Jonhnathan
b1989a921b
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
Removed changes from:
- rules/integrations/beaconing/command_and_control_beaconing.toml
- rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
- rules/linux/discovery_process_capabilities.toml
- rules/linux/privilege_escalation_dac_permissions.toml
- rules/linux/privilege_escalation_enlightenment_window_manager.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
- rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
- rules_building_block/discovery_capnetraw_capability.toml
- rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml
(selectively cherry picked from commit 458e67918a)
77 lines
2.2 KiB
TOML
77 lines
2.2 KiB
TOML
[metadata]
|
|
creation_date = "2023/12/11"
|
|
maturity = "production"
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
|
min_stack_version = "8.3.0"
|
|
updated_date = "2023/12/11"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a
|
|
threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short
|
|
time interval could indicate application exploitation attempts.
|
|
"""
|
|
from = "now-9m"
|
|
index = [".alerts-security.*"]
|
|
language = "kuery"
|
|
license = "Elastic License v2"
|
|
name = "Potential Buffer Overflow Attack Detected"
|
|
risk_score = 21
|
|
rule_id = "b7c05aaf-78c2-4558-b069-87fa25973489"
|
|
setup = """## Setup
|
|
|
|
|
|
This rule leverages alert data from other prebuilt detection rules to function correctly.
|
|
|
|
### Dependent Elastic Detection Rule Enablement
|
|
As a higher-order rule (based on other detections), this rule also requires the following prerequisite Elastic detection rule to be installed and enabled:
|
|
- Segfault Detected (5c81fc9d-1eae-437f-ba07-268472967013)
|
|
"""
|
|
severity = "low"
|
|
tags = [
|
|
"Domain: Endpoint",
|
|
"OS: Linux",
|
|
"Use Case: Threat Detection",
|
|
"Tactic: Privilege Escalation",
|
|
"Tactic: Initial Access",
|
|
"Use Case: Vulnerability",
|
|
"Rule Type: Higher-Order Rule"
|
|
]
|
|
timestamp_override = "event.ingested"
|
|
type = "threshold"
|
|
query = '''
|
|
kibana.alert.rule.rule_id:5c81fc9d-1eae-437f-ba07-268472967013 and event.kind:signal
|
|
'''
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1068"
|
|
name = "Exploitation for Privilege Escalation"
|
|
reference = "https://attack.mitre.org/techniques/T1068/"
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0004"
|
|
name = "Privilege Escalation"
|
|
reference = "https://attack.mitre.org/tactics/TA0004/"
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1190"
|
|
name = "Exploit Public-Facing Application"
|
|
reference = "https://attack.mitre.org/techniques/T1190/"
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0001"
|
|
name = "Initial Access"
|
|
reference = "https://attack.mitre.org/tactics/TA0001/"
|
|
|
|
[rule.threshold]
|
|
field = ["event.kind", "host.id"]
|
|
value = 100
|
|
|