BBR Rules Addition (#3027)

(cherry picked from commit d21ed24e4f)
2023-08-25 19:10:12 +05:30
parent ed2daecb25
commit 8aad7d7d02
5 changed files with 241 additions and 0 deletions
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identify activity related where adversaries can add the 'hidden' flag to files to hide
+them from the user in an attempt to evade detection.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Hidden Files and Directories via Hidden Flag"
+risk_score = 21
+rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+file where event.type : "creation" and process.name : "chflags"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1564.001"
+name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1564/001/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identify instances where adversaries include trailing space characters to mimic regular files, disguising their 
+activity to evade default file handling mechanisms.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Processes with Trailing Spaces"
+risk_score = 21
+rule_id = "0c093569-dff9-42b6-87b1-0242d9f7d9b4"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where  event.type in ("start", "process_started") and process.name : "* "
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.006"
+name = "Space after Filename"
+reference = "https://attack.mitre.org/techniques/T1036/006/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies the execution of Linux built-in commands related to account or group enumeration.
+Adversaries may use account and group information to orient themselves before deciding how to act."""
+from = "now-119m"
+interval = "60m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Discovery of Domain Groups"
+risk_score = 21
+rule_id = "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where event.type : ("start", "process_started") and  host.os.type == "linux" and
+  (    process.name : ("ldapsearch", "dscacheutil") or
+       (process.name : "dscl" and process.args : "*-list*")
+  )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Creation of Kernel Module"
+risk_score = 21
+rule_id = "947827c6-9ed6-4dec-903e-c856c86e72f3"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+file where event.type in ("change", "creation") and host.os.type == "linux" and
+file.path : "/lib/modules/*" and file.name : "*.ko"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identify activity related where adversaries can include a trap command which then allows programs and shells to specify
+commands that will be executed upon receiving interrupt signals.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Trap Signals Execution"
+risk_score = 21
+rule_id = "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where  event.type : ("start", "process_started") and process.name : "trap" and  process.args : "SIG*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.005"
+name = "Trap"
+reference = "https://attack.mitre.org/techniques/T1546/005/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"