security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
618a1dbe068aba66ec6403f6d1ee767234c85068
sigma-rules/rules/linux/execution_abnormal_process_id_file_created.toml
T
Ruben Groenewoud 020fff3aea [Rule Tuning] Linux Rules (#3092) 
* [Rule Tuning] [WIP] Linux DR

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Fixed tag

* Added additional tuning

* unit test fix

* Additional tuning

* tuning

* added max signals

* Added max_signals=1 to brute force rules

* Cross-Platform Tuning

* Small fix

* new_terms conversion

* typo

* new_terms conversion

* Ransomware rule tuning

* performance tuning

* new_terms conversion for auditd_manager

* tune

* Need coffee

* kql/eql stuff

* formatting improvement

* new_terms sudo hijacking conversion

* exclusion

* Deprecations that were added last tuning

* Deprecations that were added last tuning

* Increased max timespan for brute force rules

* version bump

* added domain tag

* Two tunings

* More tuning

* Additional tuning

* updated_date bump

* query optimization

* Tuning

* Readded the exclusions for this one

* Changed int comparison

* Some tunings

* Update persistence_systemd_scheduled_timer_created.toml

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml

* Update rules/linux/command_and_control_cat_network_activity.toml

* Update persistence_message_of_the_day_execution.toml

* Changed max_signals

* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"

This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.

* Revertable merge

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* File name change

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-10-23 16:28:58 +02:00

149 lines
7.9 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2022/05/11"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/10/16"
[rule]
author = ["Elastic"]
description = """
Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs)
directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage
other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising
itself or these files as legitimate PID files.
"""
false_positives = [
"""
False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To
differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious.
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Abnormal Process ID or Lock File Created"
note = """## Triage and analysis
### Investigating Abnormal Process ID or Lock File Created
Linux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.
Linux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.
This rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.
#### Possible investigation steps
- Retrieve the file and determine if it is malicious:
- Check the contents of the PID files. They should only contain integer strings.
- Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files.
- Check the size of the subject file. Legitimate PID files should be under 10 bytes.
- Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.
- Analysts can use tools like `ent` to measure entropy.
- Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.
- Trace the file's creation to ensure it came from a legitimate or authorized process.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.
- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.
### False positive analysis
- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.
- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file name and process executable conditions.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Block the identified indicators of compromise (IoCs).
- Take actions to terminate processes and connections used by the attacker.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
"https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/",
"https://twitter.com/GossiTheDog/status/1522964028284411907",
"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
]
risk_score = 47
rule_id = "cac91072-d165-11ec-a764-f661ea17fbce"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click Add integrations.
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
- Click Add Elastic Defend.
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click Save and Continue.
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Threat: BPFDoor",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:linux and event.category:file and event.action:creation and
user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (
(process.name : (
bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)
) or (
process.executable : (
./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*
))
) and not process.name : (go or git or containerd* or snap-confine)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1106"
name = "Native API"
reference = "https://attack.mitre.org/techniques/T1106/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
Reference in New Issue View Git Blame Copy Permalink