[Tuning] Linux BBR Tuning - Part 2 (#3470)

* [Tuning] Linux BBR Tuning - Part 2

* Update discovery_of_accounts_or_groups_via_builtin_tools.toml

* Update discovery_process_discovery_via_builtin_tools.toml

* Update discovery_hosts_file_access.toml

* Update discovery_system_network_connections.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 7a0967924c)
Ruben Groenewoud
2024-03-07 12:35:33 +01:00
committed by github-actions[bot]
parent 3c1ecce6dc
commit c62e3fdc02
13 changed files with 195 additions and 101 deletions
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/07/11"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/11"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
@@ -15,31 +15,39 @@ to discover remote machines in an environment that may be used for Lateral Movem
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "System Hosts File Access"
risk_score = 21
rule_id = "f75f65cf-ed04-48df-a7ff-b02a8bfe636e"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and event.action == "exec" and
(process.name:("vi", "nano", "cat", "more", "less") and process.args : "/etc/hosts")
process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and
process.name in ("vi", "nano", "cat", "more", "less") and process.args == "/etc/hosts"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1018"
name = "Remote System Discovery"
reference = "https://attack.mitre.org/techniques/T1018/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
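Review bot: The rewritten hosts-file query replaces `process.name:(...)` and `process.args : "/etc/hosts"` with `in` and `==`, which in EQL are case-sensitive where `:` was case-insensitive, so this is a semantic tightening rather than a reformat. That is fine for the Linux hosts the rule targets, but the rule also carries `OS: macOS`, whose default filesystem is case-insensitive, so the literal `/etc/hosts` comparison no longer covers the case variants the old operator did. If case-insensitive matching was intended, `process.name in~ ("vi", "nano", "cat", "more", "less")` keeps the list form; otherwise a one-line TOML comment above `query` recording the deliberate tightening would help the next tuner. The same `:`→`in`/`==` change appears in the System Owner/User, Account or Group, Domain Groups, Process Discovery, Network Connections and Trap Signals rules in this commit.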
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2024/02/19"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
@@ -57,7 +57,8 @@ timestamp_override = "event.ingested"
type = "new_terms"
building_block_type = "default"
query = '''
host.os.type:linux and event.category:file and event.action:"opened-file" and file.path:"/proc/modules"
host.os.type:linux and event.category:file and event.action:"opened-file" and file.path:"/proc/modules" and
not process.name:(grep or python* or chef-client)
'''
[[rule.threat]]
@@ -73,7 +74,6 @@ id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable"]
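Review bot: The new `not process.name:(grep or python* or chef-client)` exclusion is keyed only on `process.name`, and `python*` suppresses every Python interpreter that reads `/proc/modules`, a broad blind spot for a building-block rule whose new-terms field is already `process.executable`. Consider narrowing to the specific interpreter executables or parent processes seen in the false positives, and record the source of the noise in a TOML comment above `query`; the rule's `false_positives` list, if present, is outside these hunks so I cannot tell whether it covers this. The modprobe and sysctl rules in this commit add the same `python*` exclusion and the same comment applies there.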
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2024/02/19"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
@@ -57,8 +57,10 @@ type = "new_terms"
building_block_type = "default"
query = '''
host.os.type:linux and event.category:file and event.action:"opened-file" and
file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and
not process.name:(cp or dpkg or dockerd or lynis or mkinitramfs or snapd)
file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and not process.name:(
cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or grep or borg or auditbeat or lspci or
aide or modprobe or python*
)
'''
[[rule.threat]]
@@ -76,8 +78,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
value = ["host.id", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
value = "now-14d"
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2024/12/19"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
@@ -57,8 +57,9 @@ type = "new_terms"
building_block_type = "default"
query = '''
host.os.type:linux and event.category:file and event.action:("opened-file" or "read-file" or "wrote-to-file") and
file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and
not process.name:(dpkg or dockerd or unattended-upg)
file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and not process.name:(
dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or grep or pool*
)
'''
[[rule.threat]]
@@ -76,8 +77,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
value = ["host.id", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
value = "now-14d"
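Review bot: `dpkg` appears twice in the new exclusion list on the `not process.name:(` continuation line of the sysctl query, so one entry is redundant and looks like a copy-paste slip. `pool*` is also a bare prefix wildcard that excludes any process whose name starts with `pool`, noticeably wider than the other entries; if one specific worker or thread-pool binary motivated it, the exact name would be safer. The deduplicated line would read `dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or grep or pool*`.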
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/07/10"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/10"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
@@ -12,27 +12,36 @@ building_block_type = "default"
description = "Enrich process events with uname and other command lines that imply Linux system information discovery."
from = "now-119m"
interval = "60m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Linux System Information Discovery"
risk_score = 21
rule_id = "b81bd314-db5b-4d97-82e8-88e3e5fc9de5"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and
(
process.name: "uname" or
(process.name: ("cat", "more", "less") and
process.args: ("*issue*", "*version*", "*profile*", "*services*", "*cpuinfo*"))
process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and (
process.name: "uname" or (
process.name: ("cat", "more", "less") and process.args: ("*issue*", "*version*", "*profile*", "*services*", "*cpuinfo*")
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
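Review bot: The rewritten `uname` query has no `host.os.type` constraint although the rule is tagged only `OS: Linux`, and the `index` list now spans `logs-endpoint.events.*` and `endgame-*`, which can carry events from other platforms. The Domain Groups, Unix Socket Connection and Creation of Kernel Module rules in this commit do pin `host.os.type == "linux"`, so starting this query with `process where host.os.type == "linux" and event.action in (...)` would make the set consistent; the System Owner/User Discovery (`whoami`) and System Network Connections (`netstat`) rules share the gap and list process names that also exist on Windows endpoints. Separately, this query keeps the case-insensitive `process.name:` form while most other rules in the commit moved to `in`/`==`; either is defensible, but the commit should pick one.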
@@ -1,39 +1,52 @@
[metadata]
creation_date = "2023/07/10"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/10"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = "Identifies the use of built-in tools which adversaries may use to enumerate the system owner/user of a compromised system."
description = """
Identifies the use of built-in tools which adversaries may use to enumerate the system owner/user of a compromised
system.
"""
from = "now-119m"
interval = "60m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "System Owner/User Discovery Linux"
risk_score = 21
rule_id = "bf8c007c-7dee-4842-8e9a-ee534c09d205"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and
process.name : ("whoami", "w", "who", "users", "id")
process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and
process.name : ("whoami", "w", "who", "users", "id")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1033"
name = "System Owner/User Discovery"
reference = "https://attack.mitre.org/techniques/T1033/"
[[rule.threat.technique]]
id = "T1069"
name = "Permission Groups Discovery"
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/07/11"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/11"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
@@ -14,38 +14,49 @@ Adversaries may use built-in applications to get a listing of local system or do
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Account or Group Discovery via Built-In Tools"
risk_score = 21
rule_id = "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type== "start" and event.action == "exec" and
( (process.name: ("groups","id"))
or (process.name : "dscl" and process.args : ("/Active Directory/*", "/Users*", "/Groups*"))
or (process.name: "dscacheutil" and process.args:("user", "group"))
or process.args:("/etc/passwd", "/etc/master.passwd", "/etc/sudoers")
or (process.name: "getent" and process.args:("passwd", "group"))
)
process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and (
(process.name in ("groups", "id")) or
(process.name == "dscl" and process.args : ("/Active Directory/*", "/Users*", "/Groups*")) or
(process.name == "dscacheutil" and process.args in ("user", "group")) or
(process.args in ("/etc/passwd", "/etc/master.passwd", "/etc/sudoers")) or
(process.name == "getent" and process.args in ("passwd", "group"))
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1069"
name = "Permission Groups Discovery"
reference = "https://attack.mitre.org/techniques/T1069/"
[[rule.threat.technique.subtechnique]]
id = "T1069.001"
name = "Local Groups"
reference = "https://attack.mitre.org/techniques/T1069/001/"
[[rule.threat.technique.subtechnique]]
id = "T1069.002"
name = "Domain Groups"
@@ -55,16 +66,17 @@ reference = "https://attack.mitre.org/techniques/T1069/002/"
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"
[[rule.threat.technique.subtechnique]]
id = "T1087.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1087/001/"
[[rule.threat.technique.subtechnique]]
id = "T1087.002"
name = "Domain Account"
reference = "https://attack.mitre.org/techniques/T1087/002/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
@@ -1,38 +1,49 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/23"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies the execution of Linux built-in commands related to account or group enumeration.
Adversaries may use account and group information to orient themselves before deciding how to act."""
Identifies the execution of Linux built-in commands related to account or group enumeration. Adversaries may use account
and group information to orient themselves before deciding how to act.
"""
from = "now-119m"
interval = "60m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Discovery of Domain Groups"
risk_score = 21
rule_id = "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type : ("start", "process_started") and host.os.type == "linux" and
( process.name : ("ldapsearch", "dscacheutil") or
(process.name : "dscl" and process.args : "*-list*")
)
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
event.type == "start" and (
process.name in ("ldapsearch", "dscacheutil") or (process.name == "dscl" and process.args : "*-list*")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1069"
name = "Permission Groups Discovery"
@@ -42,4 +53,3 @@ reference = "https://attack.mitre.org/techniques/T1069/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
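Review bot: With `host.os.type == "linux"` anchoring the Domain Groups query, the `dscacheutil` and `dscl` branches are effectively dead, since both are macOS Directory Services utilities; on Linux only the `ldapsearch` term is live, so the rewrite carries unreachable logic forward. Either drop the two macOS names, or, if macOS coverage is intended, add `"OS: macOS"` to `tags` and widen the filter to `host.os.type in ("linux", "macos")`. Note that `dscl` and `dscacheutil` are already covered for macOS by the Account or Group Discovery via Built-In Tools rule in this commit, which has no OS filter.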
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/11"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
@@ -12,26 +12,35 @@ building_block_type = "default"
description = "Identifies the use of built-in tools attackers can use to discover running processes on an endpoint."
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Process Discovery via Built-In Applications"
risk_score = 21
rule_id = "3f4d7734-2151-4481-b394-09d7c6c91f75"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and event.action == "exec" and
process.name :("ps", "pstree", "htop", "pgrep") and
not (event.action == "exec" and process.parent.name in ("amazon-ssm-agent", "snap"))
process where event.action in ("exec", "exec_event") and event.type == "start" and process.name in (
"ps", "pstree", "htop", "pgrep"
) and
not process.parent.name in ("amazon-ssm-agent", "snap")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
@@ -41,12 +50,12 @@ reference = "https://attack.mitre.org/techniques/T1057/"
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"
[[rule.threat.technique.subtechnique]]
id = "T1518.001"
name = "Security Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/001/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
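Review bot: The exclusion changed from `not (event.action == "exec" and process.parent.name in (...))` to `not process.parent.name in ("amazon-ssm-agent", "snap")`, so it now also suppresses the newly added `exec_event` (Endgame) events; the old form was scoped deliberately, so if the widening is intentional it deserves a line in the commit description. On layout, the four-element `process.name in (...)` list is broken across three lines while the `not` clause sits alone; `process.name in ("ps", "pstree", "htop", "pgrep") and` followed by `not process.parent.name in ("amazon-ssm-agent", "snap")` reads more like the other rewritten queries in this commit.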
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/07/11"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/11"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
@@ -12,30 +12,39 @@ building_block_type = "default"
description = "Adversaries may attempt to get a listing of network connections to or from a compromised system."
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "System Network Connections Discovery"
risk_score = 21
rule_id = "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and
process.name : ("netstat", "lsof", "who", "w")
process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
process.name in ("netstat", "lsof", "who", "w")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1049"
name = "System Network Connections Discovery"
reference = "https://attack.mitre.org/techniques/T1049/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
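Review bot: `who` and `w` in the rewritten `process.name in ("netstat", "lsof", "who", "w")` list are also matched by the System Owner/User Discovery Linux rule in this commit, so one execution of either produces two building-block events under different techniques (T1049 here, T1033 there). If the double coverage is intended, a TOML comment above `query` saying so would stop a later tuner from removing one side; otherwise keep the logged-on-user utilities in the T1033 rule and leave this one to the network-connection tools.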
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/09/04"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/04"
updated_date = "2024/02/22"
bypass_bbr_timing = true
[rule]
@@ -16,19 +16,29 @@ privileges or set up malicious communication channels via Unix sockets for inter
evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Unix Socket Connection"
risk_score = 21
rule_id = "41284ba3-ed1a-4598-bfba-a97f75d9aba2"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Rule Type: BBR",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
event.type == "start" and (
(process.name in ("nc", "ncat", "netcat", "nc.openbsd") and
process.args == "-U" and process.args : ("/usr/local/*", "/run/*", "/var/run/*")) or
(process.name == "socat" and
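Review bot: In the rebuilt `tags` array the two new `Data Source:` entries are appended after `"Rule Type: BBR"`, so the data-source tags end up split around the rule-type tag, unlike every other file in this commit where they are contiguous. Moving `"Rule Type: BBR"` below the three `Data Source:` lines, or inserting the two new entries directly after `"Data Source: Elastic Defend"`, keeps the ordering uniform. The `query` string continues past the end of this hunk, so the remainder of the socat branch is not reviewed here.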
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/18"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ Identifies activity related to loading kernel modules on Linux via creation of n
"""
from = "now-119m"
interval = "60m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Creation of Kernel Module"
@@ -27,18 +27,21 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Persistence",
"Rule Type: BBR",
"Data Source: Elastic Defend"
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.type in ("change", "creation") and host.os.type == "linux" and
file.path : "/lib/modules/*" and file.name : "*.ko" and
not process.name : ("dpkg", "systemd", "falcon-sensor*", "dnf", "yum", "rpm")
file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and
file.extension == "ko" and not process.name : (
"dpkg", "systemd", "falcon-sensor*", "dnf", "yum", "rpm", "cp"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
@@ -49,9 +52,7 @@ id = "T1547.006"
name = "Kernel Modules and Extensions"
reference = "https://attack.mitre.org/techniques/T1547/006/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
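Review bot: Adding `"cp"` to the `not process.name : (...)` exclusion in the kernel-module query removes coverage for any `.ko` written under `/lib/modules/` by a plain copy, a much wider carve-out than the package managers and sensors already listed. If a specific installer or provisioning step produced the noise, scoping it with `process.parent.name` or documenting the source in a TOML comment above `query` would preserve the intent. The move from `file.name : "*.ko"` to `file.extension == "ko"` also depends on `file.extension` being populated for every source in the new `index` list, including the just-added `endgame-*`, which I cannot confirm from the hunk. Neither form matches compressed modules such as `.ko.xz` or `.ko.zst` that several distributions ship; that gap predates this change but is worth stating in the description.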
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/08/24"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/24"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
@@ -15,23 +15,34 @@ commands that will be executed upon receiving interrupt signals.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Trap Signals Execution"
risk_score = 21
rule_id = "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Rule Type: BBR",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type : ("start", "process_started") and process.name : "trap" and process.args : "SIG*"
process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
process.name == "trap" and process.args : "SIG*"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
@@ -42,7 +53,6 @@ id = "T1546.005"
name = "Trap"
reference = "https://attack.mitre.org/techniques/T1546/005/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
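Review bot: `process.name == "trap"` in the rewritten query assumes a process is spawned with that name, but `trap` is a shell special builtin in sh, bash and zsh and is normally not executed as a separate binary, so the condition may only ever match rare standalone `trap` executables; I cannot confirm from the hunk what the telemetry shows. If the intent is to catch `trap ... SIG*` inside shell invocations, matching the token within the shell's `process.args` or `process.command_line` would be the more usual shape, with its own false-positive tuning. The tightening from `event.type : ("start", "process_started")` to `event.type == "start"` plus the `event.action in (...)` list is consistent with the other rules in this commit.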