* [New/Tuning] Direct Kubelet API Access rules
- tuned existing rule for D4C to bump-up severity to high (low FP and very susp behavior) + added 10255 port and wss url.
- duplicated same rule logic for auditd/endpoint compatibility for both 10250 port in args and kubeletctl exec.
- added a new one using network event vs process argument for more resilience.
* ++
* Update discovery_potential_direct_kubelet_access_via_process_args.toml
* Update and rename discovery_potential_direct_kubelet_access_via_process_args.toml to lateral_movement_direct_kubelet_access_via_process_args.toml
* Update rules/linux/lateral_movement_direct_kubelet_access_via_process_args.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/linux/discovery_potential_kubeletctl_execution.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update discovery_potential_kubeletctl_execution.toml
* Update lateral_movement_kubelet_api_connection_attempt_internal_ip.toml
* Apply suggestion from @Aegrah
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Apply suggestion from @Aegrah
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* [New] Sensitive Identity File Open by Suspicious Process via Auditd
Detects Auditd opened-file reads on sensitive root and cluster paths (Kubernetes token mounts, kubelet and admin kubeconfig, PKI material, shadow, root SSH keys, root cloud CLI and Docker config) when the process looks like common copy or scripting utilities or the binary runs from temp or run staging. User home paths are excluded so file watches
stay explicit and aligned with auditd:
* ++
* Update credential_access_auditd_sensitive_cloud_and_host_identity_file_open.toml
* Update credential_access_auditd_sensitive_cloud_and_host_identity_file_open.toml
* Update rules/linux/credential_access_auditd_sensitive_cloud_and_host_identity_file_open.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Apply suggestion from @imays11
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Apply suggestion from @Mikaayenson
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* [New] Nsenter to PID 1 Namespace via Auditd
we have an existing rule https://github.com/elastic/detection-rules/blob/0f521a0848420844f3af383f1dee8481d41b2e5b/rules/linux/privilege_escalation_docker_escape_via_nsenter.toml#L15 (compatible only with Elastic Defend `process.entry_leader.entry_meta.type == "container"`).
This rule is compatible with the auditd integration and scoped to Init/systemd PID namespace commonly targeted for container escape.
* Create privilege_escalation_nsenter_execution_inside_container.toml
* Update privilege_escalation_auditd_nsenter_target_host_pid.toml
* Update privilege_escalation_auditd_nsenter_target_host_pid.toml
* Update privilege_escalation_auditd_nsenter_target_host_pid.toml
* Update privilege_escalation_auditd_nsenter_target_host_pid.toml
* Update rules/linux/privilege_escalation_auditd_nsenter_target_host_pid.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update privilege_escalation_nsenter_execution_inside_container.toml
* Update privilege_escalation_auditd_nsenter_target_host_pid.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* [New/Tuning] Chroot Execution in Container Context on Linux
New rule compatible with auditd and ED using process.title and process.entry_leader.entry_meta.type and tuned an existing one (bum-up severity to high).
* Update rules/linux/privilege_escalation_chroot_execution_container_context.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* [New] Unusual Process Connection to Docker or Containerd Socket
Detects a process connecting to a container runtime Unix socket (containerd or Docker) that is not a known legitimate runtime component. Direct access to the container runtime socket allows an attacker to create, exec into, or manipulate containers without going through the Kubernetes API server, bypassing RBAC, admission webhooks, pod security standards, and Kubernetes audit logging entirely.
* Update discovery_unusual_process_connection_to_container_runtime_socket.toml
* [New] Suspicious SUDI Binary Execution
Detects execution of common privilege elevation helpers (su, sudo, pkexec, passwd, chsh, newgrp) under the root effective user when the real user and parent user are not root, combined with minimal argument counts and suspicious parent context (interpreters, short shell -c invocations, or parents running from user-writable paths) :
* Update rules/linux/privilege_escalation_suspicious_sudi_binary_execution.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/linux/privilege_escalation_suspicious_sudi_binary_execution.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update privilege_escalation_suspicious_sudi_binary_execution.toml
* Update privilege_escalation_suspicious_sudi_binary_execution.toml
* Rename privilege_escalation_suspicious_sudi_binary_execution.toml to privilege_escalation_suspicious_suid_binary_execution.toml
* Update privilege_escalation_suspicious_suid_binary_execution.toml
* Update privilege_escalation_suspicious_suid_binary_execution.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* [Rule Tuning] Kernel Module Load via Built-in Utility
* Apply suggestion from @eric-forte-elastic
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Refine process.args conditions for modprobe
* Refactor notes and references in kernel module load rule
Removed detailed notes and investigation steps related to kernel module loading via insmod utility. Updated note section and added a reference link.
* Update persistence_insmod_kernel_module_load.toml
* Update persistence_insmod_kernel_module_load.toml
* Update kernel module load rule for clarity and tactics
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [Rule Tuning] Adding D4C Compatibility to Compatible Container-Related Rules
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [Rule Tuning] Dormant & Deprecated Rule Clean-Up
* [Rule Tuning] Dormant & Deprecated Rule Clean-Up
* Few more deprecations
* ++
* Update unit test syntax fix
* Update bad bytes
* ++
* [New/Tuning] Several New Linux Rules
* Update collection_potential_video_recording_or_screenshot_activity.toml
* Update discovery_dmidecode_system_discovery.toml
* Update rules/linux/collection_potential_audio_recording_activity.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Update exfiltration_potential_wget_data_exfiltration.toml
* [New Rule] Linux User or Group Deletion
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 3
* Update rules/linux/credential_access_aws_creds_search_inside_container.toml
* Adjust thresholds and expand event action handling
* Update credential_access_potential_linux_ssh_bruteforce_external.toml
* Increase threshold for SSH brute force detection
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update credential_access_ssh_backdoor_log.toml
Removed 'auditbeat-*' from the index list.
* Refactor credential access rule for clarity
Removed redundant event.action expansion and filtering logic.
* Refactor ESQL query for SSH brute force detection
Refactor ESQL query to improve readability and maintainability by moving the event.action expansion and filtering logic.
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update credential_access_potential_successful_linux_ftp_bruteforce.toml
* Update credential_access_potential_successful_linux_rdp_bruteforce.toml
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Add time window truncation to bruteforce rule
* Add time window truncation to SSH brute force rule
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Update SSH brute force detection rule to EQL
* Update CIDR match conditions for SSH brute force rule
* Update EQL query for SSH brute force detection
* [Rule Tuning] Linux DR Tuning - 6
* Fix syntax error in discovery_esxi_software_via_grep.toml
* Update discovery_pam_version_discovery.toml
* Update discovery_virtual_machine_fingerprinting.toml
* Revise investigation title for kernel module enumeration
Updated the title of the investigation section to clarify focus on unusual kernel module enumeration.
* Update discovery_port_scanning_activity_from_compromised_host.toml
* Enhance ESQL query for subnet scanning detection
Updated ESQL query to include additional fields and conditions for better analysis of connection attempts from compromised hosts.
* Remove Elastic Endgame data source from rule
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 8
* Revise investigation guide for THC tool downloads
Updated investigation guide to reflect THC tool instead of SSH-IT worm. Enhanced description for clarity.
* Update exfiltration_unusual_file_transfer_utility_launched.toml
* Refine ESQL query for brute force malware detection
Updated the query to include additional fields and modified the conditions for filtering events.
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [Rule Tuning] Linux DR Tuning - 10
* Update persistence_udev_rule_creation.toml
* Refactor ESQL query for Linux process events
* Refactor query in persistence_web_server_sus_command_execution rule
Removed unnecessary fields from the query and added new fields for event dataset and data stream namespace.
* Update persistence_systemd_netcon.toml
* Update persistence_web_server_sus_child_spawned.toml
* Refactor process.parent.name conditions in TOML file
* Update persistence_web_server_unusual_command_execution.toml
* Update persistence_web_server_unusual_command_execution.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Samirbous