[Tuning] Linux DR Tuning - Part 5 (#3456)
* [Tuning] Linux DR Tuning - Part 6 * Update discovery_dynamic_linker_via_od.toml * Update discovery_esxi_software_via_find.toml * Update discovery_esxi_software_via_grep.toml * Update discovery_linux_hping_activity.toml * Update discovery_linux_nping_activity.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2024/02/01"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/02/01"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -15,7 +15,7 @@ for examining and debugging binary files or data streams. Attackers can leverage
|
||||
identifying injection points and craft exploits based on the observed behaviors and structures within these files.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Suspicious Dynamic Linker Discovery via od"
|
||||
@@ -55,13 +55,14 @@ tags = [
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Discovery",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame"
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
|
||||
process.name == "od" and process.args in (
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
|
||||
event.type == "start" and process.name == "od" and process.args in (
|
||||
"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2",
|
||||
"/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2"
|
||||
)
|
||||
|
||||
@@ -1,28 +1,25 @@
|
||||
[metadata]
|
||||
creation_date = "2023/04/11"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.5.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies instances where the 'find' command is started on a Linux system with arguments targeting
|
||||
specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*".
|
||||
These paths are associated with VMware virtualization software, and their presence in the find command arguments
|
||||
may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files
|
||||
and configurations on the system.
|
||||
Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related
|
||||
paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization
|
||||
software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for,
|
||||
analyze, or manipulate VM-related files and configurations on the system.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "ESXI Discovery via Find"
|
||||
references = [
|
||||
"https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
|
||||
]
|
||||
references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"]
|
||||
risk_score = 47
|
||||
rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f"
|
||||
setup = """
|
||||
@@ -52,24 +49,31 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Discovery",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and process.name : "find" and
|
||||
process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
|
||||
event.type == "start" and process.name == "find" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1518"
|
||||
name = "Software Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1518/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0007"
|
||||
name = "Discovery"
|
||||
reference = "https://attack.mitre.org/tactics/TA0007/"
|
||||
reference = "https://attack.mitre.org/tactics/TA0007/"
|
||||
|
||||
@@ -1,27 +1,25 @@
|
||||
[metadata]
|
||||
creation_date = "2023/04/11"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.5.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments
|
||||
related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram",
|
||||
or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command
|
||||
arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.
|
||||
Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments
|
||||
related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or
|
||||
"vmem". These file extensions are associated with VM-related file formats, and their presence in grep command arguments
|
||||
may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "ESXI Discovery via Grep"
|
||||
references = [
|
||||
"https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
|
||||
]
|
||||
references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"]
|
||||
risk_score = 47
|
||||
rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4"
|
||||
setup = """
|
||||
@@ -51,25 +49,33 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Discovery",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
|
||||
process.name in ("grep", "egrep", "pgrep") and
|
||||
process.args in ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem")
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
|
||||
event.type == "start" and process.name in ("grep", "egrep", "pgrep") and process.args in (
|
||||
"vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem"
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1518"
|
||||
name = "Software Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1518/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0007"
|
||||
name = "Discovery"
|
||||
reference = "https://attack.mitre.org/tactics/TA0007/"
|
||||
reference = "https://attack.mitre.org/tactics/TA0007/"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/12/13"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -20,7 +20,7 @@ false_positives = [
|
||||
""",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "Enumeration of Kernel Modules"
|
||||
@@ -58,23 +58,25 @@ tags = [
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Discovery",
|
||||
"Data Source: Elastic Defend"
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
query = '''
|
||||
event.category:process and host.os.type:linux and event.type:start and (
|
||||
event.category:process and host.os.type:linux and event.action:(exec or exec_event) and event.type:start and (
|
||||
(process.name:(lsmod or modinfo)) or
|
||||
(process.name:kmod and process.args:list) or
|
||||
(process.name:depmod and process.args:(--all or -a))
|
||||
) and not process.parent.name:(mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools
|
||||
or readykernel or lvm2 or vz-start or iscsi or mdadm)
|
||||
or readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or
|
||||
weak-modules or zfs)
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1082"
|
||||
name = "System Information Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1082/"
|
||||
@@ -86,7 +88,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
|
||||
|
||||
[rule.new_terms]
|
||||
field = "new_terms_fields"
|
||||
value = ["process.parent.command_line", "process.command_line", "process.parent.executable"]
|
||||
value = ["process.parent.command_line", "process.command_line", "host.id"]
|
||||
|
||||
[[rule.new_terms.history_window_start]]
|
||||
field = "history_window_start"
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/20/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -19,7 +19,7 @@ false_positives = [
|
||||
""",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Hping Process Activity"
|
||||
@@ -65,26 +65,31 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Discovery",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start"
|
||||
and process.name in ("hping", "hping2", "hping3")
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
|
||||
event.type == "start" and process.name in ("hping", "hping2", "hping3")
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1082"
|
||||
name = "System Information Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1082/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0007"
|
||||
name = "Discovery"
|
||||
reference = "https://attack.mitre.org/tactics/TA0007/"
|
||||
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -19,7 +19,7 @@ false_positives = [
|
||||
""",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Nping Process Activity"
|
||||
@@ -65,25 +65,31 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Discovery",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and process.name == "nping"
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
|
||||
event.type == "start" and process.name == "nping"
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1046"
|
||||
name = "Network Service Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1046/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0007"
|
||||
name = "Discovery"
|
||||
reference = "https://attack.mitre.org/tactics/TA0007/"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user