[Rule Tuning] Linux DR CP Tuning (#5512)

* [Rule Tuning] Linux DR CP Tuning

* Update date bump

* Fix privilege escalation rule for teleport executable

* ++

* Revert "++"

This reverts commit 386dc909b89dfcbe21628585489605fd0206e3c2.

* Update rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/11/26"
+updated_date = "2025/12/23"
 
 [rule]
 author = ["Elastic"]
@@ -105,17 +105,19 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where event.type == "start" and
- event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
- process.parent.name in ("node", "bun", "node.exe", "bun.exe") and (
-  (
-    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "cmd.exe", "bash.exe", "powershell.exe") and
-    process.command_line like~ ("*curl*http*", "*wget*http*")
-  ) or 
-  (
-    process.name in ("curl", "wget", "curl.exe", "wget.exe")
-  )
-) and
- not process.command_line like ("*127.0.0.1*", "*localhost*")
+event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
+process.parent.name in ("node", "bun", "node.exe", "bun.exe") and (
+(
+  process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "cmd.exe", "bash.exe", "powershell.exe") and
+  process.command_line like~ ("*curl*http*", "*wget*http*")
+) or 
+(
+  process.name in ("curl", "wget", "curl.exe", "wget.exe")
+)
+) and not (
+  process.command_line like ("*127.0.0.1*", "*localhost*", "*/home/*/.claude/shell-snapshots/*", "*/root/.claude/shell-snapshots/snapshot*") or
+  process.parent.executable like ("/*/.cursor-server/*node", "/root/.nvm/*/node", "/*/.vscode-server/*/node", "/home/*/.nvm/*/node", "/home/*/cursor-agent/*/node") 
+)
 '''
 
 [[rule.threat]]

rules/cross-platform/command_and_control_non_standard_ssh_port.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/10/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/23"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Non-Standard Port SSH connection"
+name = "Deprecated - Potential Non-Standard Port SSH connection"
 references = ["https://attack.mitre.org/techniques/T1571/"]
 risk_score = 21
 rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
@@ -62,7 +62,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Potential Non-Standard Port SSH connection
+### Investigating Deprecated - Potential Non-Standard Port SSH connection
 
 SSH is a protocol used for secure remote access and management of systems. Typically, it operates over port 22. However, adversaries may exploit non-standard ports to evade detection and bypass network filters. The detection rule identifies unusual SSH activity by monitoring processes and network connections on ports other than 22, excluding common benign use cases, to flag potential threats.
 

rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/05/04"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/23"
 
 [rule]
 author = ["Elastic"]
@@ -15,46 +15,6 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana
 language = "eql"
 license = "Elastic License v2"
 name = "Tampering of Shell Command-Line History"
-references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
-risk_score = 47
-rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
-severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "OS: macOS",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Data Source: Elastic Defend",
-    "Data Source: Elastic Endgame",
-    "Data Source: Auditd Manager",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
- (
-  ((process.args : ("rm", "echo") or
-    (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or
-    (process.args : "truncate" and process.args : "-s0"))
-    and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history",
-                        ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or
-  (process.args : "history" and process.args : "-c") or
-  (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
-  (process.args : "unset" and process.args : "HISTFILE") or
-  (process.args : "set" and process.args : "history" and process.args : "+o")
- )
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -89,23 +49,71 @@ Shell command-line history is a crucial feature in Unix-like systems, recording
 - Implement stricter access controls and monitoring on the affected system to prevent unauthorized users from modifying shell history files in the future.
 - Escalate the incident to the security operations team for further investigation and to determine if additional systems may have been compromised.
 - Review and update endpoint detection and response (EDR) configurations to enhance monitoring for similar tampering attempts, ensuring alerts are generated for any future suspicious command patterns."""
+references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
+risk_score = 47
+rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
+setup = """## Setup
 
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Data Source: Elastic Endgame",
+    "Data Source: Auditd Manager",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
+(
+  (
+    (process.args : ("rm", "echo") or
+    (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or
+    (process.args : "truncate" and process.args : "-s0")
+  )
+    and process.args : (
+      ".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history",
+      ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history"
+    )
+  ) or
+  (process.args : "history" and process.args : "-c") or
+  (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
+  (process.args : "unset" and process.args : "HISTFILE") or
+  (process.args : "set" and process.args : "history" and process.args : "+o")
+) and not (
+  process.executable like (
+    "/usr/bin/timeout", "/usr/bin/kubectl", "/usr/bin/psql", "/usr/lib/postgresql/*/bin/psql", "/usr/bin/bazel", "/usr/bin/git",  "/usr/bin/jq", "/bin/grep"
+  ) or
+  process.command_line == "stat -c %s history"
+)
+'''
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1070.003"
 name = "Clear Command History"
 reference = "https://attack.mitre.org/techniques/T1070/003/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/10/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/23"
 
 [rule]
 author = ["Elastic"]
@@ -18,41 +18,6 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Masquerading Space After Filename"
-references = [
-    "https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading",
-]
-risk_score = 47
-rule_id = "f5fb4598-4f10-11ed-bdc3-0242ac120002"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
-severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "OS: macOS",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-process where host.os.type:("linux","macos") and event.type == "start" and
-process.executable regex~ """/[a-z0-9\s_\-\\./]+\s""" and not (
-  process.name in ("ls", "find", "grep", "xkbcomp") or
-  process.executable like ("/opt/nessus_agent/*", "/opt/gitlab/sv/gitlab-exporter/*", "/tmp/ansible-admin/*") or
-  process.parent.args in (
-    "./check_rubrik", "/usr/bin/check_mk_agent", "/etc/rubrik/start_stop_bootstrap.sh", "/etc/rubrik/start_stop_agent.sh"
-  )
-)
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -87,6 +52,42 @@ In Linux and macOS environments, file execution is determined by the file's true
 - Review and update endpoint protection settings to block execution of files with suspicious naming conventions, such as those ending with a space.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess potential impacts on other systems.
 - Implement additional monitoring for similar masquerading attempts by enhancing logging and alerting mechanisms to detect files with unusual naming patterns."""
+references = [
+    "https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading",
+]
+risk_score = 47
+rule_id = "f5fb4598-4f10-11ed-bdc3-0242ac120002"
+setup = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type:("linux","macos") and event.type == "start" and
+process.executable regex~ """/[a-z0-9\s_\-\\./]+\s""" and not (
+  process.name in ("ls", "find", "grep", "xkbcomp") or
+  process.executable like ("/opt/nessus_agent/*", "/opt/gitlab/sv/gitlab-exporter/*", "/tmp/ansible-admin/*") or
+  process.parent.args in (
+    "./check_rubrik", "/usr/bin/check_mk_agent", "/etc/rubrik/start_stop_bootstrap.sh", "/etc/rubrik/start_stop_agent.sh"
+  ) or
+  process.args == "runc"
+)
+'''
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"

rules/cross-platform/defense_evasion_timestomp_touch.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/23"
 
 [rule]
 author = ["Elastic"]
@@ -16,37 +16,6 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Timestomping using Touch Command"
-risk_score = 47
-rule_id = "b0046934-486e-462f-9487-0d4cf9e429c6"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
-severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "OS: macOS",
-    "Use Case: Threat Detection",
-    "Tactic: Defense Evasion",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where event.type == "start" and
- process.name : "touch" and user.id != "0" and
- process.args : ("-r", "-t", "-a*","-m*") and
- not process.args : (
-   "/usr/lib/go-*/bin/go", "/usr/lib/dracut/dracut-functions.sh", "/tmp/KSInstallAction.*/m/.patch/*"
-) and not process.parent.name in ("pmlogger_daily", "pmlogger_janitor", "systemd")
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -80,23 +49,76 @@ Timestomping is a technique used by adversaries to alter file timestamps, making
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring on the affected system and similar environments to detect any further attempts at timestomping or related suspicious activities.
 - Review and update access controls and permissions to ensure that only authorized users have the ability to modify file timestamps, reducing the risk of future timestomping attempts."""
+risk_score = 47
+rule_id = "b0046934-486e-462f-9487-0d4cf9e429c6"
+setup = """## Setup
 
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where event.type == "start" and event.action == "exec" and process.name == "touch" and
+process.parent.executable != null and process.args like (
+  "-t*", "-d*", "-a*", "-m*", "-r*", "--date=*", "--reference=*", "--time=*"
+) and not (
+  process.parent.executable in (
+    "/usr/local/bin/manage_omnimesh_logs", "/pro/bin/sys/install/packageUtils.sh", "/bin/dracut",
+    "/usr/libexec/postfix/aliasesdb", "pwsh-preview", "/usr/bin/dracut", "/usr/share/initramfs-tools/hooks/amd64_microcode",
+    "/usr/local/bin/start-mailserver.sh", "/usr/bin/ssm-agent-worker", "/bin/ssm-agent-worker", "/usr/local/cpanel/scripts/restartsrv_bind"
+  ) or
+  process.parent.executable like ("/opt/sw/tomcat/rc_scripts/*", "/tmp/newroot/var/lib/docker/overlay2/*", "/snap/*", "/opt/zeek/*") or
+  process.parent.name in (
+    "xargs", "find", "sudo", "make", "pmlogger_check", "pmlogger_daily", "pmlogger_janitor", "autoupdate", "pmlogctl",
+    "spyglass", "desktop-launch", "pmiectl", "systemd"
+  ) or
+  process.parent.args like (
+    "/home/*/scripts/auto_download_process.py", "/home/*/scripts/perl_python_eagu1p.py", "/var/lib/dpkg/info/*",
+    "bazel-out/k8-dbg/bin/dependencies/thirdparty/libjansson_foreign_cc/build_script.sh", "/usr/lib/portage/python*/ebuild.sh",
+    "/var/tmp/rpm-tmp.*", "/usr/lib/pcp/bin/pmlogger_janitor", "/usr/libexec/pcp/bin/pmlogger_janitor",
+    "/usr/libexec/pcp/bin/pmlogger_daily", "/usr/lib/pcp/bin/pmlogger_daily", "/opt/oracle.ExaWatcher/GetExaWatcherResults.sh"
+  ) or
+  process.args in (
+    "/usr/bin/coreutils", "--no-create", "/etc/opt/lumu/lumud.conf", "/opt/vuso*", "/opt/diff", "/etc/aliases.db", "/opt/cursor/cursor"
+  ) or
+  process.args like (
+    "--checkpoint=*", "/root/.config/envman/*", "/var/tmp/dracut*", "/var/tmp/portage*", "/snap/*", "/var/tmp/pmlogger_*/stamp", "/opt/ubki/*.jar",
+    "/usr/lib/go-*/bin/go", "/usr/lib/dracut/dracut-functions.sh", "/tmp/KSInstallAction.*/m/.patch/*"
+  ) or
+  process.command_line in ("/bin/touch -a /tmp/au_status", "touch -d 2 seconds ago /etc/postfix/main.cf") or
+  process.parent.command_line == "runc init" or
+  process.working_directory in ("/opt/libexec", "/opt/local/src/connectxx/build/src/mdp")
+)
+'''
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1070.006"
 name = "Timestomp"
 reference = "https://attack.mitre.org/techniques/T1070/006/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-

rules/cross-platform/persistence_ssh_authorized_keys_modification.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/12/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/23"
 
 [rule]
 author = ["Elastic"]
@@ -14,49 +14,13 @@ from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "SSH Authorized Keys File Modification"
-risk_score = 47
-rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
-severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "OS: macOS",
-    "Use Case: Threat Detection",
-    "Tactic: Lateral Movement",
-    "Tactic: Persistence",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "new_terms"
-
-query = '''
-event.category:file and event.type:(change or creation) and
- file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and
- not process.executable:
-             (/Library/Developer/CommandLineTools/usr/bin/git or
-              /usr/local/Cellar/maven/*/libexec/bin/mvn or
-              /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or
-              /usr/bin/vim or
-              /usr/local/Cellar/coreutils/*/bin/gcat or
-              /usr/bin/bsdtar or
-              /usr/bin/nautilus or
-              /usr/bin/scp or
-              /usr/bin/touch or
-              /var/lib/docker/* or
-              /usr/bin/google_guest_agent or
-              /opt/jc/bin/jumpcloud-agent or
-              /opt/puppetlabs/puppet/bin/puppet or
-              /usr/bin/chef-client
-)
-'''
+name = "SSH Authorized Keys File Activity"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating SSH Authorized Keys File Modification
+### Investigating SSH Authorized Keys File Activity
 
 SSH authorized_keys files are crucial for secure, password-less authentication, allowing users to log into servers using public keys. Adversaries exploit this by adding their keys, ensuring persistent access. The detection rule identifies unauthorized changes to these files, excluding benign processes, to flag potential threats, focusing on persistence and lateral movement tactics.
 
@@ -87,48 +51,83 @@ SSH authorized_keys files are crucial for secure, password-less authentication,
 - Restore the affected system from a known good backup if unauthorized changes are extensive or if the integrity of the system is in question.
 - Implement additional monitoring on the affected host and network to detect any further unauthorized access attempts or suspicious activities.
 - Escalate the incident to the security operations team for further investigation and to determine if other systems may be affected."""
-
+risk_score = 47
+rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Lateral Movement",
+    "Tactic: Persistence",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.category:file and event.type:(change or creation) and
+ file.name:("authorized_keys" or "authorized_keys2") and
+ not process.executable:
+             (/Library/Developer/CommandLineTools/usr/bin/git or
+              /usr/local/Cellar/maven/*/libexec/bin/mvn or
+              /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or
+              /usr/bin/vim or
+              /usr/local/Cellar/coreutils/*/bin/gcat or
+              /usr/bin/bsdtar or
+              /usr/bin/nautilus or
+              /usr/bin/scp or
+              /usr/bin/touch or
+              /var/lib/docker/* or
+              /usr/bin/google_guest_agent or
+              /opt/jc/bin/jumpcloud-agent or
+              /opt/puppetlabs/puppet/bin/puppet or
+              /usr/bin/chef-client
+)
+'''
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.004"
 name = "SSH Authorized Keys"
 reference = "https://attack.mitre.org/techniques/T1098/004/"
 
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.004"
 name = "SSH"
 reference = "https://attack.mitre.org/techniques/T1021/004/"
 
-
 [[rule.threat.technique]]
 id = "T1563"
 name = "Remote Service Session Hijacking"
 reference = "https://attack.mitre.org/techniques/T1563/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1563.001"
 name = "SSH Hijacking"
 reference = "https://attack.mitre.org/techniques/T1563/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
@@ -137,8 +136,7 @@ reference = "https://attack.mitre.org/tactics/TA0008/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
-
-
+value = "now-5d"

rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/23"
 
 [rule]
 author = ["Elastic"]
@@ -19,37 +19,6 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "SUID/SGID Bit Set"
-references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
-risk_score = 21
-rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
-severity = "low"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "OS: macOS",
-    "Use Case: Threat Detection",
-    "Tactic: Privilege Escalation",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
-  (process.name == "chmod" and (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}")) or
-  (process.name == "install" and process.args : "-m" and
-  (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}"))
-) and not (
-  process.parent.executable : (
-    "/usr/NX/*", "/var/lib/docker/*", "/var/lib/dpkg/info*", "/tmp/newroot/*",
-    "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service"
-  ) or
-  process.args : (
-    "/run/*", "/var/run/*", "/usr/bin/keybase-redirector", "/usr/local/share/fonts", "/usr/bin/ssh-agent"
-  )
-)
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -84,25 +53,57 @@ The SUID/SGID bits in Unix-like systems allow files to execute with the privileg
 - Implement additional monitoring on the affected system to detect any further attempts to exploit SUID/SGID bits, focusing on the specific commands and arguments identified in the detection query.
 - Escalate the incident to the security operations team for a deeper investigation into potential lateral movement or persistence mechanisms that may have been established by the adversary.
 - Apply patches and updates to the affected system and any vulnerable applications to mitigate known vulnerabilities that could be exploited in conjunction with SUID/SGID bit abuse."""
-
+references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
+risk_score = 21
+rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
+  (process.name == "chmod" and (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}")) or
+  (process.name == "install" and process.args : "-m" and
+  (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}"))
+) and not (
+  process.parent.executable : (
+    "/usr/NX/*", "/var/lib/docker/*", "/var/lib/dpkg/info*", "/tmp/newroot/*", "/usr/bin/find", "/opt/commvault/Base/Galaxy",
+    "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service",
+    "/opt/metallic/Base/Galaxy"
+  ) or
+  process.args : (
+    "/run/*", "/var/run/*", "/usr/bin/keybase-redirector", "/usr/local/share/fonts", "/usr/bin/ssh-agent"
+  ) or
+  process.parent.args like ("/var/lib/dpkg/info/*", "/var/tmp/rpm-tmp*", "/usr/NX/*")
+)
+'''
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1548.001"
 name = "Setuid and Setgid"
 reference = "https://attack.mitre.org/techniques/T1548/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
@@ -110,4 +111,3 @@ framework = "MITRE ATT&CK"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-

rules/cross-platform/privilege_escalation_sudoers_file_mod.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/07/14"
+updated_date = "2025/12/23"
 
 [rule]
 author = ["Elastic"]
@@ -14,35 +14,13 @@ from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Sudoers File Modification"
-references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
-risk_score = 47
-rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
-severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "OS: macOS",
-    "Use Case: Threat Detection",
-    "Tactic: Privilege Escalation",
-    "Data Source: Elastic Defend",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-query = '''
-file where host.os.type in ("linux", "macos") and event.type in ("creation", "change") and
-file.path like ("/etc/sudoers*", "/private/etc/sudoers*") and not (
-  process.name in ("dpkg", "platform-python", "puppet", "yum", "dnf") or
-  process.executable in ("/opt/chef/embedded/bin/ruby", "/opt/puppetlabs/puppet/bin/ruby", "/usr/bin/dockerd")
-)
-'''
+name = "Sudoers File Activity"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Sudoers File Modification
+### Investigating Sudoers File Activity
 
 The sudoers file is crucial in Unix-like systems, defining user permissions for executing commands with elevated privileges. Adversaries may exploit this by altering the file to gain unauthorized access or escalate privileges. The detection rule identifies suspicious changes to the sudoers file, excluding legitimate processes, to flag potential privilege escalation attempts.
 
@@ -71,6 +49,35 @@ The sudoers file is crucial in Unix-like systems, defining user permissions for
 - Escalate the incident to the security operations team for further investigation and to determine if additional systems have been affected.
 - Implement additional monitoring on the affected system and similar systems to detect any further attempts to modify the sudoers file or other privilege escalation activities.
 - Review and update security policies and configurations to prevent similar incidents, ensuring that only authorized processes can modify the sudoers file."""
+references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
+risk_score = 47
+rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Privilege Escalation",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+file where host.os.type in ("linux", "macos") and event.type in ("creation", "change") and
+file.path like ("/etc/sudoers*", "/private/etc/sudoers*") and not (
+  process.name like ("dpkg", "platform-python*", "puppet", "yum", "dnf", "python*") or
+  process.executable in (
+    "/opt/chef/embedded/bin/ruby", "/opt/puppetlabs/puppet/bin/ruby", "/usr/bin/dockerd",
+    "/usr/bin/podman", "/opt/teleport/system/bin/teleport", "/usr/sbin/dockerd",
+    "/usr/local/bin/dockerd", "/usr/local/bin/teleport", "./usr/bin/podman", "/dev/fd/5",
+    "/usr/bin/rpm", "/usr/bin/microdnf", "/opt/morpheus-node/embedded/bin/chef-client",
+    "/opt/puppetlabs/puppet/bin/ruby", "/usr/bin/salt-minion"
+  ) or
+  process.executable like ("./snap/snapd/*/usr/lib/snapd/snap-update-ns", "/opt/teleport/*/bin/teleport")
+)
+'''
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"