[Rule Tuning] Misc. Linux ES|QL Rules (#5050)

* [Rule Tuning] Misc. Linux ES|QL Rules

* update date bump

* ++

* Update persistence_web_server_sus_child_spawned.toml

* Update working directory conditions in TOML file
Ruben Groenewoud
2025-09-02 13:49:22 +02:00
committed by GitHub
parent f2291e0261
commit ef7ff52119
7 changed files with 132 additions and 62 deletions
@@ -2,7 +2,7 @@
creation_date = "2025/02/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/02"
[rule]
author = ["Elastic"]
@@ -91,7 +91,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-endpoint.events.network-*
| where
@@ -103,8 +102,17 @@ from logs-endpoint.events.network-*
process.executable like "/tmp/*" or
process.executable like "/var/tmp/*" or
process.executable like "/dev/shm/*" or
process.name rlike ".*"
) and not (
process.executable like "/var/log/*" or
process.executable like "/sys/*" or
process.executable like "/media/*" or
process.executable like "/proc/*" or
process.executable like "/var/backups/*" or
process.executable like "/var/mail/*" or
process.executable like "/var/spool/*" or
process.executable like "./*" or
process.name like ".*"
) and
not (
cidr_match(destination.ip,
"10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
"192.0.0.0/24", "192.0.0.29/32", "192.0.0.8/32", "192.0.0.9/32",
@@ -113,7 +121,6 @@ from logs-endpoint.events.network-*
"224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
"198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8"
) or
process.executable like "/nix/store/*" or
process.executable like "/tmp/newroot/*" or
process.executable like "/tmp/.mount*" or
process.executable like "/tmp/go-build*"
@@ -141,17 +148,15 @@ from logs-endpoint.events.network-*
| limit 100
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
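Review bot: The reserved-range list inside `not (cidr_match(destination.ip, ...))` in hunk @@ -103,8 +102,17 @@ carries `"192.0.0.29/32"` where the companion SSH-port rule in this same commit lists `"192.0.0.0/29"` in the same position; `192.0.0.29/32` reads like a transposition of the IANA `192.0.0.0/29` prefix. The effect is nil because `"192.0.0.0/24"` already covers both entries, and the line is unchanged by this commit, but the two lists should be kept identical so later tuning does not diverge. The inclusion `process.executable like "./*"` that appears to be added here presumes the endpoint can report a relative executable path — worth confirming against data, since every other `like` pattern in the block is absolute. The `| where` block opens before this hunk.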
@@ -2,7 +2,7 @@
creation_date = "2025/03/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/02"
[rule]
author = ["Elastic"]
@@ -93,14 +93,27 @@ tags = [
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-endpoint.events.network-*
| where
@timestamp > now() - 1h and
host.os.type == "linux" and
event.type == "start" and
event.action == "connection_attempted"
event.action == "connection_attempted" and
not (
cidr_match(destination.ip, "127.0.0.0/8", "::1", "FE80::/10", "FF00::/8") or
process.executable in (
"/opt/dbtk/bin/jsvc", "/usr/lib/dotnet/dotnet", "/usr/share/elasticsearch/jdk/bin/java", "/usr/sbin/haproxy",
"/usr/bin/java", "/opt/kaspersky/kesl/libexec/kesl", "/usr/bin/dotnet", "/opt/java/openjdk/bin/java"
) or
process.executable like "/var/opt/kaspersky/kesl/*kesl" or
process.executable like "/usr/lib/jvm/*/java" or
process.executable like "/opt/google/chrome*" or
process.executable like "/var/lib/docker/*/java" or
process.executable like "/usr/lib64/jvm/*/java" or
process.executable like "/snap/*" or
process.executable like "/home/*/.local/share/JetBrains/*"
)
| keep
@timestamp,
host.os.type,
@@ -125,17 +138,15 @@ from logs-endpoint.events.network-*
| limit 100
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
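Review bot: The new exclusion `process.executable like "/home/*/.local/share/JetBrains/*"` in hunk @@ -93,14 +93,27 @@ exempts a user-writable directory tree from the rule, so anything launched from under that path by an unprivileged account is no longer evaluated; the other additions here are all root-owned install locations. Narrowing it to the specific executables that generate the noise, for example with a `process.name in ("<jetbrains-binary>")` conjunct (placeholder — fill from the observed data), keeps the suppression while preserving coverage of the rest of the tree. Minor style point: `/opt/google/chrome*` here versus `/opt/google/chrome/chrome*` in the sibling network rule in this commit — the same product is matched two different ways. The `| keep` projection continues past the end of the hunk.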
@@ -2,7 +2,7 @@
creation_date = "2025/03/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/02"
[rule]
author = ["Elastic"]
@@ -92,7 +92,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-endpoint.events.network-*
| keep @timestamp, host.os.type, event.type, event.action, process.executable, destination.ip, agent.id, host.name
@@ -100,7 +99,16 @@ from logs-endpoint.events.network-*
@timestamp > now() - 1 hours and
host.os.type == "linux" and
event.type == "start" and
event.action == "connection_attempted"
event.action == "connection_attempted" and
not (
process.executable in ("/usr/local/bin/prometheus", "/app/extra/chrome") or
process.executable like "/usr/local/prometheus/*/prometheus" or
process.executable like "/usr/share/elastic-agent/*" or
process.executable like "/var/lib/docker/overlay*connectord" or
process.executable like "/opt/rumble/bin/rumble-agent*" or
process.executable like "/opt/gitlab/*" or
process.executable like "/opt/google/chrome/chrome*"
)
| stats
Esql.event_count = count(),
Esql.destination_ip_count_distinct = count_distinct(destination.ip),
@@ -115,17 +123,15 @@ from logs-endpoint.events.network-*
| limit 100
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
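Review bot: The directory-wide exclusions `process.executable like "/usr/share/elastic-agent/*"` and `process.executable like "/opt/gitlab/*"` in hunk @@ -100,7 +99,16 @@ suppress every executable under those trees rather than the specific processes that produce the noise, and `/opt/gitlab/*` is a large install tree rather than a single service binary. Listing the exact binaries, as the `process.executable in (...)` line above does for prometheus, keeps the exclusion reviewable and bounded. A consistency nit: this rule writes the window as `now() - 1 hours` while the companion network rule in this commit uses `now() - 1h`; both are valid ES|QL, but one form should be used across the rule set. The `| stats` block continues outside the hunk.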
@@ -2,7 +2,7 @@
creation_date = "2025/02/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/02"
[rule]
author = ["Elastic"]
@@ -91,10 +91,9 @@ tags = [
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-endpoint.events.process-*
| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, process.parent.executable, process.command_line, agent.id, host.name
| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, process.parent.executable, agent.id, host.name
| where
@timestamp > now() - 1 hours and
host.os.type == "linux" and
@@ -106,7 +105,7 @@ from logs-endpoint.events.process-*
Esql.agent_id_count_distinct = count_distinct(agent.id),
Esql.host_name_values = values(host.name),
Esql.agent_id_values = values(agent.id)
by process.executable, process.parent.executable, process.command_line
by process.executable, process.parent.executable
| where
Esql.agent_id_count_distinct == 1 and
Esql.event_count < 5
@@ -114,7 +113,6 @@ from logs-endpoint.events.process-*
| limit 100
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -122,6 +120,7 @@ framework = "MITRE ATT&CK"
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -129,4 +128,3 @@ framework = "MITRE ATT&CK"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
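Review bot: Dropping `process.command_line` from the `| keep` projection and from the `by` clause (hunks @@ -91,10 +91,9 @@ and @@ -106,7 +105,7 @@) coarsens the grouping as intended, but it also removes the command line from the resulting alert entirely, which is the field an analyst most needs to triage a possible exfiltration. If the goal is only to stop near-identical invocations from splitting into separate groups, keep the field in the projection and collect it as a multi-value aggregate instead, e.g. `Esql.process_command_line_values = values(process.command_line)` next to the existing `Esql.host_name_values = values(host.name)`. The `| stats` block starts before the hunk, and the remaining hunks in this file only touch `[[rule.threat]]` spacing.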
@@ -2,7 +2,7 @@
creation_date = "2025/02/20"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/02"
[rule]
author = ["Elastic"]
@@ -95,7 +95,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-endpoint.events.network-*
| keep @timestamp, host.os.type, event.type, event.action, destination.port, process.executable, destination.ip, agent.id, host.name
@@ -105,7 +104,8 @@ from logs-endpoint.events.network-*
event.type == "start" and
event.action == "connection_attempted" and
destination.port in (22, 222, 2222, 10022, 2022, 2200, 62612, 8022) and
not cidr_match(
not (
cidr_match(
destination.ip,
"10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
"192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
@@ -113,6 +113,12 @@ from logs-endpoint.events.network-*
"192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
"224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
"198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8"
) or
process.executable in (
"/usr/bin/rclone", "/usr/bin/sss_ssh_knownhostsproxy", "/usr/sbin/sshd", "/usr/bin/ssh",
"/usr/local/bin/php", "/usr/sbin/apache2", "/usr/sbin/nginx", "/usr/local/bin/argocd-repo-server"
) or
process.executable like "/usr/local/efax/*"
)
| stats
Esql.event_count = count(),
@@ -127,46 +133,46 @@ from logs-endpoint.events.network-*
| limit 100
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1496"
name = "Resource Hijacking"
reference = "https://attack.mitre.org/techniques/T1496/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
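Review bot: The executable exclusions added in hunk @@ -113,6 +113,12 @@ include `"/usr/local/bin/php"`, `"/usr/sbin/apache2"` and `"/usr/sbin/nginx"`, which globally exempt web-server and PHP processes from a rule keyed on `destination.port in (22, 222, 2222, ...)`; a web server initiating connections to SSH ports is unusual enough that it is arguably the population this rule exists to surface. If the suppression is driven by a known deployment, scoping it with a `destination.ip` or `host.name` conjunct rather than dropping the binary everywhere would preserve coverage. Separately, the reserved-range list here carries `"192.0.0.0/29"` where the companion network rule in this commit has `"192.0.0.29/32"`; the two lists should be aligned. The `not ( ... )` group opens in the previous hunk and the `| stats` pipeline continues past this one.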
@@ -2,7 +2,7 @@
creation_date = "2025/03/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/02"
[rule]
author = ["Elastic"]
@@ -94,7 +94,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-endpoint.events.process-*
| keep
@@ -117,23 +116,59 @@ from logs-endpoint.events.process-*
host.os.type == "linux" and
event.type == "start" and
event.action == "exec" and (
(
process.parent.name in (
"apache", "nginx", "apache2", "httpd", "lighttpd", "caddy", "node", "mongrel_rails", "java", "gunicorn",
"uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "tornado", "hypercorn",
"daphne", "twistd", "yaws", "webfsd", "httpd.worker", "flask", "rails", "mongrel"
) or
process.parent.name like "php-*" or
process.parent.name like "python*" or
process.parent.name like "ruby*" or
process.parent.name like "perl*" or
user.name in (
"apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9", "ftp", "ftpuser", "ftpd"
) or
user.id in ("99", "33", "498", "48") or
process.working_directory like "/var/www/*"
) and not (
) or
(
(
process.parent.name like "php-*" or
process.parent.name like "python*" or
process.parent.name like "ruby*" or
process.parent.name like "perl*"
) and (
process.working_directory like "/var/www/*" or
process.working_directory like "/srv/www/*" or
process.working_directory like "/usr/share/nginx/*"
)
)
) and (
process.name in (
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat", "openssl", "busybox",
"nc", "ncat", "netcat", "nc.openbsd", "nc.traditional", "nohup", "setsid", "mkfifo", "mknod",
"node", "socket"
) or
process.name like "python*" or
process.name like "php*" or
process.name like "perl" or
process.name like "ruby*" or
process.name like "lua*" or
process.executable like "/tmp/*" or
process.executable like "/var/tmp/*" or
process.executable like "/dev/shm/*" or
process.executable like "/var/log/*" or
process.executable like "/sys/*" or
process.executable like "/media/*" or
process.executable like "/proc/*" or
process.executable like "/var/backups/*" or
process.executable like "/var/mail/*" or
process.executable like "/var/spool/*" or
process.executable like "/var/www/*" or
process.executable like "./*" or
process.name like ".*"
) and
not (
process.working_directory like "/home/*" or
process.working_directory == "/" or
process.working_directory like "/var/www/*.ch" or
process.parent.executable like "/vscode/vscode-server/*"
)
| stats
@@ -149,51 +184,51 @@ from logs-endpoint.events.process-*
| limit 100
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"
[[rule.threat.technique.subtechnique]]
id = "T1505.003"
name = "Web Shell"
reference = "https://attack.mitre.org/techniques/T1505/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
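Review bot: The new trailing exclusion `process.working_directory == "/"` in hunk @@ -117,23 +116,59 @@ applies to both alternatives, including the first group keyed on `process.parent.name in ("apache", "nginx", ...)`; daemonised web servers commonly run with a working directory of `/`, so shell children of those parents may be silently dropped — this should be checked against data, and if it is only meant to tame the interpreter branch it belongs inside the second alternative rather than at the end. `process.working_directory like "/var/www/*.ch"` looks environment-specific and deserves a comment such as `# /var/www/*.ch: site-specific exclusion, see <ticket-id>` (placeholder) or a narrower `host.name` scope so it is not mistaken for a general pattern. Minor style point: `process.name like "perl"` carries no wildcard while the neighbouring `python*`, `php*`, `ruby*` and `lua*` do — if an exact match is intended, `process.name == "perl"` says so. The `| stats` pipeline continues outside the hunk.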
@@ -2,7 +2,7 @@
creation_date = "2025/03/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/07/16"
updated_date = "2025/09/02"
[rule]
author = ["Elastic"]
@@ -101,7 +101,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-endpoint.events.process-*
| keep
@@ -123,20 +122,30 @@ from logs-endpoint.events.process-*
host.os.type == "linux" and
event.type == "start" and
event.action == "exec" and (
(
process.parent.name in (
"apache", "nginx", "apache2", "httpd", "lighttpd", "caddy", "node", "mongrel_rails", "java", "gunicorn",
"uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "tornado", "hypercorn",
"daphne", "twistd", "yaws", "webfsd", "httpd.worker", "flask", "rails", "mongrel"
) or
process.parent.name like "php-*" or
process.parent.name like "python*" or
process.parent.name like "ruby*" or
process.parent.name like "perl*" or
user.name in (
"apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9", "ftp", "ftpuser", "ftpd"
) or
user.id in ("99", "33", "498", "48") or
process.working_directory like "/var/www/*"
) or
(
(
process.parent.name like "php-*" or
process.parent.name like "python*" or
process.parent.name like "ruby*" or
process.parent.name like "perl*"
) and (
process.working_directory like "/var/www/*" or
process.working_directory like "/srv/www/*" or
process.working_directory like "/usr/share/nginx/*"
)
)
) and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
process.command_line like "* -c *" and not (
@@ -159,51 +168,51 @@ from logs-endpoint.events.process-*
| limit 100
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"
[[rule.threat.technique.subtechnique]]
id = "T1505.003"
name = "Web Shell"
reference = "https://attack.mitre.org/techniques/T1505/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"