diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index d9fafe68a..189995327 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/02/20" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Adversaries may attempt to disable the iptables or firewall service in an attemp receive or send network traffic. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Attempt to Disable IPTables or Firewall" @@ -46,11 +46,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( /* disable FW */ ( @@ -68,22 +76,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] name = "Impair Defenses" id = "T1562" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] name = "Disable or Modify Tools" id = "T1562.001" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] name = "Defense Evasion" id = "TA0005" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml index 1a7896e5d..1e85a323f 100644 --- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml +++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2023/08/28" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/02/20" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ fine-grained access control policies to restrict the actions and resources that access. Adversaries may disable security tools to avoid possible detection of their tools and activities. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Potential Disabling of AppArmor" @@ -47,13 +47,22 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and event.type == "start" +and ( (process.name == "systemctl" and process.args == "disable" and process.args == "apparmor") or - (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args : "/etc/apparmor.d/disable/") + (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args == "/etc/apparmor.d/disable/") ) ''' diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index a7d4c9760..f415db09f 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/04/22" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/02/20" [rule] author = ["Elastic"] @@ -14,8 +14,8 @@ support access control policies. Adversaries may disable security tools to avoid activities. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] -language = "kuery" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +language = "eql" license = "Elastic License v2" name = "Potential Disabling of SELinux" risk_score = 47 @@ -59,30 +59,36 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" -type = "query" - +type = "eql" query = ''' -event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0 +process where host.os.type == "linux" and event.type in ("start", "process_started") and +process.name == "setenforce" and process.args == "0" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml index bdd999459..23d555b48 100644 --- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml +++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2023/04/11" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.5.0" -updated_date = "2023/11/02" +updated_date = "2024/02/20" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ software, and their presence in the touch command arguments may indicate that a tamper with timestamps of VM-related files and configurations on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "ESXI Timestomping using Touch Command" @@ -52,29 +52,36 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and -process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed") +and process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.006" name = "Timestomp" reference = "https://attack.mitre.org/techniques/T1070/006/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 09ea2aa8f..5990b0993 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/02/20" [rule] author = ["Elastic"] @@ -14,8 +14,8 @@ a network and how. Adversaries may remove these files over the course of an intr remove them at the end as part of the post-intrusion cleanup process. """ from = "now-9m" -index = ["logs-endpoint.events.*"] -language = "kuery" +index = ["logs-endpoint.events.*", "endgame-*"] +language = "eql" license = "Elastic License v2" name = "File Deletion via Shred" risk_score = 21 @@ -47,31 +47,37 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" -type = "query" +type = "eql" query = ''' -event.category:process and host.os.type:linux and event.type:start and process.name:shred and -process.args:("-u" or "--remove" or "-z" or "--zero") and not process.parent.name:logrotate +process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in ( + "-u", "--remove", "-z", "--zero" +) and not process.parent.name == "logrotate" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -