From 9017653e373fce43d1a94afe17dae8dbc8b2da80 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 8 Jan 2024 09:50:15 +0100
Subject: [PATCH] [Rule Tuning] Linux DR Tuning - Part 1 (#3316)
* [Rule Tuning] Linux DR Tuning - Part 1
* fix
* Update command_and_control_linux_kworker_netcon.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_file_mod_writable_dir.toml
(cherry picked from commit b5336422723197769770e3ed1ac9385c0284159c)
---
 ...mand_and_control_linux_kworker_netcon.toml | 17 +++++++++++++----
 ...work_activity_from_unknown_executable.toml | 7 ++++---
 ...binary_copied_to_suspicious_directory.toml | 12 +++++++++---
 ...defense_evasion_chattr_immutable_file.toml | 19 +++++++++++++------
 ...defense_evasion_file_mod_writable_dir.toml | 15 +++++++++++----
 .../defense_evasion_hidden_file_dir_tmp.toml | 18 ++++++++++++------
 6 files changed, 62 insertions(+), 26 deletions(-)
diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml
index fe416ebb3..3d37c612c 100644
--- a/rules/linux/command_and_control_linux_kworker_netcon.toml
+++ b/rules/linux/command_and_control_linux_kworker_netcon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0"
-updated_date = "2023/10/30"
+updated_date = "2023/12/12"
 [rule] author = ["Elastic"]
@@ -58,10 +58,19 @@ tags = [ ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and -process.name:kworker* +process.name:kworker* and not destination.ip:( + 10.0.0.0/8 or + 127.0.0.0/8 or + 169.254.0.0/16 or + 172.16.0.0/12 or + 192.168.0.0/16 or + 224.0.0.0/4 or + "::1" or + "FE80::/10" or + "FF00::/8" +) ''' [[rule.threat]] @@ -105,7 +114,7 @@ framework = "MITRE ATT&CK" [rule.new_terms] field = "new_terms_fields" -value = ["destination.ip", "process.name", "host.id"] +value = ["host.id", "process.name", "destination.ip"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml index e0d8634c1..40e8c96e0 100644 --- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/11/02" +updated_date = "2023/12/12" [transform] [[transform.osquery]] 
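Review bot: The new `not destination.ip:(…)` block drops every connection from a kworker-named process to RFC 1918, loopback, link-local and multicast space, which removes internal-only lateral movement or relayed C2 from a rule whose premise (a userland process named like a kernel thread opening any connection) does not depend on where the connection goes. If the goal is only to cut noise in a specific environment, that trade-off should be recorded in the rule's `false_positives` or `note` text so later tuners know it was deliberate. The list is also narrower than the one in command_and_control_suspicious_network_activity_from_unknown_executable.toml (no 100.64.0.0/10, no 0.0.0.0), so the two rules now disagree on what counts as internal address space.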
@@ -196,8 +196,9 @@ not destination.ip:( 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or - 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" -) + 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" or 0.0.0.0 +) and +not destination.port:(22 or 80 or 443) ''' [[rule.threat]] diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml index 7d5fc8e33..c2e75aafc 100644 --- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml +++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/22" +updated_date = "2023/12/12" [rule] author = ["Elastic"] @@ -47,7 +47,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s 
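Review bot: `not destination.port:(22 or 80 or 443)` excludes the ports that carry most command-and-control and exfiltration traffic, so an unknown executable talking over HTTPS no longer produces a new-terms hit; that is a large coverage loss for a rule whose purpose is unknown executables. If this is needed to quiet updaters or package managers, the rationale belongs in the rule's `false_positives` or `note` text, and an exclusion keyed on the specific known-good `process.executable` values would keep HTTPS traffic from everything else visible. The added `0.0.0.0` literal is unquoted while the IPv6 entries on the same line are quoted; consistent quoting would read better. The `not destination.ip:(` group starts before this hunk.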
@@ -76,7 +82,7 @@ sequence by host.id, process.entity_id with maxspan=1s ) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")] [file where host.os.type == "linux" and event.action == "creation" and file.path : ( "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*" - ) and not file.path : "/tmp/rear*"] + ) and not file.path : ("/tmp/rear*", "/var/tmp/dracut*")] ''' [[rule.threat]] diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index f0ec2bf0e..215cdd56c 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2023/12/12" [rule] author = ["Elastic"] 
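Review bot: `"/var/tmp/dracut*"` on the file stage is a path-prefix exclusion only, whereas the process stage of the same sequence already names the producer (`not process.parent.name in ("dracut-install", …)`); any file created under that prefix is now excluded regardless of which process wrote it. If Elastic Defend file events carry the creating process's name (confirm against the integration's field list), `not (file.path : "/var/tmp/dracut*" and process.name : "dracut*")` would keep the exclusion tied to dracut itself, and the pre-existing `/tmp/rear*` entry has the same shape. The sequence's first stage starts before this hunk.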
@@ -64,30 +64,37 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and user.name == "root" and process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and - not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd") + not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd") and + not process.parent.name in ("systemd", "cf-agent", "ntpdate", "xargs", "px", "preinst", "auth") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" + [[rule.threat.technique.subtechnique]] id = "T1222.002" name = "Linux and Mac File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index 98fcc694e..4fdca27c9 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml 
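Review bot: The new `not process.parent.name in ("systemd", "cf-agent", "ntpdate", "xargs", "px", "preinst", "auth")` excludes by bare parent name, whereas the line directly above pins exclusions to full `process.parent.executable` paths; short generic names such as `px`, `auth` and `xargs` match any parent that happens to carry that name, and `systemd` duplicates the two executable-path entries already listed. Prefer the executable form where the path is known, and record in the rule's `false_positives` text why each of `cf-agent`, `preinst` and `auth` was observed invoking chattr with `+i`/`-i`, since nothing in the hunk explains it. The same name-only pattern appears in the `jq`/`basename` additions to defense_evasion_hidden_file_dir_tmp.toml later in this commit.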
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/11/02" +updated_date = "2023/12/12" [rule] author = ["Elastic"] @@ -64,14 +64,21 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" query = ''' host.os.type:linux and event.category:process and event.type:start and -process.name:(chmod or chown or chattr or chgrp) and -process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm") +process.name:((chattr or chgrp or chmod or chown) and +not (apt-key or update-motd-updates-available)) and +process.working_directory:(/dev/shm or /tmp or /var/tmp) ''' [[rule.threat]] diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index 4422a4d67..5497fee65 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2023/12/12" [rule] author = ["Elastic"] 
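Review bot: The added `and not (apt-key or update-motd-updates-available)` sits inside the `process.name:(…)` group, so it can never exclude anything: an event whose `process.name` is one of chattr/chgrp/chmod/chown cannot simultaneously have `process.name` equal to apt-key or update-motd-updates-available. Presumably the intent was to exclude those scripts as the parent, i.e. a separate clause `and not process.parent.name:(apt-key or update-motd-updates-available)` — confirm against the events that motivated the tuning before changing it. The `process.working_directory` values also switch from quoted `"/tmp"` to bare `/dev/shm or /tmp or /var/tmp`; that is valid KQL, but it differs from the quoted path style used in the other rules touched by this commit.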
@@ -69,7 +69,13 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -77,27 +83,27 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and -not process.name in ("ls", "find", "grep", "git") +not process.name in ("ls", "find", "grep", "git", "jq", "basename") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK"