

[Tuning] Linux DR Tuning - Part 2 (#3453)
* [Tuning] Linux DR Tuning - Part 2

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml

(cherry picked from commit 0e48747)
Aegrah authored and github-actions[bot] committed Feb 20, 2024
1 parent f13d207 commit fa2281a
Showing 5 changed files with 57 additions and 39 deletions.
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2024/02/20"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -47,14 +47,22 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.parent.executable, user.id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and
not process.parent.name in (
"bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server"
)] with runs=10
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and
not process.parent.name in (
"bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server", "ma", "gitlab-runner",
"updatedb.findutils", "cron"
)
] with runs=10
'''

[[rule.threat]]
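Review bot: The new parent-name exclusion on the `su` query adds `"ma"` without any indication of which product that basename belongs to, so the next person tuning this rule cannot tell whether the entry is still needed; recording the reason in the rule description or the PR text would avoid that. Because the exclusions match on `process.parent.name` alone while the sequence itself groups on `process.parent.executable`, any parent whose basename merely coincides with an excluded name is also dropped; where the full path of a tool such as `gitlab-runner` is known, expressing that entry against `process.parent.executable` would scope the exclusion more tightly. The `[rule]` table and the first `sequence by` line are only visible in the hunk header, so the rest of the rule is outside this review.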
28 changes: 16 additions & 12 deletions rules/linux/credential_access_proc_credential_dumping.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2024/02/20"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -52,24 +52,31 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Use Case: Vulnerability",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by process.parent.name,host.name with maxspan=1m
[process where host.os.type == "linux" and process.name == "ps" and event.action == "exec"
and process.args in ("-eo", "pid", "command") ]
[process where host.os.type == "linux" and process.name == "strings" and event.action == "exec"
and process.args : "/tmp/*" ]
sequence by host.id, process.parent.name with maxspan=1m
[process where host.os.type == "linux" and process.name == "ps" and event.action == "exec"
and process.args in ("-eo", "pid", "command")]
[process where host.os.type == "linux" and process.name == "strings" and event.action == "exec"
and process.args : "/tmp/*"]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique.subtechnique]]
id = "T1003.007"
name = "Proc Filesystem"
Expand All @@ -80,10 +87,7 @@ id = "T1212"
name = "Exploitation for Credential Access"
reference = "https://attack.mitre.org/techniques/T1212/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
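Review bot: The rewritten `sequence by host.id, process.parent.name with maxspan=1m` correlates the `ps` and `strings` stages by parent basename only, so two unrelated shells on the same host — one user's `bash` running `ps -eo` and another's `bash` running `strings` on a `/tmp` file within the same minute — are joined into a single match. Keying on the parent instance instead, `sequence by host.id, process.parent.entity_id with maxspan=1m`, would tie both stages to the same parent process; whether that field is populated for every index this rule reads is not visible in the hunk and should be checked. Note also that `process.args in ("-eo", "pid", "command")` is satisfied by any one of those tokens appearing anywhere in the argument list, so a bare `-eo` appears to be enough to complete the first stage.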

@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/04/17"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2024/02/20"

[rule]
author = ["Elastic"]
Expand All @@ -16,8 +16,8 @@ false_positives = [
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Base16 or Base32 Encoding/Decoding Activity"
risk_score = 21
Expand Down Expand Up @@ -61,18 +61,25 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "query"

type = "eql"
query = '''
event.category:process and host.os.type:linux and event.type:(start or process_started) and
process.name:(base16 or base32 or base32plain or base32hex)
process where host.os.type == "linux" and event.type in ("start", "process_started") and
process.name in ("base16", "base32", "base32plain", "base32hex") and not process.args in ("--help", "--version")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
Expand All @@ -83,9 +90,7 @@ id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
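Review bot: The converted EQL query keeps `event.type in ("start", "process_started")` as its only event filter while the index list gains `logs-auditd_manager.auditd-*`; the hunk does not show that Auditd Manager process events carry one of those `event.type` values, so it is worth confirming the new source actually yields matches rather than only widening the index pattern. The kernel-ring-buffer rule in this same commit handles the same sources by adding `event.action in ("exec", "exec_event", "executed")` next to `event.type == "start"`; mirroring that here would keep the two rules' data-source handling consistent. The setup guide above this hunk, of which only the Auditbeat sentence is visible in the header, may also need an Auditd Manager paragraph now that the integration is listed under `integration`.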

Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/12"
updated_date = "2024/02/20"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -82,7 +82,7 @@ sequence by host.id, process.entity_id with maxspan=1s
) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")]
[file where host.os.type == "linux" and event.action == "creation" and file.path : (
"/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*"
) and not file.path : ("/tmp/rear*", "/var/tmp/dracut*")]
) and not file.path : ("/tmp/rear*", "/var/tmp/rear*", "/var/tmp/dracut*", "/var/tmp/mkinitramfs*")]
'''

[[rule.threat]]
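Review bot: The widened exclusion `not file.path : ("/tmp/rear*", "/var/tmp/rear*", "/var/tmp/dracut*", "/var/tmp/mkinitramfs*")` is keyed only on a filename prefix inside world-writable directories, so every file whose name starts with one of those prefixes is dropped regardless of which process created it. Each prefix corresponds to a specific build tool, so tying the exclusion to the process fields of the file event — presumably the creating process, e.g. `not (process.name : ("rear", "dracut*", "mkinitramfs") and file.path : ("/tmp/rear*", "/var/tmp/rear*", "/var/tmp/dracut*", "/var/tmp/mkinitramfs*"))` — would keep it scoped to those tools; the exact process names should be confirmed against the telemetry that prompted the tuning (the earlier hunk line already excludes `dracut-install` as a parent, which suggests the names differ from the path prefixes). The sequence containing this file stage starts outside the hunk; only `sequence by host.id, process.entity_id with maxspan=1s` is visible in the header.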
15 changes: 8 additions & 7 deletions rules/linux/defense_evasion_clear_kernel_ring_buffer.toml
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/10/24"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2024/02/20"

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ Monitors for the deletion of the kernel ring buffer events through dmesg. Attack
to evade detection after installing a Linux kernel module (LKM).
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Attempt to Clear Kernel Ring Buffer"
Expand Down Expand Up @@ -51,13 +51,15 @@ tags = [
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend"
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name == "dmesg" and process.args : "-c"
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and
event.type == "start" and process.name == "dmesg" and process.args : "-c"
'''

[[rule.threat]]
Expand Down Expand Up @@ -87,4 +89,3 @@ reference = "https://attack.mitre.org/techniques/T1070/002/"
name = "Defense Evasion"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"
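Review bot: `process.args : "-c"` in the rewritten query matches `-c` and, because `:` compares case-insensitively, `-C`, but not the long-option forms `--clear` and `--read-clear`, which clear the ring buffer in the same way; `process.args : ("-c", "--clear", "--read-clear")` would close that gap without changing the rest of the condition. The broadened `event.action in ("exec", "exec_event", "executed")` remains paired with `event.type == "start"`, so coverage of the newly added `endgame-*` and `logs-auditd_manager.auditd-*` indices depends on those sources also reporting `event.type` as `start`, which the hunk does not show. The removal of the trailing blank line in the last hunk is cosmetic.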
