Revert "Prep for next release 8.16 (#3914)"
This reverts commit 4245a815d2.
+9
-9
@@ -2,7 +2,9 @@
|
||||
creation_date = "2023/06/14"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/07/23"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2024/07/18"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
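Review bot: The restored `min_stack_comments` line justifies `min_stack_version = "8.6.0"` with multi-field New Terms support, but this rule's `[rule.new_terms]` block in the last hunk of this file has `value = ["process.executable"]`, a single field, so the stated reason does not match the rule as written. If 8.6 is required for some other feature the rule uses (the osquery transform, for instance), the comment should name it, otherwise it reads as copied from a multi-field rule; something like `min_stack_comments = "<feature actually requiring 8.6> was added in Elastic 8.6"` with the placeholder filled in. The sides of this hunk are inferred from the line counts (the revert re-adds the two min_stack keys and restores the earlier `updated_date`), so confirm against the raw diff.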
@@ -34,10 +36,10 @@ query = "SELECT name, cmdline, parent, path, uid FROM processes"
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious
|
||||
directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of
|
||||
unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a
|
||||
command and control server. Detecting and investigating such behavior can help identify and mitigate potential security
|
||||
threats, protecting the system and its data from potential compromise.
|
||||
directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution
|
||||
of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such
|
||||
as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential
|
||||
security threats, protecting the system and its data from potential compromise.
|
||||
"""
|
||||
from = "now-59m"
|
||||
index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"]
|
||||
@@ -200,15 +202,14 @@ not destination.ip:(
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1071"
|
||||
name = "Application Layer Protocol"
|
||||
reference = "https://attack.mitre.org/techniques/T1071/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0011"
|
||||
name = "Command and Control"
|
||||
@@ -217,8 +218,7 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
|
||||
[rule.new_terms]
|
||||
field = "new_terms_fields"
|
||||
value = ["process.executable"]
|
||||
|
||||
[[rule.new_terms.history_window_start]]
|
||||
field = "history_window_start"
|
||||
value = "now-20d"
|
||||
|
||||
|
||||
|
||||
@@ -2,20 +2,22 @@
|
||||
creation_date = "2023/06/09"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/07/23"
|
||||
updated_date = "2024/07/18"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
label = "Osquery - Retrieve File Listing Information"
|
||||
query = """
|
||||
SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%'
|
||||
OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE '/etc/cron.monthly/%' OR path LIKE
|
||||
'/var/spool/cron/crontabs/%')
|
||||
SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE
|
||||
'/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE
|
||||
'/etc/cron.monthly/%' OR path LIKE '/var/spool/cron/crontabs/%')
|
||||
"""
|
||||
|
||||
[[transform.osquery]]
|
||||
label = "Osquery - Retrieve Cron File Information"
|
||||
query = "SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')\n"
|
||||
query = """
|
||||
SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')
|
||||
"""
|
||||
|
||||
[[transform.osquery]]
|
||||
label = "Osquery - Retrieve Additional File Listing Information"
|
||||
@@ -48,7 +50,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
|
||||
label = "Osquery - Investigate the Account Authentication Status"
|
||||
query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
|
||||
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
@@ -175,7 +176,6 @@ tags = [
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
file where host.os.type == "linux" and
|
||||
event.action in ("rename", "creation") and file.path : (
|
||||
@@ -207,56 +207,56 @@ event.action in ("rename", "creation") and file.path : (
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1053"
|
||||
name = "Scheduled Task/Job"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1053.003"
|
||||
name = "Cron"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/003/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1053"
|
||||
name = "Scheduled Task/Job"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1053.003"
|
||||
name = "Cron"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/003/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0004"
|
||||
name = "Privilege Escalation"
|
||||
reference = "https://attack.mitre.org/tactics/TA0004/"
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1053"
|
||||
name = "Scheduled Task/Job"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1053.003"
|
||||
name = "Cron"
|
||||
reference = "https://attack.mitre.org/techniques/T1053/003/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
|
||||
|
||||
@@ -2,25 +2,46 @@
|
||||
creation_date = "2024/05/17"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/07/23"
|
||||
min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
|
||||
min_stack_version = "8.4.0"
|
||||
updated_date = "2024/05/17"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
label = "Osquery - Retrieve File Listing Information"
|
||||
query = """
|
||||
SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE
|
||||
'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' )
|
||||
SELECT * FROM file WHERE (
|
||||
path LIKE '/etc/systemd/system/%' OR
|
||||
path LIKE '/usr/local/lib/systemd/system/%' OR
|
||||
path LIKE '/lib/systemd/system/%' OR
|
||||
path LIKE '/usr/lib/systemd/system/%' OR
|
||||
path LIKE '/home/user/.config/systemd/user/%'
|
||||
)
|
||||
"""
|
||||
|
||||
[[transform.osquery]]
|
||||
label = "Osquery - Retrieve Additional File Listing Information"
|
||||
query = """
|
||||
SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
|
||||
file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
|
||||
file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
|
||||
JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE
|
||||
'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path
|
||||
LIKE '/home/{{user.name}}/.config/systemd/user/%' )
|
||||
SELECT
|
||||
f.path,
|
||||
u.username AS file_owner,
|
||||
g.groupname AS group_owner,
|
||||
datetime(f.atime, 'unixepoch') AS file_last_access_time,
|
||||
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
|
||||
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
|
||||
datetime(f.btime, 'unixepoch') AS file_created_time,
|
||||
f.size AS size_bytes
|
||||
FROM
|
||||
file f
|
||||
LEFT JOIN users u ON f.uid = u.uid
|
||||
LEFT JOIN groups g ON f.gid = g.gid
|
||||
WHERE (
|
||||
path LIKE '/etc/systemd/system/%' OR
|
||||
path LIKE '/usr/local/lib/systemd/system/%' OR
|
||||
path LIKE '/lib/systemd/system/%' OR
|
||||
path LIKE '/usr/lib/systemd/system/%' OR
|
||||
path LIKE '/home/{{user.name}}/.config/systemd/user/%'
|
||||
)
|
||||
"""
|
||||
|
||||
[[transform.osquery]]
|
||||
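Review bot: The first `[[transform.osquery]]` query hard-codes `'/home/user/.config/systemd/user/%'` while the second query in the same hunk uses `'/home/{{user.name}}/.config/systemd/user/%'`; the literal path only matches a host that actually has an account named `user`, so the file-listing query silently skips the per-user systemd unit directory of the account involved in the alert. Both sides of the hunk carry the literal, so the revert does not introduce it, but the restored version keeps it. I would change that line to `path LIKE '/home/{{user.name}}/.config/systemd/user/%'` so both queries resolve the same directory.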
@@ -47,11 +68,10 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
|
||||
label = "Osquery - Investigate the Account Authentication Status"
|
||||
query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
|
||||
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. Malicious
|
||||
Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. Malicious
|
||||
actors can leverage systemd services to achieve persistence by creating or modifying service files to execute malicious
|
||||
commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional
|
||||
malicious activities, or evade detection.
|
||||
@@ -134,7 +154,7 @@ This rule monitors the execution of the systemctl binary to start, enable or ree
|
||||
"""
|
||||
references = [
|
||||
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage",
|
||||
"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
|
||||
"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "b605f262-f7dc-41b5-9ebc-06bafe7a83b6"
|
||||
@@ -165,16 +185,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Persistence",
|
||||
"Tactic: Privilege Escalation",
|
||||
"Data Source: Elastic Defend",
|
||||
]
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Persistence",
|
||||
"Tactic: Privilege Escalation",
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
host.os.type:linux and event.category:process and event.type:start and event.action:exec and
|
||||
process.executable:/usr/bin/systemctl and process.args:(enable or reenable or start) and
|
||||
@@ -193,37 +212,37 @@ not (
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1543"
|
||||
name = "Create or Modify System Process"
|
||||
reference = "https://attack.mitre.org/techniques/T1543/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1543.002"
|
||||
name = "Systemd Service"
|
||||
reference = "https://attack.mitre.org/techniques/T1543/002/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1543"
|
||||
name = "Create or Modify System Process"
|
||||
reference = "https://attack.mitre.org/techniques/T1543/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1543.002"
|
||||
name = "Systemd Service"
|
||||
reference = "https://attack.mitre.org/techniques/T1543/002/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0004"
|
||||
name = "Privilege Escalation"
|
||||
@@ -232,8 +251,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
|
||||
[rule.new_terms]
|
||||
field = "new_terms_fields"
|
||||
value = ["process.parent.executable"]
|
||||
|
||||
[[rule.new_terms.history_window_start]]
|
||||
field = "history_window_start"
|
||||
value = "now-7d"
|
||||
|
||||
|
||||
|
||||
@@ -2,7 +2,9 @@
|
||||
creation_date = "2024/03/06"
|
||||
integration = ["auditd_manager"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/07/23"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2024/03/06"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -41,33 +43,32 @@ tags = [
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
event.category:authentication and host.os.type:linux and event.action:authenticated and event.outcome:success and
|
||||
auditd.data.grantors:(* and not (pam_rootok or *pam_cap* or *pam_permit*))
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1543"
|
||||
name = "Create or Modify System Process"
|
||||
reference = "https://attack.mitre.org/techniques/T1543/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1556"
|
||||
name = "Modify Authentication Process"
|
||||
reference = "https://attack.mitre.org/techniques/T1556/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0006"
|
||||
name = "Credential Access"
|
||||
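Review bot: The first `[[rule.threat]]` entry maps the Persistence tactic to T1543 (Create or Modify System Process), which does not describe what the query detects: a successful authentication granted by an unexpected PAM module, i.e. a modified authentication process. T1556 (Modify Authentication Process), already used in the second entry under Credential Access, is also listed under Persistence in ATT&CK as far as I recall, so the first technique block could reference T1556 instead; confirm against the rule's intended coverage before changing the mapping. The hunk is whitespace-only on both sides, so this is pre-existing rather than introduced by the revert.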
@@ -76,8 +77,7 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
|
||||
[rule.new_terms]
|
||||
field = "new_terms_fields"
|
||||
value = ["auditd.data.grantors", "agent.id"]
|
||||
|
||||
[[rule.new_terms.history_window_start]]
|
||||
field = "history_window_start"
|
||||
value = "now-14d"
|
||||
|
||||
|
||||
|
||||