diff --git a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml index 18e98e3d1..41bc6085b 100644 --- a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml +++ b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/09/02" [rule] author = ["Elastic"] @@ -91,7 +91,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "esql" - query = ''' from logs-endpoint.events.network-* | where @@ -103,8 +102,17 @@ from logs-endpoint.events.network-* process.executable like "/tmp/*" or process.executable like "/var/tmp/*" or process.executable like "/dev/shm/*" or - process.name rlike ".*" - ) and not ( + process.executable like "/var/log/*" or + process.executable like "/sys/*" or + process.executable like "/media/*" or + process.executable like "/proc/*" or + process.executable like "/var/backups/*" or + process.executable like "/var/mail/*" or + process.executable like "/var/spool/*" or + process.executable like "./*" or + process.name like ".*" + ) and + not ( cidr_match(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.29/32", "192.0.0.8/32", "192.0.0.9/32", @@ -113,7 +121,6 @@ from logs-endpoint.events.network-* "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8" ) or - process.executable like "/nix/store/*" or process.executable like "/tmp/newroot/*" or process.executable like "/tmp/.mount*" or process.executable like "/tmp/go-build*" 
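Review bot: `process.name like ".*"` in the rewritten path clause is easy to misread as the catch-all it replaces: the removed `process.name rlike ".*"` was a regex that matched every process name and so made the whole suspicious-path group true for any executable, whereas ES|QL LIKE treats the dot literally and only `*` as a wildcard, so the new line matches only dot-prefixed (hidden) names. A short ES|QL comment above it, `// hidden (dot-prefixed) names; LIKE treats "." literally, unlike the former RLIKE`, would stop the next tuning pass from "fixing" it back, and the same line is added in the web-server suspicious-child rule further down in this commit. Of the newly added prefixes, `process.executable like "/media/*"` covers every mounted removable or network volume where users do run legitimate portable binaries, so it is the one most likely to need a follow-up exclusion; dropping `/nix/store/*` from the exclusion list in the later hunk is consistent, since that path was only reachable through the old catch-all. The query block this hunk edits starts and ends outside the hunk.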
@@ -141,17 +148,15 @@ from logs-endpoint.events.network-* | limit 100 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml b/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml index e9867a5ac..432bda77f 100644 --- a/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml +++ b/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/09/02" [rule] author = ["Elastic"] @@ -93,14 +93,27 @@ tags = [ ] timestamp_override = "event.ingested" type = "esql" - query = ''' from logs-endpoint.events.network-* | where @timestamp > now() - 1h and host.os.type == "linux" and event.type == "start" and - event.action == "connection_attempted" + event.action == "connection_attempted" and + not ( + cidr_match(destination.ip, "127.0.0.0/8", "::1", "FE80::/10", "FF00::/8") or + process.executable in ( + "/opt/dbtk/bin/jsvc", "/usr/lib/dotnet/dotnet", "/usr/share/elasticsearch/jdk/bin/java", "/usr/sbin/haproxy", + "/usr/bin/java", "/opt/kaspersky/kesl/libexec/kesl", "/usr/bin/dotnet", "/opt/java/openjdk/bin/java" + ) or + process.executable like "/var/opt/kaspersky/kesl/*kesl" or + process.executable like "/usr/lib/jvm/*/java" or + process.executable like "/opt/google/chrome*" or + process.executable like "/var/lib/docker/*/java" or + process.executable like "/usr/lib64/jvm/*/java" or + process.executable like "/snap/*" or + process.executable like "/home/*/.local/share/JetBrains/*" + ) | keep @timestamp, host.os.type, 
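Review bot: The new exclusion `process.executable like "/home/*/.local/share/JetBrains/*"` whitelists a user-writable, user-controlled tree by prefix, so any binary that ends up there on a compromised account is exempt from the scan detection; `/snap/*` and `/var/lib/docker/*/java` are broad in the same way, as are `/opt/gitlab/*` and `/var/lib/docker/overlay*connectord` in the subnet-scanning rule's hunk in the next file. Narrowing each glob to the specific executable that produced the noise (for example `/home/*/.local/share/JetBrains/*/<tool>` with the real binary name substituted) keeps the tuning without leaving a whole directory unmonitored. Excluding every JVM (`/usr/bin/java`, `/usr/lib/jvm/*/java`, `/usr/lib64/jvm/*/java`, plus the docker and elasticsearch java paths) also means post-exploitation scanning from a compromised Java web application is no longer visible to this rule; if that trade-off is intended, the rule's `false_positives` or `note` field should record it. The `| where` clause this hunk rewrites continues past the end of the hunk.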
@@ -125,17 +138,15 @@ from logs-endpoint.events.network-* | limit 100 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml index ae377495d..317592c97 100644 --- a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml +++ b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/09/02" [rule] author = ["Elastic"] @@ -92,7 +92,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "esql" - query = ''' from logs-endpoint.events.network-* | keep @timestamp, host.os.type, event.type, event.action, process.executable, destination.ip, agent.id, host.name @@ -100,7 +99,16 @@ from logs-endpoint.events.network-* @timestamp > now() - 1 hours and host.os.type == "linux" and event.type == "start" and - event.action == "connection_attempted" + event.action == "connection_attempted" and + not ( + process.executable in ("/usr/local/bin/prometheus", "/app/extra/chrome") or + process.executable like "/usr/local/prometheus/*/prometheus" or + process.executable like "/usr/share/elastic-agent/*" or + process.executable like "/var/lib/docker/overlay*connectord" or + process.executable like "/opt/rumble/bin/rumble-agent*" or + process.executable like "/opt/gitlab/*" or + process.executable like "/opt/google/chrome/chrome*" + ) | stats Esql.event_count = count(), Esql.destination_ip_count_distinct = count_distinct(destination.ip), 
@@ -115,17 +123,15 @@ from logs-endpoint.events.network-* | limit 100 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml index 4fdf884f8..83d604a06 100644 --- a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml +++ b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/09/02" [rule] author = ["Elastic"] @@ -91,10 +91,9 @@ tags = [ ] timestamp_override = "event.ingested" type = "esql" - query = ''' from logs-endpoint.events.process-* -| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, process.parent.executable, process.command_line, agent.id, host.name +| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, process.parent.executable, agent.id, host.name | where @timestamp > now() - 1 hours and host.os.type == "linux" and @@ -106,7 +105,7 @@ from logs-endpoint.events.process-* Esql.agent_id_count_distinct = count_distinct(agent.id), Esql.host_name_values = values(host.name), Esql.agent_id_values = values(agent.id) - by process.executable, process.parent.executable, process.command_line + by process.executable, process.parent.executable | where Esql.agent_id_count_distinct == 1 and Esql.event_count < 5 @@ -114,7 +113,6 @@ from logs-endpoint.events.process-* | limit 100 ''' - [[rule.threat]] framework = "MITRE ATT&CK" 
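Review bot: Removing `process.command_line` from both the `| keep` list and the `by` key drops it from the alert entirely, so an analyst triaging an unusual file-transfer utility launch no longer sees what was transferred or where; the grouping change itself is reasonable if the intent was to stop splitting one executable/parent pair into many buckets by argument. Keeping the field in `| keep` and adding `Esql.process_command_line_values = values(process.command_line),` to the `| stats` list retains the context without re-introducing it as a group key. With the coarser key, `Esql.event_count < 5` now counts all invocations of the pair regardless of arguments, which should be reflected in the rule description if it describes per-command-line rarity. The `| stats` block edited here starts outside the hunk.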
@@ -122,6 +120,7 @@ framework = "MITRE ATT&CK" id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -129,4 +128,3 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/impact_potential_bruteforce_malware_infection.toml b/rules/linux/impact_potential_bruteforce_malware_infection.toml index 71b42747d..b6d7499b4 100644 --- a/rules/linux/impact_potential_bruteforce_malware_infection.toml +++ b/rules/linux/impact_potential_bruteforce_malware_infection.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/09/02" [rule] author = ["Elastic"] @@ -95,7 +95,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "esql" - query = ''' from logs-endpoint.events.network-* | keep @timestamp, host.os.type, event.type, event.action, destination.port, process.executable, destination.ip, agent.id, host.name @@ -105,7 +104,8 @@ from logs-endpoint.events.network-* event.type == "start" and event.action == "connection_attempted" and destination.port in (22, 222, 2222, 10022, 2022, 2200, 62612, 8022) and - not cidr_match( + not ( + cidr_match( destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", 
@@ -113,6 +113,12 @@ from logs-endpoint.events.network-* "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8" + ) or + process.executable in ( + "/usr/bin/rclone", "/usr/bin/sss_ssh_knownhostsproxy", "/usr/sbin/sshd", "/usr/bin/ssh", + "/usr/local/bin/php", "/usr/sbin/apache2", "/usr/sbin/nginx", "/usr/local/bin/argocd-repo-server" + ) or + process.executable like "/usr/local/efax/*" ) | stats Esql.event_count = count(), @@ -127,46 +133,46 @@ from logs-endpoint.events.network-* | limit 100 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1496" name = "Resource Hijacking" reference = "https://attack.mitre.org/techniques/T1496/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/persistence_web_server_sus_child_spawned.toml b/rules/linux/persistence_web_server_sus_child_spawned.toml index bf3b75fb4..18e0047d0 100644 --- a/rules/linux/persistence_web_server_sus_child_spawned.toml +++ b/rules/linux/persistence_web_server_sus_child_spawned.toml 
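Review bot: Adding `/usr/bin/ssh` and `/usr/sbin/sshd` to the executable exclusion removes the most common vehicle for SSH brute forcing from a rule whose purpose is to catch it: scripted brute-force activity that drives the system ssh client, and any web-shell-driven connections from `/usr/local/bin/php`, `/usr/sbin/apache2` or `/usr/sbin/nginx`, are now filtered out before the `| stats` threshold is evaluated. A narrower tuning would be to exclude these binaries only together with the parent that produced the noise (a `process.parent.executable` condition for the legitimate automation), or to keep them and raise the distinct-destination threshold for them specifically. Whichever is chosen, the reason belongs in the rule's `false_positives`/`note` section so the coverage gap is documented rather than implicit. The `not (` group closed in this hunk is opened in the previous one.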
@@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/09/02" [rule] author = ["Elastic"] @@ -94,7 +94,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "esql" - query = ''' from logs-endpoint.events.process-* | keep 
@@ -117,23 +116,59 @@ from logs-endpoint.events.process-* host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + ( process.parent.name in ( "apache", "nginx", "apache2", "httpd", "lighttpd", "caddy", "node", "mongrel_rails", "java", "gunicorn", "uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "tornado", "hypercorn", "daphne", "twistd", "yaws", "webfsd", "httpd.worker", "flask", "rails", "mongrel" ) or - process.parent.name like "php-*" or - process.parent.name like "python*" or - process.parent.name like "ruby*" or - process.parent.name like "perl*" or user.name in ( "apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9", "ftp", "ftpuser", "ftpd" ) or user.id in ("99", "33", "498", "48") or process.working_directory like "/var/www/*" - ) and not ( + ) or + ( + ( + process.parent.name like "php-*" or + process.parent.name like "python*" or + process.parent.name like "ruby*" or + process.parent.name like "perl*" + ) and ( + process.working_directory like "/var/www/*" or + process.working_directory like "/srv/www/*" or + process.working_directory like "/usr/share/nginx/*" + ) + ) + ) and ( + process.name in ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat", "openssl", "busybox", + "nc", "ncat", "netcat", "nc.openbsd", "nc.traditional", "nohup", "setsid", "mkfifo", "mknod", + "node", "socket" + ) or + process.name like "python*" or + process.name like "php*" or + process.name like "perl" or + process.name like "ruby*" or + process.name like "lua*" or + process.executable like "/tmp/*" or + process.executable like "/var/tmp/*" or + process.executable like "/dev/shm/*" or + process.executable like "/var/log/*" or + process.executable like "/sys/*" or + process.executable like "/media/*" or + process.executable like "/proc/*" or + process.executable like "/var/backups/*" or + process.executable like "/var/mail/*" or + process.executable like "/var/spool/*" or + 
process.executable like "/var/www/*" or + process.executable like "./*" or + process.name like ".*" + ) and + not ( process.working_directory like "/home/*" or process.working_directory == "/" or + process.working_directory like "/var/www/*.ch" or process.parent.executable like "/vscode/vscode-server/*" ) | stats @@ -149,51 +184,51 @@ from logs-endpoint.events.process-* | limit 100 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/persistence_web_server_sus_command_execution.toml b/rules/linux/persistence_web_server_sus_command_execution.toml index e75c582d1..1edca97f7 100644 --- a/rules/linux/persistence_web_server_sus_command_execution.toml +++ b/rules/linux/persistence_web_server_sus_command_execution.toml 
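Review bot: The new exclusion `process.working_directory like "/var/www/*.ch"` is a bare path-suffix carve-out that silences the entire rule for every vhost directory ending in `.ch`, including the exact web-server-spawns-shell case the rule exists for, and nothing in the hunk records why it was added. If it is tenant-specific noise it should be scoped to the process that caused it (the `process.name`/`process.parent.name` pair) and carry a comment such as `// FP tuning: <reason>`; otherwise it is better dropped. In the same hunk `process.name like "perl"` has no wildcard, unlike the neighbouring `python*`, `ruby*`, `lua*` and the parent check's own `perl*`, so versioned binaries such as `perl5.x` would not match; if that is deliberate a comment should say so, otherwise `process.name like "perl*"` matches the rest. The restructured interpreter branch also repeats `process.working_directory like "/var/www/*"`, which the first branch already accepts on its own, so only the `/srv/www/*` and `/usr/share/nginx/*` alternatives add coverage; the same duplication appears in the command-execution rule's hunk later in this commit. The `| where` clause this hunk rewrites begins before the hunk.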
@@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/09/02" [rule] author = ["Elastic"] @@ -101,7 +101,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "esql" - query = ''' from logs-endpoint.events.process-* | keep @@ -123,20 +122,30 @@ from logs-endpoint.events.process-* host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + ( process.parent.name in ( "apache", "nginx", "apache2", "httpd", "lighttpd", "caddy", "node", "mongrel_rails", "java", "gunicorn", "uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "tornado", "hypercorn", "daphne", "twistd", "yaws", "webfsd", "httpd.worker", "flask", "rails", "mongrel" ) or - process.parent.name like "php-*" or - process.parent.name like "python*" or - process.parent.name like "ruby*" or - process.parent.name like "perl*" or user.name in ( "apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9", "ftp", "ftpuser", "ftpd" ) or user.id in ("99", "33", "498", "48") or process.working_directory like "/var/www/*" + ) or + ( + ( + process.parent.name like "php-*" or + process.parent.name like "python*" or + process.parent.name like "ruby*" or + process.parent.name like "perl*" + ) and ( + process.working_directory like "/var/www/*" or + process.working_directory like "/srv/www/*" or + process.working_directory like "/usr/share/nginx/*" + ) + ) ) and process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.command_line like "* -c *" and not ( 
@@ -159,51 +168,51 @@ from logs-endpoint.events.process-* | limit 100 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -