diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml index 3d4410070..7a7c86e38 100644 --- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml +++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/26" +updated_date = "2023/08/24" [rule] author = ["Elastic"] @@ -24,9 +24,11 @@ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "eql" query = ''' -sequence by host.id, process.parent.executable, user.name with maxspan=1s -[ process where host.os.type == "linux" and event.type == "start" and - event.action == "exec" and process.name == "su" ] with runs=10 +sequence by host.id, process.parent.executable, user.id with maxspan=1s + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and + not process.parent.name in ( + "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server" + )] with runs=10 ''' [[rule.threat]] diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index cf0c62d02..cbd550eb8 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/24" [rule] author = ["Elastic"] 
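Review bot: The new `not process.parent.name in ("bash", "dash", "ash", "sh", ...)` clause in the bruteforce query excludes the parent a scripted `su` loop would normally have, so attempts driven from a shell no longer count toward `runs=10`; only `su` children of non-shell parents remain in scope, and the `clickhouse-server` entry suggests a single noisy parent was the actual trigger. If that narrowing is intended, the description or `false_positives` should state that shell-driven attempts are out of scope; otherwise exclude just the offending parent rather than every shell. Keying the sequence on `user.id` instead of `user.name` is a sound change, since the id is what `su` is actually being tried against.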
@@ -34,7 +34,7 @@ type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and user.name == "root" and process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and - not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*") + not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd") ''' diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 432b50e09..d41d06402 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/24" [rule] author = ["Elastic"] 
@@ -14,20 +14,20 @@ a network and how. Adversaries may remove these files over the course of an intr remove them at the end as part of the post-intrusion cleanup process. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*"] language = "kuery" license = "Elastic License v2" name = "File Deletion via Shred" risk_score = 21 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:shred and - process.args:("-u" or "--remove" or "-z" or "--zero") +event.category:process and host.os.type:linux and event.type:start and process.name:shred and +process.args:("-u" or "--remove" or "-z" or "--zero") and not process.parent.name:logrotate ''' diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index 90956eccf..18b73e23f 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/24" [rule] author = ["Elastic"] 
@@ -37,10 +37,10 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type in ("start", "process_started") and - process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and - process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and - not process.name in ("ls", "find", "grep") +process where host.os.type == "linux" and event.type == "start" and +process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and +process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and +not process.name in ("ls", "find", "grep", "git") ''' diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index 81bcb2b24..c6e6d0744 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/24" [rule] author = ["Elastic"] @@ -25,16 +25,17 @@ language = "eql" license = "Elastic License v2" name = "Kernel Module Removal" references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"] -risk_score = 73 +risk_score = 47 rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef" -severity = "high" +severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.action == "exec" and process.name == "rmmod" or -(process.name == "modprobe" and process.args in ("--remove", "-r")) +(process.name == "modprobe" and process.args in ("--remove", "-r")) and +process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' 
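Review bot: The added `process.parent.name in ("sudo", "bash", ...)` line in the Kernel Module Removal query attaches only to the `modprobe` branch: EQL gives `and` precedence over `or`, so the expression reads `(... and process.name == "rmmod") or (process.name == "modprobe" and process.args in (...) and process.parent.name in (...))`, leaving `rmmod` unconstrained by the parent filter and, as before, the `modprobe` branch unconstrained by `host.os.type` and `event.action`. Parenthesise the name test: `process where host.os.type == "linux" and event.action == "exec" and` / `(process.name == "rmmod" or (process.name == "modprobe" and process.args in ("--remove", "-r"))) and` / `process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")`. Separately, requiring a sudo or shell parent (the kernel module enumeration hunk further down adds the same list) means removals launched by cron, a systemd unit or a non-shell interpreter no longer match, which deserves a sentence in the description.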
diff --git a/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml b/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml index d826f2c2e..858e61c72 100644 --- a/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml +++ b/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "The linux.advanced.capture_env_vars option for Elastic Defend has been introduced in 8.6.0" min_stack_version = "8.6.0" -updated_date = "2023/06/26" +updated_date = "2023/08/25" [rule] author = ["Elastic"] @@ -18,8 +18,9 @@ from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" -name = "Potential Process Injection via LD_PRELOAD Environment Variable" -note = """## Setup +name = "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable" +note = """ This rule was deprecated due to the large amount of false positives and the lack of true positives generated by the rule. +## Setup By default, the `Elastic Defend` integration does not collect environment variable logging. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the `Elastic Defend` integration. ``` Kibana --> 
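Review bot: The rule is marked deprecated only in its `name` and `note`, while the `maturity = "production"` line in the first hunk is unchanged, so the rule still ships and still fires (now at `risk_score = 21`) on a query the note itself says is mostly false positives. If this repository uses `maturity = "deprecated"` for retired rules, that is the field that actually stops the rule from being promoted; otherwise the contradiction between the two fields should be explained in the note. Also, the deprecation sentence sits on the opening line of the multi-line string (`note = """ This rule was deprecated ...`) immediately before `## Setup`, so it renders as an untitled paragraph of the setup text — a `## Deprecation` heading, or at least a blank line, would make it read as its own section.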
@@ -34,68 +35,73 @@ linux.advanced.capture_env_vars After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly. """ references = ["https://www.getambassador.io/resources/code-injection-on-linux-and-macos"] -risk_score = 47 +risk_score = 21 rule_id = "4973e46b-a663-41b8-a875-ced16dda2bb0" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation"] +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Tactic: Privilege Escalation", +] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and - event.action == "exec" and - process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*") +process where host.os.type == "linux" and event.action == "exec" and process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*") ''' [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique]] -name = "Hijack Execution Flow" -id = "T1574" -reference = "https://attack.mitre.org/techniques/T1574/" - -[[rule.threat.technique.subtechnique]] -name = "Dynamic Linker Hijacking" -id = "T1574.006" -reference = "https://attack.mitre.org/techniques/T1574/006/" - [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + 
+[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] -name = "Persistence" id = "TA0003" +name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat.technique]] -name = "Hijack Execution Flow" -id = "T1574" -reference = "https://attack.mitre.org/techniques/T1574/" - -[[rule.threat.technique.subtechnique]] -name = "Dynamic Linker Hijacking" -id = "T1574.006" -reference = "https://attack.mitre.org/techniques/T1574/006/" - [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Privilege Escalation" -id = "TA0004" -reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat.technique]] -name = "Hijack Execution Flow" id = "T1574" +name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" [[rule.threat.technique.subtechnique]] -name = "Dynamic Linker Hijacking" id = "T1574.006" +name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index 6955e3ffa..2e7bfe433 100644 --- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/11" +updated_date = "2023/08/24" [rule] author = ["Elastic"] 
@@ -32,21 +32,19 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: timestamp_override = "event.ingested" type = "eql" query = ''' -process where process.name=="mount" and event.action =="exec" and - process.args: ( "/proc") and process.args: ("-o") and process.args:("*hidepid=2*") and - host.os.type == "linux" +process where host.os.type == "linux" and process.name == "mount" and event.action == "exec" and +process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index 3f705126c..f7f0f9663 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.5.0" -updated_date = "2023/04/11" +updated_date = "2023/08/24" [rule] author = ["Elastic"] @@ -30,8 +30,8 @@ timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and -process.name : ("grep", "egrep", "pgrep") and -process.args : ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem") +process.name in ("grep", "egrep", "pgrep") and +process.args in ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem") ''' 
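Review bot: Switching the argument tests from `:` to `==` makes the `/proc` and `-o` matches exact and case-sensitive, which is fine for those literals, but the query still requires `-o` to be its own argv entry; mount also accepts the option value attached to the flag and the long `--options` spelling, neither of which yields a standalone `-o` token, so those invocations miss even though `process.args : "*hidepid=2*"` would hit. Since the `*hidepid=2*` wildcard already carries the intent, consider dropping the `-o` requirement or widening it to `process.args : ("-o", "-o*", "--options")` (confirm against mount(8) option parsing). The trailing-newline fix and the blank-line cleanup in the threat tables are welcome.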
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index c09801e7e..4c8e1a74a 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/07/31" +updated_date = "2023/08/24" [rule] author = ["Elastic"] @@ -35,7 +35,8 @@ event.category:process and host.os.type:linux and event.type:start and ( (process.name:(lsmod or modinfo)) or (process.name:kmod and process.args:list) or (process.name:depmod and process.args:(--all or -a)) -) and not process.parent.user.id:0 +) and process.parent.name:(sudo or bash or dash or ash or sh or tcsh or csh or zsh or ksh or fish) and +not process.parent.user.id:0 ''' [[rule.threat]] diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index 95dc3fcbf..2f71ae875 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/24" [rule] author = ["Elastic"] 
@@ -20,19 +20,20 @@ false_positives = [ ] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] -language = "kuery" +language = "eql" license = "Elastic License v2" name = "Hping Process Activity" references = ["https://en.wikipedia.org/wiki/Hping"] -risk_score = 73 +risk_score = 47 rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52" -severity = "high" +severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" -type = "query" +type = "eql" query = ''' -event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(hping or hping2 or hping3) +process where host.os.type == "linux" and event.type == "start" +and process.name in ("hping", "hping2", "hping3") ''' diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index 06832b8ee..88a59b40a 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/24" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ ] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] -language = "kuery" +language = "eql" license = "Elastic License v2" name = "Nping Process Activity" references = ["https://en.wikipedia.org/wiki/Nmap"] 
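Review bot: The rewritten Hping query matches only `event.type == "start"` and drops the `process_started` value the KQL version accepted, while `index` still lists `endgame-*` and the tags keep `Data Source: Elastic Endgame`; the old query listing both values suggests `process_started` is the Endgame spelling, so that source is now declared but never matched. Either keep the value (`event.type in ("start", "process_started")`) or drop the Endgame index and tag as the shred rule in this same commit does. The same mismatch is in the Nping hunk below and, if its index still includes `endgame-*`, in the hidden-file `/tmp` hunk above.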
@@ -29,10 +29,10 @@ rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" -type = "query" +type = "eql" query = ''' -event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping +process where host.os.type == "linux" and event.type == "start" and process.name == "nping" ''' diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index 7dd224925..992509bee 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/07/31" +updated_date = "2023/08/24" [rule] author = ["Elastic"] @@ -85,7 +85,8 @@ file.name : ("auditd.pid" or python* or "apport.pid" or "apport.lock" or kworker "acpid.pid" or "unattended-upgrades.lock" or "unattended-upgrades.pid" or "cmd.pid" or "yum.pid" or "netconfig.pid" or "docker.pid" or "atd.pid" or "lfd.pid" or "atop.pid" or "nginx.pid" or "dhclient.pid" or "smtpd.pid" or "stunnel.pid" or "1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid" or "winbindd.pid" or "chronyd.pid") and -not process.name : ("runc" or "ufw" or "snapd" or "snap" or "iptables") +not process.name : ("runc" or "ufw" or "snapd" or "snap" or "iptables" or "libvirtd" or "containerd-shim-runc-v2" or +"ifdown" or "snap-confine" or "ifup" or "dhclient" or "containerd") ''' [[rule.threat]] 
diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index ea2c4d77f..471b8cdc0 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/24" [rule] author = ["Elastic"] @@ -38,15 +38,10 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and - event.action : ("exec", "exec_event") and user.name == "root" and - process.executable : ( - "/dev/shm/*", - "/run/shm/*", - "/var/run/*", - "/var/lock/*" - ) and - not process.executable : ( "/var/run/docker/*") +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +process.executable : ("/dev/shm/*", "/run/shm/*", "/var/run/*", "/var/lock/*") and +not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/*", "/var/run/cloudera-scm-agent/*") and +user.id == "0" ''' diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml index fcf4350fe..ca8469571 100644 --- a/rules/linux/execution_suspicious_executable_running_system_commands.toml +++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4" min_stack_version = "8.4.0" -updated_date = "2023/06/14" +updated_date = "2023/08/24" [rule] author = ["Elastic"] 
@@ -28,19 +28,15 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -host.os.type : "linux" and event.category : "process" and -event.action : ("exec" or "exec_event" or "fork" or "fork_event") and -process.executable : ( +host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and +process.executable:( /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or - /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/* - ) and process.args : ( - "whoami" or "id" or "hostname" or "uptime" or "top" or "ifconfig" or "netstat" or "route" or - "ps" or "pwd" or "ls" - ) and not process.name : ( - "sudo" or "which" or "whoami" or "id" or "hostname" or "uptime" or "top" or "netstat" or "ps" or - "pwd" or "ls" or "apt" or "dpkg" or "yum" or "rpm" or "dnf" or "dockerd" or "snapd" or "snap" - ) + /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*) + and process.args:(whoami or id or hostname or uptime or top or ifconfig or netstat or route or ps or pwd or ls) and + not process.name:(sudo or which or whoami or id or hostname or uptime or top or netstat or ps or pwd or ls or apt or + dpkg or yum or rpm or dnf or dockerd or docker or snapd or snap) and + not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*) ''' [[rule.threat]] diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml index cbf3e0011..7684e471a 100644 --- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml +++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml 
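Review bot: The new `not process.parent.executable:(/bin/* or /usr/bin/* or ...)` clause excludes every process whose parent is any binary in those two directories, which on merged-/usr systems is every shell, script interpreter and coreutil; the rule keeps firing for parents under `/tmp`, `/home`, `/opt` and similar, but no longer for a suspicious executable whose parent is a shell or interpreter, which is a common shape for the activity the `process.executable` list targets. If the noise came from specific parents (`k3s`, the `/etc/network` hooks and `/opt/Elastic` are already named), exclude those rather than the whole of `/bin` and `/usr/bin`, or record the intended scope in the description. Adding `docker` next to `dockerd` in the name exclusion is reasonable.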
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/02" +updated_date = "2023/08/22" [rule] author = ["Elastic"] 
@@ -25,20 +25,18 @@ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"] type = "eql" query = ''' -sequence by host.id, process.entity_id with maxspan=1s - [ file where host.os.type == "linux" and event.type == "change" and - event.action == "rename" and file.extension != "" and - file.path : ( - "/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*" - ) and not - file.extension : ( - "xml", "json", "conf", "dat", "gz", "info", "mod", "final", - "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old" - ) and not - process.name : ( - "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d", - "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy" - ) ] with runs=100 | tail 1 +sequence by host.id, process.entity_id with maxspan=1s + [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" + and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or + (process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and + file.path : ( + "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", + "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not (( + process.name : ( + "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d", + "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git", + "systemsettings", "vmis-launcher")) or file.path : "/etc/selinux/*" or (file.extension in ("qmlc", "txt") + ))] with runs=25 ''' [[rule.threat]] 
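Review bot: The rewritten `file.path` list spells the backup directory `"/var/backup/*"` where the removed lines had `"/var/backups/*"`; Debian-family systems use `/var/backups`, and the glob only wildcards after the slash, so renames under `/var/backups/` no longer match — `"/var/backups/*"` looks like the intended value unless a different distribution's path was meant. The same list with the same spelling is in the ransomware-note hunk below. Also worth confirming: `process.executable : "./*"` presumably never matches if the endpoint records executable paths as absolute, so that entry is inert, and the new shell-or-executable-path precondition puts a renamer installed under `/home` or `/opt` (paths still listed in `file.path`) outside the rule's scope; the description should say so.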
diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index ff51a6926..d9e4f7fd6 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/02" +updated_date = "2023/08/22" [rule] author = ["Elastic"] 
@@ -27,23 +27,20 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s - [ file where host.os.type == "linux" and event.type == "change" and - event.action == "rename" and file.extension != "" and - file.path : ( - "/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*" - ) and not - file.extension : ( - "xml", "json", "conf", "dat", "gz", "info", "mod", "final", - "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old" - ) and not - process.name : ( - "dpkg", "yum", "dnf", "rpm", "dockerd" - ) ] with runs=100 - [ file where host.os.type == "linux" and event.action == "creation" and file.extension == "txt" and - file.name : ( - "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", - "*read*", "*instruction*", "*how_to*", "*ransom*" - ) and not process.name : ("go", "java", "pip*", "python*", "node", "containerd") ] | tail 1 + [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" + and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or + (process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and + file.path : ( + "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", + "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not (( + process.name : ( + "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d", + "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git", + "systemsettings", "vmis-launcher")) or (file.path : "/etc/selinux/*") or (file.extension in ("qmlc", "txt") + ))] with runs=25 + [file where host.os.type == "linux" and event.action == "creation" and file.name : ( + "*crypt*", 
"*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*" + )] ''' [[rule.threat]] diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index e362093a8..69d83bb09 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -3,13 +3,16 @@ creation_date = "2022/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/29" +updated_date = "2023/08/24" integration = ["endpoint"] [rule] author = ["Elastic"] description = """ -Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. +Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize +this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has +either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run +providing long-term persistence. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -36,6 +39,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" @@ -50,4 +54,3 @@ reference = "https://attack.mitre.org/techniques/T1037/004/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index f4ed4950a..003408789 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/24" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ type = "query" query = ''' event.category:file and host.os.type:linux and event.type:change and - process.name:(* and not (dnf or dnf-automatic or dpkg or yum)) and + process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron)) and (file.path:(/usr/bin/scp or /usr/bin/sftp or /usr/bin/ssh or diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index ebb4a34e8..5076f21d3 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/24" integration = ["endpoint"] [rule] 
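Review bot: `anacron` in the extended `process.name` exclusion is unlikely to do anything: anacron only schedules jobs, and a change to `/usr/bin/ssh` and friends is recorded against the process that performed the write (the package manager or script the job ran), whose `process.name` is not `anacron`, so the entry reads as an allowlist for a process that does not write these files. If the false positive that prompted it really carried `process.name:anacron`, that is worth a one-line comment above the query; otherwise name the writing process instead. The `file.path` list continues beyond the hunk.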
@@ -32,9 +32,9 @@ type = "eql"
 query = '''
 file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*",
-"/usr//lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd",
+"/usr/lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd",
 "*/snapd", "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd",
-"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension == "swp"
+"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension in ("swp", "swpx", "tmp")
 '''
 [[rule.threat]]
diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml
index 451c49a41..28f0aa8c2 100644
--- a/rules/linux/persistence_init_d_file_creation.toml
+++ b/rules/linux/persistence_init_d_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/21"
 [transform]
 [[transform.osquery]]
@@ -132,7 +132,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and
-file.path : /etc/init.d/* and not process.name : ("dpkg" or "dockerd" or "rpm" or "chef-client" or "apk" or "yum" or
+file.path : /etc/init.d/* and not process.name : ("dpkg" or "dockerd" or "rpm" or "dnf" or "chef-client" or "apk" or "yum" or
 "rpm" or "vmis-launcher" or "exe") and not file.extension : ("swp" or "swx")
 '''
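Review bot: The new `not file.extension in ("swp", "swpx", "tmp")` on the last `+` line exempts `.tmp` files, but this rule only matches `creation` / `file_create_event`, so a file written under a `.tmp` name and then renamed into `/etc/cron.d/` or `/etc/systemd/system/` is now seen neither at creation (excluded) nor at the rename (not matched). The init.d rule touched in this same commit already watches `"rename" or "file_rename_event"` through `event.action`; matching the rename actions here in the same way would keep the editor-swap exemption without losing the final file, assuming the endpoint reports renames into these paths as it does for `/etc/init.d`. The `/usr//lib` path fix on the first `+` line is a real coverage gain and worth a line in the commit message.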
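Review bot: `"rpm"` appears twice in the `process.name` exclusion of the init.d hunk — once after `"dockerd"` on the `+` line and again at the start of the following context line — and since the commit already edits this list to add `"dnf"`, the duplicate can go at the same time by starting that next line with `"vmis-launcher" or "exe")`. Purely cosmetic, the new_terms query evaluates the same either way.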
diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml
index fb12391ca..dc8d1178c 100644
--- a/rules/linux/persistence_insmod_kernel_module_load.toml
+++ b/rules/linux/persistence_insmod_kernel_module_load.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/24"
 integration = ["endpoint"]
 [rule]
@@ -27,8 +27,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and
- process.executable : "/usr/sbin/insmod" and process.args : "*.ko"
+process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko"
 '''
 [[rule.threat]]
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index 3af88a646..e6bafa17e 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/24"
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,8 @@ file where host.os.type == "linux" and event.type != "deletion" and "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*", "/etc/xdg/autostart/*", "/usr/share/autostart/*" ) and
- not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic")
+ not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd",
+ "rpm")
 '''
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
index c40b76ac2..fa4df3ba2 100644
--- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/20"
+updated_date = "2023/08/24"
 [transform]
 [[transform.osquery]]
@@ -122,7 +122,8 @@ event.action in ("exec", "exec_event") and process.parent.executable : ( "*/bin/catalina.sh" ) and process.name : ("*sh", "python*", "perl", "php*", "tmux") and
-process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")
+process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") and
+not process.name == "phpquery"
 '''
 [[rule.threat]]
diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml
index 35a00361d..abe18dc01 100644
--- a/rules/linux/persistence_message_of_the_day_execution.toml
+++ b/rules/linux/persistence_message_of_the_day_execution.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/21"
 [transform]
 [[transform.osquery]]
@@ -128,7 +128,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "nc", "ncat",
-"netcat", "socat", "lua", "java", "openssl", "ruby", "telnet", "awk")
+"netcat", "socat", "lua", "java", "openssl", "ruby", "telnet")
 '''
 [[rule.threat]]
diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml
index f9ada63da..7dd978579 100644
--- a/rules/linux/persistence_rc_script_creation.toml
+++ b/rules/linux/persistence_rc_script_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/21"
 [transform]
 [[transform.osquery]]
@@ -111,7 +111,7 @@ type = "new_terms"
 query = '''
 host.os.type : "linux" and event.category : "file" and event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and
-file.path : "/etc/rc.local" and not process.name : ("dockerd" or "yum" or "rpm" or "dpkg") and not file.extension : ("swp" or "swx")
+file.path : "/etc/rc.local" and not process.name : ("dockerd" or "docker" or "dnf" or "yum" or "rpm" or "dpkg") and not file.extension : ("swp" or "swx")
 '''
 [[rule.threat]]
diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml
index 7e97d9bd9..9591ef154 100644
--- a/rules/linux/persistence_systemd_scheduled_timer_created.toml
+++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml
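Review bot: Dropping `"awk"` from the `process.name` list on the `+` line of the message-of-the-day hunk removes that interpreter from the rule's coverage entirely rather than exempting the benign case. If the false positives came from the update-motd scripts themselves formatting output through awk, keeping `"awk"` and adding a narrower exclusion for that pattern (on `process.args` or the calling script) would preserve the detection for other invocations; if it was removed because awk under these parents is always noise, a one-line `false_positives` note would record that for the next maintainer. The enclosing query starts outside the hunk.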
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/21"
 [transform]
 [[transform.osquery]]
@@ -141,8 +141,7 @@ type = "new_terms"
 query = '''
 host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or
-/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not
-process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/proc/self/exe" or "/usr/sbin/dockerd")
+/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : ("docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor")
 '''
 [[rule.threat]]
diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
index ae4eedd53..2cb3742af 100644
--- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
+++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/27"
+updated_date = "2023/08/24"
 [rule]
 author = ["Elastic"]
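Review bot: The `+` line of the systemd-timer hunk replaces path-anchored exclusions (`/usr/bin/dpkg`, `/bin/rpm`, `/usr/sbin/dockerd`, …) with a bare `process.name` list, and that list includes `"executor"`, a generic basename that is presumably meant for the kaniko executor which the etc-file rule in this same commit pins as `"/kaniko/executor"`. A basename match gives far less assurance than the full path it replaces — any process with that name in any location is now exempt — so keeping `process.executable` with the known paths, or at least `"/kaniko/executor"` for the executor case, preserves the tightness the rule had; the same name-only pattern is introduced in the kde-autostart, rc.local, modprobe and sysctl hunks of this commit. The old `"/proc/self/exe"` exemption is also gone; if that is deliberate it deserves a word in the commit message, because whatever produced those events before will alert again.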
@@ -44,7 +44,8 @@ event.type == "start" and process.name == "ln" and (process.args : ("/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.weekly/*", "/etc/cron.monthly/*")) or (process.args : ("/home/*/.ssh/*", "/root/.ssh/*","/etc/sudoers.d/*", "/dev/shm/*")) ) and
-not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
+ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
+ not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
 '''
 [[rule.threat]]
diff --git a/rules/linux/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
similarity index 95%
rename from rules/linux/discovery_kernel_module_enumeration_via_proc.toml
rename to rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
index 617b7f1e5..22574493f 100644
--- a/rules/linux/discovery_kernel_module_enumeration_via_proc.toml
+++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/24"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,8 @@ false_positives = [ by ordinary users is uncommon. These can be exempted by process name or username. """, ]
-from = "now-9m"
+from = "now-119m"
+interval = "60m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
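Review bot: The added `process.parent.name in ("bash", …, "fish")` on the first `+` line of the symbolic-link hunk makes a shell parent a precondition for the whole rule, so an `ln` spawned by any other parent (an interpreter, a cron job, a service) is no longer evaluated against the cron, ssh and sudoers paths at all. If the goal was to cut noise from one specific non-shell parent, an explicit `not process.parent.name in (...)` for that parent keeps the broader coverage; if the narrowing is intentional, the rule `description` or `false_positives` should state that the detection is limited to shell-launched `ln`, since nothing in the file currently says so. The enclosing query starts outside the hunk.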
@@ -44,9 +45,10 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 risk_score = 21
 rule_id = "80084fa9-8677-4453-8680-b891d3c0c778"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
 type = "eql"
+building_block_type = "default"
 query = '''
 file where host.os.type == "linux" and event.action == "opened-file" and file.path == "/proc/modules" and not (
diff --git a/rules/linux/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml
similarity index 92%
rename from rules/linux/discovery_linux_modprobe_enumeration.toml
rename to rules_building_block/discovery_linux_modprobe_enumeration.toml
index 530d983ab..5e2688a6b 100644
--- a/rules/linux/discovery_linux_modprobe_enumeration.toml
+++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/24"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,8 @@ manipulation of critical kernel modules. Attackers may tamper with the modprobe kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system. """
-from = "now-9m"
+from = "now-119m"
+interval = "60m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
@@ -43,15 +44,16 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 risk_score = 21
 rule_id = "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd"
 severity = "low"
-tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
+tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
 type = "eql"
+building_block_type = "default"
 query = '''
 file where host.os.type == "linux" and event.action == "opened-file" and file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not (
- process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp") or
- process.title : "*grep*" or process.parent.pid == 1
+ process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp", "mkinitramfs",
+ "readlink") or process.title : "*grep*" or process.parent.pid == 1
 )
 '''
diff --git a/rules/linux/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml
similarity index 93%
rename from rules/linux/discovery_linux_sysctl_enumeration.toml
rename to rules_building_block/discovery_linux_sysctl_enumeration.toml
index 9929e3079..24fc90046 100644
--- a/rules/linux/discovery_linux_sysctl_enumeration.toml
+++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/31"
+updated_date = "2023/08/24"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,8 @@ Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security. """
-from = "now-9m"
+from = "now-119m"
+interval = "60m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
@@ -43,13 +44,14 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 risk_score = 21
 rule_id = "7592c127-89fb-4209-a8f6-f9944dfd7e02"
 severity = "low"
-tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
+tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
 type = "eql"
+building_block_type = "default"
 query = '''
 file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and
-not process.name in ("auditbeat", "systemd-sysctl")
+not process.name in ("auditbeat", "systemd-sysctl", "dpkg", "dnf", "yum", "rpm", "apt")
 '''
 [[rule.threat]]
diff --git a/rules/linux/discovery_suspicious_proc_enumeration.toml b/rules_building_block/discovery_suspicious_proc_enumeration.toml
similarity index 96%
rename from rules/linux/discovery_suspicious_proc_enumeration.toml
rename to rules_building_block/discovery_suspicious_proc_enumeration.toml
index 43ff71874..9a8342266 100644
--- a/rules/linux/discovery_suspicious_proc_enumeration.toml
+++ b/rules_building_block/discovery_suspicious_proc_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/03"
+updated_date = "2023/08/24"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,8 @@ This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and e activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets. """
-from = "now-9m"
+from = "now-119m"
+interval = "60m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -41,10 +42,10 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 risk_score = 21
 rule_id = "0787daa6-f8c5-453b-a4ec-048037f6c1cd"
 severity = "low"
-tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
+tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
 type = "threshold"
-
+building_block_type = "default"
 query = '''
 host.os.type : "linux" and event.category : "file" and event.action : "opened-file" and file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : "pidof" and