From ef66c57030655e47c99dc3f8333afd623aba656e Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Thu, 7 Mar 2024 12:20:31 +0100 Subject: [PATCH] [Tuning] Linux DR Tuning - Part 11 (#3463) * [Tuning] Linux DR Tuning - Part 11 * Update persistence_message_of_the_day_creation.toml * Update persistence_message_of_the_day_execution.toml * Update rules/linux/persistence_message_of_the_day_execution.toml * Update persistence_linux_user_added_to_privileged_group.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> --- ...e_linux_shell_activity_via_web_server.toml | 24 +++++++++++---- ..._linux_user_added_to_privileged_group.toml | 29 ++++++++++++------- ...rsistence_message_of_the_day_creation.toml | 11 ++++--- ...sistence_message_of_the_day_execution.toml | 8 +++-- ...sistence_setuid_setgid_capability_set.toml | 12 ++++---- 5 files changed, 57 insertions(+), 27 deletions(-) diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index dd391a757..93bda1093 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/02/21" [transform] [[transform.osquery]] @@ -132,7 +132,17 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" query = ''' @@ -148,9 +158,13 @@ event.action in ("exec", "exec_event") and process.parent.executable : ( "/usr/local/lsws/bin/lswsctrl", "*/bin/catalina.sh" ) and -process.name : ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "tmux") and -process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") and -not process.name == "phpquery" +process.name : ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", + "netcat", "ncat", "telnet", "awk", "socat" + ) and process.args : ( + "whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd", "ls", "cd", "python*", "php*", "perl", + "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "socat" + ) and not process.name == "phpquery" ''' [[rule.threat]] diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index 98475a809..3ffaac7d6 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2023/02/13" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/02/21" [transform] [[transform.osquery]] @@ -30,7 +30,7 @@ Identifies attempts to add a user to a privileged group. Attackers may add users establish persistence on a system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Linux User Added to Privileged Group" @@ -81,7 +81,7 @@ This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -risk_score = 47 +risk_score = 21 rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b" setup = """ @@ -109,15 +109,24 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and -process.parent.name == "sudo" and -process.args in ("root", "admin", "wheel", "staff", "sudo", - "disk", "video", "shadow", "lxc", "lxd") and +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and +event.type == "start" and process.args in ( + "root", "admin", "wheel", "staff", "sudo","disk", "video", "shadow", "lxc", "lxd" +) and ( process.name in ("usermod", "adduser") or process.name == "gpasswd" and diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index d4924d182..e44a6f99f 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2024/01/05" +updated_date = "2024/02/21" [transform] [[transform.osquery]] @@ -160,10 +160,13 @@ tags = [ type = "new_terms" timestamp_override = "event.ingested" query = ''' -host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and +host.os.type :linux and event.action:(creation or file_create_event or rename or file_rename_event) and file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : ( - dpkg or dockerd or rpm or executor or dnf or podman or ln -) and not file.extension : ("swp" or "swpx") + dpkg or dockerd or rpm or executor or dnf or podman or ln or yum +) and not ( + (process.name:mv and file.extension:dpkg-remove) or + (file.extension:(swp or swpx)) +) ''' [[rule.threat]] diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index 15633b3e5..3dd1a535e 100644 --- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/02/21" [transform] [[transform.osquery]] @@ -181,7 +181,11 @@ process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/* (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or (process.name in ("openssl", "telnet")) ) and -not (process.parent.args : "--force" or process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch")) +not ( + (process.parent.args : "--force") or + (process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch")) or + (process.parent.name == "system-crash-notification") +) ''' [[rule.threat]] diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml index 7701652b2..3f182244b 100644 --- a/rules/linux/persistence_setuid_setgid_capability_set.toml +++ b/rules/linux/persistence_setuid_setgid_capability_set.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/12/19" +updated_date = "2024/02/21" [transform] [[transform.osquery]] @@ -40,7 +40,7 @@ file owner or group. Threat actors can exploit these attributes to achieve persi allowing them to maintain control over a compromised system with elevated permissions. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Setcap setuid/setgid Capability Set" @@ -138,13 +138,14 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and -process.name == "setcap" and process.args : "cap_set?id+ep" and not process.parent.name : "jem" +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name == "setcap" and process.args : "cap_set?id+ep" and not process.parent.name in ("jem", "vzctl") ''' [[rule.threat]] @@ -172,4 +173,3 @@ reference = "https://attack.mitre.org/techniques/T1548/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -