[Tuning] Linux Cross-Platform Tuning - Part 1 (#3468)

* [Tuning] Linux Cross-Platform Tuning - Part 1 * Update defense_evasion_deletion_of_bash_command_line_history.toml * Update defense_evasion_deletion_of_bash_command_line_history.toml * Update defense_evasion_deletion_of_bash_command_line_history.toml * Update defense_evasion_deletion_of_bash_command_line_history.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-03-07 18:20:55 +01:00
parent 9c4ba4559d
commit a438052ff3
3 changed files with 31 additions and 18 deletions
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/04"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/02/22"

 [rule]
 author = ["Elastic"]
@@ -13,10 +13,10 @@ Adversaries may attempt to clear or disable the Bash command-line history in an
 investigations.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Tampering of Bash Command-Line History"
+name = "Tampering of Shell Command-Line History"
 risk_score = 47
 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
 setup = """
@@ -28,12 +28,21 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "OS: macOS",
+        "Use Case: Threat Detection",
+        "Tactic: Defense Evasion",
+        "Data Source: Elastic Defend",
+        "Data Source: Elastic Endgame",
+        "Data Source: Auditd Manager"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and
+process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
 (
  ((process.args : ("rm", "echo") or
    (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or
@@ -47,22 +56,20 @@ process where event.type in ("start", "process_started") and
 )
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1070.003"
 name = "Clear Command History"
 reference = "https://attack.mitre.org/techniques/T1070/003/"

-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/12/18"
+updated_date = "2024/02/22"

 [rule]
 author = ["Elastic"]
@@ -80,7 +80,11 @@ type = "new_terms"

 query = '''
 event.category:process and event.type:("start" or "process_started") and process.parent.name:"java" and process.name:(
-  "sh" or "bash" or "dash" or "ksh" or "tcsh" or "zsh" or "curl" or "wget"
+  bash or dash or sh or tcsh or csh or zsh or ksh or fish or python* or php* or perl or ruby or lua* or openssl or
+  nc or netcat or ncat or telnet or awk or socat or wget or curl
+) and process.args :(
+  whoami or id or uname or cat or hostname or ip or curl or wget or pwd or ls or cd or python* or php* or perl or
+  ruby or lua* or openssl or nc or netcat or ncat or telnet or awk or socat
 )
 '''

@@ -104,7 +108,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"

 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.command_line", "process.parent.command_line"]
+value = ["host.id", "process.command_line"]

 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/09/22"
+updated_date = "2024/02/22"

 [rule]
 author = ["Elastic"]
@@ -30,7 +30,6 @@ tags = ["Domain: Endpoint",
        ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 event.category:file and event.type:(change or creation) and
 file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and
@@ -46,7 +45,10 @@ event.category:file and event.type:(change or creation) and
              /usr/bin/touch or
              /var/lib/docker/* or
              /usr/bin/google_guest_agent or 
-              /opt/jc/bin/jumpcloud-agent)
+              /opt/jc/bin/jumpcloud-agent or 
+              /opt/puppetlabs/puppet/bin/puppet or
+              /usr/bin/chef-client
+)
 '''

 [[rule.threat]]
@@ -97,8 +99,8 @@ reference = "https://attack.mitre.org/tactics/TA0008/"

 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.executable", "file.path"]
+value = ["host.id", "process.executable"]

 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-10d"