From d3e2f70ce2820290ba7cdccc2605c9371a5b9993 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Thu, 6 Jun 2024 12:44:31 +0200 Subject: [PATCH] [New Rule] Process Capability Set via setcap Utility (#3744) * [New Rule] Process Capability Set via setcap Utility * ++ * Update rules/linux/persistence_process_capability_set_via_setcap.toml --- ...nce_process_capability_set_via_setcap.toml | 83 +++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 rules/linux/persistence_process_capability_set_via_setcap.toml diff --git a/rules/linux/persistence_process_capability_set_via_setcap.toml b/rules/linux/persistence_process_capability_set_via_setcap.toml new file mode 100644 index 000000000..8da24d32d --- /dev/null +++ b/rules/linux/persistence_process_capability_set_via_setcap.toml @@ -0,0 +1,83 @@ +[metadata] +creation_date = "2024/06/03" +integration = ["endpoint"] +maturity = "production" +updated_date = "2024/06/03" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the use of the setcap utility to set capabilities on a process. The setcap utility is used to set the +capabilities of a binary to allow it to perform privileged operations without needing to run as root. This can be used +by attackers to establish persistence by creating a backdoor, or escalate privileges by abusing a misconfiguration on a +system. +""" +from = "now-9m" +index = ["logs-endpoint.events.process*", "endgame-*"] +language = "eql" +license = "Elastic License v2" +name = "Process Capability Set via setcap Utility" +risk_score = 21 +rule_id = "f18a474c-3632-427f-bcf5-363c994309ee" +setup = """## Setup + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +process.name == "setcap" and not ( + process.parent.executable == null or + process.parent.executable : ("/var/lib/dpkg/*", "/var/lib/docker/*", "/tmp/newroot/*", "/var/tmp/newroot/*") or + process.parent.name in ("jem", "vzctl") +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/"