From ae3f4737ab9b3aa8a5c839c9633638dfeeca56b0 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Thu, 7 Mar 2024 09:53:46 +0100
Subject: [PATCH] [Tuning] Linux DR Tuning - Part 5 (#3456)

* [Tuning] Linux DR Tuning - Part 6
* Update discovery_dynamic_linker_via_od.toml
* Update discovery_esxi_software_via_find.toml
* Update discovery_esxi_software_via_grep.toml
* Update discovery_linux_hping_activity.toml
* Update discovery_linux_nping_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 .../discovery_dynamic_linker_via_od.toml | 13 +++---
 .../discovery_esxi_software_via_find.toml | 38 ++++++++++--------
 .../discovery_esxi_software_via_grep.toml | 40 +++++++++++--------
 .../discovery_kernel_module_enumeration.toml | 16 ++++----
 .../linux/discovery_linux_hping_activity.toml | 25 +++++++-----
 .../linux/discovery_linux_nping_activity.toml | 24 ++++++-----
 6 files changed, 90 insertions(+), 66 deletions(-)

diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml
index c0ef1f0af..e89f5d726 100644
--- a/rules/linux/discovery_dynamic_linker_via_od.toml
+++ b/rules/linux/discovery_dynamic_linker_via_od.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/02/01"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/01"
+updated_date = "2024/02/20"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ for examining and debugging binary files or data streams. Attackers can leverage
 identifying injection points and craft exploits based on the observed behaviors and structures within these files.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Dynamic Linker Discovery via od"
@@ -55,13 +55,14 @@ tags = [
     "Use Case: Threat Detection",
     "Tactic: Discovery",
     "Data Source: Elastic Defend",
-    "Data Source: Elastic Endgame"
+    "Data Source: Elastic Endgame",
+    "Data Source: Auditd Manager"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
-process.name == "od" and process.args in (
+process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
+event.type == "start" and process.name == "od" and process.args in (
   "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2",
   "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2"
 )
diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml
index 7257d2f97..a3529aad5 100644
--- a/rules/linux/discovery_esxi_software_via_find.toml
+++ b/rules/linux/discovery_esxi_software_via_find.toml
@@ -1,28 +1,25 @@
 [metadata]
 creation_date = "2023/04/11"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.5.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies instances where the 'find' command is started on a Linux system with arguments targeting
-specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*".
-These paths are associated with VMware virtualization software, and their presence in the find command arguments
-may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files
-and configurations on the system.
+Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related
+paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization
+software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for,
+analyze, or manipulate VM-related files and configurations on the system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "ESXI Discovery via Find"
-references = [
-    "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
-]
+references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"]
 risk_score = 47
 rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f"
 setup = """
@@ -52,24 +49,31 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and process.name : "find" and -process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and +event.type == "start" and process.name == "find" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index 780bf18a0..0e103587e 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml 
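Review bot: The tags hunk adds `"Data Source: Auditd Manager"` (and the file's index now includes `auditbeat-*` and `logs-auditd_manager.auditd-*`), but the `setup` block this hunk closes appears, from the visible header line `For more details on Elastic Defend refer to the [helper guide]`, to describe only Elastic Defend onboarding; the rest of that block is outside the hunk, so this is inferred. The hping rule in the same commit carries an Auditbeat paragraph in its `setup`, so the find rule would presumably need an equivalent paragraph covering the Auditd Manager integration (and Auditbeat) so that a user enabling the rule on those data sources knows what has to be configured. The same applies to the grep rule's tags hunk later in this patch. Consider appending a short `setup` paragraph modelled on the hping rule's Auditbeat text, adapted for `auditd_manager`.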
@@ -1,27 +1,25 @@
 [metadata]
 creation_date = "2023/04/11"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.5.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments
-related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram",
-or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command
-arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.
+Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments
+related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or
+"vmem". These file extensions are associated with VM-related file formats, and their presence in grep command arguments
+may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "ESXI Discovery via Grep"
-references = [
-    "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
-]
+references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"]
 risk_score = 47
 rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4"
 setup = """
@@ -51,25 +49,33 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and -process.name in ("grep", "egrep", "pgrep") and -process.args in ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem") +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and +event.type == "start" and process.name in ("grep", "egrep", "pgrep") and process.args in ( + "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem" +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 5c722981e..60b1a0a8c 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/12/13" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
@@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Enumeration of Kernel Modules" @@ -58,23 +58,25 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" ] timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.category:process and host.os.type:linux and event.type:start and ( +event.category:process and host.os.type:linux and event.action:(exec or exec_event) and event.type:start and ( (process.name:(lsmod or modinfo)) or (process.name:kmod and process.args:list) or (process.name:depmod and process.args:(--all or -a)) ) and not process.parent.name:(mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools -or readykernel or lvm2 or vz-start or iscsi or mdadm) +or readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or +weak-modules or zfs) ''' [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] +[[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" @@ -86,7 +88,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["process.parent.command_line", "process.command_line", "process.parent.executable"] +value = ["process.parent.command_line", "process.command_line", "host.id"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index 05b256ac9..fa65290f7 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml 
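Review bot: Replacing `process.parent.executable` with `host.id` in the `[rule.new_terms]` value changes what this rule treats as "new": a parent/child command-line pair that has already alerted once fleet-wide will presumably now alert again the first time it appears on each additional host, which raises volume on fleets where the same maintenance tooling runs everywhere, while the parent-executable dimension is no longer part of the key. That is a deliberate tuning trade-off rather than a defect, but nothing in the commit records the rationale or the expected per-host behavior. The rule already has a `false_positives` entry (visible at the second hunk's header), so a sentence there such as `Alerts are generated per host; the same benign command line will alert once on every host where it first appears.` would tell analysts what to expect. The added parent-name exclusions (`ovalprobes`, `bcache`, `plymouth`, `dkms`, `overlayroot`, `weak-modules`, `zfs`) are also undocumented; a short mention of them in the same entry would help whoever tunes this rule next.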
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/20/02" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Hping Process Activity" @@ -65,26 +65,31 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where host.os.type == "linux" and event.type == "start" -and process.name in ("hping", "hping2", "hping3") +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and +event.type == "start" and process.name in ("hping", "hping2", "hping3") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index 1242b8c6d..4759b6da7 100644 
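Review bot: `updated_date = "2024/20/02"` in the first hunk of the hping rule is not a valid `YYYY/MM/DD` date (month 20); every other rule in this commit sets `updated_date = "2024/02/20"`, so the month and day were evidently transposed. The line should read `updated_date = "2024/02/20"`. The repository's rule schema validation will presumably reject this value, so it is worth fixing before merge rather than in a follow-up.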
--- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/02/20" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Nping Process Activity" @@ -65,25 +65,31 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where host.os.type == "linux" and event.type == "start" and process.name == "nping" +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and +event.type == "start" and process.name == "nping" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" -