* [New] Unusual Process Connection to Docker or Containerd Socket
Detects a process connecting to a container runtime Unix socket (containerd or Docker) that is not a known legitimate runtime component. Direct access to the container runtime socket allows an attacker to create, exec into, or manipulate containers without going through the Kubernetes API server, bypassing RBAC, admission webhooks, pod security standards, and Kubernetes audit logging entirely.
* Update discovery_unusual_process_connection_to_container_runtime_socket.toml
* [New] Suspicious SUID Binary Execution
Detects execution of common privilege elevation helpers (su, sudo, pkexec, passwd, chsh, newgrp) under the root effective user when the real user and parent user are not root, combined with minimal argument counts and suspicious parent context (interpreters, short shell -c invocations, or parents running from user-writable paths).
* Update rules/linux/privilege_escalation_suspicious_sudi_binary_execution.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/linux/privilege_escalation_suspicious_sudi_binary_execution.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update privilege_escalation_suspicious_sudi_binary_execution.toml
* Update privilege_escalation_suspicious_sudi_binary_execution.toml
* Rename privilege_escalation_suspicious_sudi_binary_execution.toml to privilege_escalation_suspicious_suid_binary_execution.toml
* Update privilege_escalation_suspicious_suid_binary_execution.toml
* Update privilege_escalation_suspicious_suid_binary_execution.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* [Rule Tuning] Kernel Module Load via Built-in Utility
* Apply suggestion from @eric-forte-elastic
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Refine process.args conditions for modprobe
* Refactor notes and references in kernel module load rule
Removed detailed notes and investigation steps related to kernel module loading via the insmod utility. Updated the note section and added a reference link.
* Update persistence_insmod_kernel_module_load.toml
* Update persistence_insmod_kernel_module_load.toml
* Update kernel module load rule for clarity and tactics
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Updated kubernetes.audit.requestObject.spec.containers.image type from text to Keyword
* [Rule Tuning] Adding D4C Compatibility to Compatible Container-Related Rules
* Updated kubernetes.audit.requestObject.spec.containers.image type from text to Keyword
* [Rule Tuning] Dormant & Deprecated Rule Clean-Up
* [Rule Tuning] Dormant & Deprecated Rule Clean-Up
* Few more deprecations
* ++
* Update unit test syntax fix
* Update bad bytes
* ++
* [New/Tuning] Several New Linux Rules
* Update collection_potential_video_recording_or_screenshot_activity.toml
* Update discovery_dmidecode_system_discovery.toml
* Update rules/linux/collection_potential_audio_recording_activity.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Update exfiltration_potential_wget_data_exfiltration.toml
* [New Rule] Linux User or Group Deletion
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 3
* Update rules/linux/credential_access_aws_creds_search_inside_container.toml
* Adjust thresholds and expand event action handling
* Update credential_access_potential_linux_ssh_bruteforce_external.toml
* Increase threshold for SSH brute force detection
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update credential_access_ssh_backdoor_log.toml
Removed 'auditbeat-*' from the index list.
* Refactor credential access rule for clarity
Removed redundant event.action expansion and filtering logic.
* Refactor ESQL query for SSH brute force detection
Refactor ESQL query to improve readability and maintainability by moving the event.action expansion and filtering logic.
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update credential_access_potential_successful_linux_ftp_bruteforce.toml
* Update credential_access_potential_successful_linux_rdp_bruteforce.toml
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Add time window truncation to bruteforce rule
* Add time window truncation to SSH brute force rule
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update SSH brute force detection rule to EQL
* Update CIDR match conditions for SSH brute force rule
* Update EQL query for SSH brute force detection
* [Rule Tuning] Linux DR Tuning - 6
* Fix syntax error in discovery_esxi_software_via_grep.toml
* Update discovery_pam_version_discovery.toml
* Update discovery_virtual_machine_fingerprinting.toml
* Revise investigation title for kernel module enumeration
Updated the title of the investigation section to clarify focus on unusual kernel module enumeration.
* Update discovery_port_scanning_activity_from_compromised_host.toml
* Enhance ESQL query for subnet scanning detection
Updated ESQL query to include additional fields and conditions for better analysis of connection attempts from compromised hosts.
* Remove Elastic Endgame data source from rule
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 8
* Revise investigation guide for THC tool downloads
Updated investigation guide to reflect THC tool instead of SSH-IT worm. Enhanced description for clarity.
* Update exfiltration_unusual_file_transfer_utility_launched.toml
* Refine ESQL query for brute force malware detection
Updated the query to include additional fields and modified the conditions for filtering events.
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 10
* Update persistence_udev_rule_creation.toml
* Refactor ESQL query for Linux process events
* Refactor query in persistence_web_server_sus_command_execution rule
Removed unnecessary fields from the query and added new fields for event dataset and data stream namespace.
* Update persistence_systemd_netcon.toml
* Update persistence_web_server_sus_child_spawned.toml
* Refactor process.parent.name conditions in TOML file
* Update persistence_web_server_unusual_command_execution.toml
* Update persistence_web_server_unusual_command_execution.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 9
* Update rules/linux/persistence_apt_package_manager_file_creation.toml
* Fix formatting in persistence_boot_file_copy.toml
* Update persistence_chkconfig_service_add.toml
* Change user.id values to string format in TOML
* Fix condition for Java process working directory
* Fix logical operator in OpenSSL passwd hash rule
* Fix syntax for working_directory check
* Fix condition for original file name check
* Update persistence_web_server_unusual_command_execution.toml
* Add cloud CLI tools to persistence rules
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>