[BBR Promotion] Linux BBR --> DR Promotion (#3472)

* [BBR Promotion] Linux BBR --> DR Promotion

* [BBR Promotion] Linux BBR --> DR Promotion

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 5a80423003)
This commit is contained in:
Ruben Groenewoud
2024-03-06 14:49:42 +01:00
committed by github-actions[bot]
parent f8a7fe9cec
commit e6db511ac7
10 changed files with 60 additions and 63 deletions
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/23"
updated_date = "2024/02/22"
[transform]
[[transform.osquery]]
@@ -33,16 +33,14 @@ query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the
routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted
resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and
perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "ProxyChains Activity"
@@ -119,12 +117,14 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Rule Type: BBR"
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "proxychains"
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
event.type == "start" and process.name == "proxychains"
'''
[[rule.threat]]
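Review bot: The process-name match on the new query line, `process.name == "proxychains"`, only sees the classic binary; proxychains-ng, the fork most distributions package today, installs its launcher as `proxychains4`, so executions through that name are missed even though the rule's description and threat mapping cover the same behaviour. Broadening it to `process.name in ("proxychains", "proxychains4")` (or `process.name : "proxychains*"`) closes that gap with little false-positive exposure. The expanded `event.action` list (`"executed"`, `"process_started"`) matches the auditd and Endgame indices added on the `index` line, so the data-source tags and the query are consistent. The `[[rule.threat]]` table that starts on the last line continues outside the hunk.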
@@ -1,25 +1,23 @@
[metadata]
creation_date = "2023/08/30"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/30"
bypass_bbr_timing = true
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt
secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and
"bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Linux Secret Dumping via GDB"
name = "Linux Process Hooking via GDB"
references = [
"https://github.com/controlplaneio/truffleproc",
"https://github.com/hajzer/bash-memory-dump"
@@ -27,12 +25,20 @@ references = [
risk_score = 21
rule_id = "66c058f3-99f4-4d18-952b-43348f2577a0"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name == "gdb" and process.args in ("--pid", "-p") and
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
event.type == "start" and process.name == "gdb" and process.args in ("--pid", "-p") and
/* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */
process.args != "1"
'''
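Review bot: The rename on the `name` line to "Linux Process Hooking via GDB" no longer matches the description directly above it, which still says the rule monitors for memory dumping and secret extraction, and the `Tactic: Credential Access` tag and the truffleproc/bash-memory-dump references follow that older framing; either keep the old name or reword the description to say what "hooking" means here, e.g. `This rule monitors for gdb attaching to a running process (--pid/-p). Attackers may use this to dump memory or hook the process in order to extract secrets from privileged processes.`. The `process.args in ("--pid", "-p")` match only catches the space-separated forms; gdb also accepts `--pid=<pid>` as a single argument, so `process.args : ("--pid", "--pid=*", "-p")` would cover that form too (check the wildcard against your data first). The `process.args != "1"` exclusion cites rule d4ff2f53-… only by id; a short comment naming what that rule covers would save the next reader a lookup.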
@@ -4,8 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/22"
bypass_bbr_timing = true
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
@@ -15,20 +14,25 @@ directly, the commands will be executed in the background via its parent process
to execute commands while attempting to evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potentially Suspicious Process Started via tmux or screen"
risk_score = 21
rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
process.parent.name in ("screen", "tmux") and process.name : (
"nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java", "python*", "php*", "perl", "ruby",
"lua*", "openssl", "telnet", "awk", "wget", "curl", "id"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/22"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
@@ -13,9 +13,8 @@ This rule monitors for the usage of the which command with an unusual amount of
the which command to enumerate the system for useful installed utilities that may be used after compromising a system to
escalate privileges or move latteraly across the network.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious which Enumeration"
@@ -28,15 +27,14 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Rule Type: BBR"
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem"
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" and
not process.args == "--tty-only"
/* potential tuning if rule would turn out to be noisy
and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and
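Review bot: The new exclusion `not process.args == "--tty-only"` on the last active query line has no comment explaining it, and the reason is not obvious from the file: `--tty-only` is what the distribution-provided `which` shell alias (the RHEL/Fedora-style `alias which='... /usr/bin/which --tty-only --read-alias --read-functions ...'`) passes on every invocation, which presumably is the noise source being tuned out — if so, say so with `/* exclude the distro which alias, which always passes --tty-only plus several other flags */`. In the commented-out tuning block, `nc.traditional"` is missing its opening quote, so whoever uncomments that clause gets a query that will not parse; it should read `"nc.traditional"`. The description above still says `move latteraly`, which should be `laterally`. The query string and the tuning comment continue beyond the end of the hunk.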
@@ -1,15 +1,13 @@
[metadata]
bypass_bbr_timing = true
creation_date = "2023/10/26"
integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/19"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to
load a rootkit on a system providing them with complete control and the ability to hide from security products. As other
@@ -51,8 +49,7 @@ tags = [
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Defense Evasion",
"Rule Type: BBR"
"Tactic: Defense Evasion"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -91,4 +88,3 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
name = "Rootkit"
id = "T1014"
reference = "https://attack.mitre.org/techniques/T1014/"
@@ -3,7 +3,7 @@ creation_date = "2023/07/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/26"
updated_date = "2024/02/22"
integration = ["endpoint"]
[rule]
@@ -15,8 +15,7 @@ suspicious files. The execution of this rule is not a clear sign of the file bei
through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish
persistence, escalate privileges or perform reconnaisance on the system.
"""
from = "now-119m"
interval = "60m"
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
@@ -25,11 +24,17 @@ name = "Potential Suspicious File Edit"
risk_score = 21
rule_id = "3728c08d-9b70-456b-b6b8-007c7d246128"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Privilege Escalation",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"
query = '''
file where event.action in ("creation", "file_create_event") and file.extension == "swp" and
file.path : (
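Review bot: The query only matches `.swp` files (vi/vim swap files) on `creation`/`file_create_event`, while the description above says attackers "may alter any of the files added in this rule"; edits made with nano, sed, a redirect, or a scripted copy produce no swap file and are invisible to this rule. Now that it is a regular detection rather than a building block, the description should state that limitation plainly, e.g. `This rule only observes edits made through vi/vim, via the .swp swap file they create; changes made by other editors or tools are not detected.`, so an analyst does not read an absence of alerts as an absence of edits. The description also has `reconnaisance`, which should be `reconnaissance`. The `file.path` list and the rest of the query continue outside the hunk.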
@@ -1,15 +1,13 @@
[metadata]
bypass_bbr_timing = true
creation_date = "2023/10/23"
integration = ["system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/26"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often
leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for
@@ -51,8 +49,7 @@ tags = [
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Defense Evasion",
"Rule Type: BBR"
"Tactic: Defense Evasion"
]
timestamp_override = "event.ingested"
type = "query"
@@ -91,4 +88,3 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
name = "Rootkit"
id = "T1014"
reference = "https://attack.mitre.org/techniques/T1014/"
@@ -1,15 +1,13 @@
[metadata]
bypass_bbr_timing = true
creation_date = "2023/10/26"
integration = ["system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/26"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating
the taining of the kernel. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting
@@ -50,8 +48,7 @@ tags = [
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Defense Evasion",
"Rule Type: BBR"
"Tactic: Defense Evasion"
]
timestamp_override = "event.ingested"
type = "query"
@@ -90,4 +87,3 @@ reference = "https://attack.mitre.org/techniques/T1014/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -1,15 +1,13 @@
[metadata]
bypass_bbr_timing = true
creation_date = "2023/10/26"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2024/01/05"
updated_date = "2024/02/22"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device
events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating
@@ -56,8 +54,7 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Rule Type: BBR"
"Data Source: Elastic Defend"
]
type = "new_terms"
timestamp_override = "event.ingested"
@@ -90,4 +87,3 @@ value = ["host.id", "process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"