security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Several rule tunings (#3024)

Browse Source 
* [Rule Tuning] Several rule tunings

* Added 1 more

* optimized ransomware encryption rules

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml

* Added 2 more tunings based on todays telemetry

* Some tunings

* Tuning

* Tuning

* fixed user.id comparison

* Something went wrong with deprecation

* Something went wrong with deprecation

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/discovery_linux_nping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_linux_hping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Dedeprecated the rule to deprecate later

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit a1716bd673)
This commit is contained in:
Ruben Groenewoud
2023-08-25 14:03:29 +02:00
committed by github-actions[bot]
parent 939800bb03
commit ed2daecb25
31 changed files with 186 additions and 179 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
+6 -4
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/26"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -24,9 +24,11 @@ severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
type = "eql"
query = '''
sequence by host.id, process.parent.executable, user.name with maxspan=1s
[ process where host.os.type == "linux" and event.type == "start" and
event.action == "exec" and process.name == "su" ] with runs=10
sequence by host.id, process.parent.executable, user.id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and
not process.parent.name in (
"bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server"
)] with runs=10
'''
[[rule.threat]]
rules/linux/defense_evasion_chattr_immutable_file.toml
+2 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and user.name == "root" and
process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and
not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*")
not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd")
'''
rules/linux/defense_evasion_file_deletion_via_shred.toml
+5 -5
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -14,20 +14,20 @@ a network and how. Adversaries may remove these files over the course of an intr
remove them at the end as part of the post-intrusion cleanup process.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "File Deletion via Shred"
risk_score = 21
rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:shred and
process.args:("-u" or "--remove" or "-z" or "--zero")
event.category:process and host.os.type:linux and event.type:start and process.name:shred and
process.args:("-u" or "--remove" or "-z" or "--zero") and not process.parent.name:logrotate
'''
rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+5 -5
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -37,10 +37,10 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type in ("start", "process_started") and
process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
not process.name in ("ls", "find", "grep")
process where host.os.type == "linux" and event.type == "start" and
process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
not process.name in ("ls", "find", "grep", "git")
'''
rules/linux/defense_evasion_kernel_module_removal.toml
+5 -4
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -25,16 +25,17 @@ language = "eql"
license = "Elastic License v2"
name = "Kernel Module Removal"
references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
risk_score = 73
risk_score = 47
rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
severity = "high"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and process.name == "rmmod" or
(process.name == "modprobe" and process.args in ("--remove", "-r"))
(process.name == "modprobe" and process.args in ("--remove", "-r")) and
process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
'''
rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml
+44 -38
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "The linux.advanced.capture_env_vars option for Elastic Defend has been introduced in 8.6.0"
min_stack_version = "8.6.0"
updated_date = "2023/06/26"
updated_date = "2023/08/25"
[rule]
author = ["Elastic"]
@@ -18,8 +18,9 @@ from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Process Injection via LD_PRELOAD Environment Variable"
note = """## Setup
name = "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable"
note = """ This rule was deprecated due to the large amount of false positives and the lack of true positives generated by the rule.
## Setup
By default, the `Elastic Defend` integration does not collect environment variable logging. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the `Elastic Defend` integration.
```
Kibana -->
@@ -34,68 +35,73 @@ linux.advanced.capture_env_vars
After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.
"""
references = ["https://www.getambassador.io/resources/code-injection-on-linux-and-macos"]
risk_score = 47
risk_score = 21
rule_id = "4973e46b-a663-41b8-a875-ced16dda2bb0"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation"]
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Tactic: Persistence",
"Tactic: Privilege Escalation",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and
event.action == "exec" and
process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*")
process where host.os.type == "linux" and event.action == "exec" and process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[rule.threat.tactic]
name = "Defense Evasion"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat.technique]]
name = "Hijack Execution Flow"
id = "T1574"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
name = "Dynamic Linker Hijacking"
id = "T1574.006"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[rule.threat.tactic]
name = "Persistence"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat.technique]]
name = "Hijack Execution Flow"
id = "T1574"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
name = "Dynamic Linker Hijacking"
id = "T1574.006"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Privilege Escalation"
id = "TA0004"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat.technique]]
name = "Hijack Execution Flow"
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
name = "Dynamic Linker Hijacking"
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
rules/linux/defense_evasion_mount_execution.toml
+5 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/04/11"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -32,21 +32,19 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where process.name=="mount" and event.action =="exec" and
process.args: ( "/proc") and process.args: ("-o") and process.args:("*hidepid=2*") and
host.os.type == "linux"
process where host.os.type == "linux" and process.name == "mount" and event.action == "exec" and
process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/linux/discovery_esxi_software_via_grep.toml
+3 -3
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.5.0"
updated_date = "2023/04/11"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -30,8 +30,8 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name : ("grep", "egrep", "pgrep") and
process.args : ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem")
process.name in ("grep", "egrep", "pgrep") and
process.args in ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem")
'''
rules/linux/discovery_kernel_module_enumeration.toml
+3 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/07/31"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -35,7 +35,8 @@ event.category:process and host.os.type:linux and event.type:start and (
(process.name:(lsmod or modinfo)) or
(process.name:kmod and process.args:list) or
(process.name:depmod and process.args:(--all or -a))
) and not process.parent.user.id:0
) and process.parent.name:(sudo or bash or dash or ash or sh or tcsh or csh or zsh or ksh or fish) and
not process.parent.user.id:0
'''
[[rule.threat]]
rules/linux/discovery_kernel_module_enumeration_via_proc.toml
-69
View File
@@ -1,69 +0,0 @@
[metadata]
creation_date = "2020/04/12"
integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/31"
[rule]
author = ["Elastic"]
description = """
Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They
extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate
information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as
lsmod and kmod to list the available kernel modules.
"""
false_positives = [
"""
Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs
by ordinary users is uncommon. These can be exempted by process name or username.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Enumeration of Kernel Modules via Proc"
note = """## Setup
This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
```
Kibana -->
Management -->
Integrations -->
Auditd Manager -->
Add Auditd Manager
```
`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
For this detection rule to trigger, the following additional audit rules are required to be added to the integration:
```
-w /proc/ -p r -k audit_proc
```
Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
"""
risk_score = 21
rule_id = "80084fa9-8677-4453-8680-b891d3c0c778"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action == "opened-file" and file.path == "/proc/modules" and not
(
process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "SchedulerRunner", "grep") or
process.parent.pid == 1 or process.title : "*grep*"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
rules/linux/discovery_linux_hping_activity.toml
+7 -6
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -20,19 +20,20 @@ false_positives = [
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
language = "eql"
license = "Elastic License v2"
name = "Hping Process Activity"
references = ["https://en.wikipedia.org/wiki/Hping"]
risk_score = 73
risk_score = 47
rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
severity = "high"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "query"
type = "eql"
query = '''
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)
process where host.os.type == "linux" and event.type == "start"
and process.name in ("hping", "hping2", "hping3")
'''
rules/linux/discovery_linux_modprobe_enumeration.toml
-69
View File
@@ -1,69 +0,0 @@
[metadata]
creation_date = "2023/06/08"
integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/31"
[rule]
author = ["Elastic"]
description = """
Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or
manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized
kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the
system.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Modprobe File Event"
note = """## Setup
This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
```
Kibana -->
Management -->
Integrations -->
Auditd Manager -->
Add Auditd Manager
```
`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
For this detection rule to trigger, the following additional audit rules are required to be added to the integration:
```
-w /etc/modprobe.conf -p wa -k modprobe
-w /etc/modprobe.d -p wa -k modprobe
```
Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
"""
risk_score = 21
rule_id = "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd"
severity = "low"
tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action == "opened-file" and
file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not
(
process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp") or
process.title : "*grep*" or process.parent.pid == 1
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
rules/linux/discovery_linux_nping_activity.toml
+4 -4
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
language = "eql"
license = "Elastic License v2"
name = "Nping Process Activity"
references = ["https://en.wikipedia.org/wiki/Nmap"]
@@ -29,10 +29,10 @@ rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "query"
type = "eql"
query = '''
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping
process where host.os.type == "linux" and event.type == "start" and process.name == "nping"
'''
rules/linux/discovery_linux_sysctl_enumeration.toml
-66
View File
@@ -1,66 +0,0 @@
[metadata]
creation_date = "2023/06/08"
integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/31"
[rule]
author = ["Elastic"]
description = """
Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential
unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl
configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Sysctl File Event"
note = """## Setup
This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
```
Kibana -->
Management -->
Integrations -->
Auditd Manager -->
Add Auditd Manager
```
`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
For this detection rule to trigger, the following additional audit rules are required to be added to the integration:
```
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/sysctl.d -p wa -k sysctl
```
Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
"""
risk_score = 21
rule_id = "7592c127-89fb-4209-a8f6-f9944dfd7e02"
severity = "low"
tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and
not process.name in ("auditbeat", "systemd-sysctl")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
rules/linux/discovery_suspicious_proc_enumeration.toml
-76
View File
@@ -1,76 +0,0 @@
[metadata]
creation_date = "2023/06/09"
integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/03"
[rule]
author = ["Elastic"]
description = """
This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal
activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about
running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Proc Pseudo File System Enumeration"
note = """## Setup
This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
```
Kibana -->
Management -->
Integrations -->
Auditd Manager -->
Add Auditd Manager
```
`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
For this detection rule to trigger, the following additional audit rules are required to be added to the integration:
```
-w /proc/ -p r -k audit_proc
```
Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
"""
risk_score = 21
rule_id = "0787daa6-f8c5-453b-a4ec-048037f6c1cd"
severity = "low"
tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
host.os.type : "linux" and event.category : "file" and event.action : "opened-file" and
file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : "pidof" and
not process.parent.pid : 1
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.threshold]
field = ["host.id", "process.pid", "process.name"]
value = 1
[[rule.threshold.cardinality]]
field = "file.path"
value = 100
rules/linux/execution_abnormal_process_id_file_created.toml
+3 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/07/31"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -85,7 +85,8 @@ file.name : ("auditd.pid" or python* or "apport.pid" or "apport.lock" or kworker
"acpid.pid" or "unattended-upgrades.lock" or "unattended-upgrades.pid" or "cmd.pid" or "yum.pid" or "netconfig.pid" or
"docker.pid" or "atd.pid" or "lfd.pid" or "atop.pid" or "nginx.pid" or "dhclient.pid" or "smtpd.pid" or "stunnel.pid" or
"1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid" or "winbindd.pid" or "chronyd.pid") and
not process.name : ("runc" or "ufw" or "snapd" or "snap" or "iptables")
not process.name : ("runc" or "ufw" or "snapd" or "snap" or "iptables" or "libvirtd" or "containerd-shim-runc-v2" or
"ifdown" or "snap-confine" or "ifup" or "dhclient" or "containerd")
'''
[[rule.threat]]
rules/linux/execution_process_started_in_shared_memory_directory.toml
+5 -10
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -38,15 +38,10 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action : ("exec", "exec_event") and user.name == "root" and
process.executable : (
"/dev/shm/*",
"/run/shm/*",
"/var/run/*",
"/var/lock/*"
) and
not process.executable : ( "/var/run/docker/*")
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.executable : ("/dev/shm/*", "/run/shm/*", "/var/run/*", "/var/lock/*") and
not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/*", "/var/run/cloudera-scm-agent/*") and
user.id == "0"
'''
rules/linux/execution_suspicious_executable_running_system_commands.toml
+8 -12
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4"
min_stack_version = "8.4.0"
updated_date = "2023/06/14"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -28,19 +28,15 @@ timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type : "linux" and event.category : "process" and
event.action : ("exec" or "exec_event" or "fork" or "fork_event") and
process.executable : (
host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and
process.executable:(
/bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or
/etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or
/usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*
) and process.args : (
"whoami" or "id" or "hostname" or "uptime" or "top" or "ifconfig" or "netstat" or "route" or
"ps" or "pwd" or "ls"
) and not process.name : (
"sudo" or "which" or "whoami" or "id" or "hostname" or "uptime" or "top" or "netstat" or "ps" or
"pwd" or "ls" or "apt" or "dpkg" or "yum" or "rpm" or "dnf" or "dockerd" or "snapd" or "snap"
)
/usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*)
and process.args:(whoami or id or hostname or uptime or top or ifconfig or netstat or route or ps or pwd or ls) and
not process.name:(sudo or which or whoami or id or hostname or uptime or top or netstat or ps or pwd or ls or apt or
dpkg or yum or rpm or dnf or dockerd or docker or snapd or snap) and
not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*)
'''
[[rule.threat]]
rules/linux/impact_potential_linux_ransomware_file_encryption.toml
+13 -15
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/02"
updated_date = "2023/08/22"
[rule]
author = ["Elastic"]
@@ -25,20 +25,18 @@ severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
[ file where host.os.type == "linux" and event.type == "change" and
event.action == "rename" and file.extension != "" and
file.path : (
"/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*"
) and not
file.extension : (
"xml", "json", "conf", "dat", "gz", "info", "mod", "final",
"php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old"
) and not
process.name : (
"dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
"conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy"
) ] with runs=100 | tail 1
sequence by host.id, process.entity_id with maxspan=1s
[file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or
(process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and
file.path : (
"/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
"/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not ((
process.name : (
"dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
"conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
"systemsettings", "vmis-launcher")) or file.path : "/etc/selinux/*" or (file.extension in ("qmlc", "txt")
))] with runs=25
'''
[[rule.threat]]
rules/linux/impact_potential_linux_ransomware_note_detected.toml
+15 -18
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/02"
updated_date = "2023/08/22"
[rule]
author = ["Elastic"]
@@ -27,23 +27,20 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
[ file where host.os.type == "linux" and event.type == "change" and
event.action == "rename" and file.extension != "" and
file.path : (
"/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*"
) and not
file.extension : (
"xml", "json", "conf", "dat", "gz", "info", "mod", "final",
"php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old"
) and not
process.name : (
"dpkg", "yum", "dnf", "rpm", "dockerd"
) ] with runs=100
[ file where host.os.type == "linux" and event.action == "creation" and file.extension == "txt" and
file.name : (
"*crypt*", "*restore*", "*lock*", "*recovery*", "*data*",
"*read*", "*instruction*", "*how_to*", "*ransom*"
) and not process.name : ("go", "java", "pip*", "python*", "node", "containerd") ] | tail 1
[file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or
(process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and
file.path : (
"/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
"/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not ((
process.name : (
"dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
"conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
"systemsettings", "vmis-launcher")) or (file.path : "/etc/selinux/*") or (file.extension in ("qmlc", "txt")
))] with runs=25
[file where host.os.type == "linux" and event.action == "creation" and file.name : (
"*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*"
)]
'''
[[rule.threat]]
rules/linux/persistence_chkconfig_service_add.toml
+6 -3
View File
@@ -3,13 +3,16 @@ creation_date = "2022/07/22"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/29"
updated_date = "2023/08/24"
integration = ["endpoint"]
[rule]
author = ["Elastic"]
description = """
Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.
Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize
this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has
either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run
providing long-term persistence.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
@@ -36,6 +39,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event")
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
@@ -50,4 +54,3 @@ reference = "https://attack.mitre.org/techniques/T1037/004/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+2 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ type = "query"
query = '''
event.category:file and host.os.type:linux and event.type:change and
process.name:(* and not (dnf or dnf-automatic or dpkg or yum)) and
process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron)) and
(file.path:(/usr/bin/scp or
/usr/bin/sftp or
/usr/bin/ssh or
rules/linux/persistence_etc_file_creation.toml
+3 -3
View File
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/24"
integration = ["endpoint"]
[rule]
@@ -32,9 +32,9 @@ type = "eql"
query = '''
file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and
file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*",
"/usr//lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd",
"/usr/lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd",
"*/snapd", "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd",
"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension == "swp"
"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension in ("swp", "swpx", "tmp")
'''
[[rule.threat]]
rules/linux/persistence_init_d_file_creation.toml
+2 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/07/31"
updated_date = "2023/08/21"
[transform]
[[transform.osquery]]
@@ -132,7 +132,7 @@ timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and
file.path : /etc/init.d/* and not process.name : ("dpkg" or "dockerd" or "rpm" or "chef-client" or "apk" or "yum" or
file.path : /etc/init.d/* and not process.name : ("dpkg" or "dockerd" or "rpm" or "dnf" or "chef-client" or "apk" or "yum" or
"rpm" or "vmis-launcher" or "exe") and not file.extension : ("swp" or "swx")
'''
rules/linux/persistence_insmod_kernel_module_load.toml
+2 -3
View File
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/24"
integration = ["endpoint"]
[rule]
@@ -27,8 +27,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
process.executable : "/usr/sbin/insmod" and process.args : "*.ko"
process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko"
'''
[[rule.threat]]
rules/linux/persistence_kde_autostart_modification.toml
+3 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -47,7 +47,8 @@ file where host.os.type == "linux" and event.type != "deletion" and
"/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*",
"/etc/xdg/autostart/*", "/usr/share/autostart/*"
) and
not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic")
not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd",
"rpm")
'''
rules/linux/persistence_linux_shell_activity_via_web_server.toml
+3 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/20"
updated_date = "2023/08/24"
[transform]
[[transform.osquery]]
@@ -122,7 +122,8 @@ event.action in ("exec", "exec_event") and process.parent.executable : (
"*/bin/catalina.sh"
) and
process.name : ("*sh", "python*", "perl", "php*", "tmux") and
process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")
process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") and
not process.name == "phpquery"
'''
[[rule.threat]]
rules/linux/persistence_message_of_the_day_execution.toml
+2 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/31"
updated_date = "2023/08/21"
[transform]
[[transform.osquery]]
@@ -128,7 +128,7 @@ process where host.os.type == "linux" and
event.type == "start" and event.action : ("exec", "exec_event") and
process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "nc", "ncat",
"netcat", "socat", "lua", "java", "openssl", "ruby", "telnet", "awk")
"netcat", "socat", "lua", "java", "openssl", "ruby", "telnet")
'''
[[rule.threat]]
rules/linux/persistence_rc_script_creation.toml
+2 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/07/31"
updated_date = "2023/08/21"
[transform]
[[transform.osquery]]
@@ -111,7 +111,7 @@ type = "new_terms"
query = '''
host.os.type : "linux" and event.category : "file" and
event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and
file.path : "/etc/rc.local" and not process.name : ("dockerd" or "yum" or "rpm" or "dpkg") and not file.extension : ("swp" or "swx")
file.path : "/etc/rc.local" and not process.name : ("dockerd" or "docker" or "dnf" or "yum" or "rpm" or "dpkg") and not file.extension : ("swp" or "swx")
'''
[[rule.threat]]
rules/linux/persistence_systemd_scheduled_timer_created.toml
+2 -3
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/07/31"
updated_date = "2023/08/21"
[transform]
[[transform.osquery]]
@@ -141,8 +141,7 @@ type = "new_terms"
query = '''
host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and
file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or
/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not
process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/proc/self/exe" or "/usr/sbin/dockerd")
/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : ("docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor")
'''
[[rule.threat]]
rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
+3 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/27"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
@@ -44,7 +44,8 @@ event.type == "start" and process.name == "ln" and
(process.args : ("/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.weekly/*", "/etc/cron.monthly/*")) or
(process.args : ("/home/*/.ssh/*", "/root/.ssh/*","/etc/sudoers.d/*", "/dev/shm/*"))
) and
not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
'''
[[rule.threat]]