From a7ff449fbc89207a88c962cc148609f355d5586b Mon Sep 17 00:00:00 2001 
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Thu, 3 Aug 2023 15:25:33 +0200 Subject: [PATCH] [Rule Tuning] Some Tunings of several 8.9 rules (#2985) * [Rule Tuning] Doing some quick tunings * updated_date bump * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_sysctl_enumeration.toml * Update rules/linux/persistence_init_d_file_creation.toml * Update rules/linux/persistence_rc_script_creation.toml * Update rules/linux/persistence_shared_object_creation.toml * deprecate rule * deprecate rule * Update execution_abnormal_process_id_file_created.toml * Update discovery_kernel_module_enumeration_via_proc.toml * Update discovery_linux_modprobe_enumeration.toml * Update execution_remote_code_execution_via_postgresql.toml * Update discovery_potential_syn_port_scan_detected.toml * Added 2 tunings, sorry I missed those.. * One more tune * Update discovery_suspicious_proc_enumeration.toml --- ...ction_attempt_by_non_ssh_root_session.toml | 5 +-- ...work_activity_from_unknown_executable.toml | 10 +++--- .../discovery_kernel_module_enumeration.toml | 31 +++++++++++-------- ...ry_kernel_module_enumeration_via_proc.toml | 18 +++++------ .../discovery_linux_modprobe_enumeration.toml | 17 +++++----- .../discovery_linux_sysctl_enumeration.toml | 5 +-- ...discovery_suspicious_proc_enumeration.toml | 11 ++++--- ...tion_abnormal_process_id_file_created.toml | 11 ++++--- ..._remote_code_execution_via_postgresql.toml | 11 ++++--- ...tial_linux_ransomware_file_encryption.toml | 14 ++++----- ...ential_linux_ransomware_note_detected.toml | 13 ++++---- .../linux/persistence_cron_job_creation.toml | 7 +++-- .../persistence_init_d_file_creation.toml | 6 ++-- ...rsistence_message_of_the_day_creation.toml | 5 +-- ...sistence_message_of_the_day_execution.toml | 5 +-- .../linux/persistence_rc_script_creation.toml | 4 +-- 
.../persistence_shared_object_creation.toml | 4 +-- ...tence_systemd_scheduled_timer_created.toml | 4 +-- .../persistence_systemd_service_creation.toml | 5 +-- ...n_load_and_unload_of_kernel_via_kexec.toml | 6 ++-- ...very_potential_network_sweep_detected.toml | 15 ++++----- ...iscovery_potential_port_scan_detected.toml | 15 ++++----- ...very_potential_syn_port_scan_detected.toml | 15 ++++----- 23 files changed, 128 insertions(+), 109 deletions(-) rename rules/{linux => _deprecated}/command_and_control_connection_attempt_by_non_ssh_root_session.toml (97%) diff --git a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml b/rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session.toml similarity index 97% rename from rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml rename to rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session.toml index f8aa06253..df76e6ea9 100644 --- a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml +++ b/rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session.toml @@ -1,10 +1,11 @@ [metadata] creation_date = "2022/05/16" +deprecation_date = "2023/07/31" integration = ["endpoint"] -maturity = "production" +maturity = "deprecated" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/31" [rule] author = ["Elastic"] diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml index 3efda02b8..0df4316f2 100644 --- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/06/22" +updated_date = "2023/07/31" [rule] author = ["Elastic"] @@ -88,15 +88,14 @@ and source.ip : ( "FF00::/8") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" @@ -105,8 +104,7 @@ reference = "https://attack.mitre.org/tactics/TA0011/" [rule.new_terms] field = "new_terms_fields" value = ["destination.ip", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-2d" - - +value = "now-7d" diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index b80211b64..c09801e7e 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -2,9 +2,9 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/07/31" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ false_positives = [ ] from = "now-9m" index = ["logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Enumeration of Kernel Modules" risk_score = 47 
@@ -29,27 +29,32 @@ rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"] timestamp_override = "event.ingested" -type = "eql" - +type = "new_terms" query = ''' -process where host.os.type == "linux" and event.type == "start" and -((process.name == "kmod" and process.args == "list") or (process.name == "modinfo" and process.parent.user.id != "0") or -(process.name == "depmod" and process.args in ("--all", "-a") and process.parent.user.id != "0") -or process.name == "lsmod") and not process.parent.name : ("vboxmanage", "virtualbox", "prime-offload", "vboxdrv.sh") and not -process.group_leader.name : "qualys-cloud-agent" +event.category:process and host.os.type:linux and event.type:start and ( + (process.name:(lsmod or modinfo)) or + (process.name:kmod and process.args:list) or + (process.name:depmod and process.args:(--all or -a)) +) and not process.parent.user.id:0 ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] + id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[rule.new_terms] +field = "new_terms_fields" +value = ["process.parent.name", "host.id"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/linux/discovery_kernel_module_enumeration_via_proc.toml b/rules/linux/discovery_kernel_module_enumeration_via_proc.toml index e9bebd37c..617b7f1e5 100644 --- a/rules/linux/discovery_kernel_module_enumeration_via_proc.toml +++ b/rules/linux/discovery_kernel_module_enumeration_via_proc.toml 
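Review bot: The rewritten KQL applies `not process.parent.user.id:0` to every branch, whereas the EQL version only demanded a non-root parent for `modinfo` and `depmod`, so `lsmod` and `kmod list` launched from a root-owned parent no longer feed the New Terms baseline at all; if that narrowing is intended it should be recorded in `false_positives` or the rule note, since `min_stack_comments` only explains the 8.6 bump. The `vboxmanage`/`virtualbox`/`prime-offload`/`vboxdrv.sh` parent exclusions and the `qualys-cloud-agent` group-leader exclusion are dropped without replacement; presumably the `process.parent.name` new-terms field is meant to absorb them, but that only holds once the 14-day history window has seen each of them on each `host.id`. Style: the hunk inserts the blank line between `[[rule.threat.technique]]` and `id = "T1082"`; the other rules in this patch put it before the header, after `framework = "MITRE ATT&CK"`.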
@@ -4,7 +4,7 @@ integration = ["auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/12" +updated_date = "2023/07/31" [rule] author = ["Elastic"] @@ -41,29 +41,29 @@ For this detection rule to trigger, the following additional audit rules are req ``` Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. """ -risk_score = 47 +risk_score = 21 rule_id = "80084fa9-8677-4453-8680-b891d3c0c778" -severity = "medium" +severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"] timestamp_override = "event.ingested" type = "eql" - query = ''' -file where host.os.type == "linux" and event.action == "opened-file" and -file.path == "/proc/modules" and not process.parent.pid == 1 +file where host.os.type == "linux" and event.action == "opened-file" and file.path == "/proc/modules" and not +( + process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "SchedulerRunner", "grep") or + process.parent.pid == 1 or process.title : "*grep*" +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_linux_modprobe_enumeration.toml b/rules/linux/discovery_linux_modprobe_enumeration.toml index 23615e264..530d983ab 100644 --- a/rules/linux/discovery_linux_modprobe_enumeration.toml +++ b/rules/linux/discovery_linux_modprobe_enumeration.toml 
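Review bot: The new `process.name in (...)` allow-list (including `grep`, `SchedulerRunner` and the whole kmod tool family) and the `process.title : "*grep*"` clause carry no rationale in the rule, and both fields derive from values a process controls (its executable basename and its command line), so this is a trust decision worth recording; a `false_positives` entry naming the benign sources that produced these hits would let the next tuner verify rather than guess. Note also that EQL `in` is case-sensitive while `:` is not, so `SchedulerRunner` must match the exact casing in the data whereas the `*grep*` title match is case-insensitive — add a comment if that asymmetry is deliberate. The severity drop to `low`/21 in the same section compounds the narrowing; consider whether both changes were needed.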
@@ -4,15 +4,15 @@ integration = ["auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/06" +updated_date = "2023/07/31" [rule] author = ["Elastic"] description = """ -Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized -access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or -unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities -within the system. +Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or +manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized +kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the +system. """ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] @@ -47,9 +47,12 @@ tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"] timestamp_override = "event.ingested" type = "eql" query = ''' -file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and +file where host.os.type == "linux" and event.action == "opened-file" and file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not -(process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod") or process.title : ("*grep*") or process.parent.pid == 1) +( + process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp") or + process.title : "*grep*" or process.parent.pid == 1 +) ''' [[rule.threat]] 
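Review bot: The query hunk narrows `event.action` from `in ("opened-file", "read-file", "wrote-to-file")` to `== "opened-file"` and adds `cp` to the excluded process names, but the reflowed description in the first hunk still says the rule catches attackers who "tamper with the modprobe files"; with the write-oriented actions gone and `cp` excluded, a file placed under `/etc/modprobe.d/` by `cp` is no longer in scope, so either reword the description to read/enumeration access or reconsider the `cp` entry. A `false_positives` entry naming the `dpkg`/`cp` activity that motivated the change would also help. The description reflow itself is wording-only and fine.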
diff --git a/rules/linux/discovery_linux_sysctl_enumeration.toml b/rules/linux/discovery_linux_sysctl_enumeration.toml
index 8ba133148..9929e3079 100644
--- a/rules/linux/discovery_linux_sysctl_enumeration.toml
+++ b/rules/linux/discovery_linux_sysctl_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/06"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -48,7 +48,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
-file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and not process.name == "auditbeat"
+file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and
+not process.name in ("auditbeat", "systemd-sysctl")
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/discovery_suspicious_proc_enumeration.toml b/rules/linux/discovery_suspicious_proc_enumeration.toml
index 317694ca4..43ff71874 100644
--- a/rules/linux/discovery_suspicious_proc_enumeration.toml
+++ b/rules/linux/discovery_suspicious_proc_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/09"
+updated_date = "2023/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -38,16 +38,17 @@ For this detection rule to trigger, the following additional audit rules are req Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. """ -risk_score = 47 +risk_score = 21 rule_id = "0787daa6-f8c5-453b-a4ec-048037f6c1cd" -severity = "medium" +severity = "low" tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"] timestamp_override = "event.ingested" type = "threshold" query = ''' host.os.type : "linux" and event.category : "file" and event.action : "opened-file" and -file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.parent.pid : 1 +file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : "pidof" and +not process.parent.pid : 1 ''' [[rule.threat]] @@ -72,4 +73,4 @@ field = ["host.id", "process.pid", "process.name"] value = 1 [[rule.threshold.cardinality]] field = "file.path" -value = 25 +value = 100 diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index 9d5a699de..7dd224925 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/06/22" +updated_date = "2023/07/31" [rule] author = ["Elastic"] 
@@ -80,11 +80,12 @@ type = "new_terms" query = ''' host.os.type : "linux" and event.category : "file" and event.action : ("creation" or "file_create_event") and -user.id : "0" and file.path : (/var/run/* or /run/*) and file.extension : ("pid" or "lock" or "reboot") and not -file.name : ("auditd.pid" or "python*" or "apport.pid" or "apport.lock" or "kworker*" or "gdm3.pid" or "sshd.pid" or +user.id : "0" and file.extension : ("pid" or "lock" or "reboot") and file.path : (/var/run/* or /run/*) and not +file.name : ("auditd.pid" or python* or "apport.pid" or "apport.lock" or kworker* or "gdm3.pid" or "sshd.pid" or "acpid.pid" or "unattended-upgrades.lock" or "unattended-upgrades.pid" or "cmd.pid" or "yum.pid" or "netconfig.pid" or "docker.pid" or "atd.pid" or "lfd.pid" or "atop.pid" or "nginx.pid" or "dhclient.pid" or "smtpd.pid" or "stunnel.pid" or -"1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid") +"1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid" or "winbindd.pid" or "chronyd.pid") and +not process.name : ("runc" or "ufw" or "snapd" or "snap" or "iptables") ''' [[rule.threat]] @@ -106,4 +107,4 @@ value = ["process.executable", "file.path"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" +value = "now-14d" diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index f74edf64e..1add706fc 100644 --- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/20" +updated_date = "2023/07/31" [rule] author = ["Elastic"] 
@@ -20,15 +20,18 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Code Execution via Postgresql" -risk_score = 73 +risk_score = 47 rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e" -severity = "high" +severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] type = "eql" query = ''' process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and -event.type == "start" and user.name == "postgres" and (process.parent.args : "*sh" or process.args : "*sh") +event.type == "start" and user.name == "postgres" and ( + (process.parent.args : "*sh" and process.parent.args : "echo*") or + (process.args : "*sh" and process.args : "echo*") +) and not process.parent.name : "puppet" ''' [[rule.threat]] diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml index 5a9a2eee0..cbf3e0011 100644 --- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml +++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/15" +updated_date = "2023/08/02" [rule] author = ["Elastic"] @@ -19,9 +19,9 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Suspicious File Changes Activity Detected" -risk_score = 73 +risk_score = 47 rule_id = "28738f9f-7427-4d23-bc69-756708b5f624" -severity = "high" +severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"] type = "eql" query = ''' 
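Review bot: The new query only fires when the argument list that carries the `*sh` value also contains an argument starting with `echo`, i.e. `(process.parent.args : "*sh" and process.parent.args : "echo*")` and the parallel `process.args` pair; that is a far narrower contract than the rule name "Potential Code Execution via Postgresql" implies, and neither the hunk nor the commit message records why `echo` is the discriminator. If the goal was to cut shell noise under the `postgres` user, state the intent in `false_positives` or the rule note so a later tuner does not widen it back blindly, and consider whether the lowered `risk_score`/`severity` in the same hunk would have been enough on its own. Because each `:` clause matches any element of the args array, the `echo*` argument need not be the one that names the shell — worth a comment if that looseness is intended.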
@@ -36,20 +36,20 @@ sequence by host.id, process.entity_id with maxspan=1s "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old" ) and not process.name : ( - "dpkg", "yum", "dnf", "rpm", "dockerd" + "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d", + "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy" ) ] with runs=100 | tail 1 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" - [rule.threat.tactic] id = "TA0040" name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index b7fa43d55..ff51a6926 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/15" +updated_date = "2023/08/02" [rule] author = ["Elastic"] @@ -20,9 +20,9 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Ransomware Note Creation Detected" -risk_score = 73 +risk_score = 47 rule_id = "c8935a8b-634a-4449-98f7-bb24d3b2c0af" -severity = "high" +severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"] type = "eql" query = ''' 
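Review bot: The extended `not process.name : (...)` list now excludes `python*`, `java`, `node`, `php`, `go` and `pip*`, i.e. the general-purpose interpreters that mass-file-modification tooling, including ransomware scripts, is commonly written in, so the sequence rule skips exactly the process names it is most likely to see in a real incident; the same interpreter exclusion is added to `impact_potential_linux_ransomware_note_detected.toml` in the next hunk. If the noise came from specific installers (pip/conda/npm writing many files at once), scoping those entries by `process.parent.name` or `process.args` would remove the false positives without blanket-excluding the interpreters, and the `false_positives` array should name the workloads that produced them. The trailing-newline fix on the last `reference` line is fine.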
@@ -43,19 +43,18 @@ sequence by host.id, process.entity_id with maxspan=1s file.name : ( "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*" - ) ] | tail 1 + ) and not process.name : ("go", "java", "pip*", "python*", "node", "containerd") ] | tail 1 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" - [rule.threat.tactic] id = "TA0040" name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml index bf1d58d5c..25060c71c 100644 --- a/rules/linux/persistence_cron_job_creation.toml +++ b/rules/linux/persistence_cron_job_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" min_stack_version = "8.6.0" -updated_date = "2023/06/09" +updated_date = "2023/07/31" [rule] author = ["Elastic"] @@ -31,8 +31,9 @@ type = "new_terms" query = ''' host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or -/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /var/spool/cron/* or /usr/sbin/cron or /usr/sbin/anacron) -and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd") or file.extension : "swp") +/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) +and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "5") or +file.extension : ("swp" or "swx")) ''' [[rule.threat]] 
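Review bot: `/var/spool/cron/*` is removed from the `file.path` list in the cron hunk, which drops per-user crontabs (`crontab -e` writes under that spool) from the rule and leaves only the `/etc/cron*` system locations; neither the hunk nor the commit message says whether that is an intentional scope cut, and the rule description (outside this hunk) may still claim user-crontab coverage. If the spool was removed for noise, keeping it and excluding the `crontab` process name would preserve the coverage; either way add a `false_positives` entry. The new name exclusions `"exe"` and `"5"` also lack a comment saying which benign process carries those names.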
diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml
index b972add3e..451c49a41 100644
--- a/rules/linux/persistence_init_d_file_creation.toml
+++ b/rules/linux/persistence_init_d_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/20"
+updated_date = "2023/07/31"
 
 [transform]
 [[transform.osquery]]
@@ -132,8 +132,8 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and
-file.path : /etc/init.d/* and not process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not
-file.extension : "swp"
+file.path : /etc/init.d/* and not process.name : ("dpkg" or "dockerd" or "rpm" or "chef-client" or "apk" or "yum" or
+"rpm" or "vmis-launcher" or "exe") and not file.extension : ("swp" or "swx")
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml
index 6c41eef9c..1aa9ecf08 100644
--- a/rules/linux/persistence_message_of_the_day_creation.toml
+++ b/rules/linux/persistence_message_of_the_day_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/20"
+updated_date = "2023/07/31"
 
 [transform]
 [[transform.osquery]]
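Review bot: The new `process.name` exclusion list in the init.d hunk contains `"rpm"` twice (`... or "rpm" or "chef-client" or "apk" or "yum" or "rpm" or ...`); drop one occurrence. The hunk also switches from `process.executable` full paths (`/usr/bin/dpkg`, `/bin/rpm`) to bare `process.name`, which any binary satisfies by its filename alone wherever it lives — a broader allow-list than before; if the path form was abandoned because distributions place these binaries in different directories, the `false_positives` entry should say so. Suggested replacement for the second added line: `"vmis-launcher" or "exe") and not file.extension : ("swp" or "swx")` with the first line ending `... or "apk" or "yum" or`.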
@@ -126,7 +126,8 @@ type = "new_terms" query = ''' host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not -process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not file.extension : "swp" +process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/kaniko/executor") and not +file.extension : ("swp" or "swx") ''' [[rule.threat]] diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index 2babdec17..35a00361d 100644 --- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/20" +updated_date = "2023/07/31" [transform] [[transform.osquery]] @@ -127,7 +127,8 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and -process.executable : ("*sh", "python*", "perl", "php*") +process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "nc", "ncat", +"netcat", "socat", "lua", "java", "openssl", "ruby", "telnet", "awk") ''' [[rule.threat]] diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index 08215e361..f9ada63da 100644 --- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml 
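Review bot: In the motd execution hunk, the explicit `process.name` list replacing `process.executable : ("*sh", "python*", "perl", "php*")` is easier to audit, but `awk` may never match on systems where `/usr/bin/awk` is an alternatives link to `mawk` or `gawk`, if `process.name` is taken from the resolved executable rather than argv[0] — TODO confirm against endpoint data and add `gawk`/`mawk` if so. The old `*sh` pattern also covered shells absent from the new list (a busybox-provided `ash`, for example), so the change is a scope decision and deserves a line in `false_positives` or the rule note. The motd creation hunk above, adding `/kaniko/executor` and the `swx` extension, is fine.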
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/07/20" +updated_date = "2023/07/31" [transform] [[transform.osquery]] @@ -111,7 +111,7 @@ type = "new_terms" query = ''' host.os.type : "linux" and event.category : "file" and event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and -file.path : "/etc/rc.local" and not file.extension : "swp" +file.path : "/etc/rc.local" and not process.name : ("dockerd" or "yum" or "rpm" or "dpkg") and not file.extension : ("swp" or "swx") ''' [[rule.threat]] diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml index dccb41bcf..ef6a71725 100644 --- a/rules/linux/persistence_shared_object_creation.toml +++ b/rules/linux/persistence_shared_object_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" min_stack_version = "8.6.0" -updated_date = "2023/06/22" +updated_date = "2023/07/31" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ type = "new_terms" query = ''' host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and -process.name:(* and not (5 or dockerd or dpkg or rpm or snapd)) +process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher")) ''' diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml index e36c2c3c5..7e97d9bd9 100644 --- a/rules/linux/persistence_systemd_scheduled_timer_created.toml +++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml 
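Review bot: The rewritten rc.local query line `file.path : "/etc/rc.local" and not process.name : ("dockerd" or "yum" or "rpm" or "dpkg") and not file.extension : ("swp" or "swx")` runs well past the width the other queries in this patch wrap at; break it after the first `and not`, as the init.d hunk does. In the `persistence_shared_object_creation.toml` hunk, `process.name: ( * and not (...))` mixes a trailing-colon style and a stray space before `*` with the tight `field:value` form used on the preceding lines of the same query; `process.name:(* and not ("5" or "dockerd" or ...))` keeps it consistent. Both points are style-only.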
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/07/20" +updated_date = "2023/07/31" [transform] [[transform.osquery]] @@ -142,7 +142,7 @@ query = ''' host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or /usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not -process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") +process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/proc/self/exe" or "/usr/sbin/dockerd") ''' [[rule.threat]] diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml index 32660fb56..b8abfebe4 100644 --- a/rules/linux/persistence_systemd_service_creation.toml +++ b/rules/linux/persistence_systemd_service_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" min_stack_version = "8.6.0" -updated_date = "2023/06/09" +updated_date = "2023/07/31" [rule] author = ["Elastic"] @@ -34,7 +34,8 @@ query = ''' host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or /usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not -(process.name : ("dpkg" or "dockerd" or "rpm" or "snapd") or file.extension : "swp") +(process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or + "elastic-agent" or "cinc-client") or file.extension : ("swp" or "swx")) ''' [[rule.threat]] 
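Review bot: The timer hunk adds `/proc/self/exe` to the `process.executable` allow-list and the service hunk adds `exe` and `5` to `process.name`, none with a recorded reason; an executable path of `/proc/self/exe` (and the matching basename `exe`) is presumably what a container runtime re-executing itself presents, but it is also the generic shape of any process running from its own re-opened image, so excluding it from a systemd unit-creation rule deserves an explicit `false_positives` entry naming the runtime that produced the noise. Unquoted `python*` in the service hunk's KQL list matches the `execution_abnormal_process_id_file_created.toml` change earlier in this patch, so that part is consistent. Adding `/usr/sbin/dockerd` beside the existing `/usr/bin/dockerd` is reasonable.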
diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index 5f49255c9..8419a7031 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml @@ -3,7 +3,7 @@ creation_date = "2023/06/09" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/09" +updated_date = "2023/07/31" integration = ["endpoint"] [rule] @@ -25,9 +25,9 @@ references = [ "https://www.makeuseof.com/what-is-venom-vulnerability/", "https://madaidans-insecurities.github.io/guides/linux-hardening.html" ] -risk_score = 73 +risk_score = 47 rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957" -severity = "high" +severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml index 0ea2ed720..a830369f0 100644 --- a/rules/network/discovery_potential_network_sweep_detected.toml +++ b/rules/network/discovery_potential_network_sweep_detected.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/05/26" +updated_date = "2023/07/31" [rule] author = ["Elastic"] 
@@ -20,19 +20,19 @@ index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Network Sweep Detected"
-
-risk_score = 47
+risk_score = 21
 rule_id = "781f8746-2180-4691-890c-4c96d11ca91d"
-severity = "medium"
+severity = "low"
 tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
 type = "threshold"
-
 query = '''
-destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986)
+destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
+source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
@@ -64,5 +64,6 @@ reference = "https://attack.mitre.org/tactics/TA0043/"
 field = ["source.ip"]
 value = 1
 [[rule.threshold.cardinality]]
+
 field = "destination.ip"
-value = 10
+value = 100
diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml
index f90c7fc80..37ecaf6df 100644
--- a/rules/network/discovery_potential_port_scan_detected.toml
+++ b/rules/network/discovery_potential_port_scan_detected.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/05/26"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
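Review bot: The new `source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)` clause limits the sweep rule to RFC 1918 sources, silently dropping internal traffic from other private ranges (IPv6 ULA `fc00::/7`, link-local, CGNAT `100.64.0.0/10`, or sites that number internal hosts from public space); the same clause is added to `discovery_potential_port_scan_detected.toml` and `discovery_potential_syn_port_scan_detected.toml` below, so each rule should state it in `false_positives` or the rule note as an intentional scope that deployments with other internal ranges must adjust. The `destination.ip` cardinality raise from 10 to 100 (and the destination-port thresholds of 20 and 10 raised to 250 in the two scan rules) is a tenfold change with no rationale in the commit message. Style: this hunk inserts the blank line between `[[rule.threshold.cardinality]]` and `field = "destination.ip"`; it belongs before the header, after `value = 1`, which is where the two scan rules put it.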
@@ -21,19 +21,18 @@ index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat language = "kuery" license = "Elastic License v2" name = "Potential Network Scan Detected" - -risk_score = 47 +risk_score = 21 rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b" -severity = "medium" +severity = "low" tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"] type = "threshold" - query = ''' -destination.port :* and event.action: ("network_flow" or "connection_accepted" or "connection_attempted" ) +destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" @@ -46,6 +45,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1595" name = "Active Scanning" @@ -64,6 +64,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/" [rule.threshold] field = ["destination.ip", "source.ip"] value = 1 + [[rule.threshold.cardinality]] field = "destination.port" -value = 20 +value = 250 diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml index d95732050..9d18c04d2 100644 --- a/rules/network/discovery_potential_syn_port_scan_detected.toml +++ b/rules/network/discovery_potential_syn_port_scan_detected.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/05/26" +updated_date = "2023/07/31" [rule] author = ["Elastic"] 
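Review bot: The query now keeps only `event.action : "network_flow"` and drops `connection_accepted`/`connection_attempted`, yet the `index` context still lists `logs-endpoint.events.network-*` and `integration` still includes `endpoint`; if those two actions were the Endpoint network event forms, as the removed alternatives suggest, the endpoint index no longer contributes matches and the rule is effectively Network Packet Capture only — TODO confirm, then either restore the actions or trim `index`/`integration` so the rule's declared data sources stay honest. Whichever way, record the choice in the rule note. The RFC 1918 `source.ip` restriction, shared with the network-sweep and SYN-scan hunks in this patch, has the same documentation gap.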
@@ -21,19 +21,18 @@ index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat language = "kuery" license = "Elastic License v2" name = "Potential SYN-Based Network Scan Detected" - -risk_score = 47 +risk_score = 21 rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409" -severity = "medium" +severity = "low" tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"] type = "threshold" - query = ''' -destination.port :* and network.packets <= 2 +destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" @@ -46,6 +45,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1595" name = "Active Scanning" @@ -64,6 +64,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/" [rule.threshold] field = ["destination.ip", "source.ip"] value = 1 + [[rule.threshold.cardinality]] field = "destination.port" -value = 10 +value = 250