From f37a3bfd487a92dcbbbb6b77a1372d59cccd634a Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Thu, 7 Mar 2024 10:09:14 +0100
Subject: [PATCH] [Tuning] Linux DR Tuning - Part 6 (#3457)

* [Tuning] Linux DR Tuning - Part 6

* Update discovery_ping_sweep_detected.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 .../linux/discovery_ping_sweep_detected.toml | 20 +++++++++++++------
 .../linux/discovery_process_capabilities.toml | 15 ++++++++++----
 ...very_sudo_allowed_command_enumeration.toml | 12 ++++++++---
 ...tion_abnormal_process_id_file_created.toml | 11 +++++-----
 ...ion_curl_cve_2023_38545_heap_overflow.toml | 6 +++---
 5 files changed, 43 insertions(+), 21 deletions(-)

diff --git a/rules/linux/discovery_ping_sweep_detected.toml b/rules/linux/discovery_ping_sweep_detected.toml
index a0f919c15..da60a1ad7 100644
--- a/rules/linux/discovery_ping_sweep_detected.toml
+++ b/rules/linux/discovery_ping_sweep_detected.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/09/04"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/02/20"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ Adversaries may leverage built-in tools such as ping, netcat or socat to execute
 attempting to evade detection or due to the lack of network mapping tools available on the compromised host.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Network Scan Executed From Host"
@@ -48,12 +48,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ]
 timestamp_override = "event.ingested"
 type = "threshold"
 
 query = '''
-host.os.type:linux and event.action:exec and event.type:start and
-process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat)
+event.category:process and host.os.type:linux and event.action:(exec or exec_event or executed or process_started) and
+event.type:start and process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat)
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/discovery_process_capabilities.toml b/rules/linux/discovery_process_capabilities.toml
index 4b7e92a49..3bc8dec57 100644
--- a/rules/linux/discovery_process_capabilities.toml
+++ b/rules/linux/discovery_process_capabilities.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
 min_stack_version = "8.11.0"
-updated_date = "2024/01/09"
+updated_date = "2024/02/20"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies recursive process capability enumeration of the entire filesystem thr
 Malicious users may manipulate identified capabilities to gain root privileges.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Capability Enumeration"
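Review bot: The widened `event.action`/`index` set means a single execution on a host that runs two of the listed sensors (for example Elastic Defend plus Auditd Manager) is ingested twice, and because this is a `type = "threshold"` rule each copy presumably counts toward the threshold, so the rule would fire at half the real execution rate on such hosts; the threshold definition is outside the hunk, so confirm that its grouping fields separate data sources or that the threshold value was retuned for the overlap. The setup guide quoted in the hunk header still references only Elastic Defend, while the rule now also reads Endgame, Auditbeat and Auditd Manager data; add a setup paragraph for the auditd sources (auditd-based process events presumably only exist where the audit configuration records execve) and a short note that `executed` and `process_started` are the auditd and Endgame spellings of the exec action. It is also worth verifying on sample documents that the auditbeat/auditd_manager events carry `event.type:start`, since the new index patterns contribute nothing if they use a different event.type.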
@@ -46,11 +46,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
 process.name == "getcap" and process.args == "-r" and process.args == "/" and process.args_count == 3 and
 user.id != "0"
 '''
diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
index 3730ba69d..53e5d8016 100644
--- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml
+++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/20"
 
 [rule]
 author = ["Elastic"]
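Review bot: The complete query in this hunk uses only `process.name`, `process.args`, `process.args_count` and `user.id`, none of which are the "effective and permitted process capability" fields that `min_stack_comments` (the `@@ -4,7` hunk of this file) gives as the justification for `min_stack_version = "8.11.0"`; either the comment is stale or the floor is kept for a reason not visible in the diff, and it is worth resolving so the version floor does not silently keep the rule off 8.3–8.10 stacks. If no capability field is used anywhere in the rule, the metadata could follow the other rules in this commit, `min_stack_comments = "New fields added: required_fields, related_integrations, setup"` with the floor lowered to match — confirm before changing. Separately, the added `endgame-*` index only contributes if Endgame process documents populate `process.args_count`; a check against sample events would confirm the new source can actually satisfy the query.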
@@ -47,14 +47,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.name == "sudo" and process.args == "-l" and process.args_count == 2 and
 process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
-not group.Ext.real.id : "0" and not user.Ext.real.id : "0"
+not group.Ext.real.id : "0" and not user.Ext.real.id : "0" and not process.args == "dpkg"
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index bef07a7d0..1f95a17f5 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/12/13"
+updated_date = "2024/02/20"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Abnormal Process ID or Lock File Created"
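Review bot: The added `not process.args == "dpkg"` can never match: the same query already requires `process.args == "-l"` and `process.args_count == 2`, so every event that reaches this clause has exactly the argument list `sudo -l` and there is no argument position left for `dpkg`. If the false positive being tuned is a dpkg maintainer script running `sudo -l` through one of the listed shells, the value `dpkg` was presumably observed on the parent or an ancestor process rather than on the sudo process itself; verify against the offending event and move the exclusion to the field that actually held it, e.g. `not process.parent.args == "dpkg"`, or drop the clause so the rule does not carry a dead exclusion that a later reader will assume is doing work.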
@@ -108,13 +108,14 @@ tags = [ "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" ] timestamp_override = "event.ingested" type = "new_terms" query = ''' -host.os.type:linux and event.category:file and event.action:creation and +host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and ( (process.name : ( bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp) @@ -123,7 +124,7 @@ user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* o ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/* )) ) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or -vzctl or ifup or rpcbind) and +vzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat) and not file.name : (jem.*.pid) ''' diff --git a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml index 61fdacd25..701ad91cf 100644 --- a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml +++ b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6." min_stack_version = "8.6.0" -updated_date = "2023/12/13" +updated_date = "2024/02/20" [rule] author = ["Elastic"] 
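Review bot: The four names added to the `not process.name : (...)` exclusion in the second hunk (`runc`, `gitlab-runner-helper`, `elastic-agent`, `metricbeat`) are matched on process name alone, and because that `not` clause is applied after the suspicious-path branch whose tail is visible at the top of the hunk (`./* or /tmp/* or /var/tmp/* or /dev/shm/* ...`; the field it tests sits between the two hunks, presumably an executable-path field), a file-creating process carrying one of those names is excluded even when it runs from one of the locations the rule otherwise flags. The earlier names already have this property, but each addition widens it for tooling that is common on build and monitoring hosts; anchoring the new entries to their expected install location, e.g. `not process.executable : (<install-dir>/elastic-agent or <install-dir>/metricbeat)`, would keep the tuning while preserving the suspicious-path branch. If the name-only form is kept deliberately, a one-line `false_positives` entry naming the CI and agent software being exempted would document the trade-off.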
@@ -84,7 +84,8 @@ and (
 process.args : ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or
 process.env_vars: ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*")
 ) and length(process.command_line) > 255 and
-not process.parent.name in ("cf-agent", "agent-run", "rudder", "agent-inventory", "cf-execd")
+not process.parent.name in ("cf-agent", "agent-run", "agent-check", "rudder", "agent-inventory", "cf-execd") and
+not process.args == "/opt/rudder/bin/curl"
 '''
 
 [[rule.threat]]
@@ -99,4 +100,3 @@ reference = "https://attack.mitre.org/techniques/T1203/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
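Review bot: The new `not process.args == "/opt/rudder/bin/curl"` clause keys the exclusion on an argv value, which is whatever the launching process supplied, whereas the binary that actually executed is recorded in `process.executable`; if the intent is to exempt Rudder's bundled curl, `not process.executable == "/opt/rudder/bin/curl"` states that directly and is not satisfied by some other curl that merely has that string among its arguments. The widened parent-name list (`agent-check`) follows the existing name-only pattern and is a reasonable tuning step, but with the CFEngine/Rudder exemptions now spread over two clauses a short `false_positives` entry explaining that configuration-management agents legitimately invoke curl with long proxy-bearing command lines would help the next maintainer. The `@@ -99,4` hunk only removes a trailing blank line.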