[Rule tunings / New Rule] Kernel Unload and Enumeration (#2838)

* [Rule Tunings] Kernel Module Enumeration / Removal

* [Rule Tunings] Kernel Module Enumeration and Removal

* Deleted copy of wrong file

* EQL Conversion and made the rule more resilient

* Converted rules to EQL and made rules more resilient

* Removed unwanted rule from PR

* fixed unit tests

* fixed unit testing, removed endgame support

* Added a rule to detect kernel module enumeration via proc

* Did some additional tuning, 0 hits in RedSector now
Ruben Groenewoud
2023-06-22 10:11:52 +02:00
committed by GitHub
parent 082e92c95c
commit 7d64dc2a87
3 changed files with 85 additions and 13 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"
updated_date = "2023/06/08"
[rule]
author = ["Elastic"]
@@ -20,20 +20,23 @@ false_positives = [
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Enumeration of Kernel Modules"
risk_score = 47
rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
timestamp_override = "event.ingested"
type = "query"
type = "eql"
query = '''
event.category:process and host.os.type:linux and event.type:(start or process_started) and
process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))
process where host.os.type == "linux" and event.type == "start" and
((process.name == "kmod" and process.args == "list") or (process.name == "modinfo" and process.parent.user.id != "0") or
(process.name == "depmod" and process.args in ("--all", "-a") and process.parent.user.id != "0")
or process.name == "lsmod") and not process.parent.name : ("vboxmanage", "virtualbox", "prime-offload", "vboxdrv.sh") and not
process.group_leader.name : "qualys-cloud-agent"
'''