diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml index b4dd010d2..a489d20cb 100644 --- a/rules/cross-platform/defense_evasion_timestomp_touch.toml +++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2023/12/18" [rule] author = ["Elastic"] @@ -29,7 +29,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -37,7 +44,9 @@ query = ''' process where event.type == "start" and process.name : "touch" and user.id != "0" and process.args : ("-r", "-t", "-a*","-m*") and - not process.args : ("/usr/lib/go-*/bin/go", "/usr/lib/dracut/dracut-functions.sh", "/tmp/KSInstallAction.*/m/.patch/*") + not process.args : ( + "/usr/lib/go-*/bin/go", "/usr/lib/dracut/dracut-functions.sh", "/tmp/KSInstallAction.*/m/.patch/*" +) and not process.parent.name in ("pmlogger_daily", "pmlogger_janitor", "systemd") ''' diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml index 4e9d9c1c8..3567e7242 100644 --- a/rules/cross-platform/discovery_security_software_grep.toml +++ b/rules/cross-platform/discovery_security_software_grep.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2023/12/18" [rule] author = ["Elastic"] @@ -75,7 +75,7 @@ type = "eql" query = ''' process where event.type == "start" and process.name : "grep" and user.id != "0" and - not process.parent.executable : "/Library/Application Support/*" and + not process.parent.executable : ("/Library/Application Support/*", "/opt/McAfee/agent/scripts/ma") and process.args : ("Little Snitch*", "Avast*", @@ -115,7 +115,12 @@ process.name : "grep" and user.id != "0" and "grep -i McAfee Web Gateway Core version:", "grep --color=auto ESET Command-line scanner, version %s -A2" ) - ) + ) or + (process.parent.command_line : ( + """sh -c printf "command_start_%s"*; perl -pe 's/[^ -~]/\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf "command_done_%s*""", + """bash -c perl -pe 's/[^ -~]/\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1""" + ) + ) ) ''' diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml index 7afbcbd6c..086c47d83 100644 --- a/rules/cross-platform/execution_suspicious_jar_child_process.toml +++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/10/19" +updated_date = "2023/12/18" [rule] author = ["Elastic"] @@ -104,8 +104,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.command_line"] +value = ["host.id", "process.command_line", "process.parent.command_line"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" +value = "now-14d" diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml index 7320c3562..f7b7b826d 100644 --- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml +++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/22" +updated_date = "2023/12/18" [rule] author = ["Elastic"] @@ -20,12 +20,21 @@ name = "Sudoers File Modification" risk_score = 47 rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) +event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and +not process.name:(dpkg or platform-python or puppet or yum or dnf) and +not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd) ''' [[rule.threat]]