[Security Content] Add Investigation Guides to Linux DRs 8.9 (#2868)

* [Investigation Guide] 10 new Linux IG's 8.9

* Added 4 more IG tags

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_user_account_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_execution.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_execution.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_execution.toml

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* implemented feedback

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

rules/linux/persistence_init_d_file_creation.toml

@@ -2,24 +2,122 @@
 creation_date = "2023/03/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/04/03"
+updated_date = "2023/06/22"
+
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve File Information"
+query = "SELECT * FROM file WHERE path = {{file.path}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve File Listing Information"
+query = "SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Additional File Listing Information"
+query = """
+SELECT
+  f.path,
+  u.username AS file_owner,
+  g.groupname AS group_owner,
+  datetime(f.atime, 'unixepoch') AS file_last_access_time,
+  datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+  datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+  datetime(f.btime, 'unixepoch') AS file_created_time,
+  f.size AS size_bytes
+FROM
+  file f
+  LEFT JOIN users u ON f.uid = u.uid
+  LEFT JOIN groups g ON f.gid = g.gid
+WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Running Processes by User"
+query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Crontab Information"
+query = "SELECT * FROM crontab"
 
 [rule]
 author = ["Elastic"]
 description = """
-Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications,
-services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd, however, 
-through the "systemd-sysv-generator" init.d files can be converted to service unit files that run at boot.
-Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code on boot
-time in order to gain persistence onto the system. 
+Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts
+or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the 
+"systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or 
+alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence 
+on the system. 
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Persistence Through init.d Detected"
+note = """## Triage and analysis
+
+### Investigating Potential Persistence Through init.d Detected
+
+The `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.
+
+Attackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.
+
+This rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible Investigation Steps
+
+- Investigate the file that was created or modified.
+  - $osquery_0
+- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.
+  - $osquery_1
+  - $osquery_2
+- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
+  - $osquery_3
+- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.
+- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
+  - If scripts or executables were dropped, retrieve the files and determine if they are malicious:
+    - Use a private sandboxed malware analysis system to perform analysis.
+      - Observe and collect information about the following activities:
+        - Attempts to contact external domains and addresses.
+          - Check if the domain is newly registered or unexpected.
+          - Check the reputation of the domain or IP address.
+        - File access, modification, and creation activities.
+        - Cron jobs, services and other persistence mechanisms.
+            - $osquery_4
+
+### False Positive Analysis
+
+- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.
+- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. 
+- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.
+
+### Related Rules
+
+- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Delete the maliciously created service/init.d files or restore it to the original configuration.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 references = [
     "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
     "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
@@ -29,35 +127,32 @@ references = [
 risk_score = 47
 rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and 
 file.path : /etc/init.d/* and not process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not 
 file.extension : "swp"
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
 
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["file.path", "process.name"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"

rules/linux/persistence_linux_backdoor_user_creation.toml

@@ -6,6 +6,27 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s
 min_stack_version = "8.3.0"
 updated_date = "2023/06/22"
 
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve User Accounts with a UID of 0"
+query = "SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Running Processes by User"
+query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Information for a Specific User"
+query = "SELECT * FROM users WHERE username = {{user.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Investigate the Account Authentication Status"
+query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Information for a Specific Group"
+query = "SELECT * FROM groups WHERE groupname = {{group.name}}"
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -17,10 +38,56 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Linux Backdoor User Account Creation"
+note = """## Triage and analysis
+
+### Investigating Potential Linux Backdoor User Account Creation
+
+The `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.
+
+Attackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.
+
+This rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. 
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible investigation steps
+- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.
+  - $osquery_0
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
+  - $osquery_1
+- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.
+  - $osquery_2
+- Investigate whether the user is currently logged in and active.
+  - $osquery_3
+- Identify if the account was added to privileged groups or assigned special privileges after creation.
+  - $osquery_4
+- Investigate other alerts associated with the user/host during the past 48 hours.
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
+- Delete the created account.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 risk_score = 47
 rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''

rules/linux/persistence_linux_group_creation.toml

@@ -6,6 +6,23 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s
 min_stack_version = "8.3.0"
 updated_date = "2023/06/22"
 
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve Information for a Specific Group"
+query = "SELECT * FROM groups WHERE groupname = {{group.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Information for a Specific User"
+query = "SELECT * FROM users WHERE username = {{user.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Investigate the Account Authentication Status"
+query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Running Processes by User"
+query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -16,10 +33,56 @@ index = ["logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux Group Creation"
+note = """## Triage and analysis
+
+### Investigating Linux Group Creation
+
+The `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.
+
+Attackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.
+
+This rule identifies the usages of `groupadd` and `addgroup` to create new groups.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible investigation steps
+
+- Investigate whether the group was created succesfully.
+  - $osquery_0
+- Identify if a user account was added to this group after creation.
+  - $osquery_1
+- Investigate whether the user is currently logged in and active.
+  - $osquery_2
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
+  - $osquery_3
+- Investigate other alerts associated with the user/host during the past 48 hours.
+
+### False positive analysis
+
+- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
+- Delete the created group and, in case an account was added to this group, delete the account.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 risk_score = 21
 rule_id = "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''

rules/linux/persistence_linux_shell_activity_via_web_server.toml

@@ -4,11 +4,36 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/03"
+updated_date = "2023/06/22"
+
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve Listening Ports"
+query = "SELECT pid, address, port, socket, protocol, path FROM listening_ports"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Open Sockets"
+query = "SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Process Info"
+query = "SELECT name, cmdline, parent, path, uid FROM processes"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Process Info for Webapp User"
+query = "SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Crontab Information"
+query = "SELECT * FROM crontab"
 
 [rule]
 author = ["Elastic"]
-description = "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access."
+description = """
+Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. 
+Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor 
+file that can be abused to gain code execution as a mechanism for persistence.
+"""
 false_positives = [
     """
     Network monitoring or management products may have a web server component that runs shell commands as part of normal
@@ -20,6 +45,58 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Code Execution via Web Server"
+note = """## Triage and analysis
+
+### Investigating Potential Remote Code Execution via Web Server
+
+Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.
+
+This rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible investigation steps
+
+- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.
+  - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.
+    - $osquery_0
+    - $osquery_1
+  - Investigate the process information for malicious or uncommon processes/process trees.
+    - $osquery_2
+  - Investigate the process tree spawned from the user that is used to run the web application service. A user that is running a web application should not spawn other child processes.
+    - $osquery_3
+- Examine the command line to determine which commands or scripts were executed.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- If scripts or executables were dropped, retrieve the files and determine if they are malicious:
+  - Use a private sandboxed malware analysis system to perform analysis.
+    - Observe and collect information about the following activities:
+      - Attempts to contact external domains and addresses.
+        - Check if the domain is newly registered or unexpected.
+        - Check the reputation of the domain or IP address.
+      - File access, modification, and creation activities.
+      - Cron jobs, services and other persistence mechanisms.
+        - $osquery_4
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 references = [
     "https://pentestlab.blog/tag/web-shell/",
     "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
@@ -27,10 +104,9 @@ references = [
 risk_score = 73
 rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event") and process.parent.executable : (
@@ -48,32 +124,32 @@ process.name : ("*sh", "python*", "perl", "php*", "tmux") and
 process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1505"
 name = "Server Software Component"
 reference = "https://attack.mitre.org/techniques/T1505/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1505.003"
 name = "Web Shell"
 reference = "https://attack.mitre.org/techniques/T1505/003/"
 
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1190"
 name = "Exploit Public-Facing Application"
 reference = "https://attack.mitre.org/techniques/T1190/"
 
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"

rules/linux/persistence_linux_user_account_creation.toml

@@ -6,6 +6,23 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s
 min_stack_version = "8.3.0"
 updated_date = "2023/06/22"
 
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve Information for a Specific User"
+query = "SELECT * FROM users WHERE username = {{user.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Investigate the Account Authentication Status"
+query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Information for a Specific Group"
+query = "SELECT * FROM groups WHERE groupname = {{group.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Running Processes by User"
+query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -16,10 +33,55 @@ index = ["logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux User Account Creation"
+note = """## Triage and analysis
+
+### Investigating Linux User Account Creation
+
+The `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.
+
+Attackers may create new accounts (both local and domain) to maintain access to victim systems.
+
+This rule identifies the usage of `useradd` and `adduser` to create new accounts.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible investigation steps
+
+- Investigate whether the user was created succesfully.
+  - $osquery_0
+- Investigate whether the user is currently logged in and active.
+  - $osquery_1
+- Identify if the account was added to privileged groups or assigned special privileges after creation.
+  - $osquery_2
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
+  - $osquery_3
+- Investigate other alerts associated with the user/host during the past 48 hours.
+
+### False positive analysis
+
+- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
+- Delete the created account.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 risk_score = 21
 rule_id = "edfd5ca9-9d6c-44d9-b615-1e56b920219c"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''

rules/linux/persistence_linux_user_added_to_privileged_group.toml

@@ -6,6 +6,23 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s
 min_stack_version = "8.3.0"
 updated_date = "2023/06/22"
 
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve Information for a Specific User"
+query = "SELECT * FROM users WHERE username = {{user.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Investigate the Account Authentication Status"
+query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Information for a Specific Group"
+query = "SELECT * FROM groups WHERE groupname = {{group.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Running Processes by User"
+query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -17,10 +34,55 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux User Added to Privileged Group"
+note = """## Triage and analysis
+
+### Investigating Linux User User Added to Privileged Group
+
+The `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.
+
+Attackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.
+
+This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible investigation steps
+
+- Investigate whether the user was succesfully added to the privileged group.
+  - $osquery_0
+- Investigate whether the user is currently logged in and active.
+  - $osquery_1
+- Retrieve information about the privileged group to which the user was added.
+  - $osquery_2
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
+  - $osquery_3
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+
+### False positive analysis
+
+- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
+- Delete the account that seems to be involved in malicious activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 risk_score = 47
 rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''

rules/linux/persistence_message_of_the_day_creation.toml

@@ -2,9 +2,45 @@
 creation_date = "2023/02/28"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/04/05"
+updated_date = "2023/06/22"
+
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve File Information"
+query = "SELECT * FROM file WHERE path = {{file.path}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve File Listing Information"
+query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Additional File Listing Information"
+query = """
+SELECT
+  f.path,
+  u.username AS file_owner,
+  g.groupname AS group_owner,
+  datetime(f.atime, 'unixepoch') AS file_last_access_time,
+  datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+  datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+  datetime(f.btime, 'unixepoch') AS file_created_time,
+  f.size AS size_bytes
+FROM
+  file f
+  LEFT JOIN users u ON f.uid = u.uid
+  LEFT JOIN groups g ON f.gid = g.gid
+WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Running Processes by User"
+query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Crontab Information"
+query = "SELECT * FROM crontab"
 
 [rule]
 author = ["Elastic"]
@@ -21,41 +57,94 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Persistence Through MOTD File Creation Detected"
+note = """## Triage and analysis
+
+### Investigating Potential Persistence Through MOTD File Creation Detected
+
+The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.
+
+Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.
+
+This rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible Investigation Steps
+
+- Investigate the file that was created or modified.
+  - $osquery_0
+- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.
+  - $osquery_1
+  - $osquery_2
+- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
+  - $osquery_3
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. 
+  - If scripts or executables were dropped, retrieve the files and determine if they are malicious:
+    - Use a private sandboxed malware analysis system to perform analysis.
+      - Observe and collect information about the following activities:
+        - Attempts to contact external domains and addresses.
+          - Check if the domain is newly registered or unexpected.
+          - Check the reputation of the domain or IP address.
+        - File access, modification, and creation activities.
+        - Cron jobs, services and other persistence mechanisms.
+            - $osquery_4
+
+### Related Rules
+
+- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Delete the MOTD files or restore their original configuration.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 references = [
     "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
 ]
 risk_score = 47
 rule_id = "96d11d31-9a79-480f-8401-da28b194608f"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 type = "new_terms"
-
 query = '''
 host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and 
 file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not 
-process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not 
-file.extension : "swp"
+process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not file.extension : "swp"
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
 
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["file.path", "process.name"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-7d"

rules/linux/persistence_message_of_the_day_execution.toml

@@ -4,8 +4,43 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/03"
+updated_date = "2023/06/22"
 
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve File Information"
+query = "SELECT * FROM file WHERE path = {{file.path}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve File Listing Information"
+query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Additional File Listing Information"
+query = """
+SELECT
+  f.path,
+  u.username AS file_owner,
+  g.groupname AS group_owner,
+  datetime(f.atime, 'unixepoch') AS file_last_access_time,
+  datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+  datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+  datetime(f.btime, 'unixepoch') AS file_created_time,
+  f.size AS size_bytes
+FROM
+  file f
+  LEFT JOIN users u ON f.uid = u.uid
+  LEFT JOIN groups g ON f.gid = g.gid
+WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Running Processes by User"
+query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Crontab Information"
+query = "SELECT * FROM crontab"
 [rule]
 author = ["Elastic"]
 description = """
@@ -21,16 +56,72 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Process Spawned from MOTD Detected"
+note = """## Triage and analysis
+
+### Investigating Suspicious Process Spawned from MOTD Detected
+
+The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.
+
+Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.
+
+This rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. 
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible Investigation Steps
+
+- Investigate the file that was created or modified from which the suspicious process was executed.
+  - $osquery_0
+- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.
+  - $osquery_1
+  - $osquery_2
+- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
+  - $osquery_3
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
+  - If scripts or executables were dropped, retrieve the files and determine if they are malicious:
+    - Use a private sandboxed malware analysis system to perform analysis.
+      - Observe and collect information about the following activities:
+        - Attempts to contact external domains and addresses.
+          - Check if the domain is newly registered or unexpected.
+          - Check the reputation of the domain or IP address.
+        - File access, modification, and creation activities.
+        - Cron jobs, services, and other persistence mechanisms.
+            - $osquery_4
+
+### Related Rules
+
+- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Delete the MOTD files or restore them to the original configuration.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 references = [
     "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
 ]
 risk_score = 73
 rule_id = "4ec47004-b34a-42e6-8003-376a123ea447"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and 
 event.type == "start" and event.action : ("exec", "exec_event") and
@@ -38,16 +129,14 @@ process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*
 process.executable : ("*sh", "python*", "perl", "php*")
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
 
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"

rules/linux/persistence_rc_script_creation.toml

@@ -6,6 +6,23 @@ min_stack_comments = "Multiple field support in the New Terms rule type was adde
 min_stack_version = "8.6.0"
 updated_date = "2023/06/22"
 
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve File Information"
+query = "SELECT * FROM file WHERE path = {{file.path}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Running Processes by User"
+query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve rc-local.service File Information"
+query = "SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Crontab Information"
+query = "SELECT * FROM crontab"
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -17,10 +34,68 @@ boot. Adversaries may alter rc.local to execute malicious code at start-up, and
 system. 
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "auditbeat-*", "endgame-*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Persistence Through Run Control Detected"
+note = """## Triage and analysis
+
+### Investigating Potential Persistence Through Run Control Detected
+
+The `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. 
+
+There might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. 
+
+Detection alerts from this rule indicate the creation of a new `/etc/rc.local` file. 
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible Investigation Steps
+
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Investigate the file that was created or modified.
+  - $osquery_0
+- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
+  - $osquery_1
+- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.
+  - $osquery_2
+  - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.
+  - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep "rc-local.service|/etc/rc.local Compatibility"` can be executed to check for the execution of the service.
+    - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.
+- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
+  - If scripts or executables were dropped, retrieve the files and determine if they are malicious:
+    - Use a private sandboxed malware analysis system to perform analysis.
+      - Observe and collect information about the following activities:
+        - Attempts to contact external domains and addresses.
+          - Check if the domain is newly registered or unexpected.
+          - Check the reputation of the domain or IP address.
+        - File access, modification, and creation activities.
+        - Cron jobs, services and other persistence mechanisms.
+            - $osquery_3
+
+### False Positive Analysis
+
+- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.
+- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. 
+- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.
+
+### Response and remediation
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Delete the `service/rc.local` files or restore their original configuration.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 references = [
     "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
     "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
@@ -30,9 +105,8 @@ references = [
 risk_score = 47
 rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 type = "new_terms"
-
 query = '''
 host.os.type : "linux" and event.category : "file" and 
 event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and

rules/linux/persistence_systemd_scheduled_timer_created.toml

@@ -2,9 +2,59 @@
 creation_date = "2023/02/24"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/04/05"
+updated_date = "2023/06/22"
+
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve File Information"
+query = "SELECT * FROM file WHERE path = {{file.path}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve File Listing Information"
+query = """
+SELECT * FROM file WHERE (
+path LIKE '/etc/systemd/system/%' OR 
+path LIKE '/usr/local/lib/systemd/system/%' OR 
+path LIKE '/lib/systemd/system/%' OR
+path LIKE '/usr/lib/systemd/system/%' OR
+path LIKE '/home/user/.config/systemd/user/%'
+)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Additional File Listing Information"
+query = """
+SELECT
+  f.path,
+  u.username AS file_owner,
+  g.groupname AS group_owner,
+  datetime(f.atime, 'unixepoch') AS file_last_access_time,
+  datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+  datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+  datetime(f.btime, 'unixepoch') AS file_created_time,
+  f.size AS size_bytes
+FROM
+  file f
+  LEFT JOIN users u ON f.uid = u.uid
+  LEFT JOIN groups g ON f.gid = g.gid
+WHERE (
+path LIKE '/etc/systemd/system/%' OR 
+path LIKE '/usr/local/lib/systemd/system/%' OR 
+path LIKE '/lib/systemd/system/%' OR
+path LIKE '/usr/lib/systemd/system/%' OR
+path LIKE '/home/{{user.name}}/.config/systemd/user/%'
+)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Running Processes by User"
+query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Crontab Information"
+query = "SELECT * FROM crontab"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +69,64 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "New Systemd Timer Created"
+note = """## Triage and analysis
+
+### Investigating New Systemd Timer Created
+
+Systemd timers are used for scheduling and automating recurring tasks or services on Linux systems. 
+
+Attackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. 
+
+This rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible Investigation Steps
+
+- Investigate the timer file that was created or modified.
+  - $osquery_0
+- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.
+- Search for the systemd service file named similarly to the timer that was created.
+- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.
+  - $osquery_1
+  - $osquery_2
+- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
+  - $osquery_3
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.
+- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
+  - If scripts or executables were dropped, retrieve the files and determine if they are malicious:
+    - Use a private sandboxed malware analysis system to perform analysis.
+      - Observe and collect information about the following activities:
+        - Attempts to contact external domains and addresses.
+          - Check if the domain is newly registered or unexpected.
+          - Check the reputation of the domain or IP address.
+        - File access, modification, and creation activities.
+        - Cron jobs, services and other persistence mechanisms.
+            - $osquery_4
+
+### False Positive Analysis
+
+- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.
+- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. 
+- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Delete the service/timer or restore its original configuration.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 references = [
     "https://opensource.com/article/20/7/systemd-timers",
     "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
@@ -26,10 +134,9 @@ references = [
 risk_score = 21
 rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and
 file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or 
@@ -39,26 +146,26 @@ process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm")
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.006"
 name = "Systemd Timers"
 reference = "https://attack.mitre.org/techniques/T1053/006/"
 
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["file.path", "process.name"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"