From 8aad7d7d02a2457654e76cd5bd6ae070f9103651 Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Fri, 25 Aug 2023 19:10:12 +0530
Subject: [PATCH] BBR Rules Addition (#3027)

(cherry picked from commit d21ed24e4f5f191eafacfa79f9518a9f9644107a)
---
 ..._creation_of_hidden_files_directories.toml | 49 +++++++++++++++++++
 ...vasion_processes_with_trailing_spaces.toml | 49 +++++++++++++++++++
 .../discovery_of_domain_groups.toml           | 45 +++++++++++++++++
 ...persistence_creation_of_kernel_module.toml | 49 +++++++++++++++++++
 .../privilege_escalation_trap_execution.toml  | 49 +++++++++++++++++++
 5 files changed, 241 insertions(+)
 create mode 100644 rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml
 create mode 100644 rules_building_block/defense_evasion_processes_with_trailing_spaces.toml
 create mode 100644 rules_building_block/discovery_of_domain_groups.toml
 create mode 100644 rules_building_block/persistence_creation_of_kernel_module.toml
 create mode 100644 rules_building_block/privilege_escalation_trap_execution.toml

diff --git a/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml b/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml
new file mode 100644
index 000000000..ec9244b93
--- /dev/null
+++ b/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identify activity related where adversaries can add the 'hidden' flag to files to hide
+them from the user in an attempt to evade detection.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Hidden Files and Directories via Hidden Flag"
+risk_score = 21
+rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+file where event.type : "creation" and process.name : "chflags"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1564.001"
+name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1564/001/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml
new file mode 100644
index 000000000..31856fb93
--- /dev/null
+++ b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identify instances where adversaries include trailing space characters to mimic regular files, disguising their 
+activity to evade default file handling mechanisms.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Processes with Trailing Spaces"
+risk_score = 21
+rule_id = "0c093569-dff9-42b6-87b1-0242d9f7d9b4"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where  event.type in ("start", "process_started") and process.name : "* "
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.006"
+name = "Space after Filename"
+reference = "https://attack.mitre.org/techniques/T1036/006/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules_building_block/discovery_of_domain_groups.toml b/rules_building_block/discovery_of_domain_groups.toml
new file mode 100644
index 000000000..9ab6598e7
--- /dev/null
+++ b/rules_building_block/discovery_of_domain_groups.toml
@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies the execution of Linux built-in commands related to account or group enumeration.
+Adversaries may use account and group information to orient themselves before deciding how to act."""
+from = "now-119m"
+interval = "60m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Discovery of Domain Groups"
+risk_score = 21
+rule_id = "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where event.type : ("start", "process_started") and  host.os.type == "linux" and
+  (    process.name : ("ldapsearch", "dscacheutil") or
+       (process.name : "dscl" and process.args : "*-list*")
+  )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules_building_block/persistence_creation_of_kernel_module.toml b/rules_building_block/persistence_creation_of_kernel_module.toml
new file mode 100644
index 000000000..12f9e84a5
--- /dev/null
+++ b/rules_building_block/persistence_creation_of_kernel_module.toml
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Creation of Kernel Module"
+risk_score = 21
+rule_id = "947827c6-9ed6-4dec-903e-c856c86e72f3"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+file where event.type in ("change", "creation") and host.os.type == "linux" and
+file.path : "/lib/modules/*" and file.name : "*.ko"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules_building_block/privilege_escalation_trap_execution.toml b/rules_building_block/privilege_escalation_trap_execution.toml
new file mode 100644
index 000000000..19e7ea0ed
--- /dev/null
+++ b/rules_building_block/privilege_escalation_trap_execution.toml
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identify activity related where adversaries can include a trap command which then allows programs and shells to specify
+commands that will be executed upon receiving interrupt signals.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Trap Signals Execution"
+risk_score = 21
+rule_id = "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where  event.type : ("start", "process_started") and process.name : "trap" and  process.args : "SIG*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.005"
+name = "Trap"
+reference = "https://attack.mitre.org/techniques/T1546/005/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"