From e6db511ac7c52f281812adc56fcaf2ab5f3ae323 Mon Sep 17 00:00:00 2001 
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Wed, 6 Mar 2024 14:49:42 +0100 Subject: [PATCH] [BBR Promotion] Linux BBR --> DR Promotion (#3472) * [BBR Promotion] Linux BBR --> DR Promotion * [BBR Promotion] Linux BBR --> DR Promotion --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit 5a804230033cc36aaed8cb7c186dc6383197882b) --- ...nd_control_linux_proxychains_activity.toml | 16 ++++++------- ...tial_access_gdb_init_process_hooking.toml} | 0 ...credential_access_gdb_process_hooking.toml | 24 ++++++++++++------- ...s_utility_executed_via_tmux_or_screen.toml | 18 ++++++++------ ...ry_suspicious_which_command_execution.toml | 16 ++++++------- .../persistence_kernel_driver_load.toml | 8 ++----- ...suspicious_file_opened_through_editor.toml | 17 ++++++++----- ...ersistence_tainted_kernel_module_load.toml | 8 ++----- ...ainted_kernel_module_out_of_tree_load.toml | 8 ++----- .../persistence_udev_rule_creation.toml | 8 ++----- 10 files changed, 60 insertions(+), 63 deletions(-) rename {rules_building_block => rules/linux}/command_and_control_linux_proxychains_activity.toml (94%) rename rules/linux/{credential_access_gdb_init_memory_dump.toml => credential_access_gdb_init_process_hooking.toml} (100%) rename rules_building_block/credential_access_gdb_memory_dump.toml => rules/linux/credential_access_gdb_process_hooking.toml (67%) rename {rules_building_block => rules/linux}/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml (77%) rename {rules_building_block => rules/linux}/discovery_suspicious_which_command_execution.toml (83%) rename {rules_building_block => rules/linux}/persistence_kernel_driver_load.toml (96%) rename {rules_building_block => rules/linux}/persistence_suspicious_file_opened_through_editor.toml (92%) rename {rules_building_block => rules/linux}/persistence_tainted_kernel_module_load.toml (96%) rename {rules_building_block => 
rules/linux}/persistence_tainted_kernel_module_out_of_tree_load.toml (96%) rename {rules_building_block => rules/linux}/persistence_udev_rule_creation.toml (96%) diff --git a/rules_building_block/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml similarity index 94% rename from rules_building_block/command_and_control_linux_proxychains_activity.toml rename to rules/linux/command_and_control_linux_proxychains_activity.toml index 4102e9dac..8c625c8e1 100644 --- a/rules_building_block/command_and_control_linux_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_proxychains_activity.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2023/08/23" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/23" +updated_date = "2024/02/22" [transform] [[transform.osquery]] @@ -33,16 +33,14 @@ query = "SELECT name, cmdline, parent, path, uid FROM processes" [rule] author = ["Elastic"] -building_block_type = "default" description = """ This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. """ -from = "now-119m" -interval = "60m" -index = ["logs-endpoint.events.*"] +from = "now-9m" +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "ProxyChains Activity" 
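Review bot: The rule now reads `auditbeat-*` and `logs-auditd_manager.auditd-*` and lists `auditd_manager` as an integration, yet no hunk in this file touches a `setup` section, so nothing visible tells an operator that exec events only arrive from auditd if an audit rule covering the exec syscalls is in place. If the file's `setup` (outside these hunks) does not already say so, add a sentence such as `Auditd Manager must be configured with an audit rule that records process execution (execve) for this rule to receive events from that source.` Dropping `interval = "60m"` alongside `from = "now-9m"` relies on the default schedule, which is consistent with the other promoted rules in this commit. The `[rule]` table continues past the hunk.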
@@ -119,12 +117,14 @@ tags = [ "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", - "Rule Type: BBR" + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "proxychains" +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and +event.type == "start" and process.name == "proxychains" ''' [[rule.threat]] diff --git a/rules/linux/credential_access_gdb_init_memory_dump.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml similarity index 100% rename from rules/linux/credential_access_gdb_init_memory_dump.toml rename to rules/linux/credential_access_gdb_init_process_hooking.toml diff --git a/rules_building_block/credential_access_gdb_memory_dump.toml b/rules/linux/credential_access_gdb_process_hooking.toml similarity index 67% rename from rules_building_block/credential_access_gdb_memory_dump.toml rename to rules/linux/credential_access_gdb_process_hooking.toml index c0068c1d1..9f2f82292 100644 --- a/rules_building_block/credential_access_gdb_memory_dump.toml +++ b/rules/linux/credential_access_gdb_process_hooking.toml 
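Review bot: The widened `event.action` set matches the new indices, but `process.name == "proxychains"` is still an exact match on a single name, which bounds the rule's coverage; the proxychains-ng package installs its binary as `proxychains4` on several distributions, so `process.name in ("proxychains", "proxychains4")` is probably the intended scope. Confirm against the telemetry gathered while this was a building block before widening. The `[[rule.threat]]` table begins at the hunk's last line and continues outside it.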
@@ -1,25 +1,23 @@ [metadata] creation_date = "2023/08/30" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/30" -bypass_bbr_timing = true +updated_date = "2024/02/22" [rule] author = ["Elastic"] -building_block_type = "default" description = """ This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" -name = "Linux Secret Dumping via GDB" +name = "Linux Process Hooking via GDB" references = [ "https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump" 
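Review bot: The rule is renamed to "Linux Process Hooking via GDB", but the description kept as context in this hunk still opens with `This rule monitors for potential memory dumping through gdb`, and both references (truffleproc, bash-memory-dump) are memory-dumping tools, so name and description now disagree. Either keep the old name or rewrite the first sentence, e.g. `This rule monitors for gdb attaching to a running process, a technique attackers may use to dump memory and extract secrets from privileged processes.` The sibling file renamed at 100% similarity to credential_access_gdb_init_process_hooking.toml is not shown here and presumably carries the same mismatch; worth checking in the same change.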
@@ -27,12 +25,20 @@ references = [ risk_score = 21 rule_id = "66c058f3-99f4-4d18-952b-43348f2577a0" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and -process.name == "gdb" and process.args in ("--pid", "-p") and +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and +event.type == "start" and process.name == "gdb" and process.args in ("--pid", "-p") and /* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */ process.args != "1" ''' diff --git a/rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml similarity index 77% rename from rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml rename to rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml index 24243198e..0ca8aba89 100644 --- a/rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml +++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml @@ -4,8 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/22" -bypass_bbr_timing = true +updated_date = "2024/02/22" [rule] author = ["Elastic"] 
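Review bot: The rewritten multi-line `tags` array closes with a two-space-indented `  ]`, while the same array in the proxychains and kernel-module files of this commit closes with `]` at column 0; the tmux hunk (next file) and the editor-file hunk repeat the indented form. Keys and closing brackets under a table header are conventionally unindented in TOML, so change the closing line to `]` in all three files for a consistent style. The retained `/* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */` comment would read better with the covered rule's name next to the id, since ids are opaque to a reader of the file.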
@@ -15,20 +14,25 @@ directly, the commands will be executed in the background via its parent process to execute commands while attempting to evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potentially Suspicious Process Started via tmux or screen" risk_score = 21 rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" - query = ''' -process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and process.parent.name in ("screen", "tmux") and process.name : ( "nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java", "python*", "php*", "perl", "ruby", "lua*", "openssl", "telnet", "awk", "wget", "curl", "id" diff --git a/rules_building_block/discovery_suspicious_which_command_execution.toml b/rules/linux/discovery_suspicious_which_command_execution.toml similarity index 83% rename from rules_building_block/discovery_suspicious_which_command_execution.toml rename to rules/linux/discovery_suspicious_which_command_execution.toml index 25c1d6c0e..3d1f84082 100644 --- a/rules_building_block/discovery_suspicious_which_command_execution.toml +++ b/rules/linux/discovery_suspicious_which_command_execution.toml 
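Review bot: Promoting this rule from building block to an alerting detection rule leaves the broad `process.name` list (`ping`, `id`, `awk`, `curl`, `wget`, `java`, `python*`) unchanged, so routine administrator work inside tmux or screen will now produce alerts rather than building-block events. If the file has no `false_positives` entry (not visible in the hunk), add one stating that interactive use of these utilities under tmux/screen by administrators is expected and should be tuned per environment, and consider whether the noisiest names belong in the list at all now that the rule alerts. The `process.name : (...)` list and the query continue past the hunk.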
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/22" +updated_date = "2024/02/22" [rule] author = ["Elastic"] @@ -13,9 +13,8 @@ This rule monitors for the usage of the which command with an unusual amount of the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network. """ -from = "now-119m" -interval = "60m" -index = ["logs-endpoint.events.*"] +from = "now-9m" +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Suspicious which Enumeration" @@ -28,15 +27,14 @@ tags = [ "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", - "Rule Type: BBR" + "Data Source: Elastic Endgame" ] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" - query = ''' -process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and -process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" and +not process.args == "--tty-only" /* potential tuning if rule would turn out to be noisy and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and diff --git a/rules_building_block/persistence_kernel_driver_load.toml b/rules/linux/persistence_kernel_driver_load.toml similarity index 96% rename from rules_building_block/persistence_kernel_driver_load.toml rename to rules/linux/persistence_kernel_driver_load.toml index 686e222df..e727ca8e0 100644 --- a/rules_building_block/persistence_kernel_driver_load.toml 
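Review bot: The new exclusion `not process.args == "--tty-only"` in the third hunk carries no explanation of which benign caller motivated it, so a future tuner cannot tell whether it is still needed; add a comment above it naming the source, e.g. `/* --tty-only: exclude <benign caller observed in telemetry> */` with the actual caller filled in. The commented-out tuning block that follows has `nc.traditional"` without its opening quote, which will be a syntax error the day someone enables it — fix it to `"nc.traditional"` while here. The description context above still reads `latteraly` for laterally. The query and the tuning comment continue past the hunk.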
+++ b/rules/linux/persistence_kernel_driver_load.toml @@ -1,15 +1,13 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/26" integration = ["auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/02/19" +updated_date = "2024/02/22" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other @@ -51,8 +49,7 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Tactic: Defense Evasion", - "Rule Type: BBR" + "Tactic: Defense Evasion" ] timestamp_override = "event.ingested" type = "eql" @@ -91,4 +88,3 @@ reference = "https://attack.mitre.org/tactics/TA0005/" name = "Rootkit" id = "T1014" reference = "https://attack.mitre.org/techniques/T1014/" - diff --git a/rules_building_block/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml similarity index 92% rename from rules_building_block/persistence_suspicious_file_opened_through_editor.toml rename to rules/linux/persistence_suspicious_file_opened_through_editor.toml index 3ba36c01c..834f1c28b 100644 --- a/rules_building_block/persistence_suspicious_file_opened_through_editor.toml +++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml @@ -3,7 +3,7 @@ creation_date = "2023/07/25" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/09/26" +updated_date = "2024/02/22" integration = ["endpoint"] [rule] 
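Review bot: The tag list in the second hunk drops "Rule Type: BBR" but, unlike the proxychains and gdb rules promoted in this same commit, gains no `"Data Source: Auditd Manager"` tag even though this rule's only integration is `auditd_manager` (context line at the top of the first hunk). Unless that tag already sits above the hunk's first visible entry, add `"Data Source: Auditd Manager"` after `"Tactic: Defense Evasion"` so the promoted rules are labelled consistently and the tag-based filters in Kibana find it. The `tags` array starts outside the hunk.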
@@ -15,8 +15,7 @@ suspicious files. The execution of this rule is not a clear sign of the file bei through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish persistence, escalate privileges or perform reconnaisance on the system. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" @@ -25,11 +24,17 @@ name = "Potential Suspicious File Edit" risk_score = 21 rule_id = "3728c08d-9b70-456b-b6b8-007c7d246128" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" - query = ''' file where event.action in ("creation", "file_create_event") and file.extension == "swp" and file.path : ( diff --git a/rules_building_block/persistence_tainted_kernel_module_load.toml b/rules/linux/persistence_tainted_kernel_module_load.toml similarity index 96% rename from rules_building_block/persistence_tainted_kernel_module_load.toml rename to rules/linux/persistence_tainted_kernel_module_load.toml index 2a9802ebe..7adbf37d4 100644 --- a/rules_building_block/persistence_tainted_kernel_module_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_load.toml 
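Review bot: The query, whose opening lines are the hunk's last context lines, matches only `file.extension == "swp"`, i.e. the swap files written by vi/vim-family editors, while the description kept as context speaks generally of files "opened through an editor"; once this rule alerts rather than builds blocks, a triager should know that edits made with editors that write no swap file are not observed. Narrow the wording, e.g. `The rule relies on the .swp swap file written by vi/vim-family editors; edits made with editors that do not create one are not detected.` The same description has `reconnaisance` for reconnaissance. The query and its `file.path` list continue past the hunk.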
@@ -1,15 +1,13 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/23" integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/26" +updated_date = "2024/02/22" [rule] author = ["Elastic"] -building_block_type = "default" description = """ This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for @@ -51,8 +49,7 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Tactic: Defense Evasion", - "Rule Type: BBR" + "Tactic: Defense Evasion" ] timestamp_override = "event.ingested" type = "query" @@ -91,4 +88,3 @@ reference = "https://attack.mitre.org/tactics/TA0005/" name = "Rootkit" id = "T1014" reference = "https://attack.mitre.org/techniques/T1014/" - diff --git a/rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml similarity index 96% rename from rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml rename to rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml index fc19d1b21..784a655fa 100644 --- a/rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml 
@@ -1,15 +1,13 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/26" integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/26" +updated_date = "2024/02/22" [rule] author = ["Elastic"] -building_block_type = "default" description = """ This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating the taining of the kernel. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting @@ -50,8 +48,7 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Tactic: Defense Evasion", - "Rule Type: BBR" + "Tactic: Defense Evasion" ] timestamp_override = "event.ingested" type = "query" @@ -90,4 +87,3 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/persistence_udev_rule_creation.toml b/rules/linux/persistence_udev_rule_creation.toml similarity index 96% rename from rules_building_block/persistence_udev_rule_creation.toml rename to rules/linux/persistence_udev_rule_creation.toml index 9ef5c8a1b..219dc0dc5 100644 --- a/rules_building_block/persistence_udev_rule_creation.toml +++ b/rules/linux/persistence_udev_rule_creation.toml 
@@ -1,15 +1,13 @@ [metadata] -bypass_bbr_timing = true creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2024/01/05" +updated_date = "2024/02/22" [rule] author = ["Elastic"] -building_block_type = "default" description = """ Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating @@ -56,8 +54,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Rule Type: BBR" + "Data Source: Elastic Defend" ] type = "new_terms" timestamp_override = "event.ingested" @@ -90,4 +87,3 @@ value = ["host.id", "process.executable", "file.path"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" -