New Linux BBR Rules (#2917)

rules_building_block/command_and_control_non_standard_http_port.toml

@@ -0,0 +1,87 @@
+[metadata]
+creation_date = "2023/07/10"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/10"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS.
+For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443.
+Adversaries may make changes to the standard port a protocol uses to bypass filtering or
+muddle analysis/parsing of network data.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Non-Standard Port HTTP/HTTPS connection"
+risk_score = 21
+rule_id = "62b68eb2-1e47-4da7-85b6-8f478db5b272"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+network where process.name : ("http", "https")
+  and destination.port not in (80, 443)
+  and event.action in ("connection_attempted", "connection_accepted")
+  and destination.ip != "127.0.0.1"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1571"
+name = "Non-Standard Port"
+reference = "https://attack.mitre.org/techniques/T1571/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1573"
+name = "Encrypted Channel"
+reference = "https://attack.mitre.org/techniques/T1573/"
+[[rule.threat.technique.subtechnique]]
+id = "T1573.001"
+name = "Symmetric Cryptography"
+reference = "https://attack.mitre.org/techniques/T1573/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1573.001"
+name = "Asymmetric Cryptography"
+reference = "https://attack.mitre.org/techniques/T1573/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"

rules_building_block/discovery_linux_system_information_discovery.toml

@@ -0,0 +1,44 @@
+[metadata]
+creation_date = "2023/07/10"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/10"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = "Enrich process events with uname and other command lines that imply Linux system information discovery."
+from = "now-119m"
+interval = "60m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Linux System Information Discovery"
+risk_score = 21
+rule_id = "b81bd314-db5b-4d97-82e8-88e3e5fc9de5"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where event.type == "start" and
+(
+  process.name: "uname" or
+  (process.name: ("cat", "more", "less") and
+  process.args: ("*issue*", "*version*", "*profile*", "*services*", "*cpuinfo*"))
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"

rules_building_block/discovery_linux_system_owner_user_discovery.toml

@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/07/10"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/10"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = "Identifies the use of built-in tools which adversaries may use to enumerate the system owner/user of a compromised system."
+from = "now-119m"
+interval = "60m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "System Owner/User Discovery Linux"
+risk_score = 21
+rule_id = "bf8c007c-7dee-4842-8e9a-ee534c09d205"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where event.type == "start" and
+  process.name : ("whoami", "w", "who", "users", "id")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"