diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml index 2abe70f7c..cc6cd22ad 100644 --- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml +++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/04" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -13,10 +13,10 @@ Adversaries may attempt to clear or disable the Bash command-line history in an investigations. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" -name = "Tampering of Bash Command-Line History" +name = "Tampering of Shell Command-Line History" risk_score = 47 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba" setup = """ @@ -28,12 +28,21 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type in ("start", "process_started") and +process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and ( ((process.args : ("rm", "echo") or (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or @@ -47,22 +56,20 @@ process where event.type in ("start", "process_started") and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.003" name = "Clear Command History" reference = "https://attack.mitre.org/techniques/T1070/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml index 086c47d83..1eea44315 100644 --- a/rules/cross-platform/execution_suspicious_jar_child_process.toml +++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/12/18" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -80,7 +80,11 @@ type = "new_terms" query = ''' event.category:process and event.type:("start" or "process_started") and process.parent.name:"java" and process.name:( - "sh" or "bash" or "dash" or "ksh" or "tcsh" or "zsh" or "curl" or "wget" + bash or dash or sh or tcsh or csh or zsh or ksh or fish or python* or php* or perl or ruby or lua* or openssl or + nc or netcat or ncat or telnet or awk or socat or wget or curl +) and process.args :( + whoami or id or uname or cat or hostname or ip or curl or wget or pwd or ls or cd or python* or php* or perl or + ruby or lua* or openssl or nc or netcat or ncat or telnet or awk or socat ) ''' @@ -104,7 +108,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.command_line", "process.parent.command_line"] +value = ["host.id", "process.command_line"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml index 3ad311540..af9946d38 100644 --- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml +++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/22" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -30,7 +30,6 @@ tags = ["Domain: Endpoint", ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' event.category:file and event.type:(change or creation) and file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and @@ -46,7 +45,10 @@ event.category:file and event.type:(change or creation) and /usr/bin/touch or /var/lib/docker/* or /usr/bin/google_guest_agent or - /opt/jc/bin/jumpcloud-agent) + /opt/jc/bin/jumpcloud-agent or + /opt/puppetlabs/puppet/bin/puppet or + /usr/bin/chef-client +) ''' [[rule.threat]] @@ -97,8 +99,8 @@ reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.executable", "file.path"] +value = ["host.id", "process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" +value = "now-10d"