[Rule Tuning] Linux DR Tuning - 4 (#5484)

* [Rule Tuning] Linux DR Tuning - 4

* Update defense_evasion_file_mod_writable_dir.toml

* Update command_and_control_frequent_egress_netcon_from_sus_executable.toml

* Remove duplicate host.name entry in TOML file

* Fix formatting in defense_evasion_file_mod_writable_dir.toml

* Update command_and_control_frequent_egress_netcon_from_sus_executable.toml

* Add additional fields to base64 decoding activity rule

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Ruben Groenewoud
2026-01-08 10:11:05 +01:00
parent b13afcdeaa
commit c2747b0b29
21 changed files with 261 additions and 231 deletions
@@ -2,7 +2,7 @@
creation_date = "2025/02/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/09/02"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -92,9 +92,9 @@ tags = [
timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-endpoint.events.network-*
from logs-endpoint.events.network-* metadata _id, _index, _version
| mv_expand event.action
| where
@timestamp > now() - 1h and
host.os.type == "linux" and
event.type == "start" and
event.action == "connection_attempted" and
@@ -127,6 +127,9 @@ from logs-endpoint.events.network-*
)
| keep
@timestamp,
_id,
_index,
_version,
host.os.type,
event.type,
event.action,
@@ -134,18 +137,22 @@ from logs-endpoint.events.network-*
process.executable,
destination.ip,
agent.id,
host.name
host.name,
event.dataset,
data_stream.namespace
| stats
Esql.event_count = count(),
Esql.agent_id_count_distinct = count_distinct(agent.id),
Esql.host_name_values = values(host.name),
Esql.agent_id_values = values(agent.id)
Esql.agent_id_values = values(agent.id),
Esql.event_dataset_values = values(event.dataset),
Esql.data_stream_namespace_values = values(data_stream.namespace)
by process.executable
| where
Esql.agent_id_count_distinct == 1 and
Esql.event_count > 15
| sort Esql.event_count asc
| limit 100
'''
[[rule.threat]]
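Review bot: The `_id`, `_index` and `_version` columns added to the `| keep` list do not survive the `| stats ... by process.executable` that follows, since ES|QL keeps only aggregated columns and grouping keys past a `stats`, so they never reach the alert document. If the `metadata _id, _index, _version` clause is meant to give the detection engine per-event identifiers, an aggregating query cannot provide them; if it is only there to satisfy a repository-wide convention, a one-line query comment such as `// metadata columns are dropped by the stats below; kept for convention` would save the next reader the same question. The same applies to the later ES|QL hunk over `logs-endpoint.events.process-*`. Unrelated to this change, `| sort Esql.event_count asc | limit 100` surfaces the 100 least frequent executables that cleared the threshold, which for a rule about frequent egress looks inverted; `desc` would keep the noisiest ones when more than 100 groups qualify.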
@@ -2,11 +2,15 @@
creation_date = "2024/08/23"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
description = "This rule detects Linux Access Control List (ACL) modification via the setfacl command.\n"
description = """
This rule detects Linux Access Control List (ACL) modification via the setfacl command. Attackers may
use the setfacl utility to modify file and directory permissions in order to evade detection and maintain
persistence on a compromised system.
"""
from = "now-9m"
index = [
"auditbeat-*",
@@ -72,34 +76,36 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "setfacl" and not (
?process.parent.executable in (
"/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/dirsrv/ds_systemd_ask_password_acl", "/usr/lib/systemd/systemd-udevd",
"/usr/bin/udevadm", "/usr/sbin/ds_systemd_ask_password_acl", "/usr/bin/su", "/bin/su"
) or
process.command_line == "/bin/setfacl --restore=-" or
process.args == "/var/log/journal/" or
process.parent.name in ("stats.pl", "perl", "find") or
process.parent.command_line like~ "/bin/sh -c *ansible*"
?process.parent.name in ("stats.pl", "perl", "find") or
?process.parent.command_line like~ "*ansible*" or
?process.parent.args == "/opt/audit-log-acl.sh"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"
[[rule.threat.technique.subtechnique]]
id = "T1222.002"
name = "Linux and Mac File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/002/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
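Review bot: The exclusion `?process.parent.command_line like~ "*ansible*"` replaces the previously anchored `"/bin/sh -c *ansible*"`, so any parent whose command line contains the substring `ansible` anywhere, in any case, now exempts a `setfacl` execution; because a parent's command line is chosen by whoever launched it, this is a much weaker property to exclude on than the `?process.parent.executable` paths listed above it. If the goal was to cover Ansible runs that do not go through `/bin/sh -c`, anchoring the pattern on the parent executable path or on a more specific command-line prefix keeps the intent without the bare substring match. The new `?process.parent.args == "/opt/audit-log-acl.sh"` entry looks deployment-specific and would benefit from a short query comment naming which environment needed it.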
@@ -2,7 +2,7 @@
creation_date = "2024/08/28"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -54,7 +54,7 @@ Auditd is a critical Linux service responsible for system auditing and logging,
- Apply any necessary security patches or updates to the affected system to address vulnerabilities that may have been exploited by the adversary.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected.
- Implement enhanced monitoring and alerting for similar activities across the network to detect and respond to future attempts to disable critical security services."""
risk_score = 21
risk_score = 47
rule_id = "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf"
setup = """## Setup
@@ -81,7 +81,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -95,33 +95,31 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and (
(process.name == "service" and process.args == "stop") or
(process.name == "chkconfig" and process.args == "off") or
(process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
(process.name == "update-rc.d" and process.args in ("remove", "disable")) or
(process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask"))
) and
process.args in ("auditd", "auditd.service") and
not process.parent.name == "auditd.prerm"
not ?process.parent.name == "auditd.prerm"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2023/02/22"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -51,7 +51,7 @@ Firewalls like IPTables on Linux systems are crucial for controlling network tra
- Implement additional monitoring and alerting for similar activities across the network to detect and respond to future attempts to disable firewall services promptly.
- Review and update firewall policies and configurations to enhance security measures and prevent similar defense evasion tactics in the future."""
references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
risk_score = 21
risk_score = 47
rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f"
setup = """## Setup
@@ -78,7 +78,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -91,43 +91,43 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and
(
(
/* disable FW */
(
(process.name == "ufw" and process.args == "disable") or
(process.name == "iptables" and process.args in ("-F", "--flush", "-X", "--delete-chain") and process.args_count == 2) or
(process.name in ("iptables", "ip6tables") and process.parent.args == "force-stop")
) or
(
(process.name == "ufw" and process.args == "disable") or
(process.name == "iptables" and process.args in ("-F", "--flush", "-X", "--delete-chain") and process.args_count == 2) or
(process.name in ("iptables", "ip6tables") and process.parent.args == "force-stop")
) or
/* stop FW service */
(
((process.name == "service" and process.args == "stop") or
(process.name == "chkconfig" and process.args == "off") or
(process.name == "systemctl" and process.args in ("disable", "stop", "kill"))) and
(
(
(process.name == "service" and process.args == "stop") or
(process.name == "chkconfig" and process.args == "off") or
(process.name == "update-rc.d" and process.args in ("remove", "disable")) or
(process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask"))
) and
process.args in ("firewalld", "ip6tables", "iptables", "firewalld.service", "ip6tables.service", "iptables.service")
)
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
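Review bot: `process.parent.args == "force-stop"` in this firewall query and `process.parent.name == "rsyslog-rotate"` in the syslog rule's hunk are left without the `?` prefix, while every other parent-field reference this commit touches (setfacl, auditd, chattr, AppArmor) was converted to the optional `?process.parent.*` form. If that conversion was deliberate for index patterns in which parent fields may be unmapped, these two are inconsistent with it; `?process.parent.args == "force-stop"` and `?process.parent.name == "rsyslog-rotate"` would align them. The syslog hunk's `not (` exclusion group continues past the end of that hunk, so its remaining entries were not reviewed.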
@@ -2,13 +2,13 @@
creation_date = "2020/04/27"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/09/29"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
description = """
Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade
detection by security controls.
Syslog is a critical component in Linux environments, responsible for logging system events and activities. Adversaries
may attempt to disable the syslog service to disrupt event logging and evade detection by security controls.
"""
from = "now-9m"
index = [
@@ -110,11 +110,14 @@ tags = [
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
( (process.name == "service" and process.args == "stop") or
(process.name == "chkconfig" and process.args == "off") or
(process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
) and process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service") and
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and (
(process.name == "service" and process.args == "stop") or
(process.name == "chkconfig" and process.args == "off") or
(process.name == "update-rc.d" and process.args in ("remove", "disable")) or
(process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask"))
) and
process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service") and
not (
process.parent.name == "rsyslog-rotate" or
process.args == "HUP"
@@ -2,7 +2,7 @@
creation_date = "2025/02/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/05/15"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -96,7 +96,8 @@ not (
process.executable in (
"/usr/bin/google_guest_agent", "/usr/bin/dockerd", "/bin/dockerd", "/usr/bin/containerd"
) or
process.executable like~ "/nix/store/*"
process.executable like~ "/nix/store/*" or
file.path like~ ("*backup*", "*ansible*", "*puppet*")
)
'''
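Review bot: The new `file.path like~ ("*backup*", "*ansible*", "*puppet*")` exclusion matches the substring anywhere in the path, case-insensitively, so a file written to a writable directory whose name merely contains one of those words is exempted regardless of which process wrote it. The existing entries in this `not (` group key on `process.executable`, which the writer of a file cannot choose freely; a path-only substring is a weaker property to exclude on. If these come from known tools, anchoring them as directory prefixes (for example a pattern like `"/var/backups/*"`) or pairing each with the parent process would stop the exclusion from generalizing. The enclosing `not (` group starts before this hunk.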
@@ -2,11 +2,15 @@
creation_date = "2020/04/17"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
description = "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls."
description = """
Base16 and Base32 are encoding schemes that convert binary data into text, making it easier to transmit and store. This rule
monitors for Base16 or Base32 encoding and decoding activity on Linux systems. Attackers may use these encoding schemes to
obfuscate malicious payloads, evade detection, and facilitate data exfiltration.
"""
false_positives = [
"""
Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be
@@ -60,7 +64,7 @@ Base16 and Base32 are encoding schemes used to convert binary data into text, fa
- Restore any affected files or systems from known good backups to ensure system integrity and data accuracy.
- Update and patch the affected system to close any vulnerabilities that may have been exploited by the adversary.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
risk_score = 21
risk_score = 47
rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
setup = """## Setup
@@ -99,7 +103,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -114,17 +118,16 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name in ("base16", "base32", "base32plain", "base32hex") and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name in ("base16", "base32", "base32plain", "base32hex") and
not process.args in ("--help", "--version")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
@@ -135,9 +138,7 @@ id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2025/02/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -92,11 +92,10 @@ tags = [
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-endpoint.events.process-*
from logs-endpoint.events.process-* metadata _id, _index, _version
| mv_expand event.action
| where
@timestamp > now() - 1h and
host.os.type == "linux" and
event.type == "start" and
event.action == "exec" and (
@@ -134,30 +133,40 @@ from logs-endpoint.events.process-*
)
| keep
@timestamp,
_id,
_index,
_version,
host.os.type,
event.type,
event.action,
process.name,
process.args,
process.command_line,
process.parent.name,
process.parent.command_line,
agent.id,
host.name
host.name,
event.dataset,
data_stream.namespace
| stats
Esql.event_count = count(),
Esql.process_parent_name_values = values(process.parent.name),
Esql.process_parent_command_line_values = values(process.parent.command_line),
Esql.agent_id_count_distinct = count_distinct(agent.id),
Esql.host_name_values = values(host.name),
Esql.agent_id_values = values(agent.id)
Esql.agent_id_values = values(agent.id),
Esql.event_dataset_values = values(event.dataset),
Esql.data_stream_namespace_values = values(data_stream.namespace)
by process.name, process.command_line
| where
Esql.agent_id_count_distinct == 1 and
Esql.event_count < 15
| sort Esql.event_count asc
| limit 100
'''
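Review bot: `process.args` is retained in the `| keep` list but is neither a grouping key nor aggregated in the `| stats`, so it is dropped from the result and never appears in the alert; either add `Esql.process_args_values = values(process.args),` beside the parent-name and parent-command-line aggregates or remove it from `keep`. The `process.parent.name` and `process.parent.command_line` columns are carried through with `values(...)`, so this looks like an oversight rather than an intended pattern.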
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
@@ -168,36 +177,35 @@ id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -2,7 +2,7 @@
creation_date = "2023/08/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/05/05"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -58,43 +58,17 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and process.name != null and
file where host.os.type == "linux" and event.action in ("rename", "creation") and process.name in ("cp", "mv") and
file.Ext.original.path : (
"/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/sbin/*", "/usr/sbin/*", "/usr/local/sbin/*"
) and not (
process.executable in (
"/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
"/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
"/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
"/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
"/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
"/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
"/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon",
"/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/libexec/netplan/generate",
"/usr/bin/update-alternatives", "/bin/update-alternatives", "/usr/sbin/update-alternatives",
"/sbin/update-alternatives", "/usr/bin/pip3", "/bin/pip3", "/usr/local/bin/pip3", "/usr/local/bin/node",
"/bin/node", "/usr/bin/node", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/pip", "/bin/pip",
"/usr/local/bin/pip", "/usr/libexec/platform-python", "/usr/bin/platform-python", "/bin/platform-python",
"/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/sbin/sshd", "/usr/local/sbin/sshd", "/usr/sbin/crond", "/sbin/crond",
"/usr/local/sbin/crond", "/usr/sbin/gdm"
) or
process.name like (
"python*", "packagekitd", "systemd", "ln", "platform-python", "dnf_install", "runc", "apt-get", "ssm-agent-worker",
"convert-usrmerge", "updatenow.static-cpanelsync", "apk", "exe", "php", "containerd-shim-runc-v2", "dpkg", "sed",
"platform-python*", "gedit", "crond", "sshd", "ruby", "sudo", "chainctl", "update-alternatives", "pip*", "microdnf",
"rsync", "convert2rhel", "convert-usr-merge"
) or
file.Ext.original.path : (
"/bin/*.tmp", "/usr/bin/*.tmp", "/usr/local/bin/*.tmp", "/sbin/*.tmp", "/usr/sbin/*.tmp", "/usr/local/sbin/*.tmp"
) or
file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
file.Ext.original.extension == "dpkg-new" or
process.executable : ("/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*") or
process.executable == null or
(process.name == "sed" and file.name : "sed*") or
(process.name == "perl" and file.name : "e2scrub_all.tmp*")
process.executable : ("/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/tmp/newroot/*")
)
'''
note = """## Triage and analysis
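Review bot: The new predicate pairs `event.action in ("rename", "creation")` with `file.Ext.original.path : (...)`, but `file.Ext.original.path` is the pre-rename source path, and nothing in this hunk shows it is populated on `creation` events produced by `cp`; if Elastic Defend leaves it empty on creations, the `"creation"` branch can never match and the added `cp` coverage is only nominal. Worth confirming against a recorded copy out of one of the listed directories, and if creation events carry only `file.path`, the condition needs a separate branch on that field. The hunk also drops `event.type == "change"` and the former `process.executable == null` exclusion; as rendered, the large exclusion list cannot be split cleanly into old and new lines, so which entries survive was not reviewed.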
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2022/07/22"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "sentinel_one_cloud_funnel", "auditd_manager", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -13,7 +13,14 @@ opened in write mode. Threat actors will commonly utilize this to prevent tamper
files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).
"""
from = "now-9m"
index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
index = [
"auditbeat-*",
"endgame-*",
"logs-auditd_manager.auditd-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
max_signals = 33
@@ -103,38 +110,44 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and process.parent.executable != null and
process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and not (
process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd") or
process.parent.name in (
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
?process.parent.executable != null and
process.name == "chattr" and process.args : ("-*i*", "+*i*") and
not (
?process.parent.executable: (
"/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd", "/usr/local/emps/sbin/php-fpm",
"/usr/local/emps/bin/php"
) or
?process.parent.name in (
"systemd", "cf-agent", "ntpdate", "xargs", "px", "preinst", "auth", "cf-agent", "dcservice", "dcagentupgrader",
"sudo", "ephemeral-disk-warning"
)
) or
process.args like "/opt/ai-bolit/*"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"
[[rule.threat.technique.subtechnique]]
id = "T1222.002"
name = "Linux and Mac File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/002/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
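Review bot: `?process.parent.executable != null` is kept as a hard requirement while `auditd_manager` and `crowdstrike` are added as integrations and index patterns; if those sources do not populate `process.parent.executable` (the commit itself treats the field as optional with `?`), their events fail this clause and the new index patterns add no detections. Either confirm both sources carry the field or make the requirement conditional on the datasets that do. Separately, `"cf-agent"` appears twice in the `?process.parent.name in (...)` list; the duplicate is harmless but should be removed.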
@@ -2,13 +2,14 @@
creation_date = "2023/10/24"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
description = """
Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events
to evade detection after installing a Linux kernel module (LKM).
to evade detection after installing a Linux kernel module (LKM). This activity is commonly observed by intrusions that
leverage kernel-level rootkits to maintain persistence on a compromised host.
"""
from = "now-9m"
index = [
@@ -55,7 +56,7 @@ The kernel ring buffer logs system messages, crucial for diagnosing issues. Adve
- Implement enhanced monitoring and logging for the affected system to detect any future attempts to clear the kernel ring buffer or similar evasion tactics.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Conduct a post-incident review to identify gaps in detection and response, and update security policies and procedures to prevent recurrence."""
risk_score = 21
risk_score = 73
rule_id = "2724808c-ba5d-48b2-86d2-0002103df753"
setup = """## Setup
@@ -82,7 +83,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -97,38 +98,36 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started")
and process.name == "dmesg" and process.args in ("-c", "--clear")
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "dmesg" and process.args in ("-c", "--clear")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.002"
name = "Clear Linux or Mac System Logs"
reference = "https://attack.mitre.org/techniques/T1070/002/"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
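Review bot: The new description sentence reads `This activity is commonly observed by intrusions that leverage kernel-level rootkits`; the activity is observed *in* intrusions, not *by* them, so `commonly observed in intrusions that leverage kernel-level rootkits` is the intended wording. Since the severity moves to `high` in the same commit, the description is also the natural place to say why clearing the ring buffer warrants that level, for instance a short clause noting that the cleared buffer is where module-load messages would otherwise remain. This is a documentation-only comment; the query change is a reformat.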
@@ -2,13 +2,14 @@
creation_date = "2023/08/23"
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
description = """
Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt
to evade detection.
to evade detection. This behavior is often observed in attempts to conceal malicious files or maintain persistence on
a compromised system.
"""
from = "now-9m"
index = [
@@ -56,9 +57,9 @@ In Unix-like systems, the 'hidden' flag can be set on files to conceal them from
- Implement file integrity monitoring to detect unauthorized changes to file attributes, including the hidden flag, on critical systems.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
- Update and enhance endpoint detection and response (EDR) solutions to improve detection capabilities for similar threats in the future."""
risk_score = 21
risk_score = 47
rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97"
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -73,27 +74,24 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.001"
name = "Hidden Files and Directories"
reference = "https://attack.mitre.org/techniques/T1564/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
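Review bot: The description now says the rule identifies adding the `'hidden'` flag, but the query `file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags"` fires on any file creation attributed to `chflags` with no check on `process.args` for the flag being set, so the description overstates what is tested and the bump to `medium` applies to every `chflags` invocation that emits a creation event. Either constrain the query on the flag argument the description names (`hidden`) or reword the description to say the rule detects `chflags` use generally. Why a file *creation* event is the expected signal for a flag change is also not obvious from the query; a one-line comment there would help.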
@@ -2,7 +2,7 @@
creation_date = "2024/11/01"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -97,32 +97,32 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "start", "ProcessRollup2", "exec_event") and process.name == "mkdir" and
process.args like ("/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/sbin/*", "/usr/sbin/*", "/usr/local/sbin/*") and
not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir")
event.action in ("exec", "start", "ProcessRollup2", "exec_event") and process.name == "mkdir" and
process.args like ("/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/sbin/*", "/usr/sbin/*", "/usr/local/sbin/*") and
not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir", "/usr/local/bin/cursor", "/usr/bin/coreutils") and
not process.parent.executable in ("/usr/bin/make", "/bin/make")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.001"
name = "Hidden Files and Directories"
reference = "https://attack.mitre.org/techniques/T1564/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
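Review bot: `not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir", "/usr/local/bin/cursor", "/usr/bin/coreutils")` exempts the whole event when any single argument equals a listed path, so an invocation creating several directories is excluded as long as one of them is allow-listed; the firewall rule in this same commit bounds a similar `in` test with `process.args_count == 2`, and a comparable bound here would keep the exclusion to the single-target case. The new `process.parent.executable in ("/usr/bin/make", "/bin/make")`, like `process.parent.args` in the firewall rule, lacks the `?` prefix this commit introduces elsewhere; `?process.parent.executable` would match the others. A short query comment naming what the `cursor` and `coreutils` paths are excluding (presumably installer activity) would help future tuning.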
@@ -130,4 +130,3 @@ framework = "MITRE ATT&CK"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -2,7 +2,7 @@
creation_date = "2023/08/28"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -58,7 +58,7 @@ AppArmor is a Linux security module that enforces strict access controls, limiti
- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected.
- Implement enhanced monitoring on the affected system and similar environments to detect any future attempts to disable AppArmor or other security controls.
- Review and update access controls and permissions to ensure that only authorized personnel can modify security settings, reducing the risk of similar incidents."""
risk_score = 21
risk_score = 73
rule_id = "fac52c69-2646-4e79-89c0-fd7653461010"
setup = """## Setup
@@ -85,7 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -100,34 +100,33 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
(
(process.name == "systemctl" and process.args in ("stop", "disable", "kill") and process.args in ("apparmor", "apparmor.service")) or
(process.name == "service" and process.args == "apparmor" and process.args == "stop") or
(process.name == "chkconfig" and process.args == "apparmor" and process.args == "off") or
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
(
(process.name == "service" and process.args == "stop") or
(process.name == "chkconfig" and process.args == "off") or
(process.name == "update-rc.d" and process.args in ("remove", "disable")) or
(process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask")) or
(process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args == "/etc/apparmor.d/disable/")
)
) and
not ?process.parent.executable == "/opt/puppetlabs/puppet/bin/ruby"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
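Review bot: In the visible new-side lines the `service`, `chkconfig`, `update-rc.d` and `systemctl` branches no longer carry an AppArmor argument (the old lines paired each with `process.args == "apparmor"` or `process.args in ("apparmor", "apparmor.service")`), so unless an enclosing apparmor term sits on a line this rendering dropped, the rule now fires on any service being stopped, disabled or masked — a large false-positive surface for a rule this commit also raises to high severity. Please confirm that constraint survived; if it did not, either restore it per branch or add one outer term such as `process.args in ("apparmor", "apparmor.service") and` ahead of the inner `(` grouping. Separately, the `ln` branch's exact match `process.args == "/etc/apparmor.d/disable/"` misses the equally common form that spells out the link name (`ln -s /etc/apparmor.d/usr.sbin.foo /etc/apparmor.d/disable/usr.sbin.foo`); `process.args like "/etc/apparmor.d/disable/*"` covers both. The `+`/`-` markers are not preserved in this hunk, so the old/new split above is inferred from line order.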
@@ -2,7 +2,7 @@
creation_date = "2020/04/22"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -57,7 +57,7 @@ SELinux is a critical security feature in Linux environments, enforcing access c
- Scan the affected system for malware or unauthorized software installations using a trusted antivirus or endpoint detection and response (EDR) tool.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
- Implement additional monitoring and alerting for similar SELinux-related events to enhance detection capabilities and prevent recurrence."""
risk_score = 47
risk_score = 73
rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
setup = """## Setup
@@ -96,7 +96,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
"""
severity = "medium"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -111,29 +111,26 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "setenforce" and process.args == "0"
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "setenforce" and process.args == "0"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2024/08/28"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -51,7 +51,7 @@ Doas is a command-line utility on Linux systems that allows users to execute com
- Apply patches and updates to the affected system to address any vulnerabilities that may have been exploited by the adversary.
- Review and enhance access controls and authentication mechanisms to prevent unauthorized privilege escalation attempts in the future."""
references = ["https://wiki.archlinux.org/title/Doas"]
risk_score = 21
risk_score = 47
rule_id = "26a726d7-126e-4267-b43d-e9a70bfdee1e"
setup = """## Setup
@@ -78,7 +78,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -91,27 +91,24 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type != "deletion" and file.path == "/etc/doas.conf"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,21 +2,21 @@
creation_date = "2024/08/08"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/09/29"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
description = """
Detects the creation or modification of files related to the configuration of the dynamic linker on Linux systems.
The dynamic linker is a shared library that is used by the Linux kernel to load and execute programs. Attackers may
attempt to hijack the execution flow of a program by modifying the dynamic linker configuration files. This technique
is often observed by userland rootkits that leverage shared objects to maintain persistence on a compromised host.
Detects the creation of files related to the configuration of the dynamic linker on Linux systems. The dynamic linker
is a shared library that is used by the Linux kernel to load and execute programs. Attackers may attempt to hijack
the execution flow of a program by modifying the dynamic linker configuration files. This technique is often observed
by userland rootkits that leverage shared objects to maintain persistence on a compromised host.
"""
from = "now-9m"
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Dynamic Linker Creation or Modification"
name = "Dynamic Linker Creation"
risk_score = 47
rule_id = "640f79d1-571d-4f96-a9af-1194fc8cf763"
setup = """## Setup
@@ -57,8 +57,8 @@ tags = [
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("creation", "rename") and
file.path : ("/etc/ld.so.preload", "/etc/ld.so.conf.d/*", "/etc/ld.so.conf") and
file where host.os.type == "linux" and event.action == "creation" and
file.path like ("/etc/ld.so.preload", "/etc/ld.so.conf.d/*", "/etc/ld.so.conf") and
not (
process.executable in (
"/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
@@ -2,7 +2,7 @@
creation_date = "2020/04/27"
integration = ["auditd_manager", "crowdstrike", "endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/12/01"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -57,7 +57,7 @@ The `shred` command in Linux is used to securely delete files by overwriting the
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized use of `shred` or similar file deletion tools.
- Review and update endpoint security configurations to prevent unauthorized execution of file deletion commands by non-administrative users."""
risk_score = 21
risk_score = 47
rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
setup = """## Setup
@@ -84,7 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -99,7 +99,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "shred" and (
@@ -110,20 +109,19 @@ process.args in ("--remove", "--zero")
not process.parent.name == "logrotate"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.004"
name = "File Deletion"
reference = "https://attack.mitre.org/techniques/T1070/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
@@ -2,7 +2,7 @@
creation_date = "2020/04/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/24"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "File Permission Modification in Writable Directory"
risk_score = 21
risk_score = 73
rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
setup = """## Setup
@@ -60,7 +60,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
"""
severity = "low"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -71,12 +71,21 @@ tags = [
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:linux and event.category:process and event.type:start and
process.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and
not process.parent.name:(
apt-key or update-motd-updates-available or apt-get or java or pilot or PassengerAgent or nginx
host.os.type:"linux" and event.category:process and event.type:"start" and event.action:"exec" and
process.name:("chattr" or "chgrp" or "chmod") and process.working_directory:("/dev/shm" or "/tmp" or "/var/tmp") and
not (
process.args:(
"+r" or "640" or /tmp/apt-key-gpghome* or "/usr/bin/coreutils" or "/opt/eset/eei/uninstall.sh" or /tmp/era.repository.*.bin
) or
process.parent.args:"/var/illumio_pce/illumio/scripts/consul" or
process.parent.name:(
apt-key or update-motd-updates-available or apt-get or java or pilot or PassengerAgent or nginx
) or
process.parent.executable:(
"/usr/local/bin/afb-ssh-setup-keys.sh" or "/usr/local/bin/afb-ssh-setup-keys.sh" or "/opt/puppetlabs/puppet/bin/ruby" or
"/usr/sbin/update-exim4.conf" or "/bin/dracut"
)
)
'''
note = """## Triage and analysis
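Review bot: The new exclusion `process.args:("+r" or "640" or ...)` suppresses the alert whenever any single argument matches, which is a one-token bypass: `chmod +x /tmp/payload 640` still makes the payload executable (chmod applies the mode to the first operand before failing on the second) yet is excluded by the `640` term. Prefer the parent-based exclusions the query already uses, or a `process.command_line` pattern that pins the whole invocation, over loose mode/flag values. `"/usr/local/bin/afb-ssh-setup-keys.sh"` is listed twice in `process.parent.executable`; drop one copy. `chown` also appears to have been dropped from `process.name` relative to the unquoted (old) line above — if deliberate, a sentence in the rule `note` explaining why would stop the next tuner from re-adding it. The setup text still describes Auditbeat while `index` is `logs-endpoint.events.*` only; that predates this commit, but adding `event.action:"exec"` (rather than the multi-source action list the other rules in this change use) makes the inconsistency worth reconciling now.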
@@ -114,15 +123,14 @@ In Linux environments, writable directories like /tmp or /var/tmp are often used
- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for file permission changes in writable directories to detect similar threats in the future."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
@@ -131,8 +139,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.parent.executable", "process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
value = "now-5d"
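Review bot: Shortening `history_window_start` from 14 to 5 days means a (host, parent executable, command line) tuple last seen six or more days ago counts as new again, so any weekly or fortnightly job that runs `chmod`/`chgrp`/`chattr` under `/tmp` or `/dev/shm` re-alerts on every run — and the same commit raises the alert to high severity. If the shorter window is intended to re-fire on returning activity, say so in the rule note; otherwise `value = "now-14d"` was the safer default for weekly maintenance cadences.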
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/04/29"
integration = ["endpoint", "crowdstrike"]
integration = ["auditd_manager", "crowdstrike", "endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/10/17"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -11,7 +11,14 @@ This rule detects when a process executes a command line containing hexadecimal
hexadecimal encoding to obfuscate their payload and evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
index = [
"auditbeat-*",
"endgame-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"logs-auditd_manager.auditd-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Hex Payload Execution via Command-Line"
@@ -83,17 +90,22 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Tactic: Execution",
"Data Source: Auditd Manager",
"Data Source: Elastic Defend",
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
?process.parent.executable != null and
process.command_line : "*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*" and
length(process.command_line) > 50
length(process.command_line) > 50 and
not process.name in ("snap", "printf", "sed")
'''
[[rule.threat]]
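Review bot: `not process.name in ("snap", "printf", "sed")` removes `printf` wholesale, yet `printf '\x7f\x45\x4c\x46...' > /tmp/x` is one of the most direct ways a hex-encoded command line becomes bytes on disk, so the exclusion blinds the rule to a primary variant of the very technique it names. If the noise comes from specific scripts, exclude on the parent (`?process.parent.executable` or `?process.parent.args`) as the hex-decoding rule later in this change does, rather than on the decoder's own name; at minimum keep `printf` out of the list and add a `//` comment in the query recording where the `sed`/`snap` noise comes from. The `[[rule.threat]]` section that follows continues outside this hunk.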
@@ -2,7 +2,7 @@
creation_date = "2024/11/04"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/04/29"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -97,23 +97,37 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
(
(process.name == "xxd" and process.args like ("-r*", "-p*")) or
(process.name like "python*" and process.command_line like "*fromhex*" and process.command_line like ("*decode*", "*encode*")) or
(process.name like "php*" and process.command_line like "*hex2bin*") or
(process.name like "ruby*" and process.command_line like "*].pack(\"H*\")*") or
(process.name like "perl*" and process.command_line like "*pack(\"H*\",*") or
(process.name like "lua*" and process.command_line like "*tonumber(cc, 16)*")
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
(
(process.name == "xxd" and process.args like ("-r*", "-p*")) or
(process.name like "python*" and process.command_line like "*fromhex*" and process.command_line like ("*decode*", "*encode*")) or
(process.name like "php*" and process.command_line like "*hex2bin*") or
(process.name like "ruby*" and process.command_line like "*].pack(\"H*\")*") or
(process.name like "perl*" and process.command_line like "*pack(\"H*\",*") or
(process.name like "lua*" and process.command_line like "*tonumber(cc, 16)*")
) and
not (
// Vulnerability scanning tools scanning for xz-backdoor
process.command_line like ("*liblzma*", "*xz*") or
?process.parent.args like (
"/srv/acme/acme.sh", "/home/*/.acme.sh/acme.sh", "/opt/custom-nagios-plugins/check_rad_eap",
"/usr/bin/testssl", "./testssl.sh", "/root/.acme.sh/acme.sh"
) or
?process.parent.args like "printf*" or
?process.working_directory in (
"/home/prtg-ssh",
"/home/svc-acas-lnx",
"/tmp/newroot/home/svc-acas-lnx",
"/var/prtg/scriptsxml"
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
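Review bot: The new exclusion `process.command_line like ("*liblzma*", "*xz*")` suppresses the entire rule for any command line containing the two characters `xz` anywhere — a file named `xz.py`, a path under `/tmp/xzq`, or just a trailing `#xz` appended by the attacker — so the xz-backdoor scanner carve-out is a one-token bypass for every decoder branch (`xxd -r`, `fromhex`, `hex2bin`, `pack("H*")`). Keep only `"*liblzma*"`, or pin the scanner by its `?process.parent.executable` or the exact argument it passes, and apply the same scrutiny to `?process.parent.args like "printf*"`, which is nearly as broad. The `?process.working_directory` entries (`/home/prtg-ssh`, `/home/svc-acas-lnx`, ...) are host-specific account names that arguably belong in a per-deployment exception list rather than the shared query; if they stay, a `//` comment naming their source, as done for the xz line, keeps them auditable.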
@@ -124,36 +138,35 @@ id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"