From b2b5c170dd09b8276edf8caa731be0637b1579b9 Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Fri, 29 Jul 2022 23:00:18 +0530
Subject: [PATCH] Rule(s) to identify potential mining activities (#2185)
---
 .../linux/impact_process_kill_threshold.toml | 87 +++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 rules/linux/impact_process_kill_threshold.toml
diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml
new file mode 100644
index 000000000..b4b8f0a7a
--- /dev/null
+++ b/rules/linux/impact_process_kill_threshold.toml
@@ -0,0 +1,87 @@
+[metadata]
+creation_date = "2022/07/27"
+maturity = "production"
+updated_date = "2022/07/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies a high number (10) of process terminations via pkill from the same host within a
+short time period.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "High Number of Process Terminations"
+note = """## Triage and analysis
+
+### Investigating High Number of Process Terminations
+
+Attackers can kill processes for a variety of purposes. For example, they can kill process associated
+with business applications and databases to release the lock on files used by these applications so they may be
+encrypted,or stop security and backup solutions, etc.
+
+This rule identifies a high number (10) of process terminations via pkill from the same
+host within a short time period.
+
+#### Possible investigation steps
+
+Detection alerts from this rule indicate High Number of Process Terminations from the same host
+Here are some possible avenues of investigation:
+- Examine the entry point to the host and user in action via the Analyse View.
+ - Identify the session entry leader and session user
+- Examine the contents of session leading to the process termination(s) via the Session View.
+ - Examine the command execution pattern in the session, which may lead to suspricous activities
+- Examine the process killed during the malicious execution
+ - Identify imment threat to the system from the process killed
+ - Take necessary incident response actions to respawn necessary process
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Reimage the host operating system or restore it to the operational state.
+- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look
+for ransomware preparation and execution activities.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+"""
+risk_score = 47
+rule_id = "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact"]
+type = "threshold"
+
+query = '''
+event.category:process and event.type:start and process.name:"pkill" and process.args:"-f"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1489"
+name = "Service Stop"
+reference = "https://attack.mitre.org/techniques/T1489/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[rule.threshold]
+field = ["host.id"]
+value = 10
+
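Review bot: The query only counts launches of `pkill` carrying a `-f` argument (`process.name:"pkill" and process.args:"-f"`), so `pkill <name>` without `-f`, `killall` and `kill` never contribute to the threshold even though the rule name, `description` and `note` speak of process terminations in general; either widen it, e.g. `process.name:("pkill" or "killall")` with the `-f` clause dropped, or say `pkill -f` explicitly in `description` so analysts know what is measured. Because the query keys on `event.type:start`, a `pkill -f` whose pattern matched nothing still counts toward the 10-per-`host.id` threshold, which the `note` should state so triage does not assume ten processes actually died. The commit subject is about mining activity but nothing in the rule text mentions it; if miners killing competing workloads is the motivation, one sentence in `description` would help triage. Deployment or service-restart scripts that invoke `pkill -f` repeatedly seem likely to reach 10 within the 9-minute window, so the false-positive section's "unlikely to happen legitimately" could name those as exception candidates. Typos in `note`: "suspricous" → "suspicious", "imment" → "imminent", "encrypted,or" → "encrypted, or".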