From a2dbfff31b9776b0530f900b3090958e565d48c3 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Fri, 20 May 2022 11:10:56 -0400
Subject: [PATCH] [Rule tuning] add support for osx, zsh, and expand tampering techniques (#1974)
* add support for osx, zsh, and expand tampering techniques
* migrate to cross-platform and add macOS tag
(cherry picked from commit 77966473d13a8c01b135659f0939901355daeea6)
---
 ..._evasion_deletion_of_bash_command_line_history.toml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
 rename rules/{linux => cross-platform}/defense_evasion_deletion_of_bash_command_line_history.toml (74%)
diff --git a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
similarity index 74%
rename from rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
rename to rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
index 6a15df20d..59c0890dc 100644
--- a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/04"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/05/16"
 
 [rule]
 author = ["Elastic"]
@@ -21,14 +21,18 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where event.type in ("start", "process_started") and
 (
- (process.args : ("rm", "echo") and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history")) or
+ ((process.args : ("rm", "echo") or
+ (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or
+ (process.args : "truncate" and process.args : "-s0"))
+ and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history",
+ ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or
 (process.name : "history" and process.args : "-c") or
 (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
 (process.args : "unset" and process.args : "HISTFILE") or
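Review bot: The new `ln` and `truncate` branches only match one spelling of each flag (`-sf`, `-s0`), so `ln -fs`, `ln -s -f`, `truncate -s 0` and `truncate --size=0` against the same history file slip past the rule even though they tamper with it identically. A tighter form is `(process.args : "ln" and process.args : ("-sf", "-fs", "-s") and process.args : "/dev/null") or` and `(process.args : "truncate" and (process.args : ("-s0", "--size=0") or (process.args : ("-s", "--size") and process.args : "0")))`. The macOS expansion adds `/Users/*` paths but root's home on macOS is `/var/root`, not `/root`, so `"/var/root/.bash_history", "/var/root/.zsh_history"` should be added to the path list for the new tag to be accurate. The query string continues past the end of this hunk.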