[Tuning] Linux BBR Tuning - Part 1 (#3469)

* [Tuning] Linux BBR Tuning - Part 1

* [Tuning] Linux BBR Tuning - Part 1

* Update defense_evasion_processes_with_trailing_spaces.toml

* Update defense_evasion_processes_with_trailing_spaces.toml

* One more tuning

* Update collection_linux_suspicious_clipboard_activity.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 3fd0358b73)

rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection.toml

@@ -1,11 +1,12 @@
 [metadata]
 bypass_bbr_timing = true
 creation_date = "2023/10/24"
+deprecation_date = "2024/02/22"
 integration = ["endpoint", "network_traffic"]
-maturity = "production"
+maturity = "deprecated"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/24"
+updated_date = "2024/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,14 +27,15 @@ risk_score = 21
 rule_id = "86c3157c-a951-4a4f-989b-2f0d0f1f9518"
 severity = "low"
 tags = [
-        "Domain: Endpoint",
-        "OS: Linux",
-        "Use Case: Threat Detection",
-        "Tactic: Command and Control",
-        "Data Source: Elastic Defend",
-        "Rule Type: BBR"
-        ]
+    "Domain: Endpoint",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Defend",
+    "Rule Type: BBR",
+]
 type = "eql"
+
 query = '''
 sequence by host.id with maxspan=10s
   [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and 
@@ -75,29 +77,29 @@ sequence by host.id with maxspan=10s
   ] by source.ip
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1205"
+name = "Traffic Signaling"
+reference = "https://attack.mitre.org/techniques/T1205/"
+[[rule.threat.technique.subtechnique]]
+id = "T1205.001"
+name = "Port Knocking"
+reference = "https://attack.mitre.org/techniques/T1205/001/"
 
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
 
 [[rule.threat.technique]]
 id = "T1571"
 name = "Non-Standard Port"
 reference = "https://attack.mitre.org/techniques/T1571/"
 
-[[rule.threat.technique]]
-id = "T1205"
-name = "Traffic Signaling"
-reference = "https://attack.mitre.org/techniques/T1205/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1205.001"
-name = "Port Knocking"
-reference = "https://attack.mitre.org/techniques/T1205/001/"
 
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 

rules_building_block/collection_common_compressed_archived_file.toml

@@ -5,7 +5,7 @@ integration = "endpoint"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/10"
+updated_date = "2024/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,6 @@ severity = "low"
 tags = [
     "Data Source: Elastic Defend",
     "Domain: Endpoint",
-    "OS: Linux",
     "OS: macOS",
     "OS: Windows",
     "Tactic: Collection",
@@ -35,7 +34,6 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 file where event.type in ("creation", "change") and process.executable != null and not user.id : "S-1-5-18" and
  file.Ext.header_bytes : (
@@ -131,7 +129,6 @@ reference = "https://attack.mitre.org/tactics/TA0009/"
         name = "Local Data Staging"
         reference = "https://attack.mitre.org/techniques/T1074/001/"
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
@@ -150,7 +147,6 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
         name = "Standard Encoding"
         reference = "https://attack.mitre.org/techniques/T1132/001/"
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 

rules_building_block/collection_linux_suspicious_clipboard_activity.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/07/27"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2024/01/05"
+updated_date = "2024/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -15,19 +15,29 @@ applications.
 """
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Suspicious Clipboard Activity Detected"
 risk_score = 21
 rule_id = "884e87cc-c67b-4c90-a4ed-e1e24a940c82"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Rule Type: BBR", "Data Source: Elastic Defend"]
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "Use Case: Threat Detection",
+        "Tactic: Collection",
+        "Rule Type: BBR",
+        "Data Source: Elastic Defend",
+        "Data Source: Elastic Endgame",
+        "Data Source: Auditd Manager"
+        ]
 type = "new_terms"
 timestamp_override = "event.ingested"
 building_block_type = "default"
 query = '''
-event.category:process and host.os.type:"linux" and event.action:"exec" and event.type:"start" and
+event.category:process and host.os.type:"linux" and
+event.action:("exec" or "exec_event" or "executed" or "process_started") and event.type:"start" and
 process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq")
 '''
 

rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/23"
+updated_date = "2024/02/22"
 
 [transform]
 [[transform.osquery]]
@@ -42,7 +42,7 @@ communication channels, enabling lateral movement and facilitating remote contro
 """
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Linux SSH X11 Forwarding"
@@ -115,12 +115,13 @@ tags = [
         "Use Case: Threat Detection",
         "Tactic: Command and Control",
         "Data Source: Elastic Defend",
+        "Data Source: Elastic Endgame",
         "Rule Type: BBR"
         ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
 process.name in ("ssh", "sshd") and process.args in ("-X", "-Y") and process.args_count >= 3 and 
 process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
 '''

rules_building_block/command_and_control_non_standard_http_port.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/26"
+updated_date = "2024/02/22"
 
 [transform]
 [[transform.osquery]]
@@ -42,7 +42,7 @@ muddle analysis/parsing of network data.
 """
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Non-Standard Port HTTP/HTTPS connection"
@@ -114,18 +114,17 @@ tags = [
         "Use Case: Threat Detection",
         "Tactic: Command and Control",
         "Rule Type: BBR",
-        "Data Source: Elastic Defend"
+        "Data Source: Elastic Defend",
+        "Data Source: Elastic Endgame"
         ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-network where process.name : ("http", "https")
-  and destination.port not in (80, 443)
-  and event.action in ("connection_attempted", "connection_accepted")
-  and destination.ip != "127.0.0.1"
+network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in (
+  "connection_attempted", "ipv4_connection_attempt_event", "connection_accepted", "ipv4_connection_accept_event"
+) and destination.ip != "127.0.0.1"
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
@@ -138,6 +137,7 @@ reference = "https://attack.mitre.org/techniques/T1571/"
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1071.001"
 name = "Web Protocols"
@@ -147,17 +147,17 @@ reference = "https://attack.mitre.org/techniques/T1071/001/"
 id = "T1573"
 name = "Encrypted Channel"
 reference = "https://attack.mitre.org/techniques/T1573/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1573.001"
 name = "Symmetric Cryptography"
 reference = "https://attack.mitre.org/techniques/T1573/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1573.002"
 name = "Asymmetric Cryptography"
 reference = "https://attack.mitre.org/techniques/T1573/002/"
 
-
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"

rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/08/23"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/23"
+updated_date = "2024/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -15,23 +15,33 @@ them from the user in an attempt to evade detection.
 """
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Hidden Files and Directories via Hidden Flag"
 risk_score = 21
 rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "OS: macOS",
+        "Use Case: Threat Detection",
+        "Tactic: Defense Evasion",
+        "Rule Type: BBR",
+        "Data Source: Elastic Defend",
+        "Data Source: Elastic Endgame",
+        "Data Source: Auditd Manager"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type : "creation" and process.name : "chflags"
+file where event.type == "creation" and process.name == "chflags"
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1564"
 name = "Hide Artifacts"
@@ -42,7 +52,6 @@ id = "T1564.001"
 name = "Hidden Files and Directories"
 reference = "https://attack.mitre.org/techniques/T1564/001/"
 
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"

rules_building_block/defense_evasion_processes_with_trailing_spaces.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/08/24"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+updated_date = "2024/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -15,23 +15,34 @@ activity to evade default file handling mechanisms.
 """
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Processes with Trailing Spaces"
 risk_score = 21
 rule_id = "0c093569-dff9-42b6-87b1-0242d9f7d9b4"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "OS: macOS",
+        "Use Case: Threat Detection",
+        "Tactic: Defense Evasion",
+        "Rule Type: BBR",
+        "Data Source: Elastic Defend",
+        "Data Source: Elastic Endgame",
+        "Data Source: Auditd Manager"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where  event.type in ("start", "process_started") and process.name : "* "
+process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
+process.name : "* "
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
@@ -42,7 +53,6 @@ id = "T1036.006"
 name = "Space after Filename"
 reference = "https://attack.mitre.org/techniques/T1036/006/"
 
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"