[Rule Tuning] Several rule tunings (#3024)

* [Rule Tuning] Several rule tunings * Added 1 more * optimized ransomware encryption rules * Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml * Update rules/linux/impact_potential_linux_ransomware_note_detected.toml * Added 2 more tunings based on todays telemetry * Some tunings * Tuning * Tuning * fixed user.id comparison * Something went wrong with deprecation * Something went wrong with deprecation * Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml * Update rules/linux/discovery_linux_nping_activity.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/discovery_linux_hping_activity.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Dedeprecated the rule to deprecate later --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-25 14:03:29 +02:00
parent 17d0e5cda8
commit a1716bd673
31 changed files with 186 additions and 179 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/26"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -24,9 +24,11 @@ severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
 type = "eql"
 query = '''
-sequence by host.id, process.parent.executable, user.name with maxspan=1s
-[ process where host.os.type == "linux" and event.type == "start" and 
-  event.action == "exec" and process.name == "su" ] with runs=10
+sequence by host.id, process.parent.executable, user.id with maxspan=1s
+ [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and 
+  not process.parent.name in (
+   "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server"
+  )] with runs=10
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and user.name == "root" and
  process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and
-  not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*")
+  not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd")
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -14,20 +14,20 @@ a network and how. Adversaries may remove these files over the course of an intr
 remove them at the end as part of the post-intrusion cleanup process.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "File Deletion via Shred"
 risk_score = 21
 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:shred and
-  process.args:("-u" or "--remove" or "-z" or "--zero")
+event.category:process and host.os.type:linux and event.type:start and process.name:shred and
+process.args:("-u" or "--remove" or "-z" or "--zero") and not process.parent.name:logrotate
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -37,10 +37,10 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where host.os.type == "linux" and event.type in ("start", "process_started") and
-  process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
-  process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
-  not process.name in ("ls", "find", "grep")
+process where host.os.type == "linux" and event.type == "start" and
+process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
+process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
+not process.name in ("ls", "find", "grep", "git")
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -25,16 +25,17 @@ language = "eql"
 license = "Elastic License v2"
 name = "Kernel Module Removal"
 references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
-risk_score = 73
+risk_score = 47
 rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
-severity = "high"
+severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

 query = '''
 process where host.os.type == "linux" and event.action == "exec" and process.name == "rmmod" or
-(process.name == "modprobe" and process.args in ("--remove", "-r"))
+(process.name == "modprobe" and process.args in ("--remove", "-r")) and 
+process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "The linux.advanced.capture_env_vars option for Elastic Defend has been introduced in 8.6.0"
 min_stack_version = "8.6.0"
-updated_date = "2023/06/26"
+updated_date = "2023/08/25"

 [rule]
 author = ["Elastic"]
@@ -18,8 +18,9 @@ from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Process Injection via LD_PRELOAD Environment Variable"
-note = """## Setup
+name = "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable"
+note = """ This rule was deprecated due to the large amount of false positives and the lack of true positives generated by the rule.
+## Setup
 By default, the `Elastic Defend` integration does not collect environment variable logging. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the `Elastic Defend` integration. 
 ```
 Kibana -->
@@ -34,68 +35,73 @@ linux.advanced.capture_env_vars
 After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.
 """
 references = ["https://www.getambassador.io/resources/code-injection-on-linux-and-macos"]
-risk_score = 47
+risk_score = 21
 rule_id = "4973e46b-a663-41b8-a875-ced16dda2bb0"
-severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation"]
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Persistence",
+    "Tactic: Privilege Escalation",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and 
- event.action == "exec" and  
- process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*") 
+process where host.os.type == "linux" and event.action == "exec" and process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*")
 '''

 [[rule.threat]]
 framework = "MITRE ATT&CK"

+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
 [rule.threat.tactic]
-name = "Defense Evasion"
 id = "TA0005"
+name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"

-[[rule.threat.technique]]
-name = "Hijack Execution Flow"
-id = "T1574"
-reference = "https://attack.mitre.org/techniques/T1574/"
-
-[[rule.threat.technique.subtechnique]]
-name = "Dynamic Linker Hijacking"
-id = "T1574.006"
-reference = "https://attack.mitre.org/techniques/T1574/006/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"

+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
 [rule.threat.tactic]
-name = "Persistence"
 id = "TA0003"
+name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"

-[[rule.threat.technique]]
-name = "Hijack Execution Flow"
-id = "T1574"
-reference = "https://attack.mitre.org/techniques/T1574/"
-
-[[rule.threat.technique.subtechnique]]
-name = "Dynamic Linker Hijacking"
-id = "T1574.006"
-reference = "https://attack.mitre.org/techniques/T1574/006/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"

-[rule.threat.tactic]
-name = "Privilege Escalation"
-id = "TA0004"
-reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat.technique]]
-name = "Hijack Execution Flow"
 id = "T1574"
+name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"

 [[rule.threat.technique.subtechnique]]
-name = "Dynamic Linker Hijacking"
 id = "T1574.006"
+name = "Dynamic Linker Hijacking"
 reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/11"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -32,21 +32,19 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where process.name=="mount" and event.action =="exec" and
-    process.args: ( "/proc") and process.args: ("-o") and process.args:("*hidepid=2*") and
-    host.os.type == "linux"
+process where host.os.type == "linux" and process.name == "mount" and event.action == "exec" and
+process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*"
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1564"
 name = "Hide Artifacts"
 reference = "https://attack.mitre.org/techniques/T1564/"

-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.5.0"
-updated_date = "2023/04/11"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -30,8 +30,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
-process.name : ("grep", "egrep", "pgrep") and
-process.args : ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem")
+process.name in ("grep", "egrep", "pgrep") and
+process.args in ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem")
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -35,7 +35,8 @@ event.category:process and host.os.type:linux and event.type:start and (
 (process.name:(lsmod or modinfo)) or 
 (process.name:kmod and process.args:list) or 
 (process.name:depmod and process.args:(--all or -a))
-) and not process.parent.user.id:0
+) and process.parent.name:(sudo or bash or dash or ash or sh or tcsh or csh or zsh or ksh or fish) and 
+not process.parent.user.id:0
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -20,19 +20,20 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Hping Process Activity"
 references = ["https://en.wikipedia.org/wiki/Hping"]
-risk_score = 73
+risk_score = 47
 rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
-severity = "high"
+severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"

 query = '''
-event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)
+process where host.os.type == "linux" and event.type == "start"
+and process.name in ("hping", "hping2", "hping3")
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Nping Process Activity"
 references = ["https://en.wikipedia.org/wiki/Nmap"]
@@ -29,10 +29,10 @@ rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"

 query = '''
-event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping
+process where host.os.type == "linux" and event.type == "start" and process.name == "nping"
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -85,7 +85,8 @@ file.name : ("auditd.pid" or python* or "apport.pid" or "apport.lock" or kworker
 "acpid.pid" or "unattended-upgrades.lock" or "unattended-upgrades.pid" or "cmd.pid" or "yum.pid" or "netconfig.pid" or 
 "docker.pid" or "atd.pid" or "lfd.pid" or "atop.pid" or "nginx.pid" or "dhclient.pid" or "smtpd.pid" or "stunnel.pid" or 
 "1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid" or "winbindd.pid" or "chronyd.pid") and
-not process.name : ("runc" or "ufw" or "snapd" or "snap" or "iptables")
+not process.name : ("runc" or "ufw" or "snapd" or "snap" or "iptables" or "libvirtd" or "containerd-shim-runc-v2" or 
+"ifdown" or "snap-confine" or "ifup" or "dhclient" or "containerd")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -38,15 +38,10 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where host.os.type == "linux" and event.type == "start" and
-    event.action : ("exec", "exec_event") and user.name == "root" and
-    process.executable : (
-        "/dev/shm/*",
-        "/run/shm/*",
-        "/var/run/*",
-        "/var/lock/*"
-    ) and
-    not process.executable : ( "/var/run/docker/*")
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
+process.executable : ("/dev/shm/*", "/run/shm/*", "/var/run/*", "/var/lock/*") and
+not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/*", "/var/run/cloudera-scm-agent/*") and
+user.id == "0"
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4"
 min_stack_version = "8.4.0"
-updated_date = "2023/06/14"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -28,19 +28,15 @@ timestamp_override = "event.ingested"
 type = "new_terms"

 query = '''
-host.os.type : "linux" and event.category : "process" and 
-event.action : ("exec" or "exec_event" or "fork" or "fork_event") and 
-process.executable : (
+host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and 
+process.executable:(
  /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or
  /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or 
-  /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*
-  ) and process.args : (
-  "whoami" or "id" or "hostname" or "uptime" or "top" or "ifconfig" or "netstat" or "route" or 
-  "ps" or "pwd" or "ls"
-  ) and not process.name : (
-  "sudo" or "which" or "whoami" or "id" or "hostname" or "uptime" or "top" or "netstat" or "ps" or 
-  "pwd" or "ls" or "apt" or "dpkg" or "yum" or "rpm" or "dnf" or "dockerd" or "snapd" or "snap"
-  )
+  /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*) 
+  and process.args:(whoami or id or hostname or uptime or top or ifconfig or netstat or route or ps or pwd or ls) and 
+  not process.name:(sudo or which or whoami or id or hostname or uptime or top or netstat or ps or pwd or ls or apt or 
+  dpkg or yum or rpm or dnf or dockerd or docker or snapd or snap) and
+  not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*)
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/02"
+updated_date = "2023/08/22"

 [rule]
 author = ["Elastic"]
@@ -25,20 +25,18 @@ severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
 type = "eql"
 query = '''
-sequence by host.id, process.entity_id with maxspan=1s 
-  [ file where host.os.type == "linux" and event.type == "change" and
-    event.action == "rename" and file.extension != "" and 
-    file.path : (
-      "/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*"
-      ) and not 
-    file.extension : (
-      "xml", "json", "conf", "dat", "gz", "info", "mod", "final",
-      "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old"
-      ) and not 
-    process.name : (
-      "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d", 
-      "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy"
-    ) ] with runs=100 | tail 1
+sequence by host.id, process.entity_id with maxspan=1s
+  [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" 
+   and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or
+   (process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and
+   file.path : (
+   "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
+   "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not ((
+   process.name : (
+   "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
+   "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
+   "systemsettings", "vmis-launcher")) or file.path : "/etc/selinux/*" or (file.extension in ("qmlc", "txt")
+   ))] with runs=25
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/02"
+updated_date = "2023/08/22"

 [rule]
 author = ["Elastic"]
@@ -27,23 +27,20 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s 
-  [ file where host.os.type == "linux" and event.type == "change" and
-    event.action == "rename" and file.extension != "" and 
-    file.path : (
-      "/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*"
-      ) and not 
-    file.extension : (
-      "xml", "json", "conf", "dat", "gz", "info", "mod", "final",
-      "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old"
-      ) and not 
-    process.name : (
-      "dpkg",  "yum", "dnf", "rpm", "dockerd"
-      ) ] with runs=100
-  [ file where host.os.type == "linux" and event.action == "creation" and file.extension == "txt" and 
-    file.name : (
-      "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", 
-      "*read*", "*instruction*", "*how_to*", "*ransom*"
-      ) and not process.name : ("go", "java", "pip*", "python*", "node", "containerd") ] | tail 1
+  [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" 
+   and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or
+   (process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and
+   file.path : (
+   "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
+   "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not ((
+   process.name : (
+   "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
+   "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
+   "systemsettings", "vmis-launcher")) or (file.path : "/etc/selinux/*") or (file.extension in ("qmlc", "txt")
+   ))] with runs=25
+  [file where host.os.type == "linux" and event.action == "creation" and file.name : (
+   "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*"
+  )]
 '''

 [[rule.threat]]
@@ -3,13 +3,16 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/29"
+updated_date = "2023/08/24"
 integration = ["endpoint"]

 [rule]
 author = ["Elastic"]
 description = """
-Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.
+Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize
+this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has
+either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run 
+providing long-term persistence.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
@@ -36,6 +39,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event")

 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
@@ -50,4 +54,3 @@ reference = "https://attack.mitre.org/techniques/T1037/004/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ type = "query"

 query = '''
 event.category:file and host.os.type:linux and event.type:change and 
-  process.name:(* and not (dnf or dnf-automatic or dpkg or yum)) and 
+  process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron)) and 
  (file.path:(/usr/bin/scp or 
                /usr/bin/sftp or 
                /usr/bin/ssh or 
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/24"
 integration = ["endpoint"]

 [rule]
@@ -32,9 +32,9 @@ type = "eql"
 query = '''
 file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and
 file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*",
-"/usr//lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd",
+"/usr/lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd",
 "*/snapd", "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd",
-"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension == "swp"
+"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension in ("swp", "swpx", "tmp")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/21"

 [transform]
 [[transform.osquery]]
@@ -132,7 +132,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and 
-file.path : /etc/init.d/* and not process.name : ("dpkg" or "dockerd" or "rpm" or "chef-client" or "apk" or "yum" or 
+file.path : /etc/init.d/* and not process.name : ("dpkg" or "dockerd" or "rpm" or "dnf" or "chef-client" or "apk" or "yum" or 
 "rpm" or "vmis-launcher" or "exe") and not file.extension : ("swp" or "swx")
 '''

@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/24"
 integration = ["endpoint"]

 [rule]
@@ -27,8 +27,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where host.os.type == "linux" and event.type == "start" and
-  process.executable : "/usr/sbin/insmod" and process.args : "*.ko"
+process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko"
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -47,7 +47,8 @@ file where host.os.type == "linux" and event.type != "deletion" and
      "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*",
      "/etc/xdg/autostart/*", "/usr/share/autostart/*"
    ) and
-    not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic")
+    not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd", 
+    "rpm")
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/20"
+updated_date = "2023/08/24"

 [transform]
 [[transform.osquery]]
@@ -122,7 +122,8 @@ event.action in ("exec", "exec_event") and process.parent.executable : (
  "*/bin/catalina.sh"
 ) and
 process.name : ("*sh", "python*", "perl", "php*", "tmux") and
-process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")
+process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") and
+not process.name == "phpquery"
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/21"

 [transform]
 [[transform.osquery]]
@@ -128,7 +128,7 @@ process where host.os.type == "linux" and
 event.type == "start" and event.action : ("exec", "exec_event") and
 process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and
 process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "nc", "ncat", 
-"netcat", "socat", "lua", "java", "openssl", "ruby", "telnet", "awk")
+"netcat", "socat", "lua", "java", "openssl", "ruby", "telnet")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/21"

 [transform]
 [[transform.osquery]]
@@ -111,7 +111,7 @@ type = "new_terms"
 query = '''
 host.os.type : "linux" and event.category : "file" and 
 event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and
-file.path : "/etc/rc.local" and not process.name : ("dockerd" or "yum" or "rpm" or "dpkg") and not file.extension : ("swp" or "swx")
+file.path : "/etc/rc.local" and not process.name : ("dockerd" or "docker" or "dnf" or "yum" or "rpm" or "dpkg") and not file.extension : ("swp" or "swx")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/21"

 [transform]
 [[transform.osquery]]
@@ -141,8 +141,7 @@ type = "new_terms"
 query = '''
 host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and
 file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or 
-/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not 
-process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/proc/self/exe" or "/usr/sbin/dockerd")
+/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : ("docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/27"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -44,7 +44,8 @@ event.type == "start" and process.name == "ln" and
    (process.args : ("/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.weekly/*", "/etc/cron.monthly/*")) or
    (process.args : ("/home/*/.ssh/*", "/root/.ssh/*","/etc/sudoers.d/*", "/dev/shm/*"))
  ) and 
-not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
+  process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and 
+  not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -20,7 +20,8 @@ false_positives = [
    by ordinary users is uncommon. These can be exempted by process name or username.
    """,
 ]
-from = "now-9m"
+from = "now-119m"
+interval = "60m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
@@ -44,9 +45,10 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 risk_score = 21
 rule_id = "80084fa9-8677-4453-8680-b891d3c0c778"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
 type = "eql"
+building_block_type = "default"
 query = '''
 file where host.os.type == "linux" and event.action == "opened-file" and file.path == "/proc/modules" and not 
 (
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,8 @@ manipulation of critical kernel modules. Attackers may tamper with the modprobe
 kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the 
 system.
 """
-from = "now-9m"
+from = "now-119m"
+interval = "60m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
@@ -43,15 +44,16 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 risk_score = 21
 rule_id = "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd"
 severity = "low"
-tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
+tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
 type = "eql"
+building_block_type = "default"
 query = '''
 file where host.os.type == "linux" and event.action == "opened-file" and
 file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not 
 (
-  process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp") or 
-  process.title : "*grep*" or process.parent.pid == 1
+  process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp", "mkinitramfs",
+  "readlink") or process.title : "*grep*" or process.parent.pid == 1
 )
 '''

@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,8 @@ Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc
 unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl 
 configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.
 """
-from = "now-9m"
+from = "now-119m"
+interval = "60m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
@@ -43,13 +44,14 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 risk_score = 21
 rule_id = "7592c127-89fb-4209-a8f6-f9944dfd7e02"
 severity = "low"
-tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
+tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
 type = "eql"
+building_block_type = "default"
 query = '''
 file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
 file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and 
-not process.name in ("auditbeat", "systemd-sysctl")
+not process.name in ("auditbeat", "systemd-sysctl", "dpkg", "dnf", "yum", "rpm", "apt")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/03"
+updated_date = "2023/08/24"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,8 @@ This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and e
 activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about 
 running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets. 
 """
-from = "now-9m"
+from = "now-119m"
+interval = "60m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -41,10 +42,10 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 risk_score = 21
 rule_id = "0787daa6-f8c5-453b-a4ec-048037f6c1cd"
 severity = "low"
-tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
+tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
 type = "threshold"
-
+building_block_type = "default"
 query = '''
 host.os.type : "linux" and event.category : "file" and event.action : "opened-file" and 
 file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : "pidof" and