From fb40a4a8c79a2d5d98a246d78ea8c0dc3da96f6c Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Mon, 28 Mar 2022 22:54:37 +0530
Subject: [PATCH] Description updation across multiple rules (#1893)

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 rules/linux/execution_apt_binary.toml | 8 +++++---
 rules/linux/execution_awk_binary_shell.toml | 5 +++--
 rules/linux/execution_env_binary.toml | 9 +++++----
 rules/linux/execution_expect_binary.toml | 9 +++++----
 rules/linux/execution_find_binary.toml | 7 ++++---
 rules/linux/execution_gcc_binary.toml | 7 ++++---
 rules/linux/execution_mysql_binary.toml | 9 +++++----
 rules/linux/execution_nice_binary.toml | 12 +++++++-----
 rules/linux/execution_ssh_binary.toml | 9 +++++----
 9 files changed, 43 insertions(+), 32 deletions(-)

diff --git a/rules/linux/execution_apt_binary.toml b/rules/linux/execution_apt_binary.toml
index 3f8978e99..46819878e 100644
--- a/rules/linux/execution_apt_binary.toml
+++ b/rules/linux/execution_apt_binary.toml
@@ -1,14 +1,16 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies Linux binary apt/apt-get abuse to breakout out of restricted shells or environments by spawning an
-interactive system shell. This activity is not standard use with this binary for a user or system administrator. It
-indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
+interactive system shell. The apt utility allows us to manage installation and removal of softwares on Debian based
+Linux distributions and the activity of spawning shell is not a standard use of this binary for a user or system
+administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their
+access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
diff --git a/rules/linux/execution_awk_binary_shell.toml b/rules/linux/execution_awk_binary_shell.toml
index 53dfb3e5b..966816a7a 100644
--- a/rules/linux/execution_awk_binary_shell.toml
+++ b/rules/linux/execution_awk_binary_shell.toml
@@ -1,13 +1,14 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies Linux binary awk abuse to breakout out of restricted shells or environments by spawning an interactive system
-shell. This activity is not standard use with this binary for a user or system administrator. It indicates a potentially
+shell. The awk utility is a text processing language used for data extraction and reporting tools and the activity of
+spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially
 malicious actor attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
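Review bot: `softwares` on the first added description line should be `software` (uncountable), and `the activity of spawning shell` reads better as `the activity of spawning a shell`; the same `spawning shell` phrasing is added in the awk, env, expect, find, gcc, mysql, nice and ssh hunks of this commit. The first-person `allows us to` is unusual for rule text that analysts read in the alert UI; `The apt utility lets administrators manage installation and removal of software on Debian-based Linux distributions` keeps the meaning in the impersonal voice the rest of the description uses. The unchanged context line above still carries the pre-existing `breakout out of`, which is not introduced here but sits one line from the edited text and could be fixed in the same pass.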
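Review bot: `used for data extraction and reporting tools` on the first added awk description line mixes a purpose with a category; `a text processing language commonly used for data extraction and reporting` says the same thing cleanly. The sentence then runs the utility definition and the alerting rationale together with `and the activity of`; ending the definition with a period and starting `Spawning a shell is not a standard use ...` as its own sentence makes the rationale easier to scan when the description is shown on an alert.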
diff --git a/rules/linux/execution_env_binary.toml b/rules/linux/execution_env_binary.toml
index cd6b204f1..a9aa85cf7 100644
--- a/rules/linux/execution_env_binary.toml
+++ b/rules/linux/execution_env_binary.toml
@@ -1,14 +1,15 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell.This
-activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious
-actor attempting to improve the capabilities or stability of their access
+Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell.The
+env utility is a shell command for Unix like OS which is used to print a list of environment variables and the activity
+of spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially
+malicious actor attempting to improve the capabilities or stability of their access
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
diff --git a/rules/linux/execution_expect_binary.toml b/rules/linux/execution_expect_binary.toml
index 4479911d2..c9797ae79 100644
--- a/rules/linux/execution_expect_binary.toml
+++ b/rules/linux/execution_expect_binary.toml
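Review bot: `shell.The` on the first added description line is missing the space after the period (carried over from the removed `shell.This`), and the same missing space appears in the added lines of the find (`administrator.It`), gcc, mysql, nice and ssh hunks. Describing env only as a utility that prints environment variables leaves out the property that makes it worth alerting on: env also runs a given command with a modified environment, so an analyst reading this description will not see why env spawning a shell is suspicious. Suggested wording for the second and third added lines: `The env utility prints the current environment or runs a command in a modified environment, so env spawning an interactive shell is not a standard use of this binary for a user or system administrator.` `Unix like` should be hyphenated as `Unix-like`, and the last added line still ends without a period, as the removed line did.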
@@ -1,14 +1,15 @@
 [metadata]
 creation_date = "2022/03/07"
 maturity = "development"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary expect abuse to break out from restricted environments by spawning an interactive system shell
-This activity is not standard use with this binary for a user or system administrator and could potentially indicate
-malicious actor attempting to improve the capabilities or stability of their access.
+Identifies Linux binary expect abuse to break out from restricted environments by spawning an interactive system shell.
+The expect utility allows us to automate control of interactive applications such as telnet,ftp,ssh and others and the
+activity of spawning shell is not a standard use of this binary for a user or system administrator and could potentially
+indicate malicious actor attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
diff --git a/rules/linux/execution_find_binary.toml b/rules/linux/execution_find_binary.toml
index ca32d0df7..73cfc3061 100644
--- a/rules/linux/execution_find_binary.toml
+++ b/rules/linux/execution_find_binary.toml
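Review bot: `telnet,ftp,ssh` on the second added description line needs spaces after the commas, and `could potentially indicate malicious actor` on the last added line is missing an article (`indicate a malicious actor`). `allows us to automate` uses the first person, which the other rule descriptions in this repository do not; `The expect utility automates control of interactive applications such as telnet, ftp, ssh and others.` reads as rule text rather than as a tutorial, and ending the definition there lets the rationale start as its own sentence.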
@@ -1,14 +1,15 @@
 [metadata]
 creation_date = "2022/02/28"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell.
-This activity is not standard use with this binary for a user or system administrator. It indicates a potentially
-malicious actor attempting to improve the capabilities or stability of their access.
+The find command in Unix is a command line utility for walking a file hirerarchy and the activity of spawning shell is
+not a standard use of this binary for a user or system administrator.It indicates a potentially malicious actor
+attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
diff --git a/rules/linux/execution_gcc_binary.toml b/rules/linux/execution_gcc_binary.toml
index 200ee8787..64b52cc0d 100644
--- a/rules/linux/execution_gcc_binary.toml
+++ b/rules/linux/execution_gcc_binary.toml
@@ -1,13 +1,14 @@
 [metadata]
 creation_date = "2022/03/09"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary gcc abuse to break out from restricted environments by spawning an interactive system shell.This
-activity is not standard use with this binary for a user or system administrator and could potentially indicate
+Identifies Linux binary gcc abuse to break out from restricted environments by spawning an interactive system shell.The
+gcc utility is a complier system for various languages and mainly used to complie C and C++ programs and the activity of
+spawning shell is not a standard use of this binary for a user or system administrator.It indicates a potentially
 malicious actor attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
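Review bot: `hirerarchy` on the first added find description line is a typo for `hierarchy`, and `command line utility` is conventionally hyphenated as `command-line utility` when it modifies a noun. `The find command in Unix is a command-line utility for walking a file hierarchy.` would also end the definition cleanly so the alerting rationale can stand as its own sentence instead of being joined with `and the activity of`.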
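Review bot: `complier` and `complie` on the second added gcc description line are typos for `compiler` and `compile`. `a compiler system for various languages` is also vaguer than an analyst needs; `gcc is the GNU Compiler Collection, mainly used to compile C and C++ programs` is more precise and still within the rule's scope. The removed line's `could potentially indicate` is replaced by `It indicates a potentially`, which now matches the apt and awk descriptions in this commit; that consistency is worth keeping when the other wording is fixed.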
diff --git a/rules/linux/execution_mysql_binary.toml b/rules/linux/execution_mysql_binary.toml
index ffc0c30b4..3077a30b2 100644
--- a/rules/linux/execution_mysql_binary.toml
+++ b/rules/linux/execution_mysql_binary.toml
@@ -1,14 +1,15 @@
 [metadata]
 creation_date = "2022/03/09"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell.This
-activity is not standard use with this binary for a user or system administrator and could potentially indicate
-malicious actor attempting to improve the capabilities or stability of their access.
+Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell.The
+MySQL is an open source relational database management system and the activity of spawning shell is not a standard use
+of this binary for a user or system administrator.It indicates a potentially malicious actor attempting to improve the
+capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
diff --git a/rules/linux/execution_nice_binary.toml b/rules/linux/execution_nice_binary.toml
index 276d421b1..9e6a32283 100644
--- a/rules/linux/execution_nice_binary.toml
+++ b/rules/linux/execution_nice_binary.toml
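Review bot: `The MySQL is` on the second added description line should drop the article (`MySQL is an open source relational database management system`), and `open source` used attributively is usually written `open-source`. The first added line keeps `MySQL server abuse` while the file is named execution_mysql_binary.toml and the text later says `this binary`; if the rule's query (outside this hunk) matches the mysql client executable, `MySQL client abuse` would describe the detection more accurately for an analyst triaging the alert, and if it matches the server process the current wording is fine.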
@@ -1,14 +1,16 @@
 [metadata]
 creation_date = "2022/03/07"
 maturity = "development"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
-description = """
-Identifies Linux binary nice abuse to break out from restricted environments by spawning an interactive system shell.This
-activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious
-actor attempting to improve the capabilities or stability of their access
+description = """
+Identifies Linux binary nice abuse to break out from restricted environments by spawning an interactive system shell.The
+nice command is used to invoke a utility or a shell script with a particular CPU priority, thus giving the process more
+or less CPU and the activity of spawning shell is not a standard use of this binary for a user or system
+administrator.It indicates a potentially malicious actor attempting to improve the capabilities or stability of their
+access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
diff --git a/rules/linux/execution_ssh_binary.toml b/rules/linux/execution_ssh_binary.toml
index 0b94c6cd1..3472dcb20 100644
--- a/rules/linux/execution_ssh_binary.toml
+++ b/rules/linux/execution_ssh_binary.toml
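Review bot: the `-description = """` / `+description = """` pair at the top of the hunk shows no visible difference, which usually means trailing whitespace or a line-ending change on that line; since it opens a TOML multi-line string, it is worth confirming the new line carries nothing after the three quotes before merging. `more or less CPU` on the third added line would be clearer as `more or less CPU time`, and the definition could end there with a period so the rationale (`Spawning a shell is not a standard use ...`) reads as its own sentence.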
@@ -1,14 +1,15 @@
 [metadata]
 creation_date = "2022/03/10"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary ssh abuse to break out from restricted environments by spawning an interactive system shell.This
-activity is not standard use with this binary for a user or system administrator and could potentially indicate
-malicious actor attempting to improve the capabilities or stability of their access.
+Identifies Linux binary ssh abuse to break out from restricted environments by spawning an interactive system shell.The
+ssh is a network protocol that gives users,particularly system administrators a secure way to access a computer over a
+network and the activity of spawning shell is not a standard use of this binary for a user or system administrator.It
+indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
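Review bot: `users,particularly system administrators a secure way` on the second added description line is missing the space after the comma and the closing comma of the parenthetical (`users, particularly system administrators, a secure way`). `The ssh is a network protocol` describes SSH the protocol, whereas the first line and the later `this binary` refer to the ssh executable; `ssh is the client program for the SSH protocol, which gives users, particularly system administrators, secure access to a remote computer over a network.` keeps the description focused on the binary the rule monitors.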