Merge branch 'main' into ebpf-rootkit-installed

hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md

@@ -0,0 +1,43 @@
+# IAM Unusual Default Aviatrix Role Activity
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunting query identifies unusual activity related to the default Aviatrix role in AWS CloudTrail logs. The Aviatrix role is a default role created by the Aviatrix Controller to manage AWS resources. Unusual activity may indicate unauthorized access or misuse of the Aviatrix role, potentially leading to data exfiltration, privilege escalation, or other security incidents.
+
+- **UUID:** `9fe48b6e-d83a-11ef-84a6-f661ea17fbcd`
+- **Integration:** [aws.cloudtrail](https://docs.elastic.co/integrations/aws/cloudtrail)
+- **Language:** `[ES|QL]`
+- **Source File:** [IAM Unusual Default Aviatrix Role Activity](../queries/iam_unusual_default_aviatrix_role_activity.toml)
+
+## Query
+
+```sql
+from logs-aws.cloudtrail-*
+| where @timestamp > now() - 14 day
+| where event.dataset == "aws.cloudtrail"
+    and aws.cloudtrail.user_identity.type == "AssumedRole"
+    and aws.cloudtrail.user_identity.arn like "*aviatrix-role*"
+| stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn
+| where activity_counts < 10
+| sort by activity_counts asc
+```
+
+## Notes
+
+- Review the `aws.cloudtrail.user_identity.arn` field to identify the Aviatrix role.
+- Review the `aws.cloudtrail.resources.arn` field to identify the EC2 instance associated with the activity.
+- Review security group and network ACL configurations for the EC2 instance to ensure they are not overly permissive or allow unauthorized access.
+- Using the EC2 instance, pivot into VPC Flow Logs to identify network traffic patterns and potential lateral movement.
+- Review if the controller was recently deployed or updated, as this may explain unusual activity related to the Aviatrix role.
+- If available, review endpoint logs for the Aviatrix Controller to identify any aviatrix processes that have made unusual requests or system calls.
+
+## MITRE ATT&CK Techniques
+
+- [T1078.004](https://attack.mitre.org/techniques/T1078/004)
+
+## License
+
+- `Elastic License v2`

hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml

@@ -0,0 +1,29 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunting query identifies unusual activity related to the default Aviatrix role in AWS CloudTrail logs. The Aviatrix role is a default role created by the Aviatrix Controller to manage AWS resources. Unusual activity may indicate unauthorized access or misuse of the Aviatrix role, potentially leading to data exfiltration, privilege escalation, or other security incidents.
+"""
+integration = ["aws.cloudtrail"]
+uuid = "9fe48b6e-d83a-11ef-84a6-f661ea17fbcd"
+name = "IAM Unusual Default Aviatrix Role Activity"
+language = ["ES|QL"]
+license = "Elastic License v2"
+notes = [
+"Review the `aws.cloudtrail.user_identity.arn` field to identify the Aviatrix role.",
+"Review the `aws.cloudtrail.resources.arn` field to identify the EC2 instance associated with the activity.",
+"Review security group and network ACL configurations for the EC2 instance to ensure they are not overly permissive or allow unauthorized access.",
+"Using the EC2 instance, pivot into VPC Flow Logs to identify network traffic patterns and potential lateral movement.",
+"Review if the controller was recently deployed or updated, as this may explain unusual activity related to the Aviatrix role.",
+"If available, review endpoint logs for the Aviatrix Controller to identify any aviatrix processes that have made unusual requests or system calls.",
+]
+mitre = ['T1078.004']
+query = ['''
+from logs-aws.cloudtrail-*
+| where @timestamp > now() - 14 day
+| where event.dataset == "aws.cloudtrail"
+    and aws.cloudtrail.user_identity.type == "AssumedRole"
+    and aws.cloudtrail.user_identity.arn like "*aviatrix-role*"
+| stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn
+| where activity_counts < 10
+| sort by activity_counts asc
+''']

hunting/index.md

@@ -12,6 +12,7 @@ Here are the queries currently available:
 - [High Frequency of EC2 Multi-Region `DescribeInstances` API Calls](./aws/docs/ec2_discovery_multi_region_describe_instance_calls.md) (ES|QL)
 - [High Frequency of Service Quotas Multi-Region `GetServiceQuota` API Calls](./aws/docs/servicequotas_discovery_multi_region_get_service_quota_calls.md) (ES|QL)
 - [IAM Assume Role Creation with Attached Policy](./aws/docs/iam_assume_role_creation_with_attached_policy.md) (ES|QL)
+- [IAM Unusual Default Aviatrix Role Activity](./aws/docs/iam_unusual_default_aviatrix_role_activity.md) (ES|QL)
 - [IAM User Activity with No MFA Session](./aws/docs/iam_user_activity_with_no_mfa_session.md) (ES|QL)
 - [Lambda Add Permissions for Write Actions to Function](./aws/docs/lambda_add_permissions_for_write_actions_to_function.md) (ES|QL)
 - [Multiple Service Logging Deleted or Stopped](./aws/docs/multiple_service_logging_deleted_or_stopped.md) (ES|QL)

hunting/index.yml

@@ -414,6 +414,11 @@ aws:
     path: ./aws/queries/iam_unusual_access_key_usage_for_user.toml
     mitre:
     - T1078.004
+  9fe48b6e-d83a-11ef-84a6-f661ea17fbcd:
+    name: IAM Unusual Default Aviatrix Role Activity
+    path: ./aws/queries/iam_unusual_default_aviatrix_role_activity.toml
+    mitre:
+    - T1078.004
 windows:
   44e6adc6-e183-4bfa-b06d-db41669641fa:
     name: Rundll32 Execution Aggregated by Command Line

rules/linux/command_and_control_ip_forwarding_activity.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -44,7 +44,8 @@ process.parent.executable != null and process.command_line like (
     process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and
     process.command_line like "*echo *"
   )
-)
+) and
+not process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap")
 '''
 note = """## Triage and analysis
 

rules/linux/command_and_control_linux_chisel_client_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [transform]
 [[transform.osquery]]
@@ -152,7 +152,7 @@ sequence by host.id, process.entity_id with maxspan=3s
   [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
    process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and 
    process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
-   not process.name in ("velociraptor", "nbemmcmd")]
+   not process.name in ("velociraptor", "nbemmcmd", "redis-cli", "ipa")]
   [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and 
    destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and 
    not process.name : (

rules/linux/command_and_control_linux_kworker_netcon.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/10/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,8 @@ process.name:kworker* and not destination.ip:(
   224.0.0.0/4 or
   "::1" or
   "FE80::/10" or
-  "FF00::/8"
+  "FF00::/8" or
+  "0.0.0.0"
 ) and not destination.port:("2049" or "111" or "892" or "597")
 '''
 note = """## Triage and analysis

rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [transform]
 [[transform.osquery]]
@@ -195,7 +195,7 @@ not (
   process.name : (
     apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or
     kited or node or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or
-    php* or pip* or python* or steam* or terraform*
+    php* or pip* or python* or steam* or terraform* or filebeat or apk or cursor or http
   ) or
   destination.ip:(
     0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or

rules/linux/credential_access_ssh_backdoor_log.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
     "https://github.com/eset/malware-ioc/tree/master/sshdoor",
     "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf",
 ]
-risk_score = 73
+risk_score = 21
 rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
 setup = """## Setup
 
@@ -65,7 +65,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 #### Custom Ingest Pipeline
 For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
 """
-severity = "high"
+severity = "low"
 tags = [
     "Domain: Endpoint",
     "OS: Linux",

rules/linux/defense_evasion_acl_modification_via_setfacl.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,9 @@ process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 process.name == "setfacl" and not (
   process.command_line == "/bin/setfacl --restore=-" or
-  process.args == "/var/log/journal/"
+  process.args == "/var/log/journal/" or
+  process.parent.name in ("stats.pl", "perl", "find") or
+  process.parent.command_line like~ "/bin/sh -c *ansible*"
 )
 '''
 note = """## Triage and analysis

rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,8 @@ process where host.os.type == "linux" and event.type == "start" and event.action
   (process.name == "chkconfig" and process.args == "off") or
   (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
 ) and
-process.args in ("auditd", "auditd.service")
+process.args in ("auditd", "auditd.service") and 
+not process.parent.name == "auditd.prerm"
 '''
 note = """## Triage and analysis
 

rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,8 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event",
  ( (process.name == "service" and process.args == "stop") or
    (process.name == "chkconfig" and process.args == "off") or
    (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
- ) and process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service")
+ ) and process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service") and
+not process.parent.name == "rsyslog-rotate"
 '''
 note = """## Triage and analysis
 

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,8 @@ file.Ext.original.path : (
   process.name like (
     "python*", "packagekitd", "systemd", "ln", "platform-python", "dnf_install", "runc", "apt-get", "ssm-agent-worker",
     "convert-usrmerge", "updatenow.static-cpanelsync", "apk", "exe", "php", "containerd-shim-runc-v2", "dpkg", "sed",
-    "platform-python*", "gedit", "crond", "sshd", "ruby", "sudo", "chainctl", "update-alternatives", "pip*"
+    "platform-python*", "gedit", "crond", "sshd", "ruby", "sudo", "chainctl", "update-alternatives", "pip*", "microdnf",
+    "rsync", "convert2rhel", "convert-usr-merge"
   ) or
   file.Ext.original.path : (
     "/bin/*.tmp", "/usr/bin/*.tmp", "/usr/local/bin/*.tmp", "/sbin/*.tmp", "/usr/sbin/*.tmp", "/usr/local/sbin/*.tmp"

rules/linux/defense_evasion_clear_kernel_ring_buffer.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,7 @@ type = "eql"
 
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started")
- and process.name == "dmesg" and process.args == "-c"
+ and process.name == "dmesg" and process.args in ("-c", "--clear")
 '''
 note = """## Triage and analysis
 
@@ -98,32 +98,30 @@ The kernel ring buffer logs system messages, crucial for diagnosing issues. Adve
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Conduct a post-incident review to identify gaps in detection and response, and update security policies and procedures to prevent recurrence."""
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1070.002"
 name = "Clear Linux or Mac System Logs"
 reference = "https://attack.mitre.org/techniques/T1070/002/"
 
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-

rules/linux/defense_evasion_dynamic_linker_file_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/08/08"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,10 @@ not (
     "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", "/opt/dynatrace/oneagent/*"
   ) or
   process.executable == null or
-  process.name == "java" or
+  process.name in (
+    "java", "executor", "ssm-agent-worker", "packagekitd", "crio", "dockerd-entrypoint.sh",
+    "docker-init", "BootTimeChecker"
+  ) or
   (process.name == "sed" and file.name : "sed*") or
   (process.name == "perl" and file.name : "e2scrub_all.tmp*")
 )

rules/linux/defense_evasion_file_mod_writable_dir.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,9 @@ type = "new_terms"
 query = '''
 host.os.type:linux and event.category:process and event.type:start and
 process.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and
-not process.parent.name:(apt-key or update-motd-updates-available or apt-get)
+not process.parent.name:(
+  apt-key or update-motd-updates-available or apt-get or java or pilot or PassengerAgent or nginx
+)
 '''
 note = """## Triage and analysis
 

rules/linux/defense_evasion_hidden_directory_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -72,8 +72,9 @@ process.name == "mkdir" and process.parent.executable like (
 ) and process.args like (".*", "/*/.*") and process.args_count <= 3 and not (
   process.parent.executable like ("/tmp/newroot/*", "/run/containerd/*") or
   process.command_line like ("mkdir -p .", "mkdir ./*") or
+  process.args == "/root/.ssh" or
   process.parent.executable like (
-    "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img"
+    "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img", "/tmp/snap.rootfs_*"
   )
 )
 '''