security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Linux DR Tuning - Part 1 (#4416)

Browse Source
This commit is contained in:
Ruben Groenewoud
2025-01-28 14:43:00 +01:00
committed by GitHub
parent bbcf0c7c34
commit fed7b216d5
10 changed files with 31 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/command_and_control_ip_forwarding_activity.toml
+3 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/24"
[rule]
author = ["Elastic"]
@@ -44,7 +44,8 @@ process.parent.executable != null and process.command_line like (
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and
process.command_line like "*echo *"
)
)
) and
not process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap")
'''
note = """## Triage and analysis
rules/linux/command_and_control_linux_chisel_client_activity.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/01/24"
[transform]
[[transform.osquery]]
@@ -152,7 +152,7 @@ sequence by host.id, process.entity_id with maxspan=3s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
not process.name in ("velociraptor", "nbemmcmd")]
not process.name in ("velociraptor", "nbemmcmd", "redis-cli", "ipa")]
[network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and
destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and
not process.name : (
rules/linux/command_and_control_linux_kworker_netcon.toml
+3 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/10/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/01/24"
[rule]
author = ["Elastic"]
@@ -68,7 +68,8 @@ process.name:kworker* and not destination.ip:(
224.0.0.0/4 or
"::1" or
"FE80::/10" or
"FF00::/8"
"FF00::/8" or
"0.0.0.0"
) and not destination.port:("2049" or "111" or "892" or "597")
'''
note = """## Triage and analysis
rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/06/14"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/01/24"
[transform]
[[transform.osquery]]
@@ -195,7 +195,7 @@ not (
process.name : (
apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or
kited or node or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or
php* or pip* or python* or steam* or terraform*
php* or pip* or python* or steam* or terraform* or filebeat or apk or cursor or http
) or
destination.ip:(
0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or
rules/linux/credential_access_ssh_backdoor_log.toml
+3 -3
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/15"
updated_date = "2025/01/24"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
"https://github.com/eset/malware-ioc/tree/master/sshdoor",
"https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf",
]
risk_score = 73
risk_score = 21
rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
setup = """## Setup
@@ -65,7 +65,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
#### Custom Ingest Pipeline
For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
"""
severity = "high"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
rules/linux/defense_evasion_acl_modification_via_setfacl.toml
+4 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/24"
[rule]
author = ["Elastic"]
@@ -39,7 +39,9 @@ process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "setfacl" and not (
process.command_line == "/bin/setfacl --restore=-" or
process.args == "/var/log/journal/"
process.args == "/var/log/journal/" or
process.parent.name in ("stats.pl", "perl", "find") or
process.parent.command_line like~ "/bin/sh -c *ansible*"
)
'''
note = """## Triage and analysis
rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
+3 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/24"
[rule]
author = ["Elastic"]
@@ -65,7 +65,8 @@ process where host.os.type == "linux" and event.type == "start" and event.action
(process.name == "chkconfig" and process.args == "off") or
(process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
) and
process.args in ("auditd", "auditd.service")
process.args in ("auditd", "auditd.service") and
not process.parent.name == "auditd.prerm"
'''
note = """## Triage and analysis
rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+3 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/24"
[rule]
author = ["Elastic"]
@@ -77,7 +77,8 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event",
( (process.name == "service" and process.args == "stop") or
(process.name == "chkconfig" and process.args == "off") or
(process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
) and process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service")
) and process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service") and
not process.parent.name == "rsyslog-rotate"
'''
note = """## Triage and analysis
rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
+3 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/08/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/01/24"
[rule]
author = ["Elastic"]
@@ -83,7 +83,8 @@ file.Ext.original.path : (
process.name like (
"python*", "packagekitd", "systemd", "ln", "platform-python", "dnf_install", "runc", "apt-get", "ssm-agent-worker",
"convert-usrmerge", "updatenow.static-cpanelsync", "apk", "exe", "php", "containerd-shim-runc-v2", "dpkg", "sed",
"platform-python*", "gedit", "crond", "sshd", "ruby", "sudo", "chainctl", "update-alternatives", "pip*"
"platform-python*", "gedit", "crond", "sshd", "ruby", "sudo", "chainctl", "update-alternatives", "pip*", "microdnf",
"rsync", "convert2rhel", "convert-usr-merge"
) or
file.Ext.original.path : (
"/bin/*.tmp", "/usr/bin/*.tmp", "/usr/local/bin/*.tmp", "/sbin/*.tmp", "/usr/sbin/*.tmp", "/usr/local/sbin/*.tmp"
rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
+5 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/24"
[rule]
author = ["Elastic"]
@@ -62,7 +62,7 @@ type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started")
and process.name == "dmesg" and process.args == "-c"
and process.name == "dmesg" and process.args in ("-c", "--clear")
'''
note = """## Triage and analysis
@@ -98,32 +98,30 @@ The kernel ring buffer logs system messages, crucial for diagnosing issues. Adve
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Conduct a post-incident review to identify gaps in detection and response, and update security policies and procedures to prevent recurrence."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.002"
name = "Clear Linux or Mac System Logs"
reference = "https://attack.mitre.org/techniques/T1070/002/"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"