From b6d29a6775c73c8600f31be151a161e7fc7f4933 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 11 Jun 2024 11:40:54 +0200
Subject: [PATCH] [Rule Tuning] Systemd-udevd Rule File Creation (#3738)
* [Rule Tuning] Systemd-udevd Rule File Creation
* Incompatible endgame field
* Update rules/linux/persistence_udev_rule_creation.toml
* Update rules/linux/persistence_udev_rule_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/persistence_udev_rule_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update persistence_udev_rule_creation.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 4cf0c2b9af5e74ddf1022c269055b6bf72a07025)
---
 .../linux/persistence_udev_rule_creation.toml | 53 ++++++++++---------
 1 file changed, 29 insertions(+), 24 deletions(-)
diff --git a/rules/linux/persistence_udev_rule_creation.toml b/rules/linux/persistence_udev_rule_creation.toml
index bcd0e28ad..07f2e2644 100644
--- a/rules/linux/persistence_udev_rule_creation.toml
+++ b/rules/linux/persistence_udev_rule_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,10 +13,10 @@ malicious udev rules that trigger on specific events, executing arbitrary comman
 is plugged in or recognized by the system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
-language = "kuery"
+index = ["logs-endpoint.events.file*"]
+language = "eql"
 license = "Elastic License v2"
-name = "Potential Persistence Through Systemd-udevd"
+name = "Systemd-udevd Rule File Creation"
 risk_score = 21
 rule_id = "054db96b-fd34-43b3-9af2-587b3bd33964"
 setup = """## Setup
@@ -51,40 +51,45 @@ tags = [
   "OS: Linux",
   "Use Case: Threat Detection",
   "Tactic: Persistence",
-  "Data Source: Elastic Endgame",
-  "Data Source: Elastic Defend",
+  "Data Source: Elastic Defend"
 ]
 timestamp_override = "event.ingested"
-type = "new_terms"
-
+type = "eql"
 query = '''
-host.os.type:"linux" and event.category:"file" and
-event.type:("change" or "file_modify_event" or "creation" or "file_create_event") and
-file.path:/lib/udev/* and process.executable:* and not (
-  process.name:("dockerd" or "docker" or "dpkg" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "systemd-hwdb" or
-  "podman" or "buildah") or file.extension : ("swp" or "swpx")
+file where host.os.type == "linux" and event.action in ("rename", "creation") and
+process.executable != null and
+file.path : (
+  "/lib/udev/*", "/etc/udev/rules.d/*", "/usr/lib/udev/rules.d/*", "/run/udev/rules.d/*"
+) and not (
+  process.executable in (
+    "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
+    "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
+    "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
+    "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
+    "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
+    "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
+    "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon",
+    "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/libexec/netplan/generate"
+  ) or
+  file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
+  file.Ext.original.extension == "dpkg-new" or
+  process.executable : (
+    "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/*", "/usr/libexec/*"
+  ) or
+  (process.name == "sed" and file.name : "sed*") or
+  (process.name == "perl" and file.name : "e2scrub_all.tmp*")
 )
 '''
-
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
-
 
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "process.executable", "file.path"]
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-14d"
-
-