[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read (#2283)

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

rules/linux/privilege_escalation_shadow_file_read.toml

@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2022/09/01"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/09/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the manual reading of the /etc/shadow file via the commandline using standard system utilities.
+Threat actors will attempt to read this file, after elevating their privileges to root,
+in order to gain valid credentials they can utilize to move laterally undetected and access additional resources.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Shadow File Read via Command Line Utilities"
+risk_score = 47
+rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and event.action == "exec" and user.name == "root" and
+process.args : "/etc/shadow" and
+not process.executable: ("/usr/bin/find", "/usr/bin/cmp", "/bin/ls", "/usr/sbin/restorecon", "/usr/bin/uniq") and
+not process.parent.executable: "/bin/dracut"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+

rules/linux/privilege_escalation_unshare_namesapce_manipulation.toml

@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2022/08/30"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/30"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies  suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges
+or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the
+host and access other resources or escalate privileges.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Namespace Manipulation Using Unshare"
+references = [
+    "https://man7.org/linux/man-pages/man1/unshare.1.html",
+    "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/"
+]
+risk_score = 47
+rule_id = "d00f33e7-b57d-4023-9952-2db91b1767c4"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and event.action == "exec" and
+process.executable: "/usr/bin/unshare" and
+not process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd", "/usr/bin/unshare") and
+not process.args : "/usr/bin/snap"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+