Rule tuning as part of Linux Detection Rules Review (#2170)

2022-07-29 21:55:49 +05:30
parent 998afcf9c4
commit 8afded11e7
10 changed files with 29 additions and 23 deletions
@@ -0,0 +1,50 @@
+[metadata]
+creation_date = "2020/02/18"
+deprecation_date = "2022/07/28"
+maturity = "deprecated"
+updated_date = "2022/07/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+Strace is a useful diagnostic, instructional, and debugging tool. This rule identifies a privileged context execution of
+strace which can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or
+move laterally.
+"""
+false_positives = [
+    """
+    Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may
+    originate from developers or SREs engaged in debugging or system call tracing.
+    """,
+]
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Strace Process Activity"
+references = ["https://en.wikipedia.org/wiki/Strace"]
+risk_score = 21
+rule_id = "d6450d4e-81c6-46a3-bd94-079886318ed5"
+severity = "low"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.category:process and event.type:(start or process_started) and process.name:strace
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+