[Tuning] Linux DR Tuning - Part 3 (#3454)
(cherry picked from commit 5e6e4a359b)
This commit is contained in:
Ruben Groenewoud
committed by
github-actions[bot]
github-actions[bot]
parent
aefebccc06
commit
bfe1fd6b20
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -13,7 +13,7 @@ Adversaries may attempt to disable the iptables or firewall service in an attemp
|
||||
receive or send network traffic.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Attempt to Disable IPTables or Firewall"
|
||||
@@ -46,11 +46,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "low"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Defense Evasion",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame"
|
||||
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
|
||||
(
|
||||
/* disable FW */
|
||||
(
|
||||
@@ -68,22 +76,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
name = "Impair Defenses"
|
||||
id = "T1562"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
name = "Disable or Modify Tools"
|
||||
id = "T1562.001"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/001/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
name = "Defense Evasion"
|
||||
id = "TA0005"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2023/08/28"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -14,7 +14,7 @@ fine-grained access control policies to restrict the actions and resources that
|
||||
access. Adversaries may disable security tools to avoid possible detection of their tools and activities.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Disabling of AppArmor"
|
||||
@@ -47,13 +47,22 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "low"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Defense Evasion",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and event.type == "start"
|
||||
and (
|
||||
(process.name == "systemctl" and process.args == "disable" and process.args == "apparmor") or
|
||||
(process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args : "/etc/apparmor.d/disable/")
|
||||
(process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args == "/etc/apparmor.d/disable/")
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2020/04/22"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -14,8 +14,8 @@ support access control policies. Adversaries may disable security tools to avoid
|
||||
activities.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
|
||||
language = "kuery"
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Disabling of SELinux"
|
||||
risk_score = 47
|
||||
@@ -59,30 +59,36 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Defense Evasion",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
type = "eql"
|
||||
query = '''
|
||||
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0
|
||||
process where host.os.type == "linux" and event.type in ("start", "process_started") and
|
||||
process.name == "setenforce" and process.args == "0"
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1562"
|
||||
name = "Impair Defenses"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1562.001"
|
||||
name = "Disable or Modify Tools"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/001/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
name = "Defense Evasion"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2023/04/11"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.5.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -16,7 +16,7 @@ software, and their presence in the touch command arguments may indicate that a
|
||||
tamper with timestamps of VM-related files and configurations on the system.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "ESXI Timestomping using Touch Command"
|
||||
@@ -52,29 +52,36 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Defense Evasion",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
|
||||
process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed")
|
||||
and process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1070"
|
||||
name = "Indicator Removal"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1070.006"
|
||||
name = "Timestomp"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/006/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
name = "Defense Evasion"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -14,8 +14,8 @@ a network and how. Adversaries may remove these files over the course of an intr
|
||||
remove them at the end as part of the post-intrusion cleanup process.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
language = "kuery"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "File Deletion via Shred"
|
||||
risk_score = 21
|
||||
@@ -47,31 +47,37 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "low"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Defense Evasion",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
event.category:process and host.os.type:linux and event.type:start and process.name:shred and
|
||||
process.args:("-u" or "--remove" or "-z" or "--zero") and not process.parent.name:logrotate
|
||||
process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in (
|
||||
"-u", "--remove", "-z", "--zero"
|
||||
) and not process.parent.name == "logrotate"
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1070"
|
||||
name = "Indicator Removal"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1070.004"
|
||||
name = "File Deletion"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/004/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
name = "Defense Evasion"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user