @@ -19,7 +19,12 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via UDP" -note = """## Setup +references = [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" +] +risk_score = 47 +rule_id = "a5eb21b7-13cc-4b94-9fe2-29bb2914e037" +setup = """ This rule requires data coming in either from Auditbeat integration, or Auditd Manager integration. 
@@ -53,11 +58,6 @@ However, if more advanced configuration is required to detect specific behavior, - For this detection rule no additional audit rules are required to be added to the integration. """ -references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" -] -risk_score = 47 -rule_id = "a5eb21b7-13cc-4b94-9fe2-29bb2914e037" severity = "medium" tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] timestamp_override = "event.ingested" diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml index 7e07c79a9..3cef618ea 100644 --- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml +++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml @@ -19,7 +19,12 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Content Extracted or Decompressed via Funzip" -note = """## Setup +references = [ + "https://attack.mitre.org/software/S0482/" +] +risk_score = 47 +rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66" +setup = """ This rule requires data coming in from Elastic Defend. @@ -46,11 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -references = [ - "https://attack.mitre.org/software/S0482/" -] -risk_score = 47 -rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
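Review bot: The tags for the UDP reverse-shell rule, `tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]`, are the only ones in this patch without `Domain: Endpoint`, although the rule reads the same `auditbeat-*` and `logs-auditd_manager.auditd-*` indices as the Meterpreter rule, which does carry it, and the new `setup` text describes endpoint audit data; this looks like an omission rather than a choice. Add `"Domain: Endpoint"` (and a `Data Source:` tag for auditd if the vocabulary has one) so the rule is grouped consistently with its siblings. The tags line itself is unchanged by the commit, and the `setup` string begins in the previous hunk.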
diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml index c922a56ba..0b079f747 100644 --- a/rules/linux/execution_suspicious_executable_running_system_commands.toml +++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml @@ -20,7 +20,9 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Suspicious System Commands Executed by Previously Unknown Executable" -note = """## Setup +risk_score = 21 +rule_id = "e9001ee6-2d00-4d2f-849e-b8b1fb05234c" +setup = """ This rule requires data coming in from Elastic Defend. @@ -47,8 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -risk_score = 21 -rule_id = "e9001ee6-2d00-4d2f-849e-b8b1fb05234c" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index ac82791ee..e0f79506e 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml @@ -17,7 +17,9 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Mining Process Creation Event" -note = """## Setup +risk_score = 47 +rule_id = "e2258f48-ba75-4248-951b-7c885edf18c2" +setup = """ This rule requires data coming in from Elastic Defend. 
@@ -44,8 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 47
-rule_id = "e2258f48-ba75-4248-951b-7c885edf18c2"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml
index cc89f4b77..56d562e00 100644
--- a/rules/linux/execution_tc_bpf_filter.toml
+++ b/rules/linux/execution_tc_bpf_filter.toml
@@ -16,7 +16,13 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "BPF filter applied using TC"
-note = """## Setup
+references = [
+ "https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh",
+ "https://man7.org/linux/man-pages/man8/tc.8.html",
+]
+risk_score = 73
+rule_id = "ef04a476-07ec-48fc-8f3d-5e1742de76d3"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -43,12 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh",
- "https://man7.org/linux/man-pages/man8/tc.8.html",
-]
-risk_score = 73
-rule_id = "ef04a476-07ec-48fc-8f3d-5e1742de76d3"
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: TripleCross", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml
index 2d4036dbe..03a5a410e 100644
--- a/rules/linux/impact_data_encrypted_via_openssl.toml
+++ b/rules/linux/impact_data_encrypted_via_openssl.toml
@@ -18,7 +18,13 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Data Encryption via OpenSSL Utility"
-note = """## Setup
+references = [
+ "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
+ "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html",
+]
+risk_score = 47
+rule_id = "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,12 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
- "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html",
-]
-risk_score = 47
-rule_id = "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/impact_esxi_process_kill.toml b/rules/linux/impact_esxi_process_kill.toml
index 63ae7a1b3..97212297a 100644
--- a/rules/linux/impact_esxi_process_kill.toml
+++ b/rules/linux/impact_esxi_process_kill.toml
@@ -19,7 +19,12 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Termination of ESXI Process"
-note = """## Setup
+references = [
+ "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+]
+risk_score = 47
+rule_id = "6641a5af-fb7e-487a-adc4-9e6503365318"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -46,11 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
-]
-risk_score = 47
-rule_id = "6641a5af-fb7e-487a-adc4-9e6503365318"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
index 93fe0e47f..65b44554c 100644
--- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
+++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
@@ -19,7 +19,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious File Changes Activity Detected"
-note = """## Setup
+risk_score = 47
+rule_id = "28738f9f-7427-4d23-bc69-756708b5f624"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -46,8 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 47
-rule_id = "28738f9f-7427-4d23-bc69-756708b5f624"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml
index 73c2bd27f..97e871911 100644
--- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml
+++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml
@@ -20,7 +20,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Linux Ransomware Note Creation Detected"
-note = """## Setup
+risk_score = 47
+rule_id = "c8935a8b-634a-4449-98f7-bb24d3b2c0af"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -47,8 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 47
-rule_id = "c8935a8b-634a-4449-98f7-bb24d3b2c0af"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml
index 837e48844..d89857749 100644
--- a/rules/linux/impact_process_kill_threshold.toml
+++ b/rules/linux/impact_process_kill_threshold.toml
@@ -47,7 +47,10 @@ This rule identifies a high number (10) of process terminations via pkill from t
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
+"""
+risk_score = 47
+rule_id = "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -74,8 +77,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 47
-rule_id = "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 type = "threshold"
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index a76ae89b6..e48026c94 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -25,7 +25,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Connection to External Network via Telnet"
-note = """## Setup
+references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
+risk_score = 47
+rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -62,9 +65,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
-references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
-risk_score = 47
-rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index a63763a96..3e7f21eff 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -25,7 +25,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Connection to Internal Network via Telnet"
-note = """## Setup
+references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
+risk_score = 47
+rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -62,9 +65,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
-references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
-risk_score = 47
-rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml
index 053e792f6..2f05217ce 100644
--- a/rules/linux/persistence_chkconfig_service_add.toml
+++ b/rules/linux/persistence_chkconfig_service_add.toml
@@ -19,7 +19,12 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Chkconfig Service Add"
-note = """## Setup
+references = [
+ "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
+]
+risk_score = 47
+rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -46,11 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
-]
-risk_score = 47
-rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index be7fb39ac..81f127c75 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
@@ -20,7 +20,10 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Modification of OpenSSH Binaries"
-note = """## Setup
+references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"]
+risk_score = 47
+rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -57,9 +60,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
-references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"]
-risk_score = 47
-rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml
index 3432dade7..2d87b99bf 100644
--- a/rules/linux/persistence_cron_job_creation.toml
+++ b/rules/linux/persistence_cron_job_creation.toml
@@ -18,7 +18,12 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Cron Job Created or Changed by Previously Unknown Process"
-note = """## Setup
+references = [
+ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
+]
+risk_score = 47
+rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,11 +50,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
-]
-risk_score = 47
-rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml
index 97ba64992..c1face66f 100644
--- a/rules/linux/persistence_dynamic_linker_backup.toml
+++ b/rules/linux/persistence_dynamic_linker_backup.toml
@@ -16,7 +16,12 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Dynamic Linker Copy"
-note = """## Setup
+references = [
+ "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"
+]
+risk_score = 73
+rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -43,11 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"
-]
-risk_score = 73
-rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0"
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index a9626a5dd..3c6a89a9e 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -18,7 +18,13 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious File Creation in /etc for Persistence"
-note = """## Setup
+references = [
+ "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/",
+ "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
+]
+risk_score = 47
+rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,12 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/",
- "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
-]
-risk_score = 47
-rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml
index cb4afdaf8..18ae474cd 100644
--- a/rules/linux/persistence_init_d_file_creation.toml
+++ b/rules/linux/persistence_init_d_file_creation.toml
@@ -118,7 +118,16 @@ This rule looks for the creation of new files within the `/etc/init.d/` director
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
+"""
+references = [
+ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
+ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
+ "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"
+
+]
+risk_score = 47
+rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b"
+setup = """
 This rule requires data coming in from Elastic Defend.
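Review bot: The relocated `references` array in the persistence_init_d_file_creation.toml hunk (`@@ -118,7 +118,16 @@`) still carries an empty `+` line between the last URL and the closing `]`, and that last entry has no trailing comma, which differs from the gap-free, comma-terminated arrays elsewhere in this patch (for example execution_tc_bpf_filter.toml). The same stray blank line is moved verbatim in the persistence_rc_script_creation.toml hunk at `@@ -97,7 +97,16 @@`. Since the block is being rewritten anyway, this is the moment to normalise it: end the list with `"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/",` and follow it directly with `]`.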
@@ -145,14 +154,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
- "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
- "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"
-
-]
-risk_score = 47
-rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml
index 9287a2a02..a69b50ca5 100644
--- a/rules/linux/persistence_insmod_kernel_module_load.toml
+++ b/rules/linux/persistence_insmod_kernel_module_load.toml
@@ -16,7 +16,12 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kernel module load via insmod"
-note = """## Setup
+references = [
+ "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"
+]
+risk_score = 47
+rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -43,11 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"
-]
-risk_score = 47
-rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index 41c72b639..4e40e7a1f 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -17,7 +17,14 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via KDE AutoStart Script or Desktop File Modification"
-note = """## Setup
+references = [
+ "https://userbase.kde.org/System_Settings/Autostart",
+ "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
+ "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
+]
+risk_score = 47
+rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -57,13 +64,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
 """
-references = [
- "https://userbase.kde.org/System_Settings/Autostart",
- "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
- "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
-]
-risk_score = 47
-rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml
index 5a0083f81..cbe874f66 100644
--- a/rules/linux/persistence_linux_backdoor_user_creation.toml
+++ b/rules/linux/persistence_linux_backdoor_user_creation.toml
@@ -85,7 +85,10 @@ This rule identifies the usage of the `usermod` command to set a user's UID to 0
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
+"""
+risk_score = 47
+rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -112,8 +115,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 47
-rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
index 3b46623a7..043072fe1 100644
--- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
@@ -98,7 +98,14 @@ This rule detects a web server process spawning script and command line interfac
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
+"""
+references = [
+ "https://pentestlab.blog/tag/web-shell/",
+ "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
+]
+risk_score = 73
+rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -125,12 +132,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://pentestlab.blog/tag/web-shell/",
- "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
-]
-risk_score = 73
-rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml
index af3fa56e8..ad80c897f 100644
--- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml
+++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml
@@ -80,7 +80,10 @@ This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
+"""
+risk_score = 47
+rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -107,8 +110,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 47
-rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml
index 137030323..170d7f94e 100644
--- a/rules/linux/persistence_message_of_the_day_creation.toml
+++ b/rules/linux/persistence_message_of_the_day_creation.toml
@@ -115,7 +115,13 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/`
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
+"""
+references = [
+ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
+]
+risk_score = 47
+rule_id = "96d11d31-9a79-480f-8401-da28b194608f"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -142,11 +148,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
-]
-risk_score = 47
-rule_id = "96d11d31-9a79-480f-8401-da28b194608f"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 type = "new_terms"
diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml
index da45d8cad..7f2672014 100644
--- a/rules/linux/persistence_message_of_the_day_execution.toml
+++ b/rules/linux/persistence_message_of_the_day_execution.toml
@@ -114,7 +114,13 @@ This rule identifies the execution of potentially malicious processes from a MOT
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
+"""
+references = [
+ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
+]
+risk_score = 73
+rule_id = "4ec47004-b34a-42e6-8003-376a123ea447"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -141,11 +147,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
-]
-risk_score = 73
-rule_id = "4ec47004-b34a-42e6-8003-376a123ea447"
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml
index 254409cfc..7ce4e1616 100644
--- a/rules/linux/persistence_rc_script_creation.toml
+++ b/rules/linux/persistence_rc_script_creation.toml
@@ -97,7 +97,16 @@ Detection alerts from this rule indicate the creation of a new `/etc/rc.local` f
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
+"""
+references = [
+ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
+ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
+ "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"
+
+]
+risk_score = 47
+rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -124,14 +133,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
- "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
- "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"
-
-]
-risk_score = 47
-rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 type = "new_terms"
diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml
index 7b744dc5a..1f05b3741 100644
--- a/rules/linux/persistence_shared_object_creation.toml
+++ b/rules/linux/persistence_shared_object_creation.toml
@@ -21,7 +21,10 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Shared Object Created or Changed by Previously Unknown Process"
-note = """## Setup
+references = ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"]
+risk_score = 47
+rule_id = "aebaa51f-2a91-4f6a-850b-b601db2293f4"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -48,9 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"]
-risk_score = 47
-rule_id = "aebaa51f-2a91-4f6a-850b-b601db2293f4"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml
index 27eba833f..1c5be6028 100644
--- a/rules/linux/persistence_systemd_scheduled_timer_created.toml
+++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml
@@ -128,7 +128,14 @@ This rule monitors the creation of new systemd timer files, potentially indicati
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
+"""
+references = [
+ "https://opensource.com/article/20/7/systemd-timers",
+ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
+]
+risk_score = 21
+rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -155,12 +162,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://opensource.com/article/20/7/systemd-timers",
- "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
-]
-risk_score = 21
-rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml
index 346b1ece8..31f6d7d6a 100644
--- a/rules/linux/persistence_systemd_service_creation.toml
+++ b/rules/linux/persistence_systemd_service_creation.toml
@@ -19,7 +19,13 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "New Systemd Service Created by Previously Unknown Process"
-note = """## Setup
+references = [
+ "https://opensource.com/article/20/7/systemd-timers",
+ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
+]
+risk_score = 47
+rule_id = "17b0a495-4d9f-414c-8ad0-92f018b8e001"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -46,12 +52,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://opensource.com/article/20/7/systemd-timers",
- "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
-]
-risk_score = 47
-rule_id = "17b0a495-4d9f-414c-8ad0-92f018b8e001"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
index 4bb1c86e1..37e274ca2 100644
--- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
+++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
@@ -19,7 +19,10 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Unauthorized Access via Wildcard Injection Detected"
-note = """## Setup
+references = ["https://www.exploit-db.com/papers/33930"]
+risk_score = 21
+rule_id = "4a99ac6f-9a54-4ba5-a64f-6eb65695841b"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -46,9 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = ["https://www.exploit-db.com/papers/33930"]
-risk_score = 21
-rule_id = "4a99ac6f-9a54-4ba5-a64f-6eb65695841b"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml
index 3b89cb067..1f523a382 100644
--- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml
+++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml
@@ -20,7 +20,13 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via Container Misconfiguration"
-note = """## Setup
+references = [
+ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation",
+ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"
+ ]
+risk_score = 47
+rule_id = "afe6b0eb-dd9d-4922-b08a-1910124d524d"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -57,12 +63,6 @@ For more information about the additional fields collected when this setting is
 the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).
 """
-references = [
- "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation",
- "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"
- ]
-risk_score = 47
-rule_id = "afe6b0eb-dd9d-4922-b08a-1910124d524d"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index 5b7cdee9c..b25c6ff05 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -17,7 +17,12 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Modification of Dynamic Linker Preload Shared Object"
-note = """## Setup
+references = [
+ "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+]
+risk_score = 47
+rule_id = "717f82c2-7741-4f9b-85b8-d06aeb853f4f"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -54,11 +59,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
-references = [
- "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
-]
-risk_score = 47
-rule_id = "717f82c2-7741-4f9b-85b8-d06aeb853f4f"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
index 1afa6a674..6a0b2c81d 100644
--- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
+++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
@@ -20,7 +20,9 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Symbolic Link Created"
-note = """## Setup
+risk_score = 21
+rule_id = "8a024633-c444-45c0-a4fe-78128d8c1ab6"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -47,8 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 21
-rule_id = "8a024633-c444-45c0-a4fe-78128d8c1ab6"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
index 0f4bf5a56..d75535a50 100644
--- a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
+++ b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
@@ -18,7 +18,13 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via UID INT_MAX Bug Detected"
-note = """## Setup
+references = [
+ "https://twitter.com/paragonsec/status/1071152249529884674",
+ "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh",
+ "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"]
+risk_score = 47
+rule_id = "d55436a8-719c-445f-92c4-c113ff2f9ba5"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,12 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://twitter.com/paragonsec/status/1071152249529884674",
- "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh",
- "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"]
-risk_score = 47
-rule_id = "d55436a8-719c-445f-92c4-c113ff2f9ba5"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
index 1650e7588..42bae30dd 100644
--- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
+++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
@@ -20,7 +20,14 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kernel Load or Unload via Kexec Detected"
-note = """## Setup
+references = [
+ "https://www.crowdstrike.com/blog/venom-vulnerability-details/",
+ "https://www.makeuseof.com/what-is-venom-vulnerability/",
+ "https://madaidans-insecurities.github.io/guides/linux-hardening.html"
+]
+risk_score = 47
+rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -47,13 +54,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.crowdstrike.com/blog/venom-vulnerability-details/",
- "https://www.makeuseof.com/what-is-venom-vulnerability/",
- "https://madaidans-insecurities.github.io/guides/linux-hardening.html"
-]
-risk_score = 47
-rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
index cb6397acd..4bc6f8901 100644
--- a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
+++ b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
@@ -17,7 +17,10 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via CVE-2023-4911"
-note = """## Setup
+references = ["https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so"]
+risk_score = 73
+rule_id = "6d8685a1-94fa-4ef7-83de-59302e7c4ca8"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -58,9 +61,6 @@ the rule will function properly.
 For more information on capturing environment variables refer the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).
 """
-references = ["https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so"]
-risk_score = 73
-rule_id = "6d8685a1-94fa-4ef7-83de-59302e7c4ca8"
 severity = "high"
 tags = [
 "Domain: Endpoint",
diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
index 9c21014ea..90c623e53 100644
--- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
+++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
@@ -18,7 +18,12 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via OverlayFS"
-note = """## Setup
+references = [
+ "https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability",
+ "https://twitter.com/liadeliyahu/status/1684841527959273472"]
+risk_score = 73
+rule_id = "b51dbc92-84e2-4af1-ba47-65183fcd0c57"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,11 +50,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = [
- "https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability",
- "https://twitter.com/liadeliyahu/status/1684841527959273472"]
-risk_score = 73
-rule_id = "b51dbc92-84e2-4af1-ba47-65183fcd0c57"
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
index 72b261bf6..a07265022 100644
--- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
+++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
@@ -17,7 +17,10 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via PKEXEC"
-note = """## Setup
+references = ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/blasty-vs-pkexec.c"]
+risk_score = 73
+rule_id = "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -44,9 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/blasty-vs-pkexec.c"]
-risk_score = 73
-rule_id = "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9"
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
index d758d5950..d450ee6fb 100644
--- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
+++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
@@ -19,7 +19,10 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Shell via Wildcard Injection Detected"
-note = """## Setup
+references = ["https://www.exploit-db.com/papers/33930"]
+risk_score = 47
+rule_id = "0b803267-74c5-444d-ae29-32b5db2d562a"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -46,9 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = ["https://www.exploit-db.com/papers/33930"]
-risk_score = 47
-rule_id = "0b803267-74c5-444d-ae29-32b5db2d562a"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
index d29462493..d5573c48b 100644
--- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
+++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
@@ -20,7 +20,10 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Suspicious DebugFS Root Device Access"
-note = """## Setup
+references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"]
+risk_score = 21
+rule_id = "2605aa59-29ac-4662-afad-8d86257c7c91"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -47,9 +50,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"]
-risk_score = 21
-rule_id = "2605aa59-29ac-4662-afad-8d86257c7c91"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml
index 956ba1fd2..d4a4ee038 100644
--- a/rules/linux/privilege_escalation_shadow_file_read.toml
+++ b/rules/linux/privilege_escalation_shadow_file_read.toml
@@ -18,7 +18,10 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Shadow File Read via Command Line Utilities"
-note = """## Setup
+references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
+risk_score = 47
+rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,9 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
-risk_score = 47
-rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
index baa49acaf..5fc7846be 100644
--- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
+++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
@@ -19,7 +19,10 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Sudo Privilege Escalation via CVE-2019-14287"
-note = """## Setup
+references = ["https://www.exploit-db.com/exploits/47502"]
+risk_score = 47
+rule_id = "8af5b42f-8d74-48c8-a8d0-6d14b4197288"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -46,9 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = ["https://www.exploit-db.com/exploits/47502"]
-risk_score = 47
-rule_id = "8af5b42f-8d74-48c8-a8d0-6d14b4197288"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml
index 2ba4a6d0a..6926f3b31 100644
--- a/rules/linux/privilege_escalation_sudo_hijacking.toml
+++ b/rules/linux/privilege_escalation_sudo_hijacking.toml
@@ -18,7 +18,10 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Sudo Hijacking Detected"
-note = """## Setup
+references = ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"]
+risk_score = 47
+rule_id = "88fdcb8c-60e5-46ee-9206-2663adf1b1ce"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,9 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"]
-risk_score = 47
-rule_id = "88fdcb8c-60e5-46ee-9206-2663adf1b1ce"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
index 87b4880b1..eb18f91c2 100644
--- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
+++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
@@ -20,7 +20,10 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Sudo Token Manipulation via Process Injection"
-note = """## Setup
+references = ["https://github.com/nongiach/sudo_inject"]
+risk_score = 47
+rule_id = "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -47,9 +50,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = ["https://github.com/nongiach/sudo_inject"]
-risk_score = 47
-rule_id = "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/privilege_escalation_uid_change_post_compilation.toml b/rules/linux/privilege_escalation_uid_change_post_compilation.toml
index c5e973630..ff74083a3 100644
--- a/rules/linux/privilege_escalation_uid_change_post_compilation.toml
+++ b/rules/linux/privilege_escalation_uid_change_post_compilation.toml
@@ -18,7 +18,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via Recently Compiled Executable"
-note = """## Setup
+risk_score = 47
+rule_id = "193549e8-bb9e-466a-a7f9-7e783f5cb5a6"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -45,8 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-risk_score = 47
-rule_id = "193549e8-bb9e-466a-a7f9-7e783f5cb5a6"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
index 3be3707ba..0633c05a4 100644
--- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
+++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
@@ -18,7 +18,13 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Namespace Manipulation Using Unshare"
-note = """## Setup
+references = [
+ "https://man7.org/linux/man-pages/man1/unshare.1.html",
+ "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/",
+]
+risk_score = 47
+rule_id = "d00f33e7-b57d-4023-9952-2db91b1767c4"
+setup = """
 This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
@@ -55,12 +61,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
-references = [
- "https://man7.org/linux/man-pages/man1/unshare.1.html",
- "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/",
-]
-risk_score = 47
-rule_id = "d00f33e7-b57d-4023-9952-2db91b1767c4"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml
index c72918266..e24fad689 100644
--- a/rules/linux/privilege_escalation_writable_docker_socket.toml
+++ b/rules/linux/privilege_escalation_writable_docker_socket.toml
@@ -19,7 +19,10 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation through Writable Docker Socket"
-note = """## Setup
+references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"]
+risk_score = 47
+rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8"
+setup = """
 This rule requires data coming in from Elastic Defend.
@@ -46,9 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"]
-risk_score = 47
-rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"