[Tuning] Linux DR Tuning - Part 7 (#3458)
* [Tuning] Linux DR Tuning - Part 7 * Update execution_potential_hack_tool_executed.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/30"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -21,7 +21,7 @@ false_positives = [
|
||||
""",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Netcat Listener Established via rlwrap"
|
||||
@@ -59,15 +59,15 @@ tags = ["Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Execution",
|
||||
"Data Source: Elastic Defend"
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
|
||||
process.name == "rlwrap" and process.args in (
|
||||
"nc", "ncat", "netcat", "nc.openbsd", "socat"
|
||||
) and process.args : "*l*" and process.args_count >= 4
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
|
||||
process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and
|
||||
process.args : "*l*" and process.args_count >= 4
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
[metadata]
|
||||
creation_date = "2023/09/22"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
updated_date = "2023/10/30"
|
||||
updated_date = "2024/02/20"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
|
||||
@@ -14,7 +14,7 @@ this rule should be investigated further, as hack tools are commonly used by blu
|
||||
well.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Linux Hack Tool Launched"
|
||||
@@ -49,17 +49,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
"""
|
||||
severity = "medium"
|
||||
timestamp_override = "event.ingested"
|
||||
tags = ["Domain: Endpoint",
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Execution",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend"
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
|
||||
process.name in (
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
|
||||
event.type == "start" and process.name in (
|
||||
// exploitation frameworks
|
||||
"crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc",
|
||||
// network scanners (nmap left out to reduce noise)
|
||||
@@ -84,4 +86,3 @@ framework = "MITRE ATT&CK"
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2022/05/11"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -21,7 +21,7 @@ false_positives = [
|
||||
""",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Process Started from Process ID (PID) File"
|
||||
@@ -69,7 +69,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "high"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Execution",
|
||||
"Threat: BPFDoor",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
@@ -78,17 +87,15 @@ process where host.os.type == "linux" and event.type == "start" and user.id == "
|
||||
process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)"""
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1059"
|
||||
name = "Command and Scripting Interpreter"
|
||||
reference = "https://attack.mitre.org/techniques/T1059/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/04/15"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
|
||||
@@ -47,11 +47,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
"""
|
||||
severity = "high"
|
||||
timestamp_override = "event.ingested"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Execution",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
|
||||
(
|
||||
(process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh",
|
||||
"fish") and process.parent.args_count >= 3 and process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or
|
||||
@@ -60,18 +67,18 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event")
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1059"
|
||||
name = "Command and Scripting Interpreter"
|
||||
reference = "https://attack.mitre.org/techniques/T1059/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1059.006"
|
||||
name = "Python"
|
||||
reference = "https://attack.mitre.org/techniques/T1059/006/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1059.006"
|
||||
name = "Python"
|
||||
reference = "https://attack.mitre.org/techniques/T1059/006/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -13,7 +13,7 @@ Monitors for the execution of background processes with process arguments capabl
|
||||
channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Reverse Shell via Background Process"
|
||||
@@ -47,10 +47,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
"""
|
||||
severity = "medium"
|
||||
timestamp_override = "event.ingested"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Execution",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame"
|
||||
]
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
|
||||
process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and
|
||||
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
|
||||
'''
|
||||
|
||||
Reference in New Issue
Block a user