[New Rules] LiteLLM & Trivy TeamPCP Compromise (#5885)

* [New Rules] LiteLLM & Trivy TeamPCP Compromise * ++ * Apply suggestion from @Samirbous Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Apply suggestion from @Samirbous Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * ++ * ++ * Update rules/cross-platform/collection_data_encrypted_via_openssl.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/cross-platform/collection_data_encrypted_via_openssl.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * ++ * ++ * ++ * ++ * Update rules/cross-platform/execution_suspicious_python_command_execution.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/cross-platform/execution_suspicious_python_command_execution.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/cross-platform/defense_evasion_data_encrypted_via_openssl.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update rules/cross-platform/defense_evasion_data_encrypted_via_openssl.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * ++ * ++ * ++ * ++ --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-03-26 17:16:30 +01:00
parent a8033e14aa
commit c6f843ef9d
5 changed files with 320 additions and 2 deletions
@@ -0,0 +1,90 @@
+[metadata]
+creation_date = "2026/03/26"
+integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager", "windows", "system"]
+maturity = "production"
+updated_date = "2026/03/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of the OpenSSL utility to encrypt data. Adversaries may use OpenSSL to encrypt data to
+disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the
+purposes of extortion.
+"""
+from = "now-9m"
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "auditbeat-*",
+    "logs-auditd_manager.auditd-*", 
+    "logs-system.security*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*"
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Data Encrypted via OpenSSL Utility"
+risk_score = 21
+rule_id = "feba48f6-40ca-4d04-b41f-5dfa327de865"
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Collection",
+    "Data Source: Elastic Defend",
+    "Data Source: Elastic Endgame",
+    "Data Source: Crowdstrike",
+    "Data Source: SentinelOne",
+    "Data Source: Auditd Manager",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Sysmon",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where event.type == "start" and event.action in ("start", "exec", "executed", "exec_event", "ProcessRollup2") and
+process.name : "openssl*" and process.args : "enc" and process.args : "-in" and process.args : "-out"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.013"
+name = "Encrypted/Encoded File"
+reference = "https://attack.mitre.org/techniques/T1027/013/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+  [rule.threat.tactic]
+  name = "Collection"
+  id = "TA0009"
+  reference = "https://attack.mitre.org/tactics/TA0009/"
+
+  [[rule.threat.technique]]
+  name = "Data Staged"
+  id = "T1074"
+  reference = "https://attack.mitre.org/techniques/T1074/"
+
+    [[rule.threat.technique.subtechnique]]
+    name = "Local Data Staging"
+    id = "T1074.001"
+    reference = "https://attack.mitre.org/techniques/T1074/001/"
@@ -0,0 +1,102 @@
+[metadata]
+creation_date = "2026/03/26"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2026/03/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the execution of suspicious shell commands via the Python interpreter. Attackers 
+may use Python to execute shell commands to gain access to the system or to perform other
+malicious activities, such as credential access, data exfiltration, or lateral movement.
+"""
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Suspicious Python Shell Command Execution"
+risk_score = 47
+rule_id = "b42e4b88-fc4a-417b-a45e-4d4a3db9fd41"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Data Source: Elastic Defend",
+]
+type = "esql"
+query = '''
+FROM logs-endpoint.events.process-* METADATA _id, _version, _index
+
+| WHERE host.os.type in ("linux", "macos") and event.type == "start" and TO_LOWER(process.parent.name) like "python*" and
+  process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
+  KQL("""event.action:"exec" and process.args:("-c" or "-cl" or "-lc")""")
+
+// truncate timestamp to 1-minute window
+| EVAL Esql.time_window_date_trunc = DATE_TRUNC(1 minutes, @timestamp)
+
+| EVAL Esql.process_command_line_patterns = CASE(
+  process.command_line like "*grep*", "grep",
+  process.command_line like "*find*", "find",
+  process.command_line like "*curl*", "curl",
+  process.command_line like "*env *", "environment_enumeration",
+  process.command_line like "*wget*", "wget",
+  process.command_line like "*whoami*" or process.command_line like "*uname*" or process.command_line like "*hostname*", "discovery", "other"
+)
+
+| KEEP
+    @timestamp,
+    _id,
+    _index,
+    _version,
+    Esql.process_command_line_patterns,
+    Esql.time_window_date_trunc,
+    host.os.type,
+    event.type,
+    event.action,
+    process.parent.name,
+    process.working_directory,
+    process.parent.working_directory,
+    process.name,
+    process.executable,
+    process.command_line,
+    process.parent.executable,
+    process.parent.entity_id,
+    agent.id,
+    host.name,
+    event.dataset,
+    data_stream.namespace
+
+| STATS
+  Esql.process_command_line_count_distinct = COUNT_DISTINCT(process.command_line),
+  Esql.patterns_count_distinct = COUNT_DISTINCT(Esql.process_command_line_patterns),
+  Esql.process_command_line_values = VALUES(process.command_line),
+  Esql.host_name_values = values(host.name),
+  Esql.agent_id_values = values(agent.id),
+  Esql.event_dataset_values = values(event.dataset),
+  Esql.data_stream_namespace_values = values(data_stream.namespace)
+  BY process.parent.entity_id, agent.id, host.name, Esql.time_window_date_trunc
+
+| SORT Esql.process_command_line_count_distinct DESC
+| WHERE Esql.process_command_line_count_distinct >= 5 AND Esql.patterns_count_distinct >= 4
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/26"

 [rule]
 author = ["Elastic"]
@@ -88,7 +88,7 @@ any where event.category in ("file", "process") and event.type in ("change", "cr
      "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man"
    )
  )
-) and process.args in ("4755", "755", "777", "0777", "444", "+x", "a+x") and
+) and process.args in ("4755", "755", "0755", "777", "0777", "444", "+x", "a+x", "700", "0700") and
 container.id like "?*" and not process.args == "-x"
 '''

@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2026/03/26"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
+min_stack_version = "9.3.0"
+updated_date = "2026/03/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when chroot is executed inside a container. Chroot is a Linux utility that allows a user to
+run a command in a different directory. This can be used to escape a container and gain access to the host system.
+"""
+from = "now-6m"
+index = ["logs-cloud_defend.process*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Chroot Execution Detected via Defend for Containers"
+references = [
+    "https://some-natalie.dev/container-escapes-chroot/",
+]
+risk_score = 21
+rule_id = "47661529-15ed-4848-93da-9fbded7a3a0e"
+severity = "low"
+tags = [
+    "Data Source: Elastic Defend for Containers",
+    "Domain: Container",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
+  process.name == "chroot" or
+  (
+    /* account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
+    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
+    process.args in (
+      "chroot", "/bin/chroot", "/usr/bin/chroot", "/usr/local/bin/chroot"
+    ) and
+    /* default exclusion list to not FP on default multi-process commands */
+    not process.args in (
+      "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
+      "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
+      "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
+      "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
+    )
+  )
+) and container.id like "?*"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2026/03/26"
+integration = ["kubernetes"]
+maturity = "production"
+updated_date = "2026/03/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when secrets are accessed via an unusual user agent, user name and source IP. Attackers
+may attempt to access secrets in a Kubernetes cluster to gain access to sensitive information after gaining
+access to the cluster.
+"""
+index = ["logs-kubernetes.audit_logs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Secret Access via Unusual User Agent"
+risk_score = 21
+rule_id = "cbda9a0e-2be4-4eaa-9571-8d6a503e9828"
+severity = "low"
+tags = [
+    "Data Source: Kubernetes",
+    "Domain: Kubernetes",
+    "Domain: Cloud",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.dataset:"kubernetes.audit_logs" and kubernetes.audit.objectRef.resource:"secrets" and
+kubernetes.audit.verb:("get" or "list") and user_agent.original:(* and not (*kubernetes/$Format))
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.007"
+name = "Container API"
+reference = "https://attack.mitre.org/techniques/T1552/007/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["source.ip", "user.name", "user_agent.original"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"