[Tuning] Linux DR Tuning - Part 14 (#3467)
* [Tuning] Linux DR Tuning - Part 14 * Update privilege_escalation_sudo_cve_2019_14287.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2023/08/30"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -15,7 +15,7 @@ that can be chosen arbitrarily. By using the sudo privileges, the command "sudo
|
||||
representing the root user. This exploit may work for sudo versions prior to v1.28.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Sudo Privilege Escalation via CVE-2019-14287"
|
||||
@@ -49,12 +49,21 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Use Case: Vulnerability"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Privilege Escalation",
|
||||
"Data Source: Elastic Defend",
|
||||
"Use Case: Vulnerability",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
|
||||
process.name == "sudo" and process.args == "-u#-1"
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
|
||||
event.type == "start" and process.name == "sudo" and process.args == "-u#-1"
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -61,7 +61,7 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
query = '''
|
||||
host.os.type:linux and event.category:file and event.type:("creation" or "file_create_event") and
|
||||
file.path:("/usr/bin/sudo" or "/bin/sudo") and not process.name:(docker or dockerd)
|
||||
file.path:("/usr/bin/sudo" or "/bin/sudo") and not process.name:(docker or dockerd or pacman)
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/10/26"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -65,7 +65,8 @@ and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or
|
||||
) or
|
||||
process.name:(
|
||||
"bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or "ksh" or "fish" or "sudo" or "su" or "apt" or "apt-get" or
|
||||
"aptitude" or "squid" or "snap" or "fusermount" or "pkexec" or "umount"
|
||||
"aptitude" or "squid" or "snap" or "fusermount" or "pkexec" or "umount" or "master" or "omsbaseline" or "dzdo" or
|
||||
"sandfly" or "logrotate"
|
||||
) or
|
||||
process.args:/usr/bin/python*
|
||||
)
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/22"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -63,28 +63,32 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Privilege Escalation",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and
|
||||
process.executable: "/usr/bin/unshare" and
|
||||
not process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd", "/usr/bin/unshare") and
|
||||
not process.args : "/usr/bin/snap"
|
||||
not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox-boot", "java")
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1543"
|
||||
name = "Create or Modify System Process"
|
||||
reference = "https://attack.mitre.org/techniques/T1543/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0004"
|
||||
name = "Privilege Escalation"
|
||||
reference = "https://attack.mitre.org/tactics/TA0004/"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user