security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container (#2837)

Browse Source 
* [New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container

new rule

* removed priv_esc tag

removed priv_esc tag

* adjusted tags

adjusted tags

* updated tags

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
Isai
2023-07-17 15:03:24 -04:00
committed by GitHub
parent db90345fd5
commit 80e2b699b6
1 changed files with 56 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
+56
View File
@@ -0,0 +1,56 @@
[metadata]
creation_date = "2023/06/06"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New Integration: Cloud Defend"
min_stack_version = "8.8.0"
updated_date = "2023/06/23"
[rule]
author = ["Elastic"]
description = """
This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container.
The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying
the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and
has been used to evade detection of malicious processes in container environments.
"""
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Modification of Dynamic Linker Preload Shared Object Inside A Container"
references = [
"https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
"https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/",
"https://sysdig.com/blog/threat-detection-aws-cloud-containers/",
]
risk_score = 73
rule_id = "342f834b-21a6-41bf-878c-87d116eba3ee"
severity = "high"
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"