diff --git a/rules/linux/execution_interpreter_tty_upgrade.toml b/rules/linux/execution_interpreter_tty_upgrade.toml index 791a62e39..3df209bbc 100644 --- a/rules/linux/execution_interpreter_tty_upgrade.toml +++ b/rules/linux/execution_interpreter_tty_upgrade.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2023/09/20" -integration = ["endpoint"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/08" [rule] author = ["Elastic"] @@ -12,7 +14,7 @@ simple reverse shell to a fully interactive tty after obtaining initial access t stable connection. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Upgrade of Non-interactive Shell" @@ -51,16 +53,20 @@ tags = [ "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( - (process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or - (process.name == "script" and process.args in ("-qc", "-c") and process.args == "/dev/null" and - process.args_count == 4) -) +process where host.os.type == "linux" and event.type == "start" and + event.action in ("exec", "exec_event", "start", "ProcessRollup2") and + ( + (process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or + (process.name == "script" and process.args in ("-qc", "-c") and process.args == "/dev/null" and + process.args_count == 4) + ) ''' diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml index d629fd28e..9298d4d3d 100644 --- a/rules/linux/execution_nc_listener_via_rlwrap.toml +++ b/rules/linux/execution_nc_listener_via_rlwrap.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2023/09/22" -integration = ["endpoint"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/08" [rule] author = ["Elastic"] @@ -19,7 +21,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Netcat Listener Established via rlwrap" @@ -59,14 +61,17 @@ tags = [ "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and -process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and -process.args : "*l*" and process.args_count >= 4 +process where host.os.type == "linux" and event.type == "start" and + event.action in ("exec", "exec_event", "start", "ProcessRollup2") and + process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and + process.args : "*l*" and process.args_count >= 4 ''' diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml index 3a3496769..c1c2f7c4f 100644 --- a/rules/linux/execution_potential_hack_tool_executed.toml +++ b/rules/linux/execution_potential_hack_tool_executed.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2023/09/22" -integration = ["endpoint", "auditd_manager"] +integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/22" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/08" [rule] author = ["Elastic"] @@ -12,7 +14,7 @@ this rule should be investigated further, as hack tools are commonly used by blu well. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Hack Tool Launched" @@ -53,12 +55,14 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and -event.action in ("exec", "exec_event", "executed", "process_started") and +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name in~ ( // exploitation frameworks "crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc", diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 04af725fa..5dd00e416 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2020/04/15" -integration = ["endpoint"] +integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/08" [rule] author = ["Elastic"] @@ -11,7 +13,7 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a interactive tty after obtaining initial access to a host. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Interactive Terminal Spawned via Python" @@ -50,12 +52,13 @@ tags = [ "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and ( (process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.parent.args_count >= 3 and process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or diff --git a/rules/linux/execution_python_webserver_spawned.toml b/rules/linux/execution_python_webserver_spawned.toml index afa9c6bdc..9f0f14b01 100644 --- a/rules/linux/execution_python_webserver_spawned.toml +++ b/rules/linux/execution_python_webserver_spawned.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2024/11/04" -integration = ["endpoint"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/11/04" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/08" [rule] author = ["Elastic"] @@ -11,7 +13,7 @@ This rule identifies when a web server is spawned via Python. Attackers may use exfiltrate/infiltrate data or to move laterally within a network. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Web Server Spawned via Python" @@ -49,17 +51,22 @@ tags = [ "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( - (process.name like "python*" and process.args in ("http.server", "SimpleHTTPServer")) or +process where host.os.type == "linux" and event.type == "start" and + event.action in ("exec", "exec_event", "start", "ProcessRollup2") and ( - process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and - process.command_line like~ "*python* -m http.server*" + (process.name like "python*" and process.args in ("http.server", "SimpleHTTPServer")) or + ( + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + process.command_line like~ "*python* -m http.server*" + ) ) -) ''' [[rule.threat]] diff --git a/rules/linux/execution_shell_openssl_client_or_server.toml b/rules/linux/execution_shell_openssl_client_or_server.toml index 4052b35ac..4333ff0cc 100644 --- a/rules/linux/execution_shell_openssl_client_or_server.toml +++ b/rules/linux/execution_shell_openssl_client_or_server.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2024/07/30" -integration = ["endpoint"] +integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/17" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/08" [rule] author = ["Elastic"] @@ -12,7 +14,7 @@ establish a secure connection to a remote server or to create a secure server to may be used to exfiltrate data or establish a command and control channel. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Openssl Client or Server Activity" @@ -51,17 +53,18 @@ tags = [ "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" + "Data Source: Elastic Endgame", + "Data Source: SentinelOne" ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and -process.name == "openssl" and ( - (process.args == "s_client" and process.args : ("-connect", "*:*") and not process.args == "-showcerts") or - (process.args == "s_server" and process.args == "-port") -) and -not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert") +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and + process.name == "openssl" and ( + (process.args == "s_client" and process.args : ("-connect", "*:*") and not process.args == "-showcerts") or + (process.args == "s_server" and process.args == "-port") + ) and + not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert") ''' [[rule.threat]] diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml index 2c768bc41..1b18cd143 100644 --- a/rules/linux/execution_shell_via_background_process.toml +++ b/rules/linux/execution_shell_via_background_process.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2023/09/20" -integration = ["endpoint"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/08" [rule] author = ["Elastic"] @@ -11,7 +13,7 @@ Monitors for the execution of background processes with process arguments capabl channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Background Process" @@ -50,14 +52,17 @@ tags = [ "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and -process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and -process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") +process where host.os.type == "linux" and event.type == "start" and + event.action in ("exec", "exec_event", "start", "ProcessRollup2") and + process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and + process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml index 95c59d602..5ad64dc78 100644 --- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml +++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2023/06/26" -integration = ["endpoint"] +integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/08" [rule] author = ["Elastic"] @@ -13,7 +15,7 @@ output from tail can be piped to funzip in order to decompress malicious code be consistent with malware families such as Bundlore. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Content Extracted or Decompressed via Funzip" @@ -53,12 +55,13 @@ tags = [ "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "start") and ((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and not process.args : "/var/log/messages" and not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xargs") and diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index 1422ba8d4..fbd2b0989 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2022/07/11" -integration = ["endpoint"] +integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/08" [rule] author = ["Elastic"] @@ -13,7 +15,7 @@ A threat actor can utilize tc to set a bpf filter on an interface for the purpos This technique is not at all common and should indicate abnormal, suspicious or malicious activity. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "BPF filter applied using TC" @@ -57,6 +59,7 @@ tags = [ "Threat: TripleCross", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/execution_unix_socket_communication.toml b/rules/linux/execution_unix_socket_communication.toml index 7bb76b693..561bf0c43 100644 --- a/rules/linux/execution_unix_socket_communication.toml +++ b/rules/linux/execution_unix_socket_communication.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2023/09/04" -integration = ["endpoint", "auditd_manager"] +integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/18" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/08" [rule] author = ["Elastic"] @@ -13,7 +15,7 @@ privileges or set up malicious communication channels via Unix sockets for inter evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Unix Socket Connection" @@ -28,12 +30,15 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") - and ( +process where host.os.type == "linux" and event.type == "start" and + event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and + ( (process.name in ("nc", "ncat", "netcat", "nc.openbsd") and process.args == "-U" and process.args : ("/usr/local/*", "/run/*", "/var/run/*")) or (process.name == "socat" and