From 76fdd549a3dfa887b0ca56b809ca948f0dda419a Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 19 Jul 2024 15:13:42 +0200
Subject: [PATCH] [Rule Tuning] Misc. DR Rule Tuning (#3904)

* [Rule Tuning] Misc. DR Rule Tuning
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
* I love KQL validation
---
 ...tial_linux_ransomware_file_encryption.toml | 5 ++-
 ...work_activity_from_unknown_executable.toml | 40 +++++++++----------
 ...binary_copied_to_suspicious_directory.toml | 6 ++-
 ...us_executable_running_system_commands.toml | 36 ++++++++++-------
 ...nknown_rwx_mem_region_binary_executed.toml | 19 +++++----
 ...ential_linux_ransomware_note_detected.toml | 11 ++---
 ...ersistence_apt_package_manager_netcon.toml | 12 +++++-
 .../linux/persistence_cron_job_creation.toml | 11 +++--
 ...ersistence_kde_autostart_modification.toml | 4 +-
 .../persistence_kworker_file_creation.toml | 17 ++++---
 10 files changed, 92 insertions(+), 69 deletions(-)
 rename rules/{linux => _deprecated}/impact_potential_linux_ransomware_file_encryption.toml (98%)

diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml
similarity index 98%
rename from rules/linux/impact_potential_linux_ransomware_file_encryption.toml
rename to rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml
index ad559bb91..348247726 100644
--- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
+++ b/rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/03/20"
+deprecation_date = "2024/07/18"
 integration = ["endpoint"]
-maturity = "production"
-updated_date = "2024/05/21"
+maturity = "deprecated"
+updated_date = "2024/07/18"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
index 9b2563370..056dc2937 100644
--- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
+++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2024/05/24"
+updated_date = "2024/07/18"
 
 [transform]
 [[transform.osquery]]
@@ -181,35 +181,35 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and
+host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and
 process.executable:(
- (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or
- /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/* or
- /var/log/*
- ) and not (/tmp/newroot/* or /tmp/snap.rootfs*)
- ) and
-source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and
+ (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or
+ /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/lib/update-notifier/* or /var/log/* or /var/tmp/*
+) and
+not (/tmp/newroot/* or /tmp/snap.rootfs*) and
+not /etc/cron.hourly/BitdefenderRedline) and
+source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and
 not process.name:(
- apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or
- saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform*
-) and
+ apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or kited or node
+ or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or php* or pip* or python*
+ or steam* or terraform*
+) and
 not destination.ip:(
- 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or
- 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or
- 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or
- 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" or 0.0.0.0
+ 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or
+ 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or 192.168.0.0/16 or
+ 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or 198.51.100.0/24 or 203.0.113.0/24
+ or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8"
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
@@ -217,10 +217,8 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.executable"]
+value = ["process.executable"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
-
-
+value = "now-20d"
diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
index 6d0022cb2..dcb6d7349 100644
--- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
+++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
@@ -2,7 +2,7 @@ creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/06/03"
+updated_date = "2024/07/18"
 
 [rule]
 author = ["Elastic"]
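Review bot: The three names added to `not process.name:(...)` — `git-remote-https`, `selenium-manager`, `solana-validator` — exclude on process name alone, while the rule's whole premise is an executable running from a writable or unusual location (`/tmp/*`, `/dev/shm/*`, `/home/*/.*`), so a binary in one of those directories that merely carries one of these names gets the same pass the `python*`/`aws*` wildcards already give. The `not /etc/cron.hourly/BitdefenderRedline` exclusion in the same hunk is pinned to a full path, which is the safer shape; where the installed path of a new name is known, moving it into a `process.executable` exclusion keeps the location constraint intact, and the ones that must stay name-only belong in the rule's `false_positives` entry (outside this hunk). Dropping `/run/*` and `/srv/*` from the executable list is also a coverage narrowing worth a sentence in the rule `note`.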
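Review bot: Removing `host.id` from `new_terms_fields` changes what counts as new: `process.executable` is now tracked fleet-wide, so a path first seen on one host stays silent on every other host for the rest of the window, which the hunk also lengthens from `now-14d` to `now-20d`. That is a plausible noise trade-off for a rule keyed on writable-directory paths, but nothing in the rule text records it; a short line in the rule `note` (outside this hunk) stating that alerts are per executable path rather than per host would keep the next tuner from re-adding the field. The same `host.id` drop is made in the `-74,9 +78,8` hunk of `execution_unknown_rwx_mem_region_binary_executed.toml`, and `execution_suspicious_executable_running_system_commands.toml` goes further by keying on `process.parent.executable` only.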
@@ -71,7 +71,9 @@ file.Ext.original.path : (
 "/usr/bin/update-alternatives", "/bin/update-alternatives", "/usr/sbin/update-alternatives", "/sbin/update-alternatives", "/usr/bin/pip3", "/bin/pip3", "/usr/local/bin/pip3", "/usr/local/bin/node", "/bin/node", "/usr/bin/node", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/pip", "/bin/pip",
- "/usr/local/bin/pip"
+ "/usr/local/bin/pip", "/usr/libexec/platform-python", "/usr/bin/platform-python", "/bin/platform-python",
+ "/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/sbin/sshd", "/usr/local/sbin/sshd", "/usr/sbin/crond", "/sbin/crond",
+ "/usr/local/sbin/crond", "/usr/sbin/gdm",
 ) or file.Ext.original.path : (
 "/bin/*.tmp", "/usr/bin/*.tmp", "/usr/local/bin/*.tmp", "/sbin/*.tmp", "/usr/sbin/*.tmp", "/usr/local/sbin/*.tmp"
diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml
index 39074a87a..e8c5c4c01 100644
--- a/rules/linux/execution_suspicious_executable_running_system_commands.toml
+++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml
@@ -2,7 +2,7 @@ creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/18"
 
 [rule]
 author = ["Elastic"]
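Review bot: The new list ends with a trailing comma — `"/usr/local/sbin/crond", "/usr/sbin/gdm",` immediately before `)` — which no other list in this rule has; if the EQL parser used by the repo's validation accepts it this is only cosmetic, but it reads as an unfinished edit and should be removed. Separately, the sources added here (`/usr/lib/systemd/systemd`, `/usr/sbin/sshd`, `/usr/sbin/crond`, `/usr/sbin/gdm`) are long-lived daemons, and a copy of one of them landing in a directory this rule watches is presumably the kind of event the rule exists for; if a particular updater is the noise source, scoping the exclusion on the copying `process.name` rather than on the source path would keep that case visible. The enclosing `file.Ext.original.path : (` group starts outside this hunk.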
@@ -58,31 +58,38 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and
+host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and
 process.executable:(
- /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or
- /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or
- /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*)
- and process.args:(whoami or id or hostname or uptime or top or ifconfig or netstat or route or ps or pwd or ls) and
- not process.name:(sudo or which or whoami or id or hostname or uptime or top or netstat or ps or pwd or ls or apt or
- dpkg or yum or rpm or dnf or dockerd or docker or snapd or snap) and
- not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*)
+ (/etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or
+ /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or
+ /usr/share/* or /var/tmp/*) and not /tmp/go-build*
+) and
+process.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and
+not process.name:(
+ apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or snapd
+ or sudo or top or uptime or which or whoami or yum
+) and
+not process.parent.executable:(
+ /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or
+ /opt/puppetlabs/puppet/bin/puppet or /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or
+ /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or /etc/network/* or /opt/Elastic/* or
+ /run/k3s/* or /tmp/newroot/* or /usr/bin/*
+)
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -90,9 +97,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "user.id", "process.executable"]
+value = ["process.parent.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-
diff --git a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
index 27ee5bebe..35f465824 100644
--- a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
+++ b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
@@ -2,7 +2,7 @@ creation_date = "2024/03/13"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/18"
 
 [rule]
 author = ["Elastic"]
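Review bot: `and not /tmp/go-build*` excludes every executable under a path prefix that any local user can create, and it sits inside the `process.executable:(...)` group that is the only thing tying this rule to a suspicious location. If the intent is Go's build and test binaries, tie the exclusion to what launches them — `not (process.executable:/tmp/go-build* and process.parent.name:go)` — so an unrelated binary placed under that prefix is still seen. The parent exclusions added below (`nessusd`, `puppet`, `CCAgent`, `/usr/sbin/sshd`) are full paths, which is the right shape; `/usr/sbin/sshd` is the broadest of them and is worth confirming against the specific false positive rather than left as a blanket exclusion. Note that the following hunk changes the rule's new-terms key to `process.parent.executable`, so these parent exclusions now also define what can ever be flagged.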
@@ -50,23 +50,27 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7
+event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 and not (
+ process.executable:(
+ "/usr/share/kibana/node/bin/node" or "/usr/share/elasticsearch/jdk/bin/java" or "/usr/sbin/apache2"
+ ) or
+ process.name:httpd
+)
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -74,9 +78,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.executable"]
+value = ["process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
-
-
diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml
index c7ffba1b3..ff40e1b5d 100644
--- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml
+++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml
@@ -2,7 +2,7 @@ creation_date = "2023/03/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/18"
 
 [rule]
 author = ["Elastic"]
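Review bot: `process.name:httpd` is excluded by name alone while the three entries beside it are pinned to full paths, so any process calling itself `httpd`, wherever it runs from, gets a pass on the RWX `mprotect` this rule exists to catch. The RHEL-family Apache binary is `/usr/sbin/httpd`, so it fits the existing list — `"/usr/share/kibana/node/bin/node" or "/usr/share/elasticsearch/jdk/bin/java" or "/usr/sbin/apache2" or "/usr/sbin/httpd"` — and the `or process.name:httpd` branch can go; a further distro path can be added the same way. The `not (...)` group is closed inside the hunk, so no other part of the query is affected.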
@@ -54,18 +54,17 @@ tags = [
 "Data Source: Elastic Defend",
 ]
 type = "eql"
-
 query = '''
 sequence by process.entity_id, host.id with maxspan=1s
 [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
- and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and
+ and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*") and
 file.path : ( "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not process.name : ( "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d", "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
- "systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader"
+ "systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader", "rustup-init"
 ) ] with runs=25 [file where host.os.type == "linux" and event.action == "creation" and file.name : (
@@ -74,17 +73,15 @@ sequence by process.entity_id, host.id with maxspan=1s
 ]
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1486"
 name = "Data Encrypted for Impact"
 reference = "https://attack.mitre.org/techniques/T1486/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml
index d8d89dba4..212eef6db 100644
--- a/rules/linux/persistence_apt_package_manager_netcon.toml
+++ b/rules/linux/persistence_apt_package_manager_netcon.toml
@@ -2,7 +2,7 @@ creation_date = "2024/02/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/09"
+updated_date = "2024/07/18"
 
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,15 @@ sequence by host.id with maxspan=5s
 "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"
 )
 ] by process.entity_id
- [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start"
+ [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and not (
+ destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
+ destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
+ "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+ "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+ "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+ "FF00::/8", "172.31.0.0/16"
+ )
+ ) and not process.executable == "/usr/bin/apt-listbugs"
 ] by process.parent.entity_id
 '''
 
diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml
index 4ca980785..bd76cff86 100644
--- a/rules/linux/persistence_cron_job_creation.toml
+++ b/rules/linux/persistence_cron_job_creation.toml
@@ -2,7 +2,7 @@ creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/31"
+updated_date = "2024/07/18"
 
 [transform]
 [[transform.osquery]]
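Review bot: `"172.31.0.0/16"` at the end of the new `cidrmatch(...)` list is already inside `"172.16.0.0/12"` (172.16.0.0–172.31.255.255), so it never changes the result; a reader will assume the two are distinct, so drop it. `"192.175.48.0/24","198.18.0.0/15"` is the one pair without a space after the comma. The exclusion also makes the rule blind to an apt-hook connection whose destination is an internal address, which may be intended for noise reasons but is a scope decision that belongs in the rule `note` (outside this hunk); the `sequence` this event belongs to also starts outside the hunk.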
@@ -190,13 +190,18 @@ event.action in ("rename", "creation") and file.path : (
 "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon",
- "/bin/pamac-daemon", "/usr/local/bin/dockerd"
+ "/bin/pamac-daemon", "/usr/local/bin/dockerd", "/opt/elasticbeanstalk/bin/platform-engine",
+ "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/opt/imunify360/venv/bin/python3",
+ "/opt/eset/efs/lib/utild", "/usr/sbin/anacron", "/usr/bin/podman", "/kaniko/kaniko-executor"
 ) or file.path : "/var/spool/cron/crontabs/tmp.*" or file.extension in ("swp", "swpx", "swx", "dpkg-remove") or file.Ext.original.extension == "dpkg-new" or
- process.executable : ("/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*") or
+ process.executable : (
+ "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/libexec/platform-python*"
+ ) or
 process.executable == null or
+ process.name in ("crontab", "crond", "executor", "puppet", "droplet-agent.postinst", "cf-agent") or
 (process.name == "sed" and file.name : "sed*") or (process.name == "perl" and file.name : "e2scrub_all.tmp*") )
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index bebb8f3e4..e3e716a8f 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -2,7 +2,7 @@ creation_date = "2021/01/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/18"
 
 [transform]
 [[transform.osquery]]
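Review bot: `"/usr/bin/podman"` on the last added line duplicates the entry already present in the context above (`"/bin/podman", "/usr/bin/podman", "/usr/bin/puppet"`), so one of them should go. The new `process.name in ("crontab", "crond", "executor", "puppet", "droplet-agent.postinst", "cf-agent")` clause excludes on bare name where the rest of the block is keyed on `file.path` and `process.executable`; `"crontab"` in particular is the ordinary tool for install a user cron job, so if suppressing it is deliberate it needs an entry in the rule's `false_positives` (outside this hunk), and otherwise `process.executable == "/usr/bin/crontab"` keeps the exclusion while preserving the path check the rest of the block relies on. `"executor"` is also added by name to `persistence_kde_autostart_modification.toml` in its `-221,7 +221,7` hunk, with the same caveat. The enclosing `not (` group opens outside this hunk.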
@@ -221,7 +221,7 @@ file where host.os.type == "linux" and event.type != "deletion" and
 "/etc/xdg/autostart/*", "/usr/share/autostart/*"
 ) and not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd",
- "rpm", "pacman", "podman", "nautilus", "remmina", "cinnamon-settings.py")
+ "rpm", "pacman", "podman", "nautilus", "remmina", "cinnamon-settings.py", "executor")
 '''
diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml
index d9e80c23b..9d2d16e7c 100644
--- a/rules/linux/persistence_kworker_file_creation.toml
+++ b/rules/linux/persistence_kworker_file_creation.toml
@@ -2,7 +2,7 @@ creation_date = "2023/10/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/18"
 
 [transform]
 [[transform.osquery]]
@@ -162,38 +162,41 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and process.name : "kworker*" and not ( (process.name : "kworker*kcryptd*") or
- (file.path : ("/var/log/*", "/var/crash/*", "/var/run/*", "/var/lib/systemd/coredump/*", "/var/spool/*"))
+ (file.path : (
+ "/var/log/*", "/var/crash/*", "/var/run/*", "/var/lib/systemd/coredump/*", "/var/spool/*",
+ "/var/lib/nfs/nfsdcltrack/main.sqlite-journal", "/proc/*/cwd/core.*", "/var/run/apport.lock",
+ "/var/spool/abrt/ccpp-*"
+ )
+ )
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1014"
 name = "Rootkit"
 reference = "https://attack.mitre.org/techniques/T1014/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
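Review bot: Two of the four new entries are already matched by wildcards on the same line: `"/var/run/apport.lock"` by `"/var/run/*"` and `"/var/spool/abrt/ccpp-*"` by `"/var/spool/*"`, since `*` in an EQL `:` pattern spans path separators; only `"/var/lib/nfs/nfsdcltrack/main.sqlite-journal"` and `"/proc/*/cwd/core.*"` change what the rule matches. Leaving the redundant ones in implies they narrow something, so either drop them or keep them knowingly. `"/proc/*/cwd/core.*"` goes through a process's working directory, so it excludes a `core.*` file written anywhere when the event is recorded via that path — worth confirming that width is intended for a rule whose subject is files written by `kworker*`-named processes.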