From ef49709c7d0085f01b0a4acb58b3daa6c795a482 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Fri, 4 Aug 2023 16:32:34 +0200 Subject: [PATCH] [New Rules] Linux Wildcard Injection (#2973) * [New Rules] Linux Wildcard Injection * Update rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml * Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> --- ...on_chown_chmod_unauthorized_file_read.toml | 63 +++++++++++++++++++ ...lation_potential_wildcard_shell_spawn.toml | 63 +++++++++++++++++++ 2 files changed, 126 insertions(+) create mode 100644 rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml create mode 100644 rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml new file mode 100644 index 000000000..90d70f15d --- /dev/null +++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml @@ -0,0 +1,63 @@ +[metadata] +creation_date = "2023/07/28" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/28" + +[rule] +author = ["Elastic"] +description = """ +This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a +wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate +commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by +tricking the system into interpreting the wildcard characters in unexpected ways. +""" +from = "now-9m" +index = ["logs-endpoint.events.*", "endgame-*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Unauthorized Access via Wildcard Injection Detected" +references = ["https://www.exploit-db.com/papers/33930"] +risk_score = 21 +rule_id = "4a99ac6f-9a54-4ba5-a64f-6eb65695841b" +severity = "low" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame"] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*" +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml new file mode 100644 index 000000000..0583442e0 --- /dev/null +++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml @@ -0,0 +1,63 @@ +[metadata] +creation_date = "2023/07/28" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/28" + +[rule] +author = ["Elastic"] +description = """ +This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, +with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security +vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended +operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Shell via Wildcard Injection Detected" +references = ["https://www.exploit-db.com/papers/33930"] +risk_score = 47 +rule_id = "0b803267-74c5-444d-ae29-32b5db2d562a" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution"] +type = "eql" +query = ''' +sequence by host.id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( + (process.name == "tar" and process.args : "--checkpoint=*" and process.args : "--checkpoint-action=*") or + (process.name == "rsync" and process.args : "-e*") or + (process.name == "zip" and process.args == "--unzip-command") )] by process.entity_id + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.parent.name : ("tar", "rsync", "zip") and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/"