Terrance DeJesus
f0b2cb7c87
* added 'Uncommon Process Execution from Suspicious Directory' hunt * adds all linux hunting files * moves linux hunting files to queries folder * adds generated docs * fixing windows hunts * fixing windows hunts * updated README * Removed 2, updated a few, changed some names/descriptions and added list of str * updated windows for language schema changes, regenerated docs; updated README and index * changed UUIDs to hex only with standard hyphen format * removing unecessary docs * Fixed queries based on Samir feedback * ++ * regenerating linux docs * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * Update * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * regenerating linux docs --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
49 lines
2.7 KiB
TOML
49 lines
2.7 KiB
TOML
[hunt]
|
|
author = "Elastic"
|
|
description = """
|
|
This hunt identifies processes on Linux systems with specific capabilities set. It monitors process execution events where processes have effective or permitted capabilities, which can be indicative of elevated privileges. The hunt focuses on non-root users to detect potential privilege escalation attempts. The hunt lists detailed information for further analysis and investigation.
|
|
"""
|
|
integration = ["endpoint"]
|
|
uuid = "6f67704d-e5b1-4613-912c-e2965660fe17"
|
|
name = "Process Capability Hunting"
|
|
language = ["ES|QL"]
|
|
license = "Elastic License v2"
|
|
notes = [
|
|
"Monitors process execution events where processes have specific capabilities set, such as CAP_SYS_MODULE, CAP_SYS_PTRACE, and others.",
|
|
"Excludes certain processes and capabilities to reduce false positives, but these can be adjusted based on your environment.",
|
|
"Uses EVAL to tag potential privilege escalation events and counts occurrences to identify unusual activity.",
|
|
"Focuses on non-root users to detect potential privilege escalation attempts.",
|
|
"Requires additional data analysis and investigation into results to identify malicious or unauthorized use of process capabilities."
|
|
]
|
|
mitre = ["T1548.001", "T1548.003"]
|
|
|
|
query = [
|
|
'''
|
|
from logs-endpoint.events.process-*
|
|
| where @timestamp > now() - 30 day
|
|
| where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (process.thread.capabilities.effective is not null or process.thread.capabilities.permitted is not null) and user.id != "0" and
|
|
not (
|
|
// Remove these if you expect persistence through capabilities
|
|
process.executable like "/var/lib/docker/*" or
|
|
process.name == "gnome-keyring-daemon" or
|
|
process.thread.capabilities.permitted == "CAP_WAKE_ALARM"
|
|
)
|
|
| stats cc = count(), host_count = count_distinct(host.name) by process.executable, process.thread.capabilities.effective, process.thread.capabilities.permitted
|
|
| where host_count <= 3 and cc < 5
|
|
| sort cc asc
|
|
| limit 100
|
|
''',
|
|
'''
|
|
from logs-endpoint.events.process-*
|
|
| where @timestamp > now() - 30 day
|
|
| where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (
|
|
process.thread.capabilities.effective in ("CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_SETUID", "CAP_SETGID", "CAP_SYS_ADMIN") or
|
|
process.thread.capabilities.permitted in ("CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_SETUID", "CAP_SETGID", "CAP_SYS_ADMIN")
|
|
) and user.id != "0"
|
|
| stats cc = count(), host_count = count_distinct(host.name) by process.executable, process.thread.capabilities.effective, process.thread.capabilities.permitted
|
|
| where host_count <= 3 and cc < 5
|
|
| sort cc asc
|
|
| limit 100
|
|
'''
|
|
]
|