diff --git a/rules/linux/command_and_control_linux_iodine_activity.toml b/rules/linux/command_and_control_linux_iodine_activity.toml
index 89686a248..5295985b0 100644
--- a/rules/linux/command_and_control_linux_iodine_activity.toml
+++ b/rules/linux/command_and_control_linux_iodine_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential DNS Tunneling via Iodine"
@@ -27,7 +27,7 @@ references = ["https://code.kryo.se/iodine/"]
 risk_score = 73
 rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml
index dd31a77c1..1e77040e6 100644
--- a/rules/linux/command_and_control_tunneling_via_earthworm.toml
+++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"
 
 [rule]
 author = ["Elastic"]
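Review bot: `updated_date` for the iodine rule is bumped to `"2022/12/19"` while every other rule in this diff moves to `"2022/12/20"`; if the field is meant to track this change set, the added line should read `+updated_date = "2022/12/20"`. Separately, `endgame-*` is added to `index` with no visible change to the query, which lies outside the hunk. The same commit rewrites `event.action == "exec"` to `event.action : ("exec", "exec_event")` in execution_process_started_in_shared_memory_directory.toml and switches defense_evasion_hidden_shared_object.toml to `event.type`, which suggests Endgame documents carry different `event.action` values than endpoint documents. Each query left untouched here (this rule and the other rules in the diff whose queries are not shown) should therefore be checked for endpoint-specific `event.action` matches that would never fire on the new index, or the index widening is a silent no-op for those rules.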
@@ -14,7 +14,7 @@ system within a separate protocol to avoid detection and network filtering, or t systems. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Protocol Tunneling via EarthWorm" @@ -29,7 +29,7 @@ references = [ risk_score = 47 rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml index 146bcb877..d1d38b33a 100644 --- a/rules/linux/credential_access_collection_sensitive_files.toml +++ b/rules/linux/credential_access_collection_sensitive_files.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies the use of a compression utility to collect known files containing se and system configurations. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Sensitive Files Compression" @@ -23,7 +23,7 @@ references = [ risk_score = 47 rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Collection", "Credential Access"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Collection", "Credential Access", "Elastic Endgame"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index ba3792917..c234ca9f7 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ enable unauthorized access or to log SSH credentials for exfiltration. """ false_positives = ["Updates to approved and trusted SSH executables can trigger this rule."] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential OpenSSH Backdoor Logging Activity" @@ -30,7 +30,7 @@ references = [ risk_score = 73 rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22" severity = "high" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Credential Access"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Credential Access", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index ea3710783..2cca08b51 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] 
@@ -13,14 +13,14 @@ Adversaries may attempt to disable the syslog service in an attempt to an attemp detection by security controls. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Attempt to Disable Syslog Service" risk_score = 47 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 358883e50..3f9c6f11c 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -16,14 +16,14 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Base16 or Base32 Encoding/Decoding Activity" risk_score = 21 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795" severity = "low" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index 41680313a..916452cb0 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ opened in write mode. Threat actors will commonly utilize this to prevent tamper files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" max_signals = 33 @@ -27,7 +27,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "968ccab9-da51-4a87-9ce2-d3c9782fd759" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index 9e7204492..249f59e72 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] 
@@ -14,14 +14,14 @@ support access control policies. Adversaries may disable security tools to avoid activities. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Potential Disabling of SELinux" risk_score = 47 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 9b5458173..fe248183b 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -14,14 +14,14 @@ a network and how. Adversaries may remove these files over the course of an intr remove them at the end as part of the post-intrusion cleanup process. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "File Deletion via Shred" risk_score = 21 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4" severity = "low" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index 7e9cb1640..1619d489f 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ a "." as the first character in the file or folder name. Adversaries can use thi folders on the system for persistence and defense evasion. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" max_signals = 33 @@ -26,12 +26,12 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "766d3f91-3f12-448c-b65f-20123e9e9e8c" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.action : "creation" and file.extension == "so" and file.name : ".*.so" +file where event.type : "creation" and file.extension == "so" and file.name : ".*.so" ''' diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index 879351b85..69ce7613c 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml 
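Review bot: The switch from `event.action : "creation"` to `event.type : "creation"` in the hidden-shared-object query resolves source-specific action names one way, while the same commit resolves the identical problem in execution_process_started_in_shared_memory_directory.toml the other way, by enumerating `event.action : ("exec", "exec_event")`; pick one approach and apply it to both, or record why they differ. Using the ECS `event.type` field, as done here, is the portable choice across the endpoint and `endgame-*` sources the rule now reads. The motivation is not recorded anywhere in the rule file; consider a sentence in the description or `min_stack_comments` stating that the query keys on `event.type` so it evaluates identically on endpoint and Endgame data. The hunk does not show the rest of the file, so I cannot tell whether `note` already covers this.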
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Kernel Module Removal" @@ -28,7 +28,7 @@ references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"] risk_score = 73 rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef" severity = "high" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index e9efd92c4..13129f267 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies the deletion of sensitive Linux system logs. This may indicate an att forensic evidence on a system. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "System Log File Deletion" 
@@ -27,7 +27,7 @@ references = [ risk_score = 47 rule_id = "aa895aea-b69c-4411-b110-8d7599634b30" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 1b7874984..7c9eef621 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -20,14 +20,14 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Enumeration of Kernel Modules" risk_score = 47 rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index 4bd393389..7b7521c28 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] 
@@ -19,7 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Hping Process Activity" @@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/Hping"] risk_score = 73 rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52" severity = "high" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index b79ce84db..98d731e82 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Nping Process Activity" @@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/Nmap"] risk_score = 47 rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index 52ad7f55e..e0c221291 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml 
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -20,14 +20,14 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Virtual Machine Fingerprinting" risk_score = 73 rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba" severity = "high" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index f41e89bef..b067db9a5 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Abnormal Process ID or Lock File Created" 
@@ -74,7 +74,7 @@ references = [ risk_score = 47 rule_id = "cac91072-d165-11ec-a764-f661ea17fbce" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Investigation Guide"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Investigation Guide", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index ad8030bfe..84e761a4f 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -13,14 +13,14 @@ Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a si interactive tty after obtaining initial access to a host. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Interactive Terminal Spawned via Perl" risk_score = 73 rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3" severity = "high" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index 4637a68d2..91afb7474 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Process Started from Process ID (PID) File" @@ -41,7 +41,7 @@ references = [ risk_score = 73 rule_id = "3688577a-d196-11ec-90b0-f661ea17fbce" severity = "high" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index 1c4e98585..32beb52ab 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Binary Executed from Shared Memory Directory" 
@@ -33,13 +33,13 @@ references = [
 risk_score = 73
 rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where event.type == "start" and
- event.action == "exec" and user.name == "root" and
+ event.action : ("exec", "exec_event") and user.name == "root" and
 process.executable : (
 "/dev/shm/*",
 "/run/shm/*",
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index e4a0390ba..7dafdaba3 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/04/15"
 integration = ["endpoint"]
 maturity = "production"
+updated_date = "2022/12/20"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -13,14 +13,14 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a
 interactive tty after obtaining initial access to a host.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Interactive Terminal Spawned via Python"
 risk_score = 73
 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
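Review bot: In execution_python_tty_shell.toml the `updated_date` key is moved above `min_stack_comments` instead of being edited in place, so this file's `[metadata]` block now orders its keys differently from every other rule in the diff, where `updated_date` follows `min_stack_version`. Keep the line where it was and change only the value, `-updated_date = "2022/12/14"` / `+updated_date = "2022/12/20"`, so the metadata block stays uniform and future bulk edits across the rule set diff cleanly.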
diff --git a/rules/linux/execution_reverse_shell_via_named_pipe.toml b/rules/linux/execution_reverse_shell_via_named_pipe.toml index 341418a90..6ccabe46d 100644 --- a/rules/linux/execution_reverse_shell_via_named_pipe.toml +++ b/rules/linux/execution_reverse_shell_via_named_pipe.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] @@ -22,7 +22,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Reverse Shell Created via Named Pipe" @@ -34,7 +34,7 @@ references = [ risk_score = 47 rule_id = "dd7f1524-643e-11ed-9e35-f661ea17fbcd" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Investigation Guide"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"] type = "eql" query = ''' diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index e71b8b1c7..6ceca787c 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] 
@@ -14,10 +14,10 @@ shell. The linux utility(s) activity of spawning shell is not a standard use of administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" -name = "Linux Restricted Shell Breakout via Linux Binary(s)" +name = "Linux Restricted Shell Breakout via Linux Binary(s)" note = """## Triage and analysis ### Investigating Shell Evasion via Linux Utilities @@ -97,7 +97,7 @@ references = [ risk_score = 47 rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index 6498eff79..0dda8bb65 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/15" +updated_date = "2022/12/20" integration = ["endpoint"] [rule] 
@@ -12,7 +12,7 @@ description = """ Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "BPF filter applied using TC" @@ -23,7 +23,7 @@ references = [ risk_score = 73 rule_id = "ef04a476-07ec-48fc-8f3d-5e1742de76d3" severity = "high" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "TripleCross"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "TripleCross", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index e2cfb54ca..0094932a3 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -4,13 +4,13 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2022/12/20" [rule] author = ["Elastic"] description = "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period." from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "High Number of Process Terminations" 
@@ -50,7 +50,7 @@ This rule identifies a high number (10) of process terminations via pkill from t risk_score = 47 rule_id = "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"] type = "threshold" query = ''' diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 52e9a35cb..d512fa84e 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/15" +updated_date = "2022/12/20" integration = ["endpoint"] [rule] @@ -12,7 +12,7 @@ description = """ Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Chkconfig Service Add" 
@@ -22,14 +22,14 @@ references = [
 risk_score = 47
 rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Lightning Framework"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Lightning Framework", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where event.type == "start" and
- (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or
- (process.args : "*chkconfig" and process.args : "--add")
+ ((process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or
+ (process.args : "*chkconfig" and process.args : "--add"))
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index 073d6cb7a..b9dda8e15 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes.",
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Modification of OpenSSH Binaries"
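Review bot: Both branches of the newly parenthesized group in the chkconfig query repeat `process.args : "--add"`, so the shared term could be hoisted and the group written as `process.args : "--add" and (process.executable : "/usr/sbin/chkconfig" or process.args : "*chkconfig")`, which keeps the precedence fix this commit makes while showing the common constraint at a glance. The `*chkconfig` wildcard branch also matches any argument that merely ends in that string, so it is noticeably looser than the executable-path branch; if that breadth is intended as a fallback for events where process.executable is not populated (which the page does not show), one sentence saying so in the rule's description would help the next reviewer. These are style and documentation points only; the added outer parentheses correctly bind both alternatives under `event.type == "start"`.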
@@ -24,7 +24,7 @@ references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusi
 risk_score = 47
 rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access", "Persistence"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access", "Persistence", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index 44ca15b76..a6fa6abc0 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/15"
+updated_date = "2022/12/20"
 integration = ["endpoint"]
 
 [rule]
@@ -12,7 +12,7 @@ description = """
 Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious File Creation in /etc for Persistence"
@@ -23,12 +23,12 @@ references = [ risk_score = 47 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit", "Lightning Framework"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit", "Lightning Framework", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.action == "creation" and user.name == "root" and +file where event.type == "creation" and user.name == "root" and file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd", "*/snapd", "*/dnf-automatic", "*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system") diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index dee73ba6a..7ec3a0beb 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/15" +updated_date = "2022/12/20" integration = ["endpoint"] [rule] @@ -12,7 +12,7 @@ description = """ Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Kernel module load via insmod" 
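Review bot: The `not process.executable : (...)` exclusion at the end of the persistence_etc_file_creation.toml query keys on the executable's basename only (`*/dpkg`, `*/yum`, `*/apt`, ...), so the rule exempts any process whose path ends in one of those names rather than just the distribution package managers and service managers it is meant to exempt. If the intent is to exempt only the system tools, anchoring the entries to their installed locations (for example `/usr/bin/dpkg`) narrows that gap; where the layout genuinely differs between distributions, noting the trade-off in the rule's false_positives would make the choice explicit. Only the first query line (`event.action` to `event.type`) is changed by this commit, so this is a tuning point on code the hunk touches rather than a regression it introduces.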
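Review bot: The description context line in the `@@ -12,7 +12,7 @@` hunk of persistence_insmod_kernel_module_load.toml spells `suspcious`; since this commit already bumps the file's updated_date, correcting it to `suspicious` here avoids a separate documentation-only change. The index and tag additions in that hunk are consistent with the rest of the commit.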
@@ -22,7 +22,7 @@ references = [
 risk_score = 47
 rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Rootkit"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Rootkit", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index d90657852..3d3c5d46e 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the creation or modification of a K Desktop Environment (KDE) AutoSta
 execute upon each user logon. Adversaries may abuse this method for persistence.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via KDE AutoStart Script or Desktop File Modification"
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml
index 198081db0..873ff4b35 100644
--- a/rules/linux/persistence_shell_activity_by_web_server.toml
+++ b/rules/linux/persistence_shell_activity_by_web_server.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Shell via Web Server"
@@ -69,7 +69,7 @@ references = [
 risk_score = 47
 rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index 5b35f2602..f3bb6ebd2 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies modification of the dynamic linker preload shared object (ld.so.prelo
 payloads by hijacking the dynamic linker used to load libraries.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Modification of Dynamic Linker Preload Shared Object"
@@ -23,7 +23,7 @@ references = [
 risk_score = 47
 rule_id = "717f82c2-7741-4f9b-85b8-d06aeb853f4f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
index a707e6a34..618680c73 100644
--- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
+++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies an attempt to exploit a local privilege escalation in polkit pkexec (
 variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via PKEXEC"
@@ -21,7 +21,7 @@ references = ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/
 risk_score = 73
 rule_id = "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/linux/privilege_escalation_unshare_namesapce_manipulation.toml b/rules/linux/privilege_escalation_unshare_namesapce_manipulation.toml
index e48c3eefc..52917f273 100644
--- a/rules/linux/privilege_escalation_unshare_namesapce_manipulation.toml
+++ b/rules/linux/privilege_escalation_unshare_namesapce_manipulation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ or escape container security boundaries. Threat actors have utilized this binary
 host and access other resources or escalate privileges.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Namespace Manipulation Using Unshare"
@@ -25,12 +25,12 @@ references = [
 risk_score = 47
 rule_id = "d00f33e7-b57d-4023-9952-2db91b1767c4"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type == "start" and event.action == "exec" and
+process where event.type == "start" and event.action : ("exec", "exec_event") and
 process.executable: "/usr/bin/unshare" and
 not process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd", "/usr/bin/unshare") and
 not process.args : "/usr/bin/snap"
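Review bot: The new `event.action : ("exec", "exec_event")` line is the only place in this chunk where a rule enumerates both the Endpoint and the Endgame process-start action names; the other EQL rules that gain `endgame-*` in the same commit (the chkconfig, insmod, /etc file creation and tc rules) filter on `event.type == "start"` alone. If the `event.action` constraint is required here for Endgame events to match, it is unclear from the page why those rules do not need the same treatment, and if it is not required it could be dropped so the rules read consistently; a one-line rationale in the PR description would settle which it is. The remaining query lines are unchanged context, and the index and tag additions match the rest of the commit.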