diff --git a/rules/linux/defense_evasion_apt_binary.toml b/rules/linux/execution_apt_binary.toml
similarity index 58%
rename from rules/linux/defense_evasion_apt_binary.toml
rename to rules/linux/execution_apt_binary.toml
index 061ed212b..3f8978e99 100644
--- a/rules/linux/defense_evasion_apt_binary.toml
+++ b/rules/linux/execution_apt_binary.toml
@@ -1,27 +1,25 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/02/24"
+updated_date = "2022/03/17"
 [rule]
 author = ["Elastic"]
 description = """
 Identifies Linux binary apt/apt-get abuse to breakout out of restricted shells or environments by spawning an
-interactive system shell. This activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
+interactive system shell. This activity is not standard use with this binary for a user or system administrator. It
+indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape"
-references = [
- "https://gtfobins.github.io/gtfobins/apt/",
- "https://gtfobins.github.io/gtfobins/apt-get/"
-]
+references = ["https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/"]
 risk_score = 47
 rule_id = "8fed8450-847e-43bd-874c-3bbf0cd425f3"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -36,18 +34,18 @@ sequence by host.id, process.pid with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
-id = "T1548.004"
-name = "Elevated Execution with Prompt"
-reference = "https://attack.mitre.org/techniques/T1548/004/"
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_awk_binary_shell.toml b/rules/linux/execution_awk_binary_shell.toml
similarity index 51%
rename from rules/linux/defense_evasion_awk_binary_shell.toml
rename to rules/linux/execution_awk_binary_shell.toml
index 938a5ecc0..53dfb3e5b 100644
--- a/rules/linux/defense_evasion_awk_binary_shell.toml
+++ b/rules/linux/execution_awk_binary_shell.toml
@@ -1,25 +1,25 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/02/24"
+updated_date = "2022/03/17"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary awk abuse to breakout out of restricted shells or environments by spawning an
-interactive system shell. This activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
+Identifies Linux binary awk abuse to breakout out of restricted shells or environments by spawning an interactive system
+shell. This activity is not standard use with this binary for a user or system administrator. It indicates a potentially
+malicious actor attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux Restricted Shell Breakout via awk Commands"
-references = ["https://gtfobins.github.io/gtfobins/nawk/",
- "https://gtfobins.github.io/gtfobins/mawk/"]
+references = ["https://gtfobins.github.io/gtfobins/nawk/", "https://gtfobins.github.io/gtfobins/mawk/"]
 risk_score = 47
 rule_id = "10754992-28c7-4472-be5b-f3770fd04f2d"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
 timestamp_override = "event.ingested"
 type = "eql"
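Review bot: The first added description line keeps the phrase `breakout out of restricted shells`, which reads as a typo rather than intended wording; the find rule later in this commit uses `break out from`, so this line should read `Identifies Linux binary awk abuse to break out of restricted shells or environments by spawning an interactive system`. Because the description is hand-wrapped at a fixed width, the two added lines that follow may need re-wrapping after the edit. The apt rule's description in the first hunk carries the same phrase on a context line, so it is outside this change but worth fixing alongside.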
@@ -33,17 +33,18 @@ sequence by host.id, process.pid with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
-id = "T1548.004"
-name = "Elevated Execution with Prompt"
-reference = "https://attack.mitre.org/techniques/T1548/004/"
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
\ No newline at end of file
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/linux/defense_evasion_env_binary.toml b/rules/linux/execution_env_binary.toml
similarity index 71%
rename from rules/linux/defense_evasion_env_binary.toml
rename to rules/linux/execution_env_binary.toml
index 547458b36..cd6b204f1 100644
--- a/rules/linux/defense_evasion_env_binary.toml
+++ b/rules/linux/execution_env_binary.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/03/04"
+updated_date = "2022/03/17"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/env/"]
 risk_score = 47
 rule_id = "72d33577-f155-457d-aad3-379f9b750c97"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
 timestamp_override = "event.ingested"
 type = "eql"
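Review bot: The last added line of the awk threat hunk is an empty `+` line after `reference = "https://attack.mitre.org/tactics/TA0002/"`, so the new file ends with a blank line rather than a single trailing newline; every other rule in this commit ends on the `reference` line itself. The `\ No newline at end of file` marker on the old side explains why a newline was needed, but the terminating newline of the `reference` line already supplies it, so the extra empty line should be dropped. This keeps the file consistent with its siblings and with the one-trailing-newline convention a TOML formatter would enforce.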
@@ -31,18 +31,18 @@ process where event.type == "start" and process.name : "env" and process.args_co
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
-id = "T1548.004"
-name = "Elevated Execution with Prompt"
-reference = "https://attack.mitre.org/techniques/T1548/004/"
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_expect_binary.toml b/rules/linux/execution_expect_binary.toml
similarity index 73%
rename from rules/linux/defense_evasion_expect_binary.toml
rename to rules/linux/execution_expect_binary.toml
index 408c363a2..4479911d2 100644
--- a/rules/linux/defense_evasion_expect_binary.toml
+++ b/rules/linux/execution_expect_binary.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/07"
 maturity = "development"
-updated_date = "2022/03/07"
+updated_date = "2022/03/17"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/expect/"]
 risk_score = 47
 rule_id = "fd3fc25e-7c7c-4613-8209-97942ac609f6"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -30,23 +30,6 @@ sequence by host.id, process.pid with maxspan=1m
 '''
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-[[rule.threat.technique.subtechnique]]
-id = "T1548.004"
-name = "Elevated Execution with Prompt"
-reference = "https://attack.mitre.org/techniques/T1548/004/"
-
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/linux/defense_evasion_find_binary.toml b/rules/linux/execution_find_binary.toml
similarity index 53%
rename from rules/linux/defense_evasion_find_binary.toml
rename to rules/linux/execution_find_binary.toml
index ccc0567af..ca32d0df7 100644
--- a/rules/linux/defense_evasion_find_binary.toml
+++ b/rules/linux/execution_find_binary.toml
@@ -1,11 +1,15 @@
 [metadata]
 creation_date = "2022/02/28"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/03/17"
 [rule]
 author = ["Elastic"]
-description = "Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell. This activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their access."
+description = """
+Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell.
+This activity is not standard use with this binary for a user or system administrator. It indicates a potentially
+malicious actor attempting to improve the capabilities or stability of their access.
+"""
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
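Review bot: The expect hunk removes the first `[[rule.threat]]` element (the T1548 / TA0005 Defense Evasion block) and keeps the second, but the retained element's `[[rule.threat.technique]]` body and `[rule.threat.tactic]` lie past the hunk's last context line, so the diff does not show that they agree with the `Execution` tag set two hunks earlier. Before merging it is worth confirming the surviving block carries T1059.004 / TA0002 like the other rules in this commit; the same applies to the vi rule's final hunk at the end of this page, which makes the identical deletion. Two `[[rule.threat]]` elements are valid TOML, so no parser would have rejected the old file, and a tag/tactic mismatch would only surface if the repository cross-checks `tags` against `rule.threat.tactic.name`.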
@@ -15,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/find/"]
 risk_score = 47
 rule_id = "6f683345-bb10-47a7-86a7-71e9c24fb358"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -29,18 +33,18 @@ sequence by host.id, process.pid with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
-id = "T1548.004"
-name = "Elevated Execution with Prompt"
-reference = "https://attack.mitre.org/techniques/T1548/004/"
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_gcc_binary.toml b/rules/linux/execution_gcc_binary.toml
similarity index 73%
rename from rules/linux/defense_evasion_gcc_binary.toml
rename to rules/linux/execution_gcc_binary.toml
index c7a436949..200ee8787 100644
--- a/rules/linux/defense_evasion_gcc_binary.toml
+++ b/rules/linux/execution_gcc_binary.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/09"
 maturity = "production"
-updated_date = "2022/03/09"
+updated_date = "2022/03/17"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/gcc/"]
 risk_score = 47
 rule_id = "da986d2c-ffbf-4fd6-af96-a88dbf68f386"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -33,18 +33,18 @@ sequence by host.id, process.pid with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
-id = "T1548.004"
-name = "Elevated Execution with Prompt"
-reference = "https://attack.mitre.org/techniques/T1548/004/"
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_mysql_binary.toml b/rules/linux/execution_mysql_binary.toml
similarity index 73%
rename from rules/linux/defense_evasion_mysql_binary.toml
rename to rules/linux/execution_mysql_binary.toml
index 12001f9e7..ffc0c30b4 100644
--- a/rules/linux/defense_evasion_mysql_binary.toml
+++ b/rules/linux/execution_mysql_binary.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/09"
 maturity = "production"
-updated_date = "2022/03/09"
+updated_date = "2022/03/17"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/mysql/"]
 risk_score = 47
 rule_id = "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -33,18 +33,18 @@ sequence by host.id, process.pid with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
-id = "T1548.004"
-name = "Elevated Execution with Prompt"
-reference = "https://attack.mitre.org/techniques/T1548/004/"
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_nice_binary.toml b/rules/linux/execution_nice_binary.toml
similarity index 72%
rename from rules/linux/defense_evasion_nice_binary.toml
rename to rules/linux/execution_nice_binary.toml
index 9cb6b2e06..276d421b1 100644
--- a/rules/linux/defense_evasion_nice_binary.toml
+++ b/rules/linux/execution_nice_binary.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/07"
 maturity = "development"
-updated_date = "2022/03/07"
+updated_date = "2022/03/17"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/nice/"]
 risk_score = 47
 rule_id = "22755f7f-1e1e-4528-a75f-bb3f4026d1b9"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -33,18 +33,18 @@ sequence by host.id, process.pid with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
-id = "T1548.004"
-name = "Elevated Execution with Prompt"
-reference = "https://attack.mitre.org/techniques/T1548/004/"
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_ssh_binary.toml b/rules/linux/execution_ssh_binary.toml
similarity index 74%
rename from rules/linux/defense_evasion_ssh_binary.toml
rename to rules/linux/execution_ssh_binary.toml
index c5b5a55e7..0b94c6cd1 100644
--- a/rules/linux/defense_evasion_ssh_binary.toml
+++ b/rules/linux/execution_ssh_binary.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/10"
 maturity = "production"
-updated_date = "2022/03/10"
+updated_date = "2022/03/17"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/ssh/"]
 risk_score = 47
 rule_id = "97da359b-2b61-4a40-b2e4-8fc48cf7a294"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -33,18 +33,18 @@ sequence by host.id, process.pid with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
-id = "T1548.004"
-name = "Elevated Execution with Prompt"
-reference = "https://attack.mitre.org/techniques/T1548/004/"
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/defense_evasion_vi_binary.toml b/rules/linux/execution_vi_binary.toml
similarity index 72%
rename from rules/linux/defense_evasion_vi_binary.toml
rename to rules/linux/execution_vi_binary.toml
index 2f3a714e1..97014e31f 100644
--- a/rules/linux/defense_evasion_vi_binary.toml
+++ b/rules/linux/execution_vi_binary.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/03/03"
 maturity = "production"
-updated_date = "2022/03/03"
+updated_date = "2022/03/17"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://gtfobins.github.io/gtfobins/vi/"]
 risk_score = 47
 rule_id = "89583d1b-3c2e-4606-8b74-0a9fd2248e88"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -30,23 +30,6 @@ sequence by host.id,process.pid with maxspan=1m
 '''
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-[[rule.threat.technique.subtechnique]]
-id = "T1548.004"
-name = "Elevated Execution with Prompt"
-reference = "https://attack.mitre.org/techniques/T1548/004/"
-
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]