diff --git a/rules/linux/privilege_escalation_dac_permissions.toml b/rules/linux/privilege_escalation_dac_permissions.toml index 79f680858..f21e31052 100644 --- a/rules/linux/privilege_escalation_dac_permissions.toml +++ b/rules/linux/privilege_escalation_dac_permissions.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0" min_stack_version = "8.11.0" -updated_date = "2024/02/21" +updated_date = "2024/10/17" [rule] author = ["Elastic"] @@ -60,7 +60,17 @@ type = "new_terms" query = ''' event.category:process and host.os.type:linux and event.type:start and event.action:exec and (process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and -process.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not user.id:"0" +process.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not ( + user.id : "0" or + process.name : ( + "tar" or "getent" or "su" or "stat" or "dirname" or "chown" or "sudo" or "dpkg-split" or "dpkg-deb" or "dpkg" or + "podman" or "awk" or "passwd" or "dpkg-maintscript-helper" or "mutt_dotlock" or "nscd" or "logger" or "gpasswd" + ) or + process.executable : /usr/lib/*/lxc/rootfs/* or + process.parent.name : ( + "dpkg" or "java" or *postinst or "dpkg-preconfigure" or "gnome-shell" + ) +) ''' [[rule.threat]] @@ -78,7 +88,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.command_line", "process.executable"] +value = ["process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index 9a7f5068b..37df7e1b9 100644 
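Review bot: The new `process.name : ("tar" or "getent" or "su" ... "gpasswd")` exclusion in the query keys on a value the executing process controls, so a tool copied to a file named `tar` or `passwd` bypasses the rule while still carrying CAP_DAC_* and touching sudoers or shadow. The sibling exclusion in the same group already uses a path (`process.executable : /usr/lib/*/lxc/rootfs/*`); the name list would be safer written the same way, e.g. `process.executable : ("/usr/bin/tar" or "/bin/tar" or "/usr/bin/getent" or ...)`. `process.parent.name : "java"` is also a very broad allow, since any Java service can spawn a child that reads these files; if it was added for one application, scoping it to that parent's executable path would be tighter. The query's opening lines are context here and the rest of the rule sits outside the hunk.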
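Review bot: Reducing `new_terms_fields` to `["process.executable"]` means an executable seen once anywhere in the history window suppresses alerts for every host and every command line, so a standard binary such as `cat` or `cp` reading `/etc/shadow` on a host where that has never happened is no longer "new". If that noise trade-off is intended it is worth recording above the `value` line, e.g. `# novelty is keyed on executable only; per-host / per-command-line novelty is deliberately not tracked`; otherwise keeping `host.id` alongside `process.executable` preserves per-host novelty. The history window for this rule is outside the hunk.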
--- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/17" [rule] author = ["Elastic"] 
@@ -64,57 +64,57 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") - and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") + and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") and not + process.parent.name in ("kdumpctl", "unload.sh") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1601" name = "Modify System Image" reference = "https://attack.mitre.org/techniques/T1601/" + [[rule.threat.technique.subtechnique]] id = "T1601.001" name = "Patch System Image" reference = "https://attack.mitre.org/techniques/T1601/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml index 2423ff060..bffea1c2a 100644 --- a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml 
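Review bot: The added `and not process.parent.name in ("kdumpctl", "unload.sh")` on the last line of the query is bypassable by naming a wrapper script `unload.sh` or `kdumpctl`, since `process.parent.name` is just the basename of whatever spawned kexec. `kdumpctl` has a fixed install location where it is shipped (commonly `/usr/bin/kdumpctl`), so `process.parent.executable` would be a stronger key; `unload.sh` is generic enough that I would either drop it or anchor it to the full path of the script that prompted the exclusion. A short comment on that line naming the vendor or product the `unload.sh` entry covers would let the next maintainer judge whether it is still needed.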
+++ b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/17" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2024/10/17" [rule] author = ["Elastic"] @@ -59,7 +59,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( (process.user.id == "0" and process.real_user.id != "0") or @@ -92,12 +91,12 @@ process where host.os.type == "linux" and event.type == "start" and event.action process.name == "ip" and ( (process.args == "-force" and process.args in ("-batch", "-b")) or (process.args == "exec") ) -) +) and not process.parent.name == "spine" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -107,17 +106,17 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -125,4 +124,3 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml index 52293c9bd..327e52480 100644 --- a/rules/linux/privilege_escalation_shadow_file_read.toml +++ b/rules/linux/privilege_escalation_shadow_file_read.toml 
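Review bot: The added `and not process.parent.name == "spine"` at the end of the query exempts every child of any process whose basename is `spine`, which an attacker satisfies by naming a launcher `spine` before running one of the setuid binaries the rule watches. If this targets the Cacti `spine` poller (inferred from the name only), matching on `process.parent.executable` with its install path would be harder to spoof, and a one-line comment above the query naming the product and the setuid helper it invokes would document why the exclusion exists. The bulk of the query, including the setuid branches the exclusion applies to, is outside the hunk.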
@@ -2,7 +2,7 @@ creation_date = "2022/09/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/10/17" [rule] author = ["Elastic"] @@ -56,40 +56,41 @@ tags = [ ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type : "linux" and event.category : "process" and event.action : ("exec" or "exec_event") and -(process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow")) and not -(process.executable : ("/bin/chown" or "/usr/bin/chown") and process.args : "root:shadow") and not -(process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640") +(process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow")) and not ( + (process.executable : ("/bin/chown" or "/usr/bin/chown") and process.args : "root:shadow") or + (process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640") or + process.executable:(/vz/* or /var/lib/docker/* or /run/containerd/* or /tmp/.criu* or /tmp/newroot/*) or + process.parent.name:(gen_passwd_sets or scc_* or wazuh-modulesd) +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" 
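Review bot: The new `process.executable:(... /tmp/.criu* or /tmp/newroot/*)` exclusion allowlists world-writable locations, so a binary staged under `/tmp/newroot/` or `/tmp/.criu-anything` can read `/etc/shadow` without tripping the rule, and `/var/lib/docker/*` plus `/run/containerd/*` likewise blanket every process launched from a container root filesystem. If these were added for checkpoint/restore and container-runtime noise, constraining them further (for example also requiring the parent to be the runtime, or excluding only the specific binary names observed) keeps the `/tmp` paths from becoming a free pass. The `process.parent.name:(gen_passwd_sets or scc_* or wazuh-modulesd)` clause is name-based and spoofable as well; at minimum a comment stating what `gen_passwd_sets` and `scc_*` are would let a reviewer decide whether they should stay.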
@@ -97,9 +98,8 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" -value = ["process.command_line", "host.id", "process.executable"] +value = ["process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" - - diff --git a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml index 69af4babd..f38a290ad 100644 --- a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml +++ b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0" min_stack_version = "8.11.0" -updated_date = "2024/07/18" +updated_date = "2024/10/17" [rule] author = ["Elastic"] 
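Review bot: With `new_terms_fields` cut to `["process.executable"]`, a shadow-file read by a binary already seen in the window (`history_window_start` is `now-10d` in the same hunk) is no longer new for any host or command line, so the first `cat /etc/shadow` on a newly compromised host is suppressed once `cat` has done it anywhere before. If that is the intended noise reduction, a one-line comment above `value` saying that per-host novelty is deliberately dropped would make the choice visible; otherwise retaining `host.id` keeps the rule firing per host.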
@@ -64,12 +64,17 @@ sequence by host.id, process.entity_id with maxspan=1s process.parent.executable : ("/tmp/newroot/*", "/opt/carbonblack*") or process.parent.executable in ( "/opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin", "/usr/bin/vmware-toolbox-cmd", - "/usr/bin/dbus-daemon", "/usr/bin/update-notifier", "/usr/share/language-tools/language-options" + "/usr/bin/dbus-daemon", "/usr/bin/update-notifier", "/usr/share/language-tools/language-options", + "/opt/SolarWinds/Agent/*", "/usr/local/sbin/lynis.sh" ) or - process.executable : ("/opt/dynatrace/*", "/tmp/newroot/*") or + process.executable : ("/opt/dynatrace/*", "/tmp/newroot/*", "/opt/SolarWinds/Agent/*") or process.executable in ( "/bin/fgrep", "/usr/bin/sudo", "/usr/bin/pkexec", "/usr/lib/cockpit/cockpit-session", "/usr/sbin/suexec" - ) + ) or + process.parent.name in ("update-notifier", "language-options", "osqueryd", "saposcol", "dbus-daemon", "osqueryi", "sdbrun") or + process.command_line like ("sudo*BECOME-SUCCESS*", "/bin/sh*sapsysinfo.sh*", "sudo su", "sudo su -") or + process.name == "sudo" or + process.parent.command_line like "/usr/bin/python*ansible*" )] [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and (process.thread.capabilities.effective : "CAP_SET?ID" or process.thread.capabilities.permitted : "CAP_SET?ID") diff --git a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml index 3e3ebea50..6d8b2ad4a 100644 --- a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml +++ b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/10/17" [rule] author = ["Elastic"] 
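Review bot: Several of the new exclusions in the first sequence step key on attacker-controlled strings: `process.name == "sudo"` exempts any binary named `sudo` regardless of path (the earlier `process.executable in (... "/usr/bin/sudo" ...)` already covers the real one), `process.command_line like ("sudo*BECOME-SUCCESS*", ...)` is satisfied by appending `BECOME-SUCCESS` to an arbitrary command line, and `process.parent.command_line like "/usr/bin/python*ansible*"` matches any Python parent with `ansible` somewhere in its arguments. I would drop `process.name == "sudo"` and tie the Ansible exclusions to the parent's executable path rather than a command-line substring. The `sudo su` / `sudo su -` entries are exact matches and fine, but a comment such as `# interactive root shells via sudo are deliberately excluded here` would make their intent clear. The enclosing `sequence` starts before the hunk and its second step continues past it.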
@@ -64,7 +64,7 @@ and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or /opt/psa/admin/* or /usr/lib/snapd/snap-confine or /opt/dynatrace/* or /opt/microsoft/* or /var/lib/snapd/snap/bin/node or /opt/gitlab/embedded/sbin/logrotate or /etc/apt/universal-hooks/* or /opt/puppetlabs/puppet/bin/puppet or /opt/cisco/* or /run/k3s/containerd/* or /usr/lib/postfix/sbin/master or - /usr/libexec/postfix/local + /usr/libexec/postfix/local or /var/lib/snapd/snap/bin/postgresql* or /opt/puppetlabs/puppet/bin/ruby ) or process.name:( "bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or "ksh" or "fish" or "sudo" or "su" or "apt" or "apt-get" or
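Review bot: Adding `/opt/puppetlabs/puppet/bin/ruby` to what appears to be the known-executable exclusion list (its head is outside the hunk) exempts a general-purpose interpreter, so any script run through Puppet's bundled Ruby that performs a uid elevation now counts as known, which undercuts a rule whose premise is that the elevating executable is unfamiliar. If the noise comes from Puppet agent runs, scoping by the parent (the `/opt/puppetlabs/puppet/bin/puppet` entry already on the preceding line) or by `process.args` for the agent's own scripts would be narrower. The `/var/lib/snapd/snap/bin/postgresql*` glob is broad for the same reason; a comment naming the snap and why it elevates would help. The query continues outside the hunk in both directions.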