diff --git a/rules/linux/command_and_control_ip_forwarding_activity.toml b/rules/linux/command_and_control_ip_forwarding_activity.toml
index 08ec19a6e..6f101558f 100644
--- a/rules/linux/command_and_control_ip_forwarding_activity.toml
+++ b/rules/linux/command_and_control_ip_forwarding_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -44,7 +44,8 @@ process.parent.executable != null and process.command_line like (
 process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and process.command_line like "*echo *"
 )
-)
+) and
+not process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap")
 '''
 note = """## Triage and analysis
 
diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml
index 185b7f8f2..25094b627 100644
--- a/rules/linux/command_and_control_linux_chisel_client_activity.toml
+++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [transform]
 [[transform.osquery]]
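Review bot: The parent-name exclusion added at the end of the query (`not process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap")`) filters on a name the launching process chooses, and `platform-python*` is a wildcard that matches every child of the RHEL system interpreter, so any shell spawned from a platform-python script that echoes into the forwarding sysctl is now dropped. Where the benign parents have a fixed location, matching on `process.parent.executable` would tie the exclusion to the binary rather than its name; at minimum the four names deserve a line in the note's false-positive section so a triage analyst knows they are expected. The `process where` clause that opens this query starts outside the hunk.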
@@ -152,7 +152,7 @@ sequence by host.id, process.entity_id with maxspan=3s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
- not process.name in ("velociraptor", "nbemmcmd")]
+ not process.name in ("velociraptor", "nbemmcmd", "redis-cli", "ipa")]
 [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and not process.name : (
diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml
index ee8641376..acd204dae 100644
--- a/rules/linux/command_and_control_linux_kworker_netcon.toml
+++ b/rules/linux/command_and_control_linux_kworker_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,8 @@ process.name:kworker* and not destination.ip:(
 224.0.0.0/4 or
 "::1" or
 "FE80::/10" or
- "FF00::/8"
+ "FF00::/8" or
+ "0.0.0.0"
 ) and not destination.port:("2049" or "111" or "892" or "597")
 '''
 note = """## Triage and analysis
diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
index d0a040278..69c63039b 100644
--- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
+++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
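Review bot: `redis-cli` and `ipa` join a `process.name` exclusion that applies to the whole process step of the sequence, so any executable carrying one of those names is exempt regardless of its arguments, even though `process.args == "client"` and the `R*`/`*socks*` patterns are what make this step specific to the tool being detected. If the false positive was a particular invocation, excluding on `process.executable` or on the observed `process.command_line` would keep the exemption narrower than a bare name. The sequence's network step continues past the end of the hunk.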
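Review bot: The new `"0.0.0.0"` entry is quoted while the bare address form is used elsewhere in this list (`224.0.0.0/4`) and in the sibling change to command_and_control_suspicious_network_activity_from_unknown_executable.toml, which writes `0.0.0.0 or 10.0.0.0/8`; quotes are only needed here for the IPv6 values that contain colons. Writing it as `0.0.0.0` keeps the list consistent, and a short sentence in the note's false-positive section saying why an unspecified destination address is expected from a kworker process would help triage.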
@@ -2,7 +2,7 @@
 creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [transform]
 [[transform.osquery]]
@@ -195,7 +195,7 @@ not (
 process.name : (
 apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or kited or node or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or
- php* or pip* or python* or steam* or terraform*
+ php* or pip* or python* or steam* or terraform* or filebeat or apk or cursor or http
 ) or
 destination.ip:(
 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index a3d944072..e2432df22 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
 "https://github.com/eset/malware-ioc/tree/master/sshdoor",
 "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf",
 ]
-risk_score = 73
+risk_score = 21
 rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
 setup = """## Setup
 
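Review bot: `http` and `cursor` are generic names added to a `process.name` exclusion that otherwise lists well-known package managers and agents; since the rule exists to catch network activity from executables it does not recognise, exempting such short, easily reused names by name alone widens the gap more than `filebeat` or `apk` do. Pairing those two with `process.executable` (the path the false positive actually ran from) would preserve the intent of the exclusion list. The `not (` that encloses this block, and the `destination.ip` list after it, continue outside the hunk.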
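Review bot: `risk_score` drops from 73 to 21 here, and the matching hunk at `@@ -65,7 +65,7 @@` lowers `severity` from `"high"` to `"low"`, which is the consistent pairing, but nothing in the rule records why a credential-access rule for an SSH backdoor log file is being demoted by three severity levels. A one-line rationale in the rule's note, for example under its false-positive analysis, would let a future reviewer tell an intentional re-tuning from an accidental one.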
@@ -65,7 +65,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 #### Custom Ingest Pipeline
 For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
 """
-severity = "high"
+severity = "low"
 tags = [
 "Domain: Endpoint",
 "OS: Linux",
diff --git a/rules/linux/defense_evasion_acl_modification_via_setfacl.toml b/rules/linux/defense_evasion_acl_modification_via_setfacl.toml
index c537294da..a27dcc37e 100644
--- a/rules/linux/defense_evasion_acl_modification_via_setfacl.toml
+++ b/rules/linux/defense_evasion_acl_modification_via_setfacl.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,9 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name == "setfacl" and not (
 process.command_line == "/bin/setfacl --restore=-" or
- process.args == "/var/log/journal/"
+ process.args == "/var/log/journal/" or
+ process.parent.name in ("stats.pl", "perl", "find") or
+ process.parent.command_line like~ "/bin/sh -c *ansible*"
 )
 '''
 note = """## Triage and analysis
diff --git a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
index 3ab0e3ff0..ae6348cef 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
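Review bot: The new parent exclusions are broad: `process.parent.name in ("stats.pl", "perl", "find")` exempts every `setfacl` launched by any perl script or by `find -exec`, and `process.parent.command_line like~ "/bin/sh -c *ansible*"` matches any shell command line containing the substring `ansible` anywhere, case-insensitively. Because `setfacl` is the only thing this rule looks for, each of these now hides a whole class of invocations rather than the one observed false positive; anchoring the ansible pattern to the path its modules actually run from and replacing `perl`/`find` with the specific parent `process.parent.executable` or script name would keep the coverage. The `process where` header of this query sits outside the hunk.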
+++ b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,8 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 (process.name == "chkconfig" and process.args == "off") or
 (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
 ) and
-process.args in ("auditd", "auditd.service")
+process.args in ("auditd", "auditd.service") and
+not process.parent.name == "auditd.prerm"
 '''
 note = """## Triage and analysis
 
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index fe2829e70..c5dc2298b 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
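Review bot: `not process.parent.name == "auditd.prerm"` exempts what appears to be the package's prerm maintainer script stopping auditd on removal, but the rule's note is not updated to say so, and the same applies to the `rsyslog-rotate` exclusion in the syslog rule's `@@ -77,7 +77,8 @@` hunk. A sentence in each note's false-positive section such as `Service stops issued by the package's own maintenance helpers (auditd.prerm, rsyslog-rotate) are excluded as routine` would tell an analyst the exclusion is deliberate rather than a leftover. The enclosing `process where` query starts outside both hunks.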
@@ -77,7 +77,8 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event",
 (
 (process.name == "service" and process.args == "stop") or
 (process.name == "chkconfig" and process.args == "off") or
 (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
- ) and process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service")
+ ) and process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service") and
+not process.parent.name == "rsyslog-rotate"
 '''
 note = """## Triage and analysis
diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
index e56bd0d64..fab30b229 100644
--- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
+++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,8 @@ file.Ext.original.path : (
 process.name like (
 "python*", "packagekitd", "systemd", "ln", "platform-python", "dnf_install", "runc", "apt-get", "ssm-agent-worker", "convert-usrmerge", "updatenow.static-cpanelsync", "apk", "exe", "php", "containerd-shim-runc-v2", "dpkg", "sed",
- "platform-python*", "gedit", "crond", "sshd", "ruby", "sudo", "chainctl", "update-alternatives", "pip*"
+ "platform-python*", "gedit", "crond", "sshd", "ruby", "sudo", "chainctl", "update-alternatives", "pip*", "microdnf",
+ "rsync", "convert2rhel", "convert-usr-merge"
 ) or
 file.Ext.original.path : (
 "/bin/*.tmp", "/usr/bin/*.tmp", "/usr/local/bin/*.tmp", "/sbin/*.tmp", "/usr/sbin/*.tmp", "/usr/local/sbin/*.tmp"
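Review bot: `rsync` is added to the `process.name` exclusion, but rsync is itself a copy utility, so this appears to exempt every rsync-driven placement of a binary into the watched directories, which is a sizeable share of what the rule is meant to see; the other new names (`microdnf`, `convert2rhel`, `convert-usr-merge`) are package or migration tools and fit the list's intent. Narrowing the rsync case to the parent or command line seen in the false positive, for example the `process.parent.name` of the deployment tool that drove it, would keep generic rsync copies in scope. The `file.Ext.original.path` expression this exclusion sits inside starts before the hunk.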
diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
index b7ec71585..773c4da0c 100644
--- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
+++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,7 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action
 in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started")
- and process.name == "dmesg" and process.args == "-c"
+ and process.name == "dmesg" and process.args in ("-c", "--clear")
 '''
 note = """## Triage and analysis
 
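Review bot: `process.args in ("-c", "--clear")` pairs the wrong short and long forms: in util-linux dmesg, `--clear` is the long form of `-C` (clear without printing), while `-c` is `--read-clear` (print, then clear), and EQL `in` is case-sensitive, so `-C` and `--read-clear` still clear the ring buffer without matching this rule. The list should cover all four spellings, `process.args in ("-c", "-C", "--clear", "--read-clear")`, and the note's triage section could name the long forms so an analyst reading a matching command line recognises them. The `process where` line opening the query is the first context line above the change.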
@@ -98,32 +98,30 @@ The kernel ring buffer logs system messages, crucial for diagnosing issues. Adve
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Conduct a post-incident review to identify gaps in detection and response, and update security policies and procedures to prevent recurrence."""
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1070.002"
 name = "Clear Linux or Mac System Logs"
 reference = "https://attack.mitre.org/techniques/T1070/002/"
 
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-