From c6f843ef9d1c7775801d23d2fae9c085d45dd093 Mon Sep 17 00:00:00 2001 
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Thu, 26 Mar 2026 17:16:30 +0100 Subject: [PATCH] [New Rules] LiteLLM & Trivy TeamPCP Compromise (#5885) * [New Rules] LiteLLM & Trivy TeamPCP Compromise * ++ * Apply suggestion from @Samirbous Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Apply suggestion from @Samirbous Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * ++ * ++ * Update rules/cross-platform/collection_data_encrypted_via_openssl.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/cross-platform/collection_data_encrypted_via_openssl.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * ++ * ++ * ++ * ++ * Update rules/cross-platform/execution_suspicious_python_command_execution.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/cross-platform/execution_suspicious_python_command_execution.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/cross-platform/defense_evasion_data_encrypted_via_openssl.toml Co-authored-by: Mika Ayenson, PhD * Update rules/cross-platform/defense_evasion_data_encrypted_via_openssl.toml Co-authored-by: Mika Ayenson, PhD * ++ * ++ * ++ * ++ --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson, PhD --- ...se_evasion_data_encrypted_via_openssl.toml | 90 ++++++++++++++++ ...n_suspicious_python_command_execution.toml | 102 ++++++++++++++++++ ...ecutable_via_chmod_inside_a_container.toml | 4 +- ...t_execution_detected_inside_container.toml | 67 ++++++++++++ .../credential_access_get_secrets_access.toml | 59 ++++++++++ 5 files changed, 320 insertions(+), 2 deletions(-) create mode 100644 
rules/cross-platform/defense_evasion_data_encrypted_via_openssl.toml create mode 100644 rules/cross-platform/execution_suspicious_python_command_execution.toml create mode 100644 rules/integrations/cloud_defend/privilege_escalation_chroot_execution_detected_inside_container.toml create mode 100644 rules/integrations/kubernetes/credential_access_get_secrets_access.toml diff --git a/rules/cross-platform/defense_evasion_data_encrypted_via_openssl.toml b/rules/cross-platform/defense_evasion_data_encrypted_via_openssl.toml new file mode 100644 index 000000000..a79ff1b2f --- /dev/null +++ b/rules/cross-platform/defense_evasion_data_encrypted_via_openssl.toml 
@@ -0,0 +1,90 @@
+[metadata]
+creation_date = "2026/03/26"
+integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager", "windows", "system"]
+maturity = "production"
+updated_date = "2026/03/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of the OpenSSL utility to encrypt data. Adversaries may use OpenSSL to encrypt data to
+disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the
+purposes of extortion.
+"""
+from = "now-9m"
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*"
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Data Encrypted via OpenSSL Utility"
+risk_score = 21
+rule_id = "feba48f6-40ca-4d04-b41f-5dfa327de865"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: Windows",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Collection",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Crowdstrike",
+ "Data Source: SentinelOne",
+ "Data Source: Auditd Manager",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Sysmon",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where event.type == "start" and event.action in ("start", "exec", "executed", "exec_event", "ProcessRollup2") and
+process.name : "openssl*" and process.args : "enc" and process.args : "-in" and process.args : "-out"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.013"
+name = "Encrypted/Encoded File"
+reference = "https://attack.mitre.org/techniques/T1027/013/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ name = "Collection"
+ id = "TA0009"
+ reference = "https://attack.mitre.org/tactics/TA0009/"
+
+ [[rule.threat.technique]]
+ name = "Data Staged"
+ id = "T1074"
+ reference = "https://attack.mitre.org/techniques/T1074/"
+
+ [[rule.threat.technique.subtechnique]]
+ name = "Local Data Staging"
+ id = "T1074.001"
+ reference = "https://attack.mitre.org/techniques/T1074/001/"
diff --git a/rules/cross-platform/execution_suspicious_python_command_execution.toml b/rules/cross-platform/execution_suspicious_python_command_execution.toml
new file mode 100644
index 000000000..01335b64b
--- /dev/null
+++ b/rules/cross-platform/execution_suspicious_python_command_execution.toml
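Review bot: The query line `process.name : "openssl*" and process.args : "enc" and process.args : "-in" and process.args : "-out"` also matches decryption, because `openssl enc -d` carries the same `-in`/`-out` arguments, while the rule name and description only speak of encrypting data. If decryption is out of scope, appending `and not process.args : "-d"` to that line narrows the rule to the stated intent; if both directions are wanted, the description should say so. Separately, the second `[[rule.threat]]` block is written in a different shape from the first (indented headers, `name` before `id`, two blank lines before `[rule.threat.tactic]`), whereas the other rules in this commit use flat headers with `id` first, so it would be worth normalizing before merge.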
@@ -0,0 +1,102 @@
+[metadata]
+creation_date = "2026/03/26"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2026/03/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the execution of suspicious shell commands via the Python interpreter. Attackers
+may use Python to execute shell commands to gain access to the system or to perform other
+malicious activities, such as credential access, data exfiltration, or lateral movement.
+"""
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Suspicious Python Shell Command Execution"
+risk_score = 47
+rule_id = "b42e4b88-fc4a-417b-a45e-4d4a3db9fd41"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend",
+]
+type = "esql"
+query = '''
+FROM logs-endpoint.events.process-* METADATA _id, _version, _index
+
+| WHERE host.os.type in ("linux", "macos") and event.type == "start" and TO_LOWER(process.parent.name) like "python*" and
+ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
+ KQL("""event.action:"exec" and process.args:("-c" or "-cl" or "-lc")""")
+
+// truncate timestamp to 1-minute window
+| EVAL Esql.time_window_date_trunc = DATE_TRUNC(1 minutes, @timestamp)
+
+| EVAL Esql.process_command_line_patterns = CASE(
+ process.command_line like "*grep*", "grep",
+ process.command_line like "*find*", "find",
+ process.command_line like "*curl*", "curl",
+ process.command_line like "*env *", "environment_enumeration",
+ process.command_line like "*wget*", "wget",
+ process.command_line like "*whoami*" or process.command_line like "*uname*" or process.command_line like "*hostname*", "discovery", "other"
+)
+
+| KEEP
+ @timestamp,
+ _id,
+ _index,
+ _version,
+ Esql.process_command_line_patterns,
+ Esql.time_window_date_trunc,
+ host.os.type,
+ event.type,
+ event.action,
+ process.parent.name,
+ process.working_directory,
+ process.parent.working_directory,
+ process.name,
+ process.executable,
+ process.command_line,
+ process.parent.executable,
+ process.parent.entity_id,
+ agent.id,
+ host.name,
+ event.dataset,
+ data_stream.namespace
+
+| STATS
+ Esql.process_command_line_count_distinct = COUNT_DISTINCT(process.command_line),
+ Esql.patterns_count_distinct = COUNT_DISTINCT(Esql.process_command_line_patterns),
+ Esql.process_command_line_values = VALUES(process.command_line),
+ Esql.host_name_values = values(host.name),
+ Esql.agent_id_values = values(agent.id),
+ Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_namespace_values = values(data_stream.namespace)
+ BY process.parent.entity_id, agent.id, host.name, Esql.time_window_date_trunc
+
+| SORT Esql.process_command_line_count_distinct DESC
+| WHERE Esql.process_command_line_count_distinct >= 5 AND Esql.patterns_count_distinct >= 4
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml
index 37ebcaa3c..064d6451f 100644
--- a/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml
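Review bot: The `STATS` clause mixes `COUNT_DISTINCT(...)` and `VALUES(process.command_line)` in upper case with `values(host.name)`, `values(agent.id)`, `values(event.dataset)` and `values(data_stream.namespace)` in lower case; ES|QL accepts both, but one function should be spelled one way within a query, e.g. `Esql.host_name_values = VALUES(host.name),`. The `CASE` patterns are also plain substring matches, so `*find*` and `*env *` will label any command line that merely contains those characters (a path under `/usr/bin/env ` or a word containing "find"), and each such label counts toward the `Esql.patterns_count_distinct >= 4` threshold; if that breadth is intended it deserves a `//` comment next to the `CASE`, since the only comment in the query covers the date truncation. Whether the pattern order (first match wins, so `grep` shadows the others) is deliberate is worth stating in the same comment.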
@@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/26" [rule] author = ["Elastic"] @@ -88,7 +88,7 @@ any where event.category in ("file", "process") and event.type in ("change", "cr "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man" ) ) -) and process.args in ("4755", "755", "777", "0777", "444", "+x", "a+x") and +) and process.args in ("4755", "755", "0755", "777", "0777", "444", "+x", "a+x", "700", "0700") and container.id like "?*" and not process.args == "-x" ''' diff --git a/rules/integrations/cloud_defend/privilege_escalation_chroot_execution_detected_inside_container.toml b/rules/integrations/cloud_defend/privilege_escalation_chroot_execution_detected_inside_container.toml new file mode 100644 index 000000000..ff25de741 --- /dev/null +++ b/rules/integrations/cloud_defend/privilege_escalation_chroot_execution_detected_inside_container.toml 
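Review bot: The broadened `process.args in ("4755", "755", "0755", "777", "0777", "444", "+x", "a+x", "700", "0700")` on the changed line still matches mode strings exactly, so it now covers the added numeric modes but not the symbolic `u+x` form, which is at least as common as `+x`/`a+x` in practice; if the list is being widened, `"u+x"` next to `"a+x"` keeps it consistent. Modes with a trailing octal group such as `0750` will likewise be missed, which may be acceptable but is worth a `/* */` note in the query. The `query` literal this line belongs to begins before the hunk, and the first hunk in this file is only the `updated_date` bump.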
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2026/03/26"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
+min_stack_version = "9.3.0"
+updated_date = "2026/03/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when chroot is executed inside a container. Chroot is a Linux utility that allows a user to
+run a command in a different directory. This can be used to escape a container and gain access to the host system.
+"""
+from = "now-6m"
+index = ["logs-cloud_defend.process*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Chroot Execution Detected via Defend for Containers"
+references = [
+ "https://some-natalie.dev/container-escapes-chroot/",
+]
+risk_score = 21
+rule_id = "47661529-15ed-4848-93da-9fbded7a3a0e"
+severity = "low"
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
+ process.name == "chroot" or
+ (
+ /* account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
+ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
+ process.args in (
+ "chroot", "/bin/chroot", "/usr/bin/chroot", "/usr/local/bin/chroot"
+ ) and
+ /* default exclusion list to not FP on default multi-process commands */
+ not process.args in (
+ "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
+ "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
+ "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
+ "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
+ )
+ )
+) and container.id like "?*"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/kubernetes/credential_access_get_secrets_access.toml b/rules/integrations/kubernetes/credential_access_get_secrets_access.toml
new file mode 100644
index 000000000..fea27e93f
--- /dev/null
+++ b/rules/integrations/kubernetes/credential_access_get_secrets_access.toml
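Review bot: The description's sentence `run a command in a different directory` misstates what chroot does; it runs a command with a different apparent root directory, which is exactly why it matters for the container-escape case the rule targets, so I would change that line to `run a command with a changed root directory. This can be used to escape a container and gain access to the host system.`. Also, the `not process.args in (...)` exclusion is evaluated against the shell's whole argument list, so it also suppresses command lines that combine chroot with chmod or chown, while the comment above it only cites false positives from multi-process commands; a short note on why `chmod`/`chown` (the subject of the sibling chmod rule in this same directory) are treated as benign here would help the next person tune the list.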
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2026/03/26"
+integration = ["kubernetes"]
+maturity = "production"
+updated_date = "2026/03/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when secrets are accessed via an unusual user agent, user name and source IP. Attackers
+may attempt to access secrets in a Kubernetes cluster to gain access to sensitive information after gaining
+access to the cluster.
+"""
+index = ["logs-kubernetes.audit_logs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Secret Access via Unusual User Agent"
+risk_score = 21
+rule_id = "cbda9a0e-2be4-4eaa-9571-8d6a503e9828"
+severity = "low"
+tags = [
+ "Data Source: Kubernetes",
+ "Domain: Kubernetes",
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.dataset:"kubernetes.audit_logs" and kubernetes.audit.objectRef.resource:"secrets" and
+kubernetes.audit.verb:("get" or "list") and user_agent.original:(* and not (*kubernetes/$Format))
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.007"
+name = "Container API"
+reference = "https://attack.mitre.org/techniques/T1552/007/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["source.ip", "user.name", "user_agent.original"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
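Review bot: The verb filter `kubernetes.audit.verb:("get" or "list")` leaves out `watch`, which should return secret contents through the same API and be audited with the same `objectRef.resource`; unless the omission is deliberate, `kubernetes.audit.verb:("get" or "list" or "watch")` keeps the rule aligned with its description. The rule also sets no `from`/`interval`, unlike the other new rules in this commit (`from = "now-9m"` and `from = "now-6m"` with `interval = "5m"`); if the defaults are intended that is fine, but audit logs often arrive with delay and the same lookback as the sibling rules would reduce missed windows. The exclusion `not (*kubernetes/$Format)` also deserves a one-line comment in the description explaining which client user agents it is meant to suppress, since `$Format` reads like an unexpanded placeholder to anyone unfamiliar with the convention.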