From f7d8d4752a4555b45c3e3e15f4aeb2fdd27eb894 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Thu, 31 Aug 2023 17:41:22 +0200
Subject: [PATCH] [New Rules] GDB Secret Dumping (#3060)

* [New Rules] GDB Secret Dumping

* Added references to BBR

* Update rules/linux/credential_access_gdb_init_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 ...redential_access_gdb_init_memory_dump.toml | 52 +++++++++++++++++
 .../credential_access_gdb_memory_dump.toml    | 56 +++++++++++++++++++
 2 files changed, 108 insertions(+)
 create mode 100644 rules/linux/credential_access_gdb_init_memory_dump.toml
 create mode 100644 rules_building_block/credential_access_gdb_memory_dump.toml

diff --git a/rules/linux/credential_access_gdb_init_memory_dump.toml b/rules/linux/credential_access_gdb_init_memory_dump.toml
new file mode 100644
index 000000000..c1d71fc94
--- /dev/null
+++ b/rules/linux/credential_access_gdb_init_memory_dump.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/08/30"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/30"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory 
+dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include
+"truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Linux init (PID 1) Secret Dump via GDB"
+references = [
+    "https://github.com/controlplaneio/truffleproc",
+    "https://github.com/hajzer/bash-memory-dump"
+]
+risk_score = 47
+rule_id = "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.007"
+name = "Proc Filesystem"
+reference = "https://attack.mitre.org/techniques/T1003/007/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules_building_block/credential_access_gdb_memory_dump.toml b/rules_building_block/credential_access_gdb_memory_dump.toml
new file mode 100644
index 000000000..c0068c1d1
--- /dev/null
+++ b/rules_building_block/credential_access_gdb_memory_dump.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/08/30"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/30"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt
+secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and 
+"bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Linux Secret Dumping via GDB"
+references = [
+    "https://github.com/controlplaneio/truffleproc",
+    "https://github.com/hajzer/bash-memory-dump"
+]
+risk_score = 21
+rule_id = "66c058f3-99f4-4d18-952b-43348f2577a0"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+process.name == "gdb" and process.args in ("--pid", "-p") and 
+/* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */
+process.args != "1"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.007"
+name = "Proc Filesystem"
+reference = "https://attack.mitre.org/techniques/T1003/007/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"