[Rule Tuning] Linux DR Tuning - Part 1 (#3316)
* [Rule Tuning] Linux DR Tuning - Part 1
* fix
* Update command_and_control_linux_kworker_netcon.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_file_mod_writable_dir.toml
(cherry picked from commit b533642272)
This commit is contained in:
committed by
github-actions[bot]
parent
e22cc8030e
commit
9017653e37
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/10/30"
|
||||
updated_date = "2023/12/12"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -58,10 +58,19 @@ tags = [
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and
|
||||
process.name:kworker*
|
||||
process.name:kworker* and not destination.ip:(
|
||||
10.0.0.0/8 or
|
||||
127.0.0.0/8 or
|
||||
169.254.0.0/16 or
|
||||
172.16.0.0/12 or
|
||||
192.168.0.0/16 or
|
||||
224.0.0.0/4 or
|
||||
"::1" or
|
||||
"FE80::/10" or
|
||||
"FF00::/8"
|
||||
)
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
@@ -105,7 +114,7 @@ framework = "MITRE ATT&CK"
|
||||
|
||||
[rule.new_terms]
|
||||
field = "new_terms_fields"
|
||||
value = ["destination.ip", "process.name", "host.id"]
|
||||
value = ["host.id", "process.name", "destination.ip"]
|
||||
|
||||
[[rule.new_terms.history_window_start]]
|
||||
field = "history_window_start"
|
||||
|
||||
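Review bot: The destination.ip exclusion added after `process.name:kworker* and not destination.ip:(` is narrower than the list the same commit uses in the next network rule, which also drops 100.64.0.0/10, 240.0.0.0/4, the 192.0.0.0/24 and documentation ranges and 0.0.0.0, so the two rules will classify CGNAT and bogon destinations differently; the lists should agree or the difference should be deliberate. Either way the rule's `false_positives` or description should state that connections from a kworker-named process to RFC1918, loopback and link-local space are now out of scope, since a process masquerading as a kernel thread is as suspicious on the LAN as on the internet and analysts reading the rule will otherwise assume that traffic is covered. The reorder of `value` under `[rule.new_terms]` appears cosmetic. The `'''` query string opens and closes within this hunk.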
+4
-3
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2023/12/12"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -196,8 +196,9 @@ not destination.ip:(
|
||||
10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or
|
||||
192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or
|
||||
192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or
|
||||
198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8"
|
||||
)
|
||||
198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" or 0.0.0.0
|
||||
) and
|
||||
not destination.port:(22 or 80 or 443)
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
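Review bot: The new `not destination.port:(22 or 80 or 443)` clause is a global port exclusion, so the rule no longer sees any outbound connection on the three ports that carry most traffic, benign or not; the IP list above it only removes private and bogon space, while this clause removes the bulk of what remains. If the noise came from specific binaries, scope the exclusion to them, e.g. `not (process.name:(<noisy-process>) and destination.port:(22 or 80 or 443))`, or record in `false_positives` why these ports are treated as benign for this rule. Adding `0.0.0.0` to the IP list is fine. The query string this hunk edits opens before the hunk.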
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/22"
|
||||
updated_date = "2023/12/12"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -47,7 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "low"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Defense Evasion",
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
type = "eql"
|
||||
query = '''
|
||||
sequence by host.id, process.entity_id with maxspan=1s
|
||||
@@ -76,7 +82,7 @@ sequence by host.id, process.entity_id with maxspan=1s
|
||||
) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")]
|
||||
[file where host.os.type == "linux" and event.action == "creation" and file.path : (
|
||||
"/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*"
|
||||
) and not file.path : "/tmp/rear*"]
|
||||
) and not file.path : ("/tmp/rear*", "/var/tmp/dracut*")]
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
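Review bot: The new `"/var/tmp/dracut*"` exclusion at the end of the file event, like the existing `"/tmp/rear*"`, keys on a name prefix inside a world-writable directory rather than on the process that writes the file, so it suppresses every creation under that prefix regardless of origin. The process event of this sequence already excludes `process.parent.name in ("dracut-install", ...)`; anchoring the exception there, or on `process.name`/`process.executable` of the file event, keeps it tied to the tool that produces the files rather than to a file name. The `sequence by host.id, process.entity_id with maxspan=1s` header and its first event begin before this hunk. The tags reflow in the earlier hunk is cosmetic.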
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2023/12/12"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -64,30 +64,37 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Defense Evasion",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and user.name == "root" and
|
||||
process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and
|
||||
not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd")
|
||||
not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd") and
|
||||
not process.parent.name in ("systemd", "cf-agent", "ntpdate", "xargs", "px", "preinst", "auth")
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1222"
|
||||
name = "File and Directory Permissions Modification"
|
||||
reference = "https://attack.mitre.org/techniques/T1222/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1222.002"
|
||||
name = "Linux and Mac File and Directory Permissions Modification"
|
||||
reference = "https://attack.mitre.org/techniques/T1222/002/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
name = "Defense Evasion"
|
||||
|
||||
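Review bot: The added `not process.parent.name in ("systemd", "cf-agent", "ntpdate", "xargs", "px", "preinst", "auth")` line excludes by bare parent name while the line above it excludes by `process.parent.executable` path; name-only matches are the weaker form, and `xargs`, `px` and `auth` are generic enough that the exception covers any `chattr` launched through them, while `systemd` largely overlaps with the executable paths already listed. Prefer `process.parent.executable` paths for the daemons, and where a name must be used pair it with `process.parent.args` or `process.working_directory` so the exception matches only the observed benign pattern. The rationale for each entry belongs in the rule's `false_positives` field so the gap is visible to analysts.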
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2023/12/12"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -64,14 +64,21 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
|
||||
|
||||
"""
|
||||
severity = "low"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Defense Evasion",
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
host.os.type:linux and event.category:process and event.type:start and
|
||||
process.name:(chmod or chown or chattr or chgrp) and
|
||||
process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm")
|
||||
process.name:((chattr or chgrp or chmod or chown) and
|
||||
not (apt-key or update-motd-updates-available)) and
|
||||
process.working_directory:(/dev/shm or /tmp or /var/tmp)
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
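Review bot: In the new `process.name:((chattr or chgrp or chmod or chown) and not (apt-key or update-motd-updates-available))` clause the `not (...)` part is a no-op: both groups constrain the same single-valued `process.name` field, and a value that already matched one of the four names cannot also equal `apt-key` or `update-motd-updates-available`. The exclusion was presumably meant for the parent, as a separate clause such as `not process.parent.name:(apt-key or update-motd-updates-available)`; as written the query's matches are unchanged apart from the working-directory quoting. Worth confirming against a sample event before merge.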
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2023/12/12"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -69,7 +69,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Defense Evasion",
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -77,27 +83,27 @@ query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and
|
||||
process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
|
||||
process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
|
||||
not process.name in ("ls", "find", "grep", "git")
|
||||
not process.name in ("ls", "find", "grep", "git", "jq", "basename")
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1564"
|
||||
name = "Hide Artifacts"
|
||||
reference = "https://attack.mitre.org/techniques/T1564/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1564.001"
|
||||
name = "Hidden Files and Directories"
|
||||
reference = "https://attack.mitre.org/techniques/T1564/001/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
name = "Defense Evasion"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
|
||||
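Review bot: The `jq` and `basename` additions to the `not process.name in ("ls", "find", "grep", "git", ...)` line extend an exclusion keyed on bare process name, and neither this section nor the chattr and writable-dir sections above record why the listed utilities are benign; the rule's `false_positives` field should state that common text utilities run from the watched directories are excluded, so the coverage gap is visible to analysts tuning the rule. Because the `process.args regex~` pattern only requires a dot-prefixed argument, a `process.parent.name` or `process.args` qualifier on the new entries would keep the exception to the observed benign invocations. The hunk ends inside the second `[[rule.threat]]` entry, whose technique block is outside the hunk.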