[New Rule] Hidden so file (#2131)
* [New Rule] Hidden Shared Object File
* [Rule Tuning] Hidden File from Tmp
* Update updated_date
* Update rules/linux/defense_evasion_hidden_shared_object.toml
* Update rules/linux/defense_evasion_hidden_shared_object.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/defense_evasion_hidden_shared_object.toml
* Update rules/linux/defense_evasion_hidden_shared_object.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 98d93bc21e)
This commit is contained in:
Colson Wilhoit
committed by
github-actions[bot]
github-actions[bot]
parent
25493a90c9
commit
7909fb47a0
@@ -3,7 +3,7 @@ creation_date = "2020/04/29"
|
||||
maturity = "production"
|
||||
min_stack_comments = "EQL regex syntax introduced in 7.12"
|
||||
min_stack_version = "7.12.0"
|
||||
updated_date = "2022/03/31"
|
||||
updated_date = "2022/07/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -23,7 +23,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
max_signals = 33
|
||||
name = "Creation of Hidden Files and Directories"
|
||||
name = "Creation of Hidden Files and Directories via CommandLine"
|
||||
note = """## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
|
||||
|
||||
@@ -0,0 +1,52 @@
|
||||
[metadata]
|
||||
creation_date = "2022/07/20"
|
||||
maturity = "production"
|
||||
updated_date = "2022/07/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name.
|
||||
Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["auditbeat-*", "logs-endpoint.events.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
max_signals = 33
|
||||
name = "Creation of Hidden Shared Object File"
|
||||
note = """## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
|
||||
"""
|
||||
risk_score = 47
|
||||
rule_id = "766d3f91-3f12-448c-b65f-20123e9e9e8c"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
file where event.action : "creation" and file.extension == "so" and file.name : ".*.so"
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1564"
|
||||
name = "Hide Artifacts"
|
||||
reference = "https://attack.mitre.org/techniques/T1564/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1564.001"
|
||||
name = "Hidden Files and Directories"
|
||||
reference = "https://attack.mitre.org/techniques/T1564/001/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
name = "Defense Evasion"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user