[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 8 (#4355)
This commit is contained in:
Jonhnathan
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2023/09/20"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
updated_date = "2025/01/08"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +14,7 @@ simple reverse shell to a fully interactive tty after obtaining initial access t
|
||||
stable connection.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Upgrade of Non-interactive Shell"
|
||||
@@ -51,16 +53,20 @@ tags = [
|
||||
"Tactic: Execution",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Crowdstrike",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and (
|
||||
(process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or
|
||||
(process.name == "script" and process.args in ("-qc", "-c") and process.args == "/dev/null" and
|
||||
process.args_count == 4)
|
||||
)
|
||||
process where host.os.type == "linux" and event.type == "start" and
|
||||
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
|
||||
(
|
||||
(process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or
|
||||
(process.name == "script" and process.args in ("-qc", "-c") and process.args == "/dev/null" and
|
||||
process.args_count == 4)
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2023/09/22"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
updated_date = "2025/01/08"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -19,7 +21,7 @@ false_positives = [
|
||||
""",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Netcat Listener Established via rlwrap"
|
||||
@@ -59,14 +61,17 @@ tags = [
|
||||
"Tactic: Execution",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Crowdstrike",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
|
||||
process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and
|
||||
process.args : "*l*" and process.args_count >= 4
|
||||
process where host.os.type == "linux" and event.type == "start" and
|
||||
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
|
||||
process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and
|
||||
process.args : "*l*" and process.args_count >= 4
|
||||
'''
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2023/09/22"
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/10/22"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
updated_date = "2025/01/08"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +14,7 @@ this rule should be investigated further, as hack tools are commonly used by blu
|
||||
well.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Linux Hack Tool Launched"
|
||||
@@ -53,12 +55,14 @@ tags = [
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Auditd Manager",
|
||||
"Data Source: Crowdstrike",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and
|
||||
event.action in ("exec", "exec_event", "executed", "process_started") and
|
||||
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
|
||||
process.name in~ (
|
||||
// exploitation frameworks
|
||||
"crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc",
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2020/04/15"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
updated_date = "2025/01/08"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +13,7 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a
|
||||
interactive tty after obtaining initial access to a host.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Interactive Terminal Spawned via Python"
|
||||
@@ -50,12 +52,13 @@ tags = [
|
||||
"Tactic: Execution",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and
|
||||
(
|
||||
(process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh",
|
||||
"fish") and process.parent.args_count >= 3 and process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2024/11/04"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/11/04"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
updated_date = "2025/01/08"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +13,7 @@ This rule identifies when a web server is spawned via Python. Attackers may use
|
||||
exfiltrate/infiltrate data or to move laterally within a network.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Web Server Spawned via Python"
|
||||
@@ -49,17 +51,22 @@ tags = [
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Execution",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Crowdstrike",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Elastic Endgame",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
|
||||
(process.name like "python*" and process.args in ("http.server", "SimpleHTTPServer")) or
|
||||
process where host.os.type == "linux" and event.type == "start" and
|
||||
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
|
||||
(
|
||||
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
|
||||
process.command_line like~ "*python* -m http.server*"
|
||||
(process.name like "python*" and process.args in ("http.server", "SimpleHTTPServer")) or
|
||||
(
|
||||
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
|
||||
process.command_line like~ "*python* -m http.server*"
|
||||
)
|
||||
)
|
||||
)
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2024/07/30"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/10/17"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
updated_date = "2025/01/08"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +14,7 @@ establish a secure connection to a remote server or to create a secure server to
|
||||
may be used to exfiltrate data or establish a command and control channel.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Openssl Client or Server Activity"
|
||||
@@ -51,17 +53,18 @@ tags = [
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Execution",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame"
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: SentinelOne"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
|
||||
process.name == "openssl" and (
|
||||
(process.args == "s_client" and process.args : ("-connect", "*:*") and not process.args == "-showcerts") or
|
||||
(process.args == "s_server" and process.args == "-port")
|
||||
) and
|
||||
not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert")
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and
|
||||
process.name == "openssl" and (
|
||||
(process.args == "s_client" and process.args : ("-connect", "*:*") and not process.args == "-showcerts") or
|
||||
(process.args == "s_server" and process.args == "-port")
|
||||
) and
|
||||
not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert")
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2023/09/20"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
updated_date = "2025/01/08"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +13,7 @@ Monitors for the execution of background processes with process arguments capabl
|
||||
channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Reverse Shell via Background Process"
|
||||
@@ -50,14 +52,17 @@ tags = [
|
||||
"Tactic: Execution",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Crowdstrike",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
|
||||
process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and
|
||||
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
|
||||
process where host.os.type == "linux" and event.type == "start" and
|
||||
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
|
||||
process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and
|
||||
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
|
||||
'''
|
||||
|
||||
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2023/06/26"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
updated_date = "2025/01/08"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -13,7 +15,7 @@ output from tail can be piped to funzip in order to decompress malicious code be
|
||||
consistent with malware families such as Bundlore.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Suspicious Content Extracted or Decompressed via Funzip"
|
||||
@@ -53,12 +55,13 @@ tags = [
|
||||
"Tactic: Execution",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "start") and
|
||||
((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and
|
||||
not process.args : "/var/log/messages" and
|
||||
not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xargs") and
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2022/07/11"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
updated_date = "2025/01/08"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -13,7 +15,7 @@ A threat actor can utilize tc to set a bpf filter on an interface for the purpos
|
||||
This technique is not at all common and should indicate abnormal, suspicious or malicious activity.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "BPF filter applied using TC"
|
||||
@@ -57,6 +59,7 @@ tags = [
|
||||
"Threat: TripleCross",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2023/09/04"
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/10/18"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
updated_date = "2025/01/08"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -13,7 +15,7 @@ privileges or set up malicious communication channels via Unix sockets for inter
|
||||
evade detection.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Unix Socket Connection"
|
||||
@@ -28,12 +30,15 @@ tags = [
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Auditd Manager",
|
||||
"Data Source: Crowdstrike",
|
||||
"Data Source: SentinelOne",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
|
||||
and (
|
||||
process where host.os.type == "linux" and event.type == "start" and
|
||||
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
|
||||
(
|
||||
(process.name in ("nc", "ncat", "netcat", "nc.openbsd") and
|
||||
process.args == "-U" and process.args : ("/usr/local/*", "/run/*", "/var/run/*")) or
|
||||
(process.name == "socat" and
|
||||
|
||||
Reference in New Issue
Block a user