From e18bf4353291ceee3a4d293f7b31709e665bf574 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Thu, 7 Mar 2024 17:19:12 +0100
Subject: [PATCH] [Tuning] Linux BBR Tuning - Part 1 (#3469)

* [Tuning] Linux BBR Tuning - Part 1

* [Tuning] Linux BBR Tuning - Part 1

* Update defense_evasion_processes_with_trailing_spaces.toml

* Update defense_evasion_processes_with_trailing_spaces.toml

* One more tuning

* Update collection_linux_suspicious_clipboard_activity.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 3fd0358b73389c131bc163627a4b523d267c7857)
---
 ...inux_port_knocking_reverse_connection.toml | 46 ++++++++++---------
 ...ction_common_compressed_archived_file.toml | 6 +--
 ...n_linux_suspicious_clipboard_activity.toml | 20 ++++++--
 ..._and_control_linux_ssh_x11_forwarding.toml | 7 +--
 ...nd_and_control_non_standard_http_port.toml | 20 ++++----
 ..._creation_of_hidden_files_directories.toml | 23 +++++++---
 ...vasion_processes_with_trailing_spaces.toml | 24 +++++++---
 7 files changed, 87 insertions(+), 59 deletions(-)
 rename {rules_building_block => rules/_deprecated}/command_and_control_linux_port_knocking_reverse_connection.toml (95%)

diff --git a/rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml b/rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection.toml
similarity index 95%
rename from rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml
rename to rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection.toml
index d77219877..754b669b3 100644
--- a/rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml
+++ b/rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection.toml
@@ -1,11 +1,12 @@
 [metadata]
 bypass_bbr_timing = true
 creation_date = "2023/10/24"
+deprecation_date = "2024/02/22"
 integration = ["endpoint", "network_traffic"]
-maturity = "production"
+maturity = "deprecated"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/24"
+updated_date = "2024/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,14 +27,15 @@ risk_score = 21
 rule_id = "86c3157c-a951-4a4f-989b-2f0d0f1f9518"
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Command and Control",
- "Data Source: Elastic Defend",
- "Rule Type: BBR"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR",
+]
 type = "eql"
+
 query = '''
 sequence by host.id with maxspan=10s
 [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and
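Review bot: The metadata hunk deprecates the rule (`deprecation_date`, `maturity = "deprecated"`, move to `rules/_deprecated`) but neither the file nor the commit message records why, so anyone who alerted on rule_id 86c3157c-a951-4a4f-989b-2f0d0f1f9518 cannot tell whether it was noisy, broken, or superseded and has nothing to migrate to. A one-line comment next to the new key would settle that, e.g. `# Deprecated: <reason / superseding rule_id>` above `deprecation_date = "2024/02/22"`. The rule body and its EQL query continue past the end of this hunk.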
@@ -75,29 +77,29 @@ sequence by host.id with maxspan=10s
 ] by source.ip
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1205"
+name = "Traffic Signaling"
+reference = "https://attack.mitre.org/techniques/T1205/"
+[[rule.threat.technique.subtechnique]]
+id = "T1205.001"
+name = "Port Knocking"
+reference = "https://attack.mitre.org/techniques/T1205/001/"
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat.technique]]
 id = "T1571"
 name = "Non-Standard Port"
 reference = "https://attack.mitre.org/techniques/T1571/"
-[[rule.threat.technique]]
-id = "T1205"
-name = "Traffic Signaling"
-reference = "https://attack.mitre.org/techniques/T1205/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1205.001"
-name = "Port Knocking"
-reference = "https://attack.mitre.org/techniques/T1205/001/"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules_building_block/collection_common_compressed_archived_file.toml b/rules_building_block/collection_common_compressed_archived_file.toml
index 6ffa4ffaf..5aa76ab58 100644
--- a/rules_building_block/collection_common_compressed_archived_file.toml
+++ b/rules_building_block/collection_common_compressed_archived_file.toml
@@ -5,7 +5,7 @@ integration = "endpoint"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/10"
+updated_date = "2024/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,6 @@ severity = "low"
 tags = [
 "Data Source: Elastic Defend",
 "Domain: Endpoint",
- "OS: Linux",
 "OS: macOS",
 "OS: Windows",
 "Tactic: Collection",
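Review bot: In the compressed-archive rule, dropping the `OS: Linux` tag changes nothing in what the rule evaluates: the query (outside this hunk) has no `host.os.type` guard and `index` still covers `logs-endpoint.events.*`, so Linux file events are still matched against the header-byte list, and the hunk gives no hint whether Linux was removed because the data there never carries `file.Ext.header_bytes` or because it was noisy. A short comment above `tags = [`, e.g. `# Linux intentionally untagged: <reason>`, or a line in the commit message would keep the next tuning pass from adding the tag back.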
@@ -35,7 +34,6 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 file where event.type in ("creation", "change") and process.executable != null and
 not user.id : "S-1-5-18" and file.Ext.header_bytes : (
@@ -131,7 +129,6 @@ reference = "https://attack.mitre.org/tactics/TA0009/"
 name = "Local Data Staging"
 reference = "https://attack.mitre.org/techniques/T1074/001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -150,7 +147,6 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
 name = "Standard Encoding"
 reference = "https://attack.mitre.org/techniques/T1132/001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml
index a6968d7c6..c19f21e59 100644
--- a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml
+++ b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/07/27"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2024/01/05"
+updated_date = "2024/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -15,19 +15,29 @@ applications.
 """
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Suspicious Clipboard Activity Detected"
 risk_score = 21
 rule_id = "884e87cc-c67b-4c90-a4ed-e1e24a940c82"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Rule Type: BBR", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Collection",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ]
 type = "new_terms"
 timestamp_override = "event.ingested"
 building_block_type = "default"
 query = '''
-event.category:process and host.os.type:"linux" and event.action:"exec" and event.type:"start" and
+event.category:process and host.os.type:"linux" and
+event.action:("exec" or "exec_event" or "executed" or "process_started") and event.type:"start" and
 process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq")
 '''
 
diff --git a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
index 90053a120..0d22a5bcc 100644
--- a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
+++ b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/23"
+updated_date = "2024/02/22"
 
 [transform]
 [[transform.osquery]]
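Review bot: The rewritten clipboard query still ends on `process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq")`, and `wl-clipboard` is, as far as I know, the package name rather than an executable (it installs `wl-copy` and `wl-paste`), so Wayland clipboard access never matches on any of the four data sources this hunk wires in; suggest `process.name:("xclip" or "xsel" or "wl-copy" or "wl-paste" or "clipman" or "copyq")`. Separately, the added `auditbeat-*` and `logs-auditd_manager.auditd-*` indices only carry `executed` events if an execve audit rule is loaded on the host, so a sentence in the rule's setup text stating that prerequisite would stop an operator from assuming coverage they do not have. The new_terms field list sits outside this hunk.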
@@ -42,7 +42,7 @@ communication channels, enabling lateral movement and facilitating remote contro
 """
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Linux SSH X11 Forwarding"
@@ -115,12 +115,13 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Command and Control",
 "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
 "Rule Type: BBR"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
 process.name in ("ssh", "sshd") and process.args in ("-X", "-Y") and process.args_count >= 3 and
 process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
 '''
diff --git a/rules_building_block/command_and_control_non_standard_http_port.toml b/rules_building_block/command_and_control_non_standard_http_port.toml
index 02aa24f06..db386d382 100644
--- a/rules_building_block/command_and_control_non_standard_http_port.toml
+++ b/rules_building_block/command_and_control_non_standard_http_port.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/26"
+updated_date = "2024/02/22"
 
 [transform]
 [[transform.osquery]]
@@ -42,7 +42,7 @@ muddle analysis/parsing of network data.
 """
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Non-Standard Port HTTP/HTTPS connection"
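Review bot: In the X11 forwarding query, the line right under the rewritten `process where` clause keeps `process.name in ("ssh", "sshd")`, yet `-X`/`-Y` are OpenSSH client switches and sshd accepts no such options as far as I know, so the `sshd` term can never be true together with `process.args in ("-X", "-Y")` and only makes the filter look wider than it is. Either tighten it to `process.name == "ssh" and process.args in ("-X", "-Y") and process.args_count >= 3 and` or leave a comment naming the data source that reports the client as `sshd`. Also, the sibling Linux rules in this commit gain `auditbeat-*` and `logs-auditd_manager.auditd-*` while this one gets only `endgame-*`; if that asymmetry is deliberate, a word in the commit message would help.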
@@ -114,18 +114,17 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Command and Control",
 "Rule Type: BBR",
- "Data Source: Elastic Defend"
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-network where process.name : ("http", "https")
- and destination.port not in (80, 443)
- and event.action in ("connection_attempted", "connection_accepted")
- and destination.ip != "127.0.0.1"
+network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in (
+ "connection_attempted", "ipv4_connection_attempt_event", "connection_accepted", "ipv4_connection_accept_event"
+) and destination.ip != "127.0.0.1"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -138,6 +137,7 @@ reference = "https://attack.mitre.org/techniques/T1571/"
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1071.001"
 name = "Web Protocols"
@@ -147,17 +147,17 @@ reference = "https://attack.mitre.org/techniques/T1071/001/"
 id = "T1573"
 name = "Encrypted Channel"
 reference = "https://attack.mitre.org/techniques/T1573/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1573.001"
 name = "Symmetric Cryptography"
 reference = "https://attack.mitre.org/techniques/T1573/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1573.002"
 name = "Asymmetric Cryptography"
 reference = "https://attack.mitre.org/techniques/T1573/002/"
-
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml b/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml
index fc4249ec2..0e918df36 100644
--- a/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml
+++ b/rules_building_block/defense_evasion_creation_of_hidden_files_directories.toml
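Review bot: The rewritten `event.action in (...)` in the non-standard-port query admits only the `ipv4_*` Endgame actions, so if Endgame also emits `ipv6_connection_attempt_event`/`ipv6_connection_accept_event` (worth checking against the Endgame schema) IPv6 connections from those hosts are silently out of scope; and the retained `destination.ip != "127.0.0.1"` exempts a single address even though all of 127.0.0.0/8 and `::1` are loopback, so a local listener on 127.0.0.2 or ::1 still produces a C2 hit. Suggest `event.action in ("connection_attempted", "ipv4_connection_attempt_event", "ipv6_connection_attempt_event", "connection_accepted", "ipv4_connection_accept_event", "ipv6_connection_accept_event")` and `not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")` in place of the `!=` test. The `'''` closes the query inside this hunk, so nothing else of it is hidden.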
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/08/23"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/23"
+updated_date = "2024/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -15,23 +15,33 @@ them from the user in an attempt to evade detection.
 """
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Hidden Files and Directories via Hidden Flag"
 risk_score = 21
 rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type : "creation" and process.name : "chflags"
+file where event.type == "creation" and process.name == "chflags"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1564"
 name = "Hide Artifacts"
@@ -42,7 +52,6 @@ id = "T1564.001"
 name = "Hidden Files and Directories"
 reference = "https://attack.mitre.org/techniques/T1564/001/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml
index 7db55da31..044aefe67 100644
--- a/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml
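Review bot: The hidden-flag query can only ever match `process.name == "chflags"`, and chflags is a BSD/macOS utility — stock Linux has no chflags (chattr is the nearest analogue and has no hidden flag) — so the `auditbeat-*`/`logs-auditd_manager.auditd-*` indices, the `auditd_manager` integration and the `Data Source: Auditd Manager` tag this hunk adds, together with the kept `OS: Linux` tag, cannot produce a single Linux event for this rule. Either scope it honestly to macOS (drop the Linux tag and the auditd sources, or add `host.os.type == "macos"`) or add a comment above `index` explaining what Linux data is expected to populate it. A second point on the same line: `process.name == "chflags"` fires on every chflags invocation (`nohidden`, `uchg`, ...), not just the hidden flag the rule name advertises; if the file events carry `process.args`, `process.args == "hidden"` would narrow it, but this hunk does not show whether they do.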
+++ b/rules_building_block/defense_evasion_processes_with_trailing_spaces.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/08/24"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+updated_date = "2024/02/22"
 
 [rule]
 author = ["Elastic"]
@@ -15,23 +15,34 @@ activity to evade default file handling mechanisms.
 """
 from = "now-119m"
 interval = "60m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Processes with Trailing Spaces"
 risk_score = 21
 rule_id = "0c093569-dff9-42b6-87b1-0242d9f7d9b4"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS","Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and process.name : "* "
+process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
+process.name : "* "
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
@@ -42,7 +53,6 @@ id = "T1036.006"
 name = "Space after Filename"
 reference = "https://attack.mitre.org/techniques/T1036/006/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
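Review bot: The rewritten trailing-spaces query now requires `event.type == "start"`, whereas the removed line also accepted `event.type == "process_started"`; if any of the newly indexed `auditbeat-*` data still emits that older value (the old condition suggests some source did), those events drop out of scope, so this is a coverage regression unless the mappings of all four sources were checked. If `process_started` was only ever an `event.action`, say so in the commit message; otherwise keep both: `process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type in ("start", "process_started") and`. One more thing to confirm is that every listed source preserves the trailing space in `process.name`, because a shipper that trims the field makes `process.name : "* "` unmatchable and the rule silently dead for that source.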