diff --git a/hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md b/hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md new file mode 100644 index 00000000000..3802a1ecc89 --- /dev/null +++ b/hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md 
@@ -0,0 +1,43 @@ +# IAM Unusual Default Aviatrix Role Activity + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunting query identifies unusual activity related to the default Aviatrix role in AWS CloudTrail logs. The Aviatrix role is a default role created by the Aviatrix Controller to manage AWS resources. Unusual activity may indicate unauthorized access or misuse of the Aviatrix role, potentially leading to data exfiltration, privilege escalation, or other security incidents. + +- **UUID:** `9fe48b6e-d83a-11ef-84a6-f661ea17fbcd` +- **Integration:** [aws.cloudtrail](https://docs.elastic.co/integrations/aws/cloudtrail) +- **Language:** `[ES|QL]` +- **Source File:** [IAM Unusual Default Aviatrix Role Activity](../queries/iam_unusual_default_aviatrix_role_activity.toml) + +## Query + +```sql +from logs-aws.cloudtrail-* +| where @timestamp > now() - 14 day +| where event.dataset == "aws.cloudtrail" + and aws.cloudtrail.user_identity.type == "AssumedRole" + and aws.cloudtrail.user_identity.arn like "*aviatrix-role*" +| stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn +| where activity_counts < 10 +| sort by activity_counts asc +``` + +## Notes + +- Review the `aws.cloudtrail.user_identity.arn` field to identify the Aviatrix role. +- Review the `aws.cloudtrail.resources.arn` field to identify the EC2 instance associated with the activity. +- Review security group and network ACL configurations for the EC2 instance to ensure they are not overly permissive or allow unauthorized access. +- Using the EC2 instance, pivot into VPC Flow Logs to identify network traffic patterns and potential lateral movement. +- Review if the controller was recently deployed or updated, as this may explain unusual activity related to the Aviatrix role. +- If available, review endpoint logs for the Aviatrix Controller to identify any aviatrix processes that have made unusual requests or system calls. 
+ +## MITRE ATT&CK Techniques + +- [T1078.004](https://attack.mitre.org/techniques/T1078/004) + +## License + +- `Elastic License v2` diff --git a/hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml b/hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml new file mode 100644 index 00000000000..92bd247ae9a --- /dev/null +++ b/hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml 
@@ -0,0 +1,29 @@ +[hunt] +author = "Elastic" +description = """ +This hunting query identifies unusual activity related to the default Aviatrix role in AWS CloudTrail logs. The Aviatrix role is a default role created by the Aviatrix Controller to manage AWS resources. Unusual activity may indicate unauthorized access or misuse of the Aviatrix role, potentially leading to data exfiltration, privilege escalation, or other security incidents. +""" +integration = ["aws.cloudtrail"] +uuid = "9fe48b6e-d83a-11ef-84a6-f661ea17fbcd" +name = "IAM Unusual Default Aviatrix Role Activity" +language = ["ES|QL"] +license = "Elastic License v2" +notes = [ +"Review the `aws.cloudtrail.user_identity.arn` field to identify the Aviatrix role.", +"Review the `aws.cloudtrail.resources.arn` field to identify the EC2 instance associated with the activity.", +"Review security group and network ACL configurations for the EC2 instance to ensure they are not overly permissive or allow unauthorized access.", +"Using the EC2 instance, pivot into VPC Flow Logs to identify network traffic patterns and potential lateral movement.", +"Review if the controller was recently deployed or updated, as this may explain unusual activity related to the Aviatrix role.", +"If available, review endpoint logs for the Aviatrix Controller to identify any aviatrix processes that have made unusual requests or system calls.", +] +mitre = ['T1078.004'] +query = [''' +from logs-aws.cloudtrail-* +| where @timestamp > now() - 14 day +| where event.dataset == "aws.cloudtrail" + and aws.cloudtrail.user_identity.type == "AssumedRole" + and aws.cloudtrail.user_identity.arn like "*aviatrix-role*" +| stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn +| where activity_counts < 10 +| sort by activity_counts asc +'''] \ No newline at end of file diff --git a/hunting/index.md b/hunting/index.md index d282cc4c8ac..2d988789a54 100644 --- a/hunting/index.md +++ b/hunting/index.md 
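Review bot: The `| stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn` line folds successful and failed calls into one count, so a handful of denied calls from a session probing what the role may do and a rare legitimate call surface as the same low-count row; adding the outcome to the grouping keys, `| stats activity_counts = count(*) by event.provider, event.action, event.outcome, aws.cloudtrail.user_identity.arn`, lets an analyst triage failures first. The `like "*aviatrix-role*"` match also assumes the role kept its default name, and a renamed role yields zero rows without any signal, so the `description` or a `notes` entry should state that assumption. The file is written without a trailing newline (`\ No newline at end of file`), which the sibling query files presumably have.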
@@ -12,6 +12,7 @@ Here are the queries currently available: - [High Frequency of EC2 Multi-Region `DescribeInstances` API Calls](./aws/docs/ec2_discovery_multi_region_describe_instance_calls.md) (ES|QL) - [High Frequency of Service Quotas Multi-Region `GetServiceQuota` API Calls](./aws/docs/servicequotas_discovery_multi_region_get_service_quota_calls.md) (ES|QL) - [IAM Assume Role Creation with Attached Policy](./aws/docs/iam_assume_role_creation_with_attached_policy.md) (ES|QL) +- [IAM Unusual Default Aviatrix Role Activity](./aws/docs/iam_unusual_default_aviatrix_role_activity.md) (ES|QL) - [IAM User Activity with No MFA Session](./aws/docs/iam_user_activity_with_no_mfa_session.md) (ES|QL) - [Lambda Add Permissions for Write Actions to Function](./aws/docs/lambda_add_permissions_for_write_actions_to_function.md) (ES|QL) - [Multiple Service Logging Deleted or Stopped](./aws/docs/multiple_service_logging_deleted_or_stopped.md) (ES|QL) diff --git a/hunting/index.yml b/hunting/index.yml index 3eed8c5f48b..9c8cdea3f5d 100644 --- a/hunting/index.yml +++ b/hunting/index.yml @@ -414,6 +414,11 @@ aws: path: ./aws/queries/iam_unusual_access_key_usage_for_user.toml mitre: - T1078.004 + 9fe48b6e-d83a-11ef-84a6-f661ea17fbcd: + name: IAM Unusual Default Aviatrix Role Activity + path: ./aws/queries/iam_unusual_default_aviatrix_role_activity.toml + mitre: + - T1078.004 windows: 44e6adc6-e183-4bfa-b06d-db41669641fa: name: Rundll32 Execution Aggregated by Command Line diff --git a/rules/linux/command_and_control_ip_forwarding_activity.toml b/rules/linux/command_and_control_ip_forwarding_activity.toml index 08ec19a6e4a..6f101558f2c 100644 --- a/rules/linux/command_and_control_ip_forwarding_activity.toml +++ b/rules/linux/command_and_control_ip_forwarding_activity.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -44,7 +44,8 @@ process.parent.executable != null and process.command_line like ( process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and process.command_line like "*echo *" ) -) +) and +not process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap") ''' note = """## Triage and analysis diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml index 185b7f8f263..25094b627b0 100644 --- a/rules/linux/command_and_control_linux_chisel_client_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [transform] [[transform.osquery]] @@ -152,7 +152,7 @@ sequence by host.id, process.entity_id with maxspan=3s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and - not process.name in ("velociraptor", "nbemmcmd")] + not process.name in ("velociraptor", "nbemmcmd", "redis-cli", "ipa")] [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and not process.name : ( 
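Review bot: The added `not process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap")` exclusion keys only on the parent's name, and the same shape is added in the chisel-client hunk on this line (`"redis-cli", "ipa"`), the unknown-executable hunk (`filebeat or apk or cursor or http`), and the setfacl, auditd, syslog, dynamic-linker, hidden-shared-object, root-certificate, PAM-discovery, security-file-access and `id`-enumeration hunks below; a bare name is the one attribute a launching process chooses freely, so each entry widens the suppression to anything carrying that name. Where the legitimate source is a fixed binary, pinning `process.parent.executable` (as the kernel-module hunk does with `/var/lib/dpkg/info/linux-modules*-generic.post*`) or pairing the name with `user.name` (as the interactive-shell hunk does with `_apt`) keeps the exclusion narrow. The `platform-python*` wildcard here and the `http` entry in the unknown-executable rule are the broadest and would benefit most from an executable path. The enclosing `query` string starts before the hunk.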
diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml index ee8641376f8..acd204dae9a 100644 --- a/rules/linux/command_and_control_linux_kworker_netcon.toml +++ b/rules/linux/command_and_control_linux_kworker_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -68,7 +68,8 @@ process.name:kworker* and not destination.ip:( 224.0.0.0/4 or "::1" or "FE80::/10" or - "FF00::/8" + "FF00::/8" or + "0.0.0.0" ) and not destination.port:("2049" or "111" or "892" or "597") ''' note = """## Triage and analysis diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml index d0a0402788d..69c63039b73 100644 --- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [transform] [[transform.osquery]] @@ -195,7 +195,7 @@ not ( process.name : ( apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or kited or node or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or - php* or pip* or python* or steam* or terraform* + php* or pip* or python* or steam* or terraform* or filebeat or apk or cursor or http ) or destination.ip:( 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index a3d9440729c..e2432df22bd 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ references = [ "https://github.com/eset/malware-ioc/tree/master/sshdoor", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", ] -risk_score = 73 +risk_score = 21 rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22" setup = """## Setup @@ -65,7 +65,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). """ -severity = "high" +severity = "low" tags = [ "Domain: Endpoint", "OS: Linux", diff --git a/rules/linux/defense_evasion_acl_modification_via_setfacl.toml b/rules/linux/defense_evasion_acl_modification_via_setfacl.toml index c537294daf0..a27dcc37ec6 100644 --- a/rules/linux/defense_evasion_acl_modification_via_setfacl.toml +++ b/rules/linux/defense_evasion_acl_modification_via_setfacl.toml 
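Review bot: `risk_score = 73` → `21` together with `severity = "high"` → `"low"` in the following hunk moves a credential-access backdoor rule down two levels, but nothing visible records why: the `query` is untouched and no false-positive text is added to `note`, so a later reader cannot tell whether this reflects noise in the field or a deliberate re-scoping. A sentence in the rule's false-positive section explaining the downgrade would make the change auditable. The `description` and `note` bodies lie outside the hunk, so this is inferred from what is shown.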
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -39,7 +39,9 @@ process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name == "setfacl" and not ( process.command_line == "/bin/setfacl --restore=-" or - process.args == "/var/log/journal/" + process.args == "/var/log/journal/" or + process.parent.name in ("stats.pl", "perl", "find") or + process.parent.command_line like~ "/bin/sh -c *ansible*" ) ''' note = """## Triage and analysis diff --git a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml index 3ab0e3ff00e..ae6348cef81 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -65,7 +65,8 @@ process where host.os.type == "linux" and event.type == "start" and event.action (process.name == "chkconfig" and process.args == "off") or (process.name == "systemctl" and process.args in ("disable", "stop", "kill")) ) and -process.args in ("auditd", "auditd.service") +process.args in ("auditd", "auditd.service") and +not process.parent.name == "auditd.prerm" ''' note = """## Triage and analysis 
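Review bot: `process.parent.command_line like~ "/bin/sh -c *ansible*"` is a case-insensitive substring match, so any `sh -c` command line that mentions `ansible` anywhere is excluded, not only Ansible's own module wrapper; anchoring on the wrapper's temp path (something like `process.parent.command_line like~ "/bin/sh -c */.ansible/tmp/*"`) or on `process.parent.executable` keeps the exclusion tied to the tool. The `"perl"` and `"find"` parent names added alongside `"stats.pl"` are generic interpreters rather than a specific job, and a line in `note` naming the job that produces them would help the next tuning pass. The enclosing `not (` block starts before the hunk.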
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index fe2829e707f..c5dc2298b82 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -77,7 +77,8 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event", ( (process.name == "service" and process.args == "stop") or (process.name == "chkconfig" and process.args == "off") or (process.name == "systemctl" and process.args in ("disable", "stop", "kill")) - ) and process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service") + ) and process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service") and +not process.parent.name == "rsyslog-rotate" ''' note = """## Triage and analysis diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml index e56bd0d6452..fab30b2292a 100644 --- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml +++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] 
@@ -83,7 +83,8 @@ file.Ext.original.path : ( process.name like ( "python*", "packagekitd", "systemd", "ln", "platform-python", "dnf_install", "runc", "apt-get", "ssm-agent-worker", "convert-usrmerge", "updatenow.static-cpanelsync", "apk", "exe", "php", "containerd-shim-runc-v2", "dpkg", "sed", - "platform-python*", "gedit", "crond", "sshd", "ruby", "sudo", "chainctl", "update-alternatives", "pip*" + "platform-python*", "gedit", "crond", "sshd", "ruby", "sudo", "chainctl", "update-alternatives", "pip*", "microdnf", + "rsync", "convert2rhel", "convert-usr-merge" ) or file.Ext.original.path : ( "/bin/*.tmp", "/usr/bin/*.tmp", "/usr/local/bin/*.tmp", "/sbin/*.tmp", "/usr/sbin/*.tmp", "/usr/local/sbin/*.tmp" diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml index b7ec71585fa..773c4da0cc3 100644 --- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -62,7 +62,7 @@ type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") - and process.name == "dmesg" and process.args == "-c" + and process.name == "dmesg" and process.args in ("-c", "--clear") ''' note = """## Triage and analysis 
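Review bot: Adding `"rsync"` to the `process.name like (...)` exclusion removes coverage for every rsync-driven copy into the watched system directories; unlike the package managers around it (`microdnf`, `dpkg`, `apt-get`), rsync is a general transfer tool, so the suppression should be scoped by the rsync parent or the source path rather than by bare name. `"convert2rhel"` and `"convert-usr-merge"` are one-off migration tools, and a `note` line saying they are expected only during a distribution upgrade would stop them from lingering unexplained. The watched-path predicate that opens the `not (...)` block is outside the hunk.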
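Review bot: `process.args in ("-c", "--clear")` pairs the wrong short and long forms: in util-linux dmesg `--clear` is spelled `-C`, while `-c` is `--read-clear`, so the rule now matches one spelling of each flag and misses the other two; `and process.name == "dmesg" and process.args in ("-c", "-C", "--clear", "--read-clear")` covers all four. Because `in` is case-sensitive, `-C` is not caught by the existing `"-c"` entry. The enclosing `query` string starts before the hunk.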
@@ -98,32 +98,30 @@ The kernel ring buffer logs system messages, crucial for diagnosing issues. Adve - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Conduct a post-incident review to identify gaps in detection and response, and update security policies and procedures to prevent recurrence.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml index bc15dc494c8..c07ff4d976f 100644 --- a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml +++ b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/08" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] 
@@ -76,7 +76,10 @@ not ( "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", "/opt/dynatrace/oneagent/*" ) or process.executable == null or - process.name == "java" or + process.name in ( + "java", "executor", "ssm-agent-worker", "packagekitd", "crio", "dockerd-entrypoint.sh", + "docker-init", "BootTimeChecker" + ) or (process.name == "sed" and file.name : "sed*") or (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index f87b1240f82..54c8ee0c3d1 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -75,7 +75,9 @@ type = "new_terms" query = ''' host.os.type:linux and event.category:process and event.type:start and process.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and -not process.parent.name:(apt-key or update-motd-updates-available or apt-get) +not process.parent.name:( + apt-key or update-motd-updates-available or apt-get or java or pilot or PassengerAgent or nginx +) ''' note = """## Triage and analysis diff --git a/rules/linux/defense_evasion_hidden_directory_creation.toml b/rules/linux/defense_evasion_hidden_directory_creation.toml index ed15f89caf3..929e64c9422 100644 --- a/rules/linux/defense_evasion_hidden_directory_creation.toml +++ b/rules/linux/defense_evasion_hidden_directory_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] 
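Review bot: Excluding `java` and `nginx` as parents of `chmod`/`chown` in `/dev/shm`, `/tmp` or `/var/tmp` suppresses the sequence a compromised web application produces (service process drops a file into a world-writable directory and marks it executable), which is the case this new_terms rule is best placed to catch; the same `java` parent is also added to the `id`-enumeration rule further down. If a specific application is the noise source, scoping the entry to `process.parent.executable` or to the `user.name` the service runs as keeps that behaviour visible elsewhere. The `note` false-positive section should name the application that motivated `pilot`, `PassengerAgent` and `nginx`.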
@@ -72,8 +72,9 @@ process.name == "mkdir" and process.parent.executable like ( ) and process.args like (".*", "/*/.*") and process.args_count <= 3 and not ( process.parent.executable like ("/tmp/newroot/*", "/run/containerd/*") or process.command_line like ("mkdir -p .", "mkdir ./*") or + process.args == "/root/.ssh" or process.parent.executable like ( - "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img" + "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img", "/tmp/snap.rootfs_*" ) ) ''' diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index 83eff47b826..b6e8178ba21 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -82,7 +82,7 @@ process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and not process.name in ( "ls", "find", "grep", "git", "jq", "basename", "check_snmp", "snmpget", "snmpwalk", "cc1plus", "snap", - "command-not-found" + "command-not-found", "sqlite", "apk", "fgrep", "locate", "objdump" ) ''' note = """## Triage and analysis diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index 1879c8fd90d..972126958bb 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] 
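Review bot: `process.args == "/root/.ssh"` suppresses creation of root's SSH directory by any parent, and that directory is where `authorized_keys`-based persistence lands, so the entry gives up the case the hidden-directory logic is most useful for on a server. If a provisioning agent is the legitimate creator, pin the exclusion to it, e.g. `(process.args == "/root/.ssh" and process.parent.executable like "<agent path — placeholder>")`. The `/tmp/snap.rootfs_*` entry in the same hunk is fine as a path-based condition. The enclosing `not (` block starts before the hunk.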
@@ -77,7 +77,7 @@ type = "eql" query = ''' file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and -not process.name == "dockerd" +not process.name in ("dockerd", "azcopy", "podman") ''' note = """## Triage and analysis diff --git a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml index 1bb3cccd863..8e0bd45dbae 100644 --- a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml +++ b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -67,6 +67,8 @@ event.category:process and host.os.type:linux and event.type:start and event.act ) or process.args:(/etc/apt/trusted.gpg.d/* or /tmp/apt-key-gpg*) or process.name:(awk or apt-config or dpkg or grep or gpgv or sed) or + (user.name:_apt and process.name:(sqv or apt-key or gpgconf or sort or mktemp or find or cmp or gpg-connect-agent)) or + (user.name:man and process.name:mandb) or (user.name:daemon and process.name:at) ) ''' diff --git a/rules/linux/defense_evasion_root_certificate_installation.toml b/rules/linux/defense_evasion_root_certificate_installation.toml index e29ffb290fa..cb8237b8ef3 100644 --- a/rules/linux/defense_evasion_root_certificate_installation.toml +++ b/rules/linux/defense_evasion_root_certificate_installation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] 
@@ -65,7 +65,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action process.name in ("update-ca-trust", "update-ca-certificates") and not ( process.parent.name like ( "ca-certificates.postinst", "ca-certificates-*.trigger", "pacman", "pamac-daemon", "autofirma.postinst", - "ipa-client-install", "su", "platform-python", "python*", "kesl", "execd" + "ipa-client-install", "su", "platform-python", "python*", "kesl", "execd", "systemd", "flock" ) or process.parent.args like "/var/tmp/rpm*" or (process.parent.name in ("sh", "bash", "zsh") and process.args == "-e") diff --git a/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml b/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml index 185877f5618..c4f67be5850 100644 --- a/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml +++ b/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.16.2 for the SentinelOne Integration." min_stack_version = "8.16.2" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -61,7 +61,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event") -and file.path : "/etc/selinux/config" +and file.path : "/etc/selinux/config" and not process.name in ("dockerd", "platform-python") ''' note = """## Triage and analysis diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 69eac0b8c26..64a7eeaf5f2 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml 
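Review bot: Adding `"systemd"` and `"flock"` to the `process.parent.name like (...)` list excludes any `update-ca-trust`/`update-ca-certificates` run from a unit file or under a `flock` wrapper, which is also how a scheduled or service-installed trust-store change would look; with `systemd` as the parent nothing else in the rule separates a distribution timer from an ad-hoc unit. Pairing the two entries with the specific `process.command_line` or `user.name` seen in the noise would keep the suppression to the known-good job. The enclosing `not (` block starts before the hunk.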
@@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -72,8 +72,9 @@ not ( process.parent.name:( mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools or readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or weak-modules or zfs or - systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install - ) + systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install or newrelic-infra + ) or + process.parent.executable:/var/lib/dpkg/info/linux-modules*-generic.post* ) ''' note = """## Triage and analysis diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml index 4f7d00fa38e..932c0dbe220 100644 --- a/rules/linux/discovery_pam_version_discovery.toml +++ b/rules/linux/discovery_pam_version_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -66,11 +66,12 @@ timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "exec_event", "start", "ProcessRollup2") and + event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.parent.name != null and ( (process.name in ("dpkg", "dpkg-query") and process.args == "libpam-modules") or (process.name == "rpm" and process.args == "pam") - ) + ) and +not process.parent.name in ("dcservice", "inspectorssmplugin") ''' note = """## Triage and analysis 
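Review bot: The changed `event.action in (...)` line adds `process.parent.name != null` to the base condition, so a `dpkg`/`rpm` PAM query whose event carries no parent name is now excluded outright rather than merely exempted from the new `not process.parent.name in ("dcservice", "inspectorssmplugin")` clause; whether that is a deliberate data-quality choice or a side effect of making the `not ... in` predicate well-defined on null is not visible here. A short line in `note` stating that parentless events are out of scope would make the intent clear. The enclosing `query` string starts before the hunk.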
diff --git a/rules/linux/discovery_pspy_process_monitoring_detected.toml b/rules/linux/discovery_pspy_process_monitoring_detected.toml index a20064a1f1c..b03f97dae68 100644 --- a/rules/linux/discovery_pspy_process_monitoring_detected.toml +++ b/rules/linux/discovery_pspy_process_monitoring_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/20" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -58,7 +58,7 @@ query = ''' sequence by process.pid, host.id with maxspan=5s [file where host.os.type == "linux" and auditd.data.syscall == "openat" and file.path == "/proc" and auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c") and auditd.data.a2 : ("80000", "88000") and - not process.name == "agentbeat" + not process.name in ("agentbeat", "packetbeat") ] with runs=10 ''' note = """## Triage and analysis diff --git a/rules/linux/discovery_security_file_access_via_common_utility.toml b/rules/linux/discovery_security_file_access_via_common_utility.toml index 3d11cf452c3..77e8b38321e 100644 --- a/rules/linux/discovery_security_file_access_via_common_utility.toml +++ b/rules/linux/discovery_security_file_access_via_common_utility.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -68,7 +68,8 @@ process where host.os.type == "linux" and event.type == "start" and "/home/*/.aws/credentials", "/home/*/.aws/config", "/home/*/.config/gcloud/*credentials.json", "/home/*/.config/gcloud/configurations/config_default", "/home/*/.azure/accessTokens.json", "/home/*/.azure/azureProfile.json" - ) + ) and +not process.parent.name in ("wazuh-modulesd", "lynis") ''' note = """## Triage and analysis 
diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml index cead4910326..ad351fb672d 100644 --- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml +++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -58,7 +58,10 @@ query = ''' sequence by host.id, process.parent.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "id" and process.args_count == 2 and - not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20 + not ( + process.parent.name in ("rpm", "snarftmp", "quota_copy", "java") or + process.parent.args : "/var/tmp/rpm-tmp*" + )] with runs=20 ''' note = """## Triage and analysis