From e459d8c25aea92f177da7209ab62811313b2d0fb Mon Sep 17 00:00:00 2001
From: ailiffa <102322578+ailiffa@users.noreply.github.com>
Date: Mon, 19 Jan 2026 06:19:24 -0600
Subject: [PATCH] [Rule Tuning] Potential Disabling of AppArmor - Restore AppArmor service filters (#5574)

---
 .../defense_evasion_disable_apparmor_attempt.toml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml
index bb6110202..1b78cba02 100644
--- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml
+++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/28"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/01/18"
 
 [rule]
 author = ["Elastic"]
@@ -104,10 +104,10 @@ query = '''
 process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 (
- (process.name == "service" and process.args == "stop") or
- (process.name == "chkconfig" and process.args == "off") or
- (process.name == "update-rc.d" and process.args in ("remove", "disable")) or
- (process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask")) or
+ (process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask") and process.args in ("apparmor", "apparmor.service")) or
+ (process.name == "service" and process.args == "apparmor" and process.args == "stop") or
+ (process.name == "chkconfig" and process.args == "apparmor" and process.args == "off") or
+ (process.name == "update-rc.d" and process.args == "apparmor" and process.args in ("remove", "disable")) or
 (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args == "/etc/apparmor.d/disable/")
 ) and
 not ?process.parent.executable == "/opt/puppetlabs/puppet/bin/ruby"
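Review bot: The restored `service` filter only matches the `stop` action, but if I recall the Debian/Ubuntu AppArmor init script correctly it also accepts `teardown`, which unloads every loaded profile without the unit ever reporting as stopped, so `service apparmor teardown` would slip past the new `process.args == "stop"` clause; suggest `(process.name == "service" and process.args == "apparmor" and process.args in ("stop", "teardown")) or`. The same unload is exposed directly by the `aa-teardown` utility, which none of the `process.name` values here cover, so `(process.name == "aa-teardown") or` is worth adding unless a sibling rule already handles profile unloading. As a secondary note, the untouched `ln` context line requires the trailing slash on `/etc/apparmor.d/disable/`, so a symlink created with the bare directory path is not matched. The `query = '''` string opens above this hunk and its closing delimiter lies below it.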