[Tuning] Linux DR Tuning - Part 11 (#3463)
* [Tuning] Linux DR Tuning - Part 11 * Update persistence_message_of_the_day_creation.toml * Update persistence_message_of_the_day_execution.toml * Update rules/linux/persistence_message_of_the_day_execution.toml * Update persistence_linux_user_added_to_privileged_group.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -132,7 +132,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
|
||||
"""
|
||||
severity = "high"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Persistence",
|
||||
"Tactic: Initial Access",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Use Case: Vulnerability",
|
||||
"Resources: Investigation Guide",
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
@@ -148,9 +158,13 @@ event.action in ("exec", "exec_event") and process.parent.executable : (
|
||||
"/usr/local/lsws/bin/lswsctrl",
|
||||
"*/bin/catalina.sh"
|
||||
) and
|
||||
process.name : ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "tmux") and
|
||||
process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") and
|
||||
not process.name == "phpquery"
|
||||
process.name : (
|
||||
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc",
|
||||
"netcat", "ncat", "telnet", "awk", "socat"
|
||||
) and process.args : (
|
||||
"whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd", "ls", "cd", "python*", "php*", "perl",
|
||||
"ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "socat"
|
||||
) and not process.name == "phpquery"
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2023/02/13"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -30,7 +30,7 @@ Identifies attempts to add a user to a privileged group. Attackers may add users
|
||||
establish persistence on a system.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Linux User Added to Privileged Group"
|
||||
@@ -81,7 +81,7 @@ This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
|
||||
|
||||
"""
|
||||
risk_score = 47
|
||||
risk_score = 21
|
||||
rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b"
|
||||
setup = """
|
||||
|
||||
@@ -109,15 +109,24 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
|
||||
severity = "low"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Persistence",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Resources: Investigation Guide",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Auditd Manager"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and
|
||||
process.parent.name == "sudo" and
|
||||
process.args in ("root", "admin", "wheel", "staff", "sudo",
|
||||
"disk", "video", "shadow", "lxc", "lxd") and
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
|
||||
event.type == "start" and process.args in (
|
||||
"root", "admin", "wheel", "staff", "sudo","disk", "video", "shadow", "lxc", "lxd"
|
||||
) and
|
||||
(
|
||||
process.name in ("usermod", "adduser") or
|
||||
process.name == "gpasswd" and
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2024/01/05"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -160,10 +160,13 @@ tags = [
|
||||
type = "new_terms"
|
||||
timestamp_override = "event.ingested"
|
||||
query = '''
|
||||
host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and
|
||||
host.os.type :linux and event.action:(creation or file_create_event or rename or file_rename_event) and
|
||||
file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (
|
||||
dpkg or dockerd or rpm or executor or dnf or podman or ln
|
||||
) and not file.extension : ("swp" or "swpx")
|
||||
dpkg or dockerd or rpm or executor or dnf or podman or ln or yum
|
||||
) and not (
|
||||
(process.name:mv and file.extension:dpkg-remove) or
|
||||
(file.extension:(swp or swpx))
|
||||
)
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/11/02"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -181,7 +181,11 @@ process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*
|
||||
(process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or
|
||||
(process.name in ("openssl", "telnet"))
|
||||
) and
|
||||
not (process.parent.args : "--force" or process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch"))
|
||||
not (
|
||||
(process.parent.args : "--force") or
|
||||
(process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch")) or
|
||||
(process.parent.name == "system-crash-notification")
|
||||
)
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/12/19"
|
||||
updated_date = "2024/02/21"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -40,7 +40,7 @@ file owner or group. Threat actors can exploit these attributes to achieve persi
|
||||
allowing them to maintain control over a compromised system with elevated permissions.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Setcap setuid/setgid Capability Set"
|
||||
@@ -138,13 +138,14 @@ tags = [
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Persistence",
|
||||
"Data Source: Elastic Defend"
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Endgame"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
|
||||
process.name == "setcap" and process.args : "cap_set?id+ep" and not process.parent.name : "jem"
|
||||
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
|
||||
process.name == "setcap" and process.args : "cap_set?id+ep" and not process.parent.name in ("jem", "vzctl")
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
@@ -172,4 +173,3 @@ reference = "https://attack.mitre.org/techniques/T1548/001/"
|
||||
id = "TA0004"
|
||||
name = "Privilege Escalation"
|
||||
reference = "https://attack.mitre.org/tactics/TA0004/"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user