security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Rule tuning as part of Linux Detection Rules Review (#2170)

Browse Source
This commit is contained in:
shashank-elastic
2022-07-29 21:55:49 +05:30
committed by GitHub
parent 998afcf9c4
commit 8afded11e7
10 changed files with 29 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
+4 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/05/16"
maturity = "production"
updated_date = "2022/05/16"
updated_date = "2022/07/26"
[rule]
author = ["Elastic"]
@@ -43,8 +43,9 @@ type = "eql"
query = '''
sequence by process.entity_id with maxspan=1m
[network where event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd")]
[process where event.action == "session_id_change" and user.id == "0"]
not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
[process where event.action == "session_id_change" and user.id == "0" and
not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
'''
rules/linux/credential_access_ssh_backdoor_log.toml
+2 -2
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/21"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/07/28"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ type = "eql"
query = '''
file where event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and
(
file.name : (".*", "~*") or
(file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history")) or
file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or
file.path :
(
rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+2 -2
View File
@@ -3,7 +3,7 @@ creation_date = "2020/04/29"
maturity = "production"
min_stack_comments = "EQL regex syntax introduced in 7.12"
min_stack_version = "7.12.0"
updated_date = "2022/07/20"
updated_date = "2022/07/26"
[rule]
author = ["Elastic"]
@@ -39,7 +39,7 @@ query = '''
process where event.type in ("start", "process_started") and
process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
not process.name in ("ls", "find")
not process.name in ("ls", "find", "grep")
'''
rules/linux/defense_evasion_log_files_deleted.toml
+3 -2
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/03"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/07/26"
[rule]
author = ["Elastic"]
@@ -41,7 +41,8 @@ file where event.type == "deletion" and
"/var/log/messages",
"/var/log/secure",
"/var/log/auth.log"
)
) and
not process.name : ("gzip")
'''
rules/linux/execution_process_started_in_shared_memory_directory.toml
+3 -2
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/05/10"
maturity = "production"
updated_date = "2022/05/11"
updated_date = "2022/07/26"
[rule]
author = ["Elastic"]
@@ -41,7 +41,8 @@ process where event.type == "start" and
"/run/shm/*",
"/var/run/*",
"/var/lock/*"
)
) and
not process.executable : ( "/var/run/docker/*")
'''
rules/linux/execution_shell_evasion_linux_binary.toml
+2 -2
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/05/06"
maturity = "production"
updated_date = "2022/05/25"
updated_date = "2022/07/28"
[rule]
author = ["Elastic"]
@@ -108,7 +108,7 @@ process where event.type == "start" and
/* launching shells from unusual parents or parent+arg combos */
(process.name in ("bash", "sh", "dash","ash") and
(process.parent.name in ("byebug","git","ftp")) or
(process.parent.name in ("byebug","git","ftp","strace")) or
/* shells specified in parent args */
/* nice rule is broken in 8.2 */
rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+3 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/21"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2022/07/26"
[rule]
author = ["Elastic"]
@@ -26,10 +26,10 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and event.type:change and
event.category:file and event.type:change and
process.name:* and
(file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and
not process.executable:/usr/bin/dpkg
not process.name:("dpkg" or "yum" or "dnf" or "dnf-automatic")
'''
rules/linux/persistence_kde_autostart_modification.toml
+3 -2
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/06"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/07/26"
[rule]
author = ["Elastic"]
@@ -43,7 +43,8 @@ file where event.type != "deletion" and
"/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*",
"/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*",
"/etc/xdg/autostart/*", "/usr/share/autostart/*"
)
) and
not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic")
'''
rules/linux/persistence_shell_activity_by_web_server.toml
+4 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2022/07/26"
[rule]
author = ["Elastic"]
@@ -26,8 +26,9 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and
user.name:(apache or nginx or www or "www-data")
event.category:process and event.type:(start or process_started) and
process.name:(bash or dash or ash or zsh or "python*" or "perl*" or "php*") and
process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd" or "www-data")
'''
rules/linux/privilege_escalation_linux_strace_activity.toml
-49
View File
@@ -1,49 +0,0 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/06/15"
[rule]
author = ["Elastic"]
description = """
Strace is a useful diagnostic, instructional, and debugging tool. This rule identifies a privileged context execution of
strace which can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or
move laterally.
"""
false_positives = [
"""
Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may
originate from developers or SREs engaged in debugging or system call tracing.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Strace Process Activity"
references = ["https://en.wikipedia.org/wiki/Strace"]
risk_score = 21
rule_id = "d6450d4e-81c6-46a3-bd94-079886318ed5"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and process.name:strace
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"