[Rule Tuning] Q2 Linux DR Tuning - Part 6 (#4167)

Ruben Groenewoud
2024-10-18 16:25:54 +02:00
committed by GitHub
parent 39fc23cb3d
commit ac6a49eeea
6 changed files with 51 additions and 38 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
min_stack_version = "8.11.0"
updated_date = "2024/02/21"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -60,7 +60,17 @@ type = "new_terms"
query = '''
event.category:process and host.os.type:linux and event.type:start and event.action:exec and
(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and
process.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not user.id:"0"
process.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not (
user.id : "0" or
process.name : (
"tar" or "getent" or "su" or "stat" or "dirname" or "chown" or "sudo" or "dpkg-split" or "dpkg-deb" or "dpkg" or
"podman" or "awk" or "passwd" or "dpkg-maintscript-helper" or "mutt_dotlock" or "nscd" or "logger" or "gpasswd"
) or
process.executable : /usr/lib/*/lxc/rootfs/* or
process.parent.name : (
"dpkg" or "java" or *postinst or "dpkg-preconfigure" or "gnome-shell"
)
)
'''
[[rule.threat]]
@@ -78,7 +88,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.command_line", "process.executable"]
value = ["process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
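Review bot: The exclusion block added at lines 23–33 suppresses on `process.name` alone for privileged binaries such as `sudo`, `su`, `passwd`, `chown` and `gpasswd`, while the lxc carve-out in the same block is correctly keyed on `process.executable`; matching those binaries on their executable path (or pairing the name with `process.parent.executable`) would keep the exclusion from applying to any process that merely carries that name. Narrowing `new_terms_fields` from `["host.id", "process.command_line", "process.executable"]` to `["process.executable"]` also changes what the rule treats as new: a previously seen executable invoked with an unseen command line will no longer alert, and a first sighting on one host now suppresses every other host. If that trade-off is intended it deserves a sentence in the rule's description or false-positives note. The same narrowing appears in the /etc/shadow rule section further down.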
@@ -2,7 +2,7 @@
creation_date = "2023/06/09"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -64,57 +64,57 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u")
and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") and not
process.parent.name in ("kdumpctl", "unload.sh")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.006"
name = "Kernel Modules and Extensions"
reference = "https://attack.mitre.org/techniques/T1547/006/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1601"
name = "Modify System Image"
reference = "https://attack.mitre.org/techniques/T1601/"
[[rule.threat.technique.subtechnique]]
id = "T1601.001"
name = "Patch System Image"
reference = "https://attack.mitre.org/techniques/T1601/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
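Review bot: The new exclusion `and not process.parent.name in ("kdumpctl", "unload.sh")` suppresses every kexec load/exec/unload whose parent is any script named `unload.sh`, which is a generic name rather than a product-specific one; the `kdumpctl` entry is fine, but `unload.sh` should be anchored to the path it was observed under via `process.parent.executable`, or the source of that parent should be recorded in the rule's false-positives note so the exclusion can be revisited. The rest of the query is unchanged and fits within the hunk.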
@@ -2,7 +2,7 @@
creation_date = "2024/06/17"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -59,7 +59,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
(process.user.id == "0" and process.real_user.id != "0") or
@@ -92,12 +91,12 @@ process where host.os.type == "linux" and event.type == "start" and event.action
process.name == "ip" and (
(process.args == "-force" and process.args in ("-batch", "-b")) or (process.args == "exec")
)
)
) and not process.parent.name == "spine"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
@@ -107,17 +106,17 @@ reference = "https://attack.mitre.org/techniques/T1068/"
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -125,4 +124,3 @@ framework = "MITRE ATT&CK"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
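Review bot: The exclusion `) and not process.parent.name == "spine"` is applied outside the outer parentheses, so it switches off every branch of the rule — the uid/real_uid mismatch at line 113 as well as the `ip` branch at lines 115–117 — for any process whose parent happens to be named `spine`. If the noise came from one branch, the exclusion is better placed inside that branch, and in either case pairing the name with the expected `process.parent.executable` path would keep it from matching on a bare name. The query this line closes starts above the hunk, so I cannot see the other branches it now covers.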
@@ -2,7 +2,7 @@
creation_date = "2022/09/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -56,40 +56,41 @@ tags = [
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type : "linux" and event.category : "process" and event.action : ("exec" or "exec_event") and
(process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow")) and not
(process.executable : ("/bin/chown" or "/usr/bin/chown") and process.args : "root:shadow") and not
(process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640")
(process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow")) and not (
(process.executable : ("/bin/chown" or "/usr/bin/chown") and process.args : "root:shadow") or
(process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640") or
process.executable:(/vz/* or /var/lib/docker/* or /run/containerd/* or /tmp/.criu* or /tmp/newroot/*) or
process.parent.name:(gen_passwd_sets or scc_* or wazuh-modulesd)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.008"
name = "/etc/passwd and /etc/shadow"
reference = "https://attack.mitre.org/techniques/T1003/008/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
@@ -97,9 +98,8 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.command_line", "host.id", "process.executable"]
value = ["process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
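Review bot: The executable exclusions added at line 164 include `/tmp/.criu*` and `/tmp/newroot/*`, which sit under a world-writable directory, alongside `/var/lib/docker/*` and `/run/containerd/*`, which together drop all containerised reads of `/etc/shadow` from the rule. An exclusion keyed on a root-owned path or on the specific executable names that produced the false positives is a much tighter carve-out than a `/tmp` prefix; at minimum the rationale for each prefix belongs in the rule's false-positives note. The parent-name exclusions on line 165 (`gen_passwd_sets`, `scc_*`, `wazuh-modulesd`) are reasonable but could likewise cite `process.parent.executable` where the path is known.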
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
min_stack_version = "8.11.0"
updated_date = "2024/07/18"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -64,12 +64,17 @@ sequence by host.id, process.entity_id with maxspan=1s
process.parent.executable : ("/tmp/newroot/*", "/opt/carbonblack*") or
process.parent.executable in (
"/opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin", "/usr/bin/vmware-toolbox-cmd",
"/usr/bin/dbus-daemon", "/usr/bin/update-notifier", "/usr/share/language-tools/language-options"
"/usr/bin/dbus-daemon", "/usr/bin/update-notifier", "/usr/share/language-tools/language-options",
"/opt/SolarWinds/Agent/*", "/usr/local/sbin/lynis.sh"
) or
process.executable : ("/opt/dynatrace/*", "/tmp/newroot/*") or
process.executable : ("/opt/dynatrace/*", "/tmp/newroot/*", "/opt/SolarWinds/Agent/*") or
process.executable in (
"/bin/fgrep", "/usr/bin/sudo", "/usr/bin/pkexec", "/usr/lib/cockpit/cockpit-session", "/usr/sbin/suexec"
)
) or
process.parent.name in ("update-notifier", "language-options", "osqueryd", "saposcol", "dbus-daemon", "osqueryi", "sdbrun") or
process.command_line like ("sudo*BECOME-SUCCESS*", "/bin/sh*sapsysinfo.sh*", "sudo su", "sudo su -") or
process.name == "sudo" or
process.parent.command_line like "/usr/bin/python*ansible*"
)]
[process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
(process.thread.capabilities.effective : "CAP_SET?ID" or process.thread.capabilities.permitted : "CAP_SET?ID")
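Review bot: The entry `"/opt/SolarWinds/Agent/*"` added at line 213 sits inside a `process.parent.executable in (...)` list, and as far as I can tell EQL's `in` compares values literally, so the trailing `*` will not act as a wildcard there; the same prefix added at line 216 under `process.executable : (...)` does get wildcard semantics. The parent-side entry should move to the `:` list at line 208, e.g. `process.parent.executable : ("/tmp/newroot/*", "/opt/carbonblack*", "/opt/SolarWinds/Agent/*") or`, after which the literal plugin path on line 210 becomes redundant. The sequence this hunk belongs to starts above line 207.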
@@ -2,7 +2,7 @@
creation_date = "2023/10/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/18"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -64,7 +64,7 @@ and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or
/opt/psa/admin/* or /usr/lib/snapd/snap-confine or /opt/dynatrace/* or /opt/microsoft/* or
/var/lib/snapd/snap/bin/node or /opt/gitlab/embedded/sbin/logrotate or /etc/apt/universal-hooks/* or
/opt/puppetlabs/puppet/bin/puppet or /opt/cisco/* or /run/k3s/containerd/* or /usr/lib/postfix/sbin/master or
/usr/libexec/postfix/local
/usr/libexec/postfix/local or /var/lib/snapd/snap/bin/postgresql* or /opt/puppetlabs/puppet/bin/ruby
) or
process.name:(
"bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or "ksh" or "fish" or "sudo" or "su" or "apt" or "apt-get" or
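Review bot: Adding `/opt/puppetlabs/puppet/bin/ruby` to the parent-executable exclusion at line 241 excludes an interpreter rather than a specific tool, so any script run under that ruby that spawns a shell is now outside the rule; if the noise came from a particular puppet invocation, constraining it further with `process.parent.command_line` or `process.parent.args` would keep the exclusion narrow. The `/var/lib/snapd/snap/bin/postgresql*` wildcard is fine as written. The query this list belongs to starts and ends outside the hunk, so I cannot see whether the rule already has a parent command-line constraint elsewhere.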