diff --git a/rules_building_block/discovery_hosts_file_access.toml b/rules_building_block/discovery_hosts_file_access.toml index cfb7de97c..74bee0709 100644 --- a/rules_building_block/discovery_hosts_file_access.toml +++ b/rules_building_block/discovery_hosts_file_access.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2023/07/11" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/11" +updated_date = "2024/02/22" [rule] author = ["Elastic"] 
@@ -15,31 +15,39 @@ to discover remote machines in an environment that may be used for Lateral Movem """ from = "now-119m" interval = "60m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "System Hosts File Access" risk_score = 21 rule_id = "f75f65cf-ed04-48df-a7ff-b02a8bfe636e" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where event.type == "start" and event.action == "exec" and - (process.name:("vi", "nano", "cat", "more", "less") and process.args : "/etc/hosts") +process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and +process.name in ("vi", "nano", "cat", "more", "less") and process.args == "/etc/hosts" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml index 774e7d174..c54b74ec3 100644 --- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml +++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml 
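Review bot: The rewritten `process.name in ("vi", "nano", "cat", "more", "less")` line still omits `vim`, `view`, `head` and `tail`, so `vim /etc/hosts` or `tail /etc/hosts` never produces a building-block event although those are at least as common as `vi` on current distributions. On many systems `vi` is an alternatives symlink to vim, and whether the sensor reports the invoked name or the resolved binary name differs between Defend, Endgame and auditd — worth confirming against real events before relying on `"vi"` alone. A cheap widening for a BBR would be `process.name in ("vi", "vim", "view", "nano", "cat", "more", "less", "head", "tail") and process.args == "/etc/hosts"`. The `[rule]` table this query belongs to starts before the hunk.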
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2024/02/19"
+updated_date = "2024/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,8 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 building_block_type = "default"
 query = '''
-host.os.type:linux and event.category:file and event.action:"opened-file" and file.path:"/proc/modules"
+host.os.type:linux and event.category:file and event.action:"opened-file" and file.path:"/proc/modules" and
+not process.name:(grep or python* or chef-client)
 '''
 
 [[rule.threat]]
@@ -73,7 +74,6 @@ id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
 
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.executable"]
diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml
index 1fc247dd6..6f4ea6c16 100644
--- a/rules_building_block/discovery_linux_modprobe_enumeration.toml
+++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2024/02/19"
+updated_date = "2024/02/22"
 
 [rule]
 author = ["Elastic"]
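Review bot: The new `not process.name:(grep or python* or chef-client)` clause silences every Python interpreter, which is also the runtime of most recon and post-exploitation scripts that read `/proc/modules`; since this new_terms rule keys on `process.executable`, a first-seen interpreter such as a venv or `/tmp/python3` is exactly the term worth surfacing and is now dropped. The carve-out is presumably aimed at configuration-management noise (chef-client sits in the same list), so scoping it to the system interpreter paths keeps that benefit without the blind spot, e.g. `not (process.name:python* and process.executable:(/usr/bin/python* or /usr/lib/*/python*))`. The `[rule]` table holding this query begins before the hunk.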
@@ -57,8 +57,10 @@ type = "new_terms" building_block_type = "default" query = ''' host.os.type:linux and event.category:file and event.action:"opened-file" and -file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and -not process.name:(cp or dpkg or dockerd or lynis or mkinitramfs or snapd) +file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and not process.name:( + cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or grep or borg or auditbeat or lspci or + aide or modprobe or python* +) ''' [[rule.threat]] @@ -76,8 +78,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.executable", "file.path"] +value = ["host.id", "process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" +value = "now-14d" diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml index b94ef5091..64bcb2ef6 100644 --- a/rules_building_block/discovery_linux_sysctl_enumeration.toml +++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml @@ -4,7 +4,7 @@ integration = ["auditd_manager"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2024/12/19" +updated_date = "2024/02/22" [rule] author = ["Elastic"] 
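Review bot: Excluding `modprobe` itself in the enlarged `not process.name:(...)` list removes the most direct form of the behaviour this rule is named for: `modprobe -c` / `modprobe --showconfig` dumps the very configuration under `/etc/modprobe.d`, and that execution will now never become a new term. The blanket `python*` entry has the same effect for interpreter-based recon. If the goal is to drop the routine reads modprobe performs on every module load, a narrower filter such as `not (process.name:modprobe and not process.args:("-c" or "--showconfig"))` keeps the enumeration case — but only if the auditd_manager file events actually carry `process.args`, which should be verified first. Note also that the second hunk drops `file.path` from `new_terms_fields`, so a process is learned once across all modprobe files rather than per file; together with the 14-day window this is a deliberate noise reduction and would benefit from a one-line comment above `value = ["host.id", "process.executable"]` saying so.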
@@ -57,8 +57,9 @@ type = "new_terms" building_block_type = "default" query = ''' host.os.type:linux and event.category:file and event.action:("opened-file" or "read-file" or "wrote-to-file") and -file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and -not process.name:(dpkg or dockerd or unattended-upg) +file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and not process.name:( + dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or grep or pool* +) ''' [[rule.threat]] @@ -76,8 +77,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.executable", "file.path"] +value = ["host.id", "process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" +value = "now-14d" diff --git a/rules_building_block/discovery_linux_system_information_discovery.toml b/rules_building_block/discovery_linux_system_information_discovery.toml index ae859ad87..17d68c119 100644 --- a/rules_building_block/discovery_linux_system_information_discovery.toml +++ b/rules_building_block/discovery_linux_system_information_discovery.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2023/07/10" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/10" +updated_date = "2024/02/22" [rule] author = ["Elastic"] 
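Review bot: `dpkg` is listed twice in the new exclusion list (`dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or grep or pool*`); the duplicate is harmless to the parser but suggests the list was merged by hand, so drop the second occurrence. `pool*` is also a very loose prefix match — it will exclude any process whose name starts with `pool`, and nothing in the rule says which process it is meant for; if it targets a single known worker, name it in full, otherwise add a comment above `query` recording what it covers. Proposed line: `dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or grep or pool*`. As with the sibling modprobe rule, `python*` suppresses interpreter-based reads of sysctl configuration and would be safer scoped by `process.executable`.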
@@ -12,27 +12,36 @@ building_block_type = "default" description = "Enrich process events with uname and other command lines that imply Linux system information discovery." from = "now-119m" interval = "60m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Linux System Information Discovery" risk_score = 21 rule_id = "b81bd314-db5b-4d97-82e8-88e3e5fc9de5" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and -( - process.name: "uname" or - (process.name: ("cat", "more", "less") and - process.args: ("*issue*", "*version*", "*profile*", "*services*", "*cpuinfo*")) +process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and ( + process.name: "uname" or ( + process.name: ("cat", "more", "less") and process.args: ("*issue*", "*version*", "*profile*", "*services*", "*cpuinfo*") + ) ) ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" diff --git a/rules_building_block/discovery_linux_system_owner_user_discovery.toml b/rules_building_block/discovery_linux_system_owner_user_discovery.toml index e330ef3ab..461660560 100644 --- a/rules_building_block/discovery_linux_system_owner_user_discovery.toml +++ b/rules_building_block/discovery_linux_system_owner_user_discovery.toml 
@@ -1,39 +1,52 @@ [metadata] creation_date = "2023/07/10" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/10" +updated_date = "2024/02/22" [rule] author = ["Elastic"] building_block_type = "default" -description = "Identifies the use of built-in tools which adversaries may use to enumerate the system owner/user of a compromised system." +description = """ +Identifies the use of built-in tools which adversaries may use to enumerate the system owner/user of a compromised +system. +""" from = "now-119m" interval = "60m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "System Owner/User Discovery Linux" risk_score = 21 rule_id = "bf8c007c-7dee-4842-8e9a-ee534c09d205" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and - process.name : ("whoami", "w", "who", "users", "id") +process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and +process.name : ("whoami", "w", "who", "users", "id") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" 
diff --git a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml index 2f31fc519..3e55ae1c9 100644 --- a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml +++ b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2023/07/11" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/11" +updated_date = "2024/02/22" [rule] author = ["Elastic"] 
@@ -14,38 +14,49 @@ Adversaries may use built-in applications to get a listing of local system or do """ from = "now-119m" interval = "60m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Account or Group Discovery via Built-In Tools" risk_score = 21 rule_id = "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where event.type== "start" and event.action == "exec" and - ( (process.name: ("groups","id")) - or (process.name : "dscl" and process.args : ("/Active Directory/*", "/Users*", "/Groups*")) - or (process.name: "dscacheutil" and process.args:("user", "group")) - or process.args:("/etc/passwd", "/etc/master.passwd", "/etc/sudoers") - or (process.name: "getent" and process.args:("passwd", "group")) - ) +process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and ( + (process.name in ("groups", "id")) or + (process.name == "dscl" and process.args : ("/Active Directory/*", "/Users*", "/Groups*")) or + (process.name == "dscacheutil" and process.args in ("user", "group")) or + (process.args in ("/etc/passwd", "/etc/master.passwd", "/etc/sudoers")) or + (process.name == "getent" and process.args in ("passwd", "group")) +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + 
[[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" + [[rule.threat.technique.subtechnique]] id = "T1069.002" name = "Domain Groups" @@ -55,16 +66,17 @@ reference = "https://attack.mitre.org/techniques/T1069/002/" id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" + [[rule.threat.technique.subtechnique]] id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_of_domain_groups.toml b/rules_building_block/discovery_of_domain_groups.toml index a0a019766..2af745be2 100644 --- a/rules_building_block/discovery_of_domain_groups.toml +++ b/rules_building_block/discovery_of_domain_groups.toml 
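Review bot: The bare `(process.args in ("/etc/passwd", "/etc/master.passwd", "/etc/sudoers"))` branch omits `/etc/group`, `/etc/shadow` and `/etc/gshadow`, which are the files an adversary reads for the T1069.001 Local Groups and T1087.001 Local Account techniques this rule is tagged with, while the same branch has no `process.name` constraint and so already fires for `chmod`, `cp` or `stat` on the listed files. Widening it to `(process.args in ("/etc/passwd", "/etc/master.passwd", "/etc/shadow", "/etc/group", "/etc/gshadow", "/etc/sudoers"))` costs nothing extra for a BBR. Keep in mind that `in` is an exact, case-sensitive match, so variants such as `/etc/passwd-` or `/etc//passwd` are intentionally not covered. This hunk starts on the previous physical line and its `[rule]` table begins before it.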
@@ -1,38 +1,49 @@ [metadata] creation_date = "2023/08/23" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/23" +updated_date = "2024/02/22" [rule] author = ["Elastic"] building_block_type = "default" description = """ -Identifies the execution of Linux built-in commands related to account or group enumeration. -Adversaries may use account and group information to orient themselves before deciding how to act.""" +Identifies the execution of Linux built-in commands related to account or group enumeration. Adversaries may use account +and group information to orient themselves before deciding how to act. +""" from = "now-119m" interval = "60m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Discovery of Domain Groups" risk_score = 21 rule_id = "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type : ("start", "process_started") and host.os.type == "linux" and - ( process.name : ("ldapsearch", "dscacheutil") or - (process.name : "dscl" and process.args : "*-list*") - ) +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and +event.type == "start" and ( + process.name in ("ldapsearch", "dscacheutil") or (process.name == 
"dscl" and process.args : "*-list*") +) ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" @@ -42,4 +53,3 @@ reference = "https://attack.mitre.org/techniques/T1069/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml index 59386a5c1..1bfb0bcd8 100644 --- a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml +++ b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/11" +updated_date = "2024/02/22" [rule] author = ["Elastic"] 
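Review bot: Two of the three process names in the rewritten query are macOS Directory Services utilities: `dscacheutil` and `dscl` do not ship on Linux, so under the `host.os.type == "linux"` guard those branches are dead and the rule effectively reduces to `process.name == "ldapsearch"`. Either drop the OS guard and add the `OS: macOS` tag (the sibling accounts rule in this same change already pairs `dscl` with macOS), or replace them with Linux domain-enumeration tooling such as `wbinfo`/`net` (Samba), `realm`, `adcli` or `sssctl`, e.g. `process.name in ("ldapsearch", "wbinfo", "realm", "adcli", "sssctl") or (process.name == "net" and process.args : ("group", "ads", "rpc"))` — the argument forms should be checked against real Samba usage before adopting them. The query's `[rule]` table starts before the hunk, which itself begins on the previous physical line.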
@@ -12,26 +12,35 @@ building_block_type = "default" description = "Identifies the use of built-in tools attackers can use to discover running processes on an endpoint." from = "now-119m" interval = "60m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Process Discovery via Built-In Applications" risk_score = 21 rule_id = "3f4d7734-2151-4481-b394-09d7c6c91f75" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where event.type == "start" and event.action == "exec" and - process.name :("ps", "pstree", "htop", "pgrep") and - not (event.action == "exec" and process.parent.name in ("amazon-ssm-agent", "snap")) +process where event.action in ("exec", "exec_event") and event.type == "start" and process.name in ( + "ps", "pstree", "htop", "pgrep" +) and +not process.parent.name in ("amazon-ssm-agent", "snap") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" @@ -41,12 +50,12 @@ reference = "https://attack.mitre.org/techniques/T1057/" id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_system_network_connections.toml b/rules_building_block/discovery_system_network_connections.toml index fe33ff968..282da2949 100644 
--- a/rules_building_block/discovery_system_network_connections.toml +++ b/rules_building_block/discovery_system_network_connections.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2023/07/11" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/11" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -12,30 +12,39 @@ building_block_type = "default" description = "Adversaries may attempt to get a listing of network connections to or from a compromised system." from = "now-119m" interval = "60m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "System Network Connections Discovery" risk_score = 21 rule_id = "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and - process.name : ("netstat", "lsof", "who", "w") +process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and +process.name in ("netstat", "lsof", "who", "w") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" reference = "https://attack.mitre.org/techniques/T1049/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" 
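Review bot: `who` and `w` on the new `process.name in ("netstat", "lsof", "who", "w")` line are also matched by the System Owner/User Discovery rule touched in this same change, so each such execution now yields two building-block events; if that overlap is intended, a one-line comment above `query` saying so will stop the next maintainer from "fixing" it. `lsof` without a network selector is a plain open-file lister rather than a connection lister, so `(process.name == "lsof" and process.args : "-i*")` would better reflect the T1049 intent — note that combined short flags such as `-ni` would then need their own pattern. The `[rule]` table holding this query begins before the hunk.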
diff --git a/rules_building_block/execution_unix_socket_communication.toml b/rules_building_block/execution_unix_socket_communication.toml index 6e33fe6a8..8cf153c53 100644 --- a/rules_building_block/execution_unix_socket_communication.toml +++ b/rules_building_block/execution_unix_socket_communication.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2023/09/04" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/09/04" +updated_date = "2024/02/22" bypass_bbr_timing = true [rule] @@ -16,19 +16,29 @@ privileges or set up malicious communication channels via Unix sockets for inter evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Unix Socket Connection" risk_score = 21 rule_id = "41284ba3-ed1a-4598-bfba-a97f75d9aba2" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Rule Type: BBR", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" query = ''' -process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and +event.type == "start" and ( (process.name in ("nc", "ncat", "netcat", "nc.openbsd") and process.args == "-U" and process.args : ("/usr/local/*", "/run/*", "/var/run/*")) or (process.name == "socat" and 
diff --git a/rules_building_block/persistence_creation_of_kernel_module.toml b/rules_building_block/persistence_creation_of_kernel_module.toml index a732daf84..1a5f88f21 100644 --- a/rules_building_block/persistence_creation_of_kernel_module.toml +++ b/rules_building_block/persistence_creation_of_kernel_module.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/12/18" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ Identifies activity related to loading kernel modules on Linux via creation of n """ from = "now-119m" interval = "60m" -index = ["auditbeat-*", "logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Creation of Kernel Module" @@ -27,18 +27,21 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Rule Type: BBR", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" ] timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type in ("change", "creation") and host.os.type == "linux" and -file.path : "/lib/modules/*" and file.name : "*.ko" and -not process.name : ("dpkg", "systemd", "falcon-sensor*", "dnf", "yum", "rpm") +file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and +file.extension == "ko" and not process.name : ( + "dpkg", "systemd", "falcon-sensor*", "dnf", "yum", "rpm", "cp" +) ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" @@ -49,9 +52,7 @@ id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
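Review bot: Adding `"cp"` to the exclusion list on the new `not process.name : (...)` line exempts the most common way a hand-placed module lands under `/lib/modules` — `cp rootkit.ko /lib/modules/$(uname -r)/kernel/drivers/` — so the rule now only sees writes from an unrecognised tool or a rename; the other entries are identifiable system binaries, but `cp` is whatever the operator types. If the carve-out is for a specific installer wrapper observed in tuning data, scope it by its parent instead, e.g. `not (process.name == "cp" and process.parent.name in ("dkms"))`, and keep bare `cp` in scope. Separately, `file.extension == "ko"` (like the removed `file.name : "*.ko"`) never matches compressed modules such as `foo.ko.xz` or `foo.ko.zst`, which several current distributions ship by default; `file.name : ("*.ko", "*.ko.xz", "*.ko.zst", "*.ko.gz")` would close that gap. The `[rule]` table for this query begins before the hunk.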
diff --git a/rules_building_block/privilege_escalation_trap_execution.toml b/rules_building_block/privilege_escalation_trap_execution.toml index 3a47f22cf..0247335bd 100644 --- a/rules_building_block/privilege_escalation_trap_execution.toml +++ b/rules_building_block/privilege_escalation_trap_execution.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2023/08/24" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -15,23 +15,34 @@ commands that will be executed upon receiving interrupt signals. """ from = "now-119m" interval = "60m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Trap Signals Execution" risk_score = 21 rule_id = "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type : ("start", "process_started") and process.name : "trap" and process.args : "SIG*" +process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and +process.name == "trap" and process.args : "SIG*" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" 
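Review bot: `trap` is a shell builtin in bash, dash, zsh and ksh rather than an executable, so a process event with `process.name == "trap"` can only exist if a data source synthesises events for builtins; on Defend, Endgame or auditd execve records the rewritten line is unlikely ever to match, and the added `event.action in (...)` filter does not change that. If the intent is to catch inline use such as `bash -c 'trap "…" SIGINT'`, match the interpreter and its command string instead, e.g. `process.name in ("bash", "sh", "dash", "zsh", "ksh") and process.args : "*trap *SIG*"`; traps defined inside script files are not visible in process arguments at all and would need a different source. Either way, a comment above `query` recording which data source has been observed to emit `trap` as a process name would justify keeping the current form. The `[rule]` table for this query starts before the hunk.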
@@ -42,7 +53,6 @@ id = "T1546.005" name = "Trap" reference = "https://attack.mitre.org/techniques/T1546/005/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation"