From d335799a37c65d6a943aff31fe3d5b17799076a4 Mon Sep 17 00:00:00 2001 
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 4 Feb 2025 18:20:04 -0300 Subject: [PATCH] [Rule Tuning] Tighten Up Elastic Defend Indexes - Linux --- rules/linux/command_and_control_cat_network_activity.toml | 4 ++-- .../linux/command_and_control_cupsd_foomatic_rip_netcon.toml | 4 ++-- .../linux/command_and_control_curl_socks_proxy_detected.toml | 4 ++-- rules/linux/command_and_control_ip_forwarding_activity.toml | 4 ++-- .../command_and_control_linux_chisel_client_activity.toml | 4 ++-- .../command_and_control_linux_chisel_server_activity.toml | 4 ++-- .../linux/command_and_control_linux_proxychains_activity.toml | 4 ++-- rules/linux/command_and_control_linux_ssh_x11_forwarding.toml | 4 ++-- ...and_and_control_linux_suspicious_proxychains_activity.toml | 4 ++-- ...mmand_and_control_linux_tunneling_and_port_forwarding.toml | 4 ++-- rules/linux/command_and_control_tunneling_via_earthworm.toml | 4 ++-- rules/linux/credential_access_credential_dumping.toml | 4 ++-- rules/linux/credential_access_gdb_init_process_hooking.toml | 4 ++-- rules/linux/credential_access_gdb_process_hooking.toml | 4 ++-- ...ntial_access_potential_linux_local_account_bruteforce.toml | 4 ++-- rules/linux/credential_access_proc_credential_dumping.toml | 4 ++-- ..._access_unusual_instance_metadata_service_api_request.toml | 4 ++-- rules/linux/defense_evasion_acl_modification_via_setfacl.toml | 4 ++-- ...fense_evasion_attempt_to_disable_iptables_or_firewall.toml | 4 ++-- .../defense_evasion_attempt_to_disable_syslog_service.toml | 4 ++-- ...vasion_base16_or_base32_encoding_or_decoding_activity.toml | 4 ++-- rules/linux/defense_evasion_chattr_immutable_file.toml | 4 ++-- rules/linux/defense_evasion_clear_kernel_ring_buffer.toml | 4 ++-- .../defense_evasion_creation_of_hidden_files_directories.toml | 4 ++-- rules/linux/defense_evasion_directory_creation_in_bin.toml | 4 ++-- rules/linux/defense_evasion_disable_apparmor_attempt.toml | 4 ++-- 
rules/linux/defense_evasion_disable_selinux_attempt.toml | 4 ++-- rules/linux/defense_evasion_dynamic_linker_file_creation.toml | 4 ++-- .../defense_evasion_esxi_suspicious_timestomp_touch.toml | 4 ++-- rules/linux/defense_evasion_file_deletion_via_shred.toml | 4 ++-- rules/linux/defense_evasion_hidden_directory_creation.toml | 4 ++-- rules/linux/defense_evasion_hidden_file_dir_tmp.toml | 4 ++-- rules/linux/defense_evasion_hidden_shared_object.toml | 4 ++-- rules/linux/defense_evasion_kernel_module_removal.toml | 4 ++-- rules/linux/defense_evasion_kthreadd_masquerading.toml | 4 ++-- rules/linux/defense_evasion_log_files_deleted.toml | 4 ++-- rules/linux/defense_evasion_mount_execution.toml | 4 ++-- rules/linux/defense_evasion_potential_proot_exploits.toml | 4 ++-- rules/linux/defense_evasion_rename_esxi_files.toml | 4 ++-- rules/linux/defense_evasion_rename_esxi_index_file.toml | 4 ++-- ...fense_evasion_sus_utility_executed_via_tmux_or_screen.toml | 4 ++-- rules/linux/discovery_dynamic_linker_via_od.toml | 4 ++-- rules/linux/discovery_esxi_software_via_find.toml | 4 ++-- rules/linux/discovery_esxi_software_via_grep.toml | 4 ++-- rules/linux/discovery_kernel_seeking.toml | 4 ++-- rules/linux/discovery_kernel_unpacking.toml | 4 ++-- rules/linux/discovery_linux_hping_activity.toml | 4 ++-- rules/linux/discovery_linux_nping_activity.toml | 4 ++-- rules/linux/discovery_pam_version_discovery.toml | 4 ++-- rules/linux/discovery_polkit_version_discovery.toml | 4 ++-- .../discovery_private_key_password_searching_activity.toml | 4 ++-- rules/linux/discovery_proc_maps_read.toml | 4 ++-- rules/linux/discovery_process_capabilities.toml | 4 ++-- .../discovery_security_file_access_via_common_utility.toml | 4 ++-- rules/linux/discovery_sudo_allowed_command_enumeration.toml | 4 ++-- rules/linux/discovery_suid_sguid_enumeration.toml | 4 ++-- rules/linux/discovery_suspicious_memory_grep_activity.toml | 4 ++-- rules/linux/discovery_suspicious_which_command_execution.toml | 4 ++-- 
rules/linux/discovery_unusual_user_enumeration_via_id.toml | 4 ++-- rules/linux/discovery_yum_dnf_plugin_detection.toml | 4 ++-- rules/linux/execution_cupsd_foomatic_rip_file_creation.toml | 4 ++-- .../linux/execution_cupsd_foomatic_rip_lp_user_execution.toml | 4 ++-- rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml | 4 ++-- ...ecution_cupsd_foomatic_rip_suspicious_child_execution.toml | 4 ++-- rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml | 4 ++-- ...cution_egress_connection_from_entrypoint_in_container.toml | 4 ++-- .../linux/execution_file_execution_followed_by_deletion.toml | 4 ++-- ...tion_file_transfer_or_listener_established_via_netcat.toml | 4 ++-- rules/linux/execution_interpreter_tty_upgrade.toml | 4 ++-- rules/linux/execution_nc_listener_via_rlwrap.toml | 4 ++-- rules/linux/execution_netcon_from_rwx_mem_region_binary.toml | 4 ++-- rules/linux/execution_network_event_post_compilation.toml | 4 ++-- rules/linux/execution_potential_hack_tool_executed.toml | 4 ++-- .../linux/execution_process_started_from_process_id_file.toml | 4 ++-- .../execution_process_started_in_shared_memory_directory.toml | 4 ++-- rules/linux/execution_python_tty_shell.toml | 4 ++-- rules/linux/execution_python_webserver_spawned.toml | 4 ++-- .../linux/execution_remote_code_execution_via_postgresql.toml | 4 ++-- rules/linux/execution_shell_evasion_linux_binary.toml | 4 ++-- rules/linux/execution_shell_openssl_client_or_server.toml | 4 ++-- rules/linux/execution_shell_via_background_process.toml | 4 ++-- rules/linux/execution_shell_via_child_tcp_utility_linux.toml | 4 ++-- rules/linux/execution_shell_via_java_revshell_linux.toml | 4 ++-- rules/linux/execution_shell_via_lolbin_interpreter_linux.toml | 4 ++-- rules/linux/execution_shell_via_suspicious_binary.toml | 4 ++-- rules/linux/execution_shell_via_tcp_cli_utility_linux.toml | 4 ++-- ...execution_sus_extraction_or_decrompression_via_funzip.toml | 4 ++-- 
.../execution_suspicious_mining_process_creation_events.toml | 4 ++-- .../linux/execution_system_binary_file_permission_change.toml | 4 ++-- rules/linux/execution_tc_bpf_filter.toml | 4 ++-- rules/linux/execution_unix_socket_communication.toml | 4 ++-- ...xfiltration_potential_data_splitting_for_exfiltration.toml | 4 ++-- rules/linux/impact_data_encrypted_via_openssl.toml | 4 ++-- rules/linux/impact_esxi_process_kill.toml | 4 ++-- rules/linux/impact_memory_swap_modification.toml | 4 ++-- .../impact_potential_linux_ransomware_note_detected.toml | 4 ++-- rules/linux/lateral_movement_ssh_it_worm_download.toml | 4 ++-- .../lateral_movement_telnet_network_activity_external.toml | 4 ++-- .../lateral_movement_telnet_network_activity_internal.toml | 4 ++-- rules/linux/persistence_apt_package_manager_execution.toml | 4 ++-- rules/linux/persistence_apt_package_manager_netcon.toml | 4 ++-- rules/linux/persistence_chkconfig_service_add.toml | 4 ++-- rules/linux/persistence_dpkg_unusual_execution.toml | 4 ++-- rules/linux/persistence_dynamic_linker_backup.toml | 4 ++-- rules/linux/persistence_etc_file_creation.toml | 4 ++-- rules/linux/persistence_init_d_file_creation.toml | 4 ++-- rules/linux/persistence_insmod_kernel_module_load.toml | 4 ++-- rules/linux/persistence_kde_autostart_modification.toml | 4 ++-- rules/linux/persistence_kworker_file_creation.toml | 4 ++-- rules/linux/persistence_linux_backdoor_user_creation.toml | 4 ++-- .../persistence_linux_shell_activity_via_web_server.toml | 4 ++-- .../persistence_linux_user_added_to_privileged_group.toml | 4 ++-- rules/linux/persistence_manual_dracut_execution.toml | 4 ++-- rules/linux/persistence_rc_script_creation.toml | 4 ++-- rules/linux/persistence_setuid_setgid_capability_set.toml | 4 ++-- rules/linux/persistence_ssh_netcon.toml | 4 ++-- .../persistence_suspicious_file_opened_through_editor.toml | 4 ++-- .../persistence_suspicious_ssh_execution_xzbackdoor.toml | 4 ++-- rules/linux/persistence_systemd_netcon.toml | 4 ++-- 
rules/linux/persistence_xdg_autostart_netcon.toml | 4 ++-- ...ivilege_escalation_chown_chmod_unauthorized_file_read.toml | 4 ++-- .../privilege_escalation_container_util_misconfiguration.toml | 4 ++-- ...ilege_escalation_docker_mount_chroot_container_escape.toml | 4 ++-- .../privilege_escalation_enlightenment_window_manager.toml | 4 ++-- .../linux/privilege_escalation_gdb_sys_ptrace_elevation.toml | 4 ++-- rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml | 4 ++-- rules/linux/privilege_escalation_kworker_uid_elevation.toml | 4 ++-- .../privilege_escalation_linux_suspicious_symbolic_link.toml | 4 ++-- rules/linux/privilege_escalation_linux_uid_int_max_bug.toml | 4 ++-- ...vilege_escalation_load_and_unload_of_kernel_via_kexec.toml | 4 ++-- .../privilege_escalation_looney_tunables_cve_2023_4911.toml | 4 ++-- rules/linux/privilege_escalation_netcon_via_sudo_binary.toml | 4 ++-- rules/linux/privilege_escalation_overlayfs_local_privesc.toml | 4 ++-- rules/linux/privilege_escalation_pkexec_envar_hijack.toml | 4 ++-- ...privilege_escalation_potential_suid_sgid_exploitation.toml | 4 ++-- .../privilege_escalation_potential_wildcard_shell_spawn.toml | 4 ++-- rules/linux/privilege_escalation_sda_disk_mount_non_root.toml | 4 ++-- rules/linux/privilege_escalation_sudo_cve_2019_14287.toml | 4 ++-- ...privilege_escalation_sudo_token_via_process_injection.toml | 4 ++-- ...ege_escalation_suspicious_cap_setuid_python_execution.toml | 4 ++-- ...rivilege_escalation_suspicious_chown_fowner_elevation.toml | 4 ++-- .../privilege_escalation_suspicious_passwd_file_write.toml | 4 ++-- .../privilege_escalation_suspicious_uid_guid_elevation.toml | 4 ++-- .../privilege_escalation_uid_change_post_compilation.toml | 4 ++-- .../privilege_escalation_unshare_namespace_manipulation.toml | 4 ++-- rules/linux/privilege_escalation_writable_docker_socket.toml | 4 ++-- 146 files changed, 292 insertions(+), 292 deletions(-) 
diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml index 946ca45924a..e0ce29eee9d 100644 --- a/rules/linux/command_and_control_cat_network_activity.toml +++ b/rules/linux/command_and_control_cat_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -39,7 +39,7 @@ activity is highly suspicious, and should be investigated. Attackers may leverag files to another host in the network or exfiltrate data while attempting to evade detection in the process. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Network Activity Detected via cat" diff --git a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml index 30ce455a176..5356874e6a6 100644 --- a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml +++ b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs o UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Network Connection by Cups or Foomatic-rip Child" 
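Review bot: The narrowed `index` list on the new side of the `@@ -39,7 +39,7 @@` hunk keeps only the `network*` and `process*` data streams, but the EQL `query` that determines which event categories the rule actually needs lies outside the hunk, so nothing visible here confirms that no other category (for example `file`) is referenced; if one is, that branch silently stops matching instead of failing rule validation. The same narrowing is applied in every other `index` hunk of this change, several of which keep only `logs-endpoint.events.process*` (the curl SOCKS proxy, IP forwarding, ProxyChains, credential dumping and setfacl rules among those shown), so the question applies to each of them. I would state in the commit message how the category-to-data-stream coverage was checked for all 146 files, or back it with a repository check that each rule's `index` patterns cover the `event.category` values its `query` uses, since a hand-edited index list is easy to over-narrow on the next tuning pass. The alphabetical ordering of the rewritten lists is applied consistently across the sections shown, which is fine.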
diff --git a/rules/linux/command_and_control_curl_socks_proxy_detected.toml b/rules/linux/command_and_control_curl_socks_proxy_detected.toml index 3fb5537d2ee..6fc18eaaca8 100644 --- a/rules/linux/command_and_control_curl_socks_proxy_detected.toml +++ b/rules/linux/command_and_control_curl_socks_proxy_detected.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ process. Attackers may use `curl` to establish a SOCKS proxy connection to bypas data or communicate with C2 servers. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Curl SOCKS Proxy Activity from Unusual Parent" diff --git a/rules/linux/command_and_control_ip_forwarding_activity.toml b/rules/linux/command_and_control_ip_forwarding_activity.toml index 6f101558f2c..329a6d1d1d2 100644 --- a/rules/linux/command_and_control_ip_forwarding_activity.toml +++ b/rules/linux/command_and_control_ip_forwarding_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ forwarding can be used to route network traffic between different network interf pivot between networks, exfiltrate data, or establish command and control channels. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "IPv4/IPv6 Forwarding Activity" 
diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml index 7d41cf8e9a2..f946aaaa5b8 100644 --- a/rules/linux/command_and_control_linux_chisel_client_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -40,7 +40,7 @@ channels, bypass network restrictions, and carry out malicious activities by cre access to internal systems. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Protocol Tunneling via Chisel Client" diff --git a/rules/linux/command_and_control_linux_chisel_server_activity.toml b/rules/linux/command_and_control_linux_chisel_server_activity.toml index 263bb2dad24..c277cc52b06 100644 --- a/rules/linux/command_and_control_linux_chisel_server_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_server_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -40,7 +40,7 @@ establish covert communication channels, bypass network restrictions, and carry tunnels that allow unauthorized access to internal systems. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Protocol Tunneling via Chisel Server" diff --git a/rules/linux/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml index 8253c3b5cb9..46cd848e64f 100644 
--- a/rules/linux/command_and_control_linux_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_proxychains_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -41,7 +41,7 @@ resources. Attackers can exploit the ProxyChains utility to hide their true sour perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "ProxyChains Activity" diff --git a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml index 111e9a9f3a2..4cc5b788c70 100644 --- a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml +++ b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] 
@@ -41,7 +41,7 @@ can abuse X11 forwarding for tunneling their GUI-based tools, pivot through comp communication channels, enabling lateral movement and facilitating remote control of systems within a network. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Linux SSH X11 Forwarding" diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml index d5b475379c6..baf53ccab50 100644 --- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -42,7 +42,7 @@ detection, and perform malicious activities through a chain of proxy servers, po intentions. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Utility Launched via ProxyChains" diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml index da95e39efd7..68be50722be 100644 
--- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -41,7 +41,7 @@ and gain unauthorized access to internal resources, facilitating data exfiltrati control. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Tunneling and/or Port Forwarding" diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index e79d8842251..b5f92960e13 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] 
@@ -40,7 +40,7 @@ system within a separate protocol to avoid detection and network filtering, or t systems. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Protocol Tunneling via EarthWorm" diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml index cc7bfb06a26..1ffa0927ca8 100644 --- a/rules/linux/credential_access_credential_dumping.toml +++ b/rules/linux/credential_access_credential_dumping.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ password-cracking utilities or prepare themselves for future operations by gathe victim. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Credential Dumping via Unshadow" diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml index c6934659caa..267ef6a5683 100644 --- a/rules/linux/credential_access_gdb_init_process_hooking.toml +++ b/rules/linux/credential_access_gdb_init_process_hooking.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ dumping techniques to attempt secret extraction from privileged processes. Tools "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Linux init (PID 1) Secret Dump via GDB" diff --git a/rules/linux/credential_access_gdb_process_hooking.toml b/rules/linux/credential_access_gdb_process_hooking.toml index 5e9c2f228c4..d668a5a7a2d 100644 --- a/rules/linux/credential_access_gdb_process_hooking.toml +++ b/rules/linux/credential_access_gdb_process_hooking.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -14,7 +14,7 @@ secret extraction from privileged processes. Tools that display this behavior in "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Linux Process Hooking via GDB" diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml index f570f4601e2..a83e64aca7c 100644 --- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml +++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ short time interval. Adversaries might brute force login attempts across differe set of customly crafted passwords in an attempt to gain access to these accounts. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Local Account Brute Force Detected" diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index 90b1a9cb404..bdae2eaf8e1 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext c process and extracting lines that have a high probability of containing cleartext passwords. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Credential Dumping via Proc Filesystem" diff --git a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml index cdb9ef2e487..5f66865720e 100644 --- a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml +++ b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/22" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ public IP address, and even temporary security credentials if role's are assumed various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Unusual Instance Metadata Service (IMDS) API Request" diff --git a/rules/linux/defense_evasion_acl_modification_via_setfacl.toml b/rules/linux/defense_evasion_acl_modification_via_setfacl.toml index a27dcc37ec6..5d28c2abd93 100644 
--- a/rules/linux/defense_evasion_acl_modification_via_setfacl.toml +++ b/rules/linux/defense_evasion_acl_modification_via_setfacl.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ description = """ This rule detects Linux Access Control List (ACL) modification via the setfacl command. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Access Control List Modification via setfacl" diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index 04675023c8e..024008d82c8 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ Adversaries may attempt to disable the iptables or firewall service in an attemp receive or send network traffic. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Attempt to Disable IPTables or Firewall" diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index c5dc2298b82..b8eb9f0e226 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Adversaries may attempt to disable the syslog service in an attempt to an attemp detection by security controls. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Attempt to Disable Syslog Service" diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 011dc4721f0..613f65a3b6d 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Base16 or Base32 Encoding/Decoding Activity" diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index bb66372e2fb..405cf25b306 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ opened in write mode. Threat actors will commonly utilize this to prevent tamper files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" max_signals = 33 
diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml index 773c4da0cc3..9e4dc7450cc 100644 --- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Monitors for the deletion of the kernel ring buffer events through dmesg. Attack to evade detection after installing a Linux kernel module (LKM). """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Attempt to Clear Kernel Ring Buffer" diff --git a/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml b/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml index dd98206f9e8..5e4687c75a5 100644 --- a/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml +++ b/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ Identify activity related where adversaries can add the 'hidden' flag to files t to evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Hidden Files and Directories via Hidden Flag" diff --git a/rules/linux/defense_evasion_directory_creation_in_bin.toml b/rules/linux/defense_evasion_directory_creation_in_bin.toml index ff4dc6d7fab..819542e63f5 100644 --- a/rules/linux/defense_evasion_directory_creation_in_bin.toml +++ b/rules/linux/defense_evasion_directory_creation_in_bin.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ files that are required for the system to function properly. The creation of dir attempt to hide malicious files or executables, as these /bin directories usually just contain binaries. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Directory Creation in /bin directory" diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml index 6dbf13a0351..4ac7da81c95 100644 --- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml +++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml 
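Review bot: This is the first hunk in the patch that selects `logs-endpoint.events.file*` instead of `process*`, which only makes sense if the hidden-files rule is a `file where ...` query on names beginning with `.`; the query is outside the hunk, so that assumption needs confirming, because a `process where` query would get zero Defend hits from the file stream without any validation error. Since `logs-auditd_manager.auditd-*` and `auditbeat-*` remain in the list, auditd-sourced events would still cover this rule if Defend file-event collection were disabled in policy, so the exposure is limited to Defend coverage. If the query is a sequence that joins file and process events, it would now need both `logs-endpoint.events.file*` and `logs-endpoint.events.process*` in `index`.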
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ fine-grained access control policies to restrict the actions and resources that access. Adversaries may disable security tools to avoid possible detection of their tools and activities. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Disabling of AppArmor" diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index 32fba2c5e81..3b3e6dd8c01 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -14,7 +14,7 @@ support access control policies. Adversaries may disable security tools to avoid activities. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Disabling of SELinux" diff --git a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml index c07ff4d976f..03e17d56c22 100644 --- a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml +++ b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/08" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ shared library that is used by the Linux kernel to load and execute programs. At execution flow of a program by modifying the dynamic linker configuration files. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Dynamic Linker Creation or Modification" diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml index aa321096af7..b7b54978b9c 100644 --- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml +++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml 
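Review bot: In the dynamic-linker hunk Elastic Defend is the rule's only source (`integration = ["endpoint"]` and the new `index` is just `["logs-endpoint.events.file*"]`), so unlike the multi-source rules above there is no auditd, Endgame or third-party fallback if the file stream does not carry the events the query expects. The description speaks of creation or modification of dynamic linker configuration files, which points to a `file where` query, but the query itself is not in the hunk and should be checked before the pattern is narrowed. This rule also carries no `min_stack_version`, so presumably the narrowed pattern ships to every stack version the rule targets; worth confirming the file data stream name is stable across those versions.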
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ their presence in the touch command arguments may indicate that a threat actor i of VM-related files and configurations on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "ESXI Timestomping using Touch Command" diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 5391b81c5a8..d7de9703aa8 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ a network and how. Adversaries may remove these files over the course of an intr remove them at the end as part of the post-intrusion cleanup process. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "File Deletion via Shred" 
diff --git a/rules/linux/defense_evasion_hidden_directory_creation.toml b/rules/linux/defense_evasion_hidden_directory_creation.toml index 929e64c9422..76312a85791 100644 --- a/rules/linux/defense_evasion_hidden_directory_creation.toml +++ b/rules/linux/defense_evasion_hidden_directory_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Hidden Directory Creation via Unusual Parent" diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index b6e8178ba21..ab2a7a74da8 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" max_signals = 33 diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index 972126958bb..82d386bd667 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ a "." as the first character in the file or folder name. Adversaries can use thi folders on the system for persistence and defense evasion. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" max_signals = 33 diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index c8a356d3c8e..065c84ee7ef 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Kernel Module Removal" diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml index 41af91bd706..5047db3c552 100644 --- a/rules/linux/defense_evasion_kthreadd_masquerading.toml +++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml 
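Review bot: Two neighbouring "hidden" rules now diverge: `defense_evasion_hidden_file_dir_tmp` (previous hunk) moves to `logs-endpoint.events.process*` while this `defense_evasion_hidden_shared_object` hunk moves to `logs-endpoint.events.file*`. That split is correct only if the first is a command-line detection and the second a `file where` detection on dot-prefixed shared objects, as their descriptions suggest; both queries are outside the hunks, so each event category should be checked against the stream chosen, since a mismatch produces a rule that loads cleanly but never fires on Defend data. `auditbeat-*`, `endgame-*` and SentinelOne stay in the shared-object rule, so the risk is confined to Defend coverage.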
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ as kthreadd and kworker typically do not have process.executable fields associat hide their malicious programs by masquerading as legitimate kernel processes. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Executable Masquerading as Kernel Process" diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index 7c0d2d251fe..814aee33818 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies the deletion of sensitive Linux system logs. This may indicate an att forensic evidence on a system. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "System Log File Deletion" diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index f7b5185aa3a..b1b3758bffa 100644 
--- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ hidepid option all the user has to do is remount the /proc filesystem with the o detected. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Hidden Process via Mount Hidepid" diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml index 7986d531651..40d530a9378 100644 --- a/rules/linux/defense_evasion_potential_proot_exploits.toml +++ b/rules/linux/defense_evasion_potential_proot_exploits.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -20,7 +20,7 @@ malicious payload or elevate privileges or perform network scans or orchestrate Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Defense Evasion via PRoot" diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index b033e004796..9237b08e9ff 100644 --- a/rules/linux/defense_evasion_rename_esxi_files.toml +++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies instances where VMware-related files, such as those with extensions l event action associated with these file types, which could indicate malicious activity. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Suspicious Renaming of ESXI Files" diff --git a/rules/linux/defense_evasion_rename_esxi_index_file.toml b/rules/linux/defense_evasion_rename_esxi_index_file.toml index db701e9a6c9..ab0619ad0c7 100644 --- a/rules/linux/defense_evasion_rename_esxi_index_file.toml +++ b/rules/linux/defense_evasion_rename_esxi_index_file.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ The rule monitors for the "rename" event action associated with this specific fi malicious activity. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Suspicious Renaming of ESXI index.html File" diff --git a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml index 643e151226b..244d0e21321 100644 --- a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml +++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ directly, the commands will be executed in the background via its parent process to execute commands while attempting to evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potentially Suspicious Process Started via tmux or screen" diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml index b2ab0c4bdac..5630ad2483e 100644 --- a/rules/linux/discovery_dynamic_linker_via_od.toml +++ b/rules/linux/discovery_dynamic_linker_via_od.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ for examining and debugging binary files or data streams. Attackers can leverage identifying injection points and craft exploits based on the observed behaviors and structures within these files. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Dynamic Linker Discovery via od" diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index 6e4547b09f7..eae69d1e367 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -15,7 +15,7 @@ software, and their presence in the find command arguments may indicate that a t analyze, or manipulate VM-related files and configurations on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "ESXI Discovery via Find" diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index 4fa7fedc1e3..063a4e64759 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "v may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "ESXI Discovery via Grep" diff --git a/rules/linux/discovery_kernel_seeking.toml b/rules/linux/discovery_kernel_seeking.toml index 0b9e8830503..72efe98deed 100644 --- a/rules/linux/discovery_kernel_seeking.toml +++ b/rules/linux/discovery_kernel_seeking.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/22" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ to search the Linux kernel for available symbols, functions, and other informati kernel. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Kernel Seeking Activity" diff --git a/rules/linux/discovery_kernel_unpacking.toml b/rules/linux/discovery_kernel_unpacking.toml index fa7d0695c9d..81323d2a478 100644 --- a/rules/linux/discovery_kernel_unpacking.toml +++ b/rules/linux/discovery_kernel_unpacking.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/22" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ This rule detects kernel unpacking activity through several built-in Linux utili to unpack kernel images and modules to search for vulnerabilities or to modify the kernel. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Kernel Unpacking Activity" diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index 79193866414..df98c5ebf3d 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -19,7 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Hping Process Activity" diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index cdb26df5e17..760afd3f369 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Nping Process Activity" diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml index 932c0dbe220..a14fb277651 100644 --- a/rules/linux/discovery_pam_version_discovery.toml +++ b/rules/linux/discovery_pam_version_discovery.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ This rule detects PAM version discovery activity on Linux systems. PAM version d attacker attempting to backdoor the authentication process through malicious PAM modules. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Pluggable Authentication Module (PAM) Version Discovery" diff --git a/rules/linux/discovery_polkit_version_discovery.toml b/rules/linux/discovery_polkit_version_discovery.toml index 1ea639d8133..0a2202d69cc 100644 --- a/rules/linux/discovery_polkit_version_discovery.toml +++ b/rules/linux/discovery_polkit_version_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/22" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ This rule detects Polkit version discovery activity on Linux systems. Polkit ver indication of an attacker attempting to exploit misconfigurations or vulnerabilities in the Polkit service. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Polkit Version Discovery" 
diff --git a/rules/linux/discovery_private_key_password_searching_activity.toml b/rules/linux/discovery_private_key_password_searching_activity.toml index 495e0053a07..356264921ae 100644 --- a/rules/linux/discovery_private_key_password_searching_activity.toml +++ b/rules/linux/discovery_private_key_password_searching_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ This rule detects private key searching activity on Linux systems. Searching for attacker attempting to escalate privileges or exfiltrate sensitive information. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Private Key Searching Activity" diff --git a/rules/linux/discovery_proc_maps_read.toml b/rules/linux/discovery_proc_maps_read.toml index 1b628573d2d..fbc0fb36c8e 100644 --- a/rules/linux/discovery_proc_maps_read.toml +++ b/rules/linux/discovery_proc_maps_read.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ detailing the memory segments, permissions, and what files are mapped to these s memory map to identify memory addresses for code injection or process hijacking. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious /proc/maps Discovery" 
diff --git a/rules/linux/discovery_process_capabilities.toml b/rules/linux/discovery_process_capabilities.toml index 5d1ceb285e6..dc379d05024 100644 --- a/rules/linux/discovery_process_capabilities.toml +++ b/rules/linux/discovery_process_capabilities.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies recursive process capability enumeration of the entire filesystem thr may manipulate identified capabilities to gain root privileges. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Process Capability Enumeration" diff --git a/rules/linux/discovery_security_file_access_via_common_utility.toml b/rules/linux/discovery_security_file_access_via_common_utility.toml index 77e8b38321e..e345c1f4c8a 100644 --- a/rules/linux/discovery_security_file_access_via_common_utility.toml +++ b/rules/linux/discovery_security_file_access_via_common_utility.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ This rule detects sensitive security file access via common utilities on Linux s
 from sensitive files using common utilities to gather information about the system and its security configuration.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
+index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Security File Access via Common Utilities"
diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
index 4d5f05ee658..fe6b11cc968 100644
--- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml
+++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ the invoking user. Attackers may execute this command to enumerate commands allo
 permissions, potentially allowing to escalate privileges to root.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
+index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Sudo Command Enumeration Detected"
diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml
index 35482e28743..dbd83aa0b45 100644
--- a/rules/linux/discovery_suid_sguid_enumeration.toml
+++ b/rules/linux/discovery_suid_sguid_enumeration.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/24"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ an attacker is able to enumerate and find a binary that is misconfigured, they m
 misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "SUID/SGUID Enumeration Detected"
diff --git a/rules/linux/discovery_suspicious_memory_grep_activity.toml b/rules/linux/discovery_suspicious_memory_grep_activity.toml
index d3e44c6ac62..e9520b48079 100644
--- a/rules/linux/discovery_suspicious_memory_grep_activity.toml
+++ b/rules/linux/discovery_suspicious_memory_grep_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ specific process, detailing the memory segments, permissions, and what files are
 read a process's memory map to identify memory addresses for code injection or process hijacking.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Memory grep Activity"
diff --git a/rules/linux/discovery_suspicious_which_command_execution.toml b/rules/linux/discovery_suspicious_which_command_execution.toml
index ce077dd902d..92116188fab 100644
--- a/rules/linux/discovery_suspicious_which_command_execution.toml
+++ b/rules/linux/discovery_suspicious_which_command_execution.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ leverage the which command to enumerate the system for useful installed utilitie
 system to escalate privileges or move latteraly across the network.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious which Enumeration"
diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml
index ad351fb672d..e37017ee7a4 100644
--- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml
+++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/24"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ behavior is unusual, and may be indicative of the execution of an enumeration sc
 scripts leverage the "id" command to enumerate the privileges of all users present on the system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual User Privilege Enumeration via id"
diff --git a/rules/linux/discovery_yum_dnf_plugin_detection.toml b/rules/linux/discovery_yum_dnf_plugin_detection.toml
index bfeef246d2a..d0829ba736a 100644
--- a/rules/linux/discovery_yum_dnf_plugin_detection.toml
+++ b/rules/linux/discovery_yum_dnf_plugin_detection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ to search for YUM/DNF configurations and/or plugins with an enabled state. This
 attempting to establish persistence in a YUM or DNF plugin.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Yum/DNF Plugin Status Discovery"
diff --git a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml
index 00e2a0f6f3c..75fb1e6c1b5 100644
--- a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml
+++ b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP UR
 crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "File Creation by Cups or Foomatic-rip Child"
diff --git a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml
index 680ec8ef8ba..1c8a89cd072 100644
--- a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml
+++ b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ through crafted UDP packets or network spoofing. This can result in arbitrary co
 initiated.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["endgame-*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Printer User (lp) Shell Execution"
diff --git a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml
index fb4fcdc909e..2a9e3882054 100644
--- a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml
+++ b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ remote unauthenticated attackers to manipulate IPP URLs or inject malicious data
 spoofing. This can result in arbitrary command execution when a print job is initiated.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
+index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Cupsd or Foomatic-rip Shell Execution"
diff --git a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
index db4f72abaa1..baff7f2d5ac 100644
--- a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
+++ b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ through crafted UDP packets or network spoofing. This can result in arbitrary co
 initiated.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
+index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution from Foomatic-rip or Cupsd Parent"
diff --git a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
index 9397f734f14..086dcc36c06 100644
--- a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
+++ b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instruc
 this rule.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential curl CVE-2023-38545 Exploitation"
diff --git a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
index c555a3312c1..1e15219c594 100644
--- a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
+++ b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ entrypoint is a command or script specified in the Dockerfile and executed when
 this technique to establish a foothold in the environment, escape from a container to the host, or establish persistence.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Egress Connection from Entrypoint in Container"
diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml
index 1a9f053b7e3..6221e571c8e 100644
--- a/rules/linux/execution_file_execution_followed_by_deletion.toml
+++ b/rules/linux/execution_file_execution_followed_by_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/24"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ directory often used for malicious purposes by threat actors. This behavior is o
 malicious code and delete itself to hide its tracks.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "File Creation, Execution and Self-Deletion in Suspicious Directory"
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
index 47330570bc6..6f29f3951b8 100644
--- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
+++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/24"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["auditbeat-*", "logs-endpoint.events.network*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "File Transfer or Listener Established via Netcat"
diff --git a/rules/linux/execution_interpreter_tty_upgrade.toml b/rules/linux/execution_interpreter_tty_upgrade.toml
index a29e2ce0515..1d9edd02b53 100644
--- a/rules/linux/execution_interpreter_tty_upgrade.toml
+++ b/rules/linux/execution_interpreter_tty_upgrade.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ simple reverse shell to a fully interactive tty after obtaining initial access t
 stable connection.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Upgrade of Non-interactive Shell"
diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml
index d0b9ca17f43..d30212828a0 100644
--- a/rules/linux/execution_nc_listener_via_rlwrap.toml
+++ b/rules/linux/execution_nc_listener_via_rlwrap.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Netcat Listener Established via rlwrap"
diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
index 184a0a06b5d..39958a99e37 100644
--- a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
+++ b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/13"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ cases overly permissive, and should (especially in conjunction with an outbound
 thoroughly.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
+index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Connection from Binary with RWX Memory Region"
diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml
index e8f276243a4..18f1cdda773 100644
--- a/rules/linux/execution_network_event_post_compilation.toml
+++ b/rules/linux/execution_network_event_post_compilation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/24"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ connection event. This behavior can indicate the set up of a reverse tcp connect
 Attackers may spawn reverse shells to establish persistence onto a target system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*", "logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Connection via Recently Compiled Executable"
diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml
index d83be6e0342..639aac82354 100644
--- a/rules/linux/execution_potential_hack_tool_executed.toml
+++ b/rules/linux/execution_potential_hack_tool_executed.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ this rule should be investigated further, as hack tools are commonly used by blu
 well.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Linux Hack Tool Launched"
diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml
index cf89945fd35..9188badd565 100644
--- a/rules/linux/execution_process_started_from_process_id_file.toml
+++ b/rules/linux/execution_process_started_from_process_id_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/11"
 integration = ["endpoint", "auditd_manager", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*"]
+index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Started from Process ID (PID) File"
diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml
index d70310f3aa0..2c230e7fb95 100644
--- a/rules/linux/execution_process_started_in_shared_memory_directory.toml
+++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["endgame-*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Binary Executed from Shared Memory Directory"
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index 1ab71d1ab2a..840ce3b7edb 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a
 interactive tty after obtaining initial access to a host.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Interactive Terminal Spawned via Python"
diff --git a/rules/linux/execution_python_webserver_spawned.toml b/rules/linux/execution_python_webserver_spawned.toml
index 84d53f57b5c..a5c56cdcd63 100644
--- a/rules/linux/execution_python_webserver_spawned.toml
+++ b/rules/linux/execution_python_webserver_spawned.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ This rule identifies when a web server is spawned via Python. Attackers may use
 exfiltrate/infiltrate data or to move laterally within a network.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
+index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Web Server Spawned via Python"
diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml
index 2d9d6ec7f5f..23b306e43a9 100644
--- a/rules/linux/execution_remote_code_execution_via_postgresql.toml
+++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/06/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/24"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ which can result in unauthorized access and malicious actions, and facilitate po
 unauthorized access and malicious actions.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["endgame-*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Code Execution via Postgresql"
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml
index bb7b2c29a66..7dfe90cd632 100644
--- a/rules/linux/execution_shell_evasion_linux_binary.toml
+++ b/rules/linux/execution_shell_evasion_linux_binary.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/17"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ system shell. The activity of spawning a shell from a binary is not common behav
 and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux Restricted Shell Breakout via Linux Binary(s)"
diff --git a/rules/linux/execution_shell_openssl_client_or_server.toml b/rules/linux/execution_shell_openssl_client_or_server.toml
index 5fce4337ccf..c91ef9fb642 100644
--- a/rules/linux/execution_shell_openssl_client_or_server.toml
+++ b/rules/linux/execution_shell_openssl_client_or_server.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/24"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ establish a secure connection to a remote server or to create a secure server to
 may be used to exfiltrate data or establish a command and control channel.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Openssl Client or Server Activity"
diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml
index 482507d447f..057f3fab8e6 100644
--- a/rules/linux/execution_shell_via_background_process.toml
+++ b/rules/linux/execution_shell_via_background_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Monitors for the execution of background processes with process arguments capabl
 channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via Background Process"
diff --git a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
index cc04183c1bd..cb4b21a61df 100644
--- a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
+++ b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ activity consists of a network event that is followed by the creation of a shell
 arguments. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via Child"
diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml
index e1dbc140954..b45e10e2657 100644
--- a/rules/linux/execution_shell_via_java_revshell_linux.toml
+++ b/rules/linux/execution_shell_via_java_revshell_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ This detection rule identifies the execution of a Linux shell process from a Jav
 network connection. This behavior may indicate reverse shell activity via a Java application.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via Java"
diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
index cae82200bc1..4640cc46cb7 100644
--- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
+++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ the specified utilities that are initialized from a single process followed by a
 captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via Suspicious Child Process"
diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml
index 0fe844990be..a3e2057910d 100644
--- a/rules/linux/execution_shell_via_suspicious_binary.toml
+++ b/rules/linux/execution_shell_via_suspicious_binary.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ spawned. Stageless reverse tcp shells display this behaviour. Attackers may spaw
 persistence onto a target system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via Suspicious Binary"
diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
index 8a7e50d193d..3a93c51c73a 100644
--- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
+++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ activity consists of a parent-child relationship where a network event is follow
 An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell"
diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
index 08691468699..9056e38af37 100644
--- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
+++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ output from tail can be piped to funzip in order to decompress malicious code be consistent with malware families such as Bundlore. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Content Extracted or Decompressed via Funzip" diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index f07b9025d8b..75a52429d9f 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies service creation events of common mining services, possibly indicatin cryptominer. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Mining Process Creation Event" 
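Review bot: The rule is named `Suspicious Mining Process Creation Event` and its description speaks of "service creation events", yet the Elastic Defend index is narrowed to `logs-endpoint.events.file*` alone, so a `process` category clause in the query (outside this hunk) would no longer be fed Defend data. Please confirm the query is `file where ...` only; if it also keys on process execution, the list should read `index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.file*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]`. The non-Defend patterns kept here are unaffected by the narrowing.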
diff --git a/rules/linux/execution_system_binary_file_permission_change.toml b/rules/linux/execution_system_binary_file_permission_change.toml index c5622803be1..c43395afbbe 100644 --- a/rules/linux/execution_system_binary_file_permission_change.toml +++ b/rules/linux/execution_system_binary_file_permission_change.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/22" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ This rule identifies file permission modification events on files located in com hide their payloads in the default Linux system directories, and modify the file permissions of these payloads prior to execution. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "System Binary Path File Permission Modification" diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index d484d173106..154708e80c4 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ A threat actor can utilize tc to set a bpf filter on an interface for the purpos This technique is not at all common and should indicate abnormal, suspicious or malicious activity. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "BPF filter applied using TC" 
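Review bot: The description says this rule identifies "file permission modification events" on system binary paths, but the only remaining index is `logs-endpoint.events.process*`; if the query relies on a `file` category event (a permission/attribute-change action) rather than on `chmod`/`chown` process execution, Defend file events will no longer be read. The query is not in this hunk, so please verify its `event.category`; if it is process-only the change is correct, otherwise add `"logs-endpoint.events.file*"` to the list. Unlike most rules in this sweep this one has no `endgame-*` or third-party fallback index, so a mismatch would disable the rule entirely.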
diff --git a/rules/linux/execution_unix_socket_communication.toml b/rules/linux/execution_unix_socket_communication.toml index f788067e6fe..b31d97f5fdc 100644 --- a/rules/linux/execution_unix_socket_communication.toml +++ b/rules/linux/execution_unix_socket_communication.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ privileges or set up malicious communication channels via Unix sockets for inter evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Unix Socket Connection" diff --git a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml index 7cf613d4335..3b1a1f4a34a 100644 --- a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml +++ b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -14,7 +14,7 @@ for exfiltration on Linux systems. Data splitting is a technique used by adversa avoid detection and exfiltrate data. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Data Splitting Detected" diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml index e994de1025d..f0db697d35b 100644 --- a/rules/linux/impact_data_encrypted_via_openssl.toml +++ b/rules/linux/impact_data_encrypted_via_openssl.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Adversaries may encrypt data on a single or multiple systems in order to disrupt and may attempt to hold the organization's data to ransom for the purposes of extortion. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious Data Encryption via OpenSSL Utility" diff --git a/rules/linux/impact_esxi_process_kill.toml b/rules/linux/impact_esxi_process_kill.toml index 149015fce4a..f97a7adf9ab 100644 --- a/rules/linux/impact_esxi_process_kill.toml +++ b/rules/linux/impact_esxi_process_kill.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ command. The rule monitors for the "end" event type, which signifies the termina interfere with the virtualized environment on the targeted system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious Termination of ESXI Process" diff --git a/rules/linux/impact_memory_swap_modification.toml b/rules/linux/impact_memory_swap_modification.toml index 07c7b897207..d39b8f1763d 100644 --- a/rules/linux/impact_memory_swap_modification.toml +++ b/rules/linux/impact_memory_swap_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ the system's memory and potentially impact the system's performance. This behavi deploys miner software such as XMRig. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Memory Swap Modification" diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index 8d1787e9789..3353a9b725b 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -14,7 +14,7 @@ decryption key. One important indicator of a ransomware attack is the mass encry new file extension is added to the file. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Ransomware Note Creation Detected" diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml index cd5672bdc5b..b111e3b5fc0 100644 --- a/rules/linux/lateral_movement_ssh_it_worm_download.toml +++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies processes that are capable of downloading files with command line arg autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential SSH-IT SSH Worm Downloaded" diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index 1d83b8fdd41..68dda3bbad7 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Connection to External Network via Telnet" diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml index f3935e9cdb8..107c0a38bc3 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Connection to Internal Network via Telnet" diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml index 46456642634..625d5d4de54 100644 --- a/rules/linux/persistence_apt_package_manager_execution.toml +++ b/rules/linux/persistence_apt_package_manager_execution.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ repositories. Attackers can backdoor APT to gain persistence by injecting malici thereby ensuring continued unauthorized access or control each time APT is used for package management. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious APT Package Manager Execution" diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml index 6b806e42ebe..0dffc185e77 100644 --- a/rules/linux/persistence_apt_package_manager_netcon.toml +++ b/rules/linux/persistence_apt_package_manager_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ repositories. Attackers can backdoor APT to gain persistence by injecting malici thereby ensuring continued unauthorized access or control each time APT is used for package management. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious APT Package Manager Network Connection" diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 5d417d59a93..2a908cda88a 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -55,7 +55,7 @@ either a start or a kill entry in every runlevel and when the system is rebooted providing long-term persistence. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Chkconfig Service Add" diff --git a/rules/linux/persistence_dpkg_unusual_execution.toml b/rules/linux/persistence_dpkg_unusual_execution.toml index ff1d13c999e..a6fe79198dd 100644 --- a/rules/linux/persistence_dpkg_unusual_execution.toml +++ b/rules/linux/persistence_dpkg_unusual_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ command is used to install, remove, and manage Debian packages on a Linux system to install malicious packages on a system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Unusual DPKG Execution" diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index 7825dba63ea..c59e3a57064 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -56,7 +56,7 @@ inject and preload a malicious shared object file. This activity should never oc considered highly suspicious or malicious. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Dynamic Linker Copy" diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index 5db941163f4..7cd3bbae746 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/22" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -57,7 +57,7 @@ elevate privileges on compromised systems. File creation in these directories sh indicate a malicious binary or script installing persistence mechanisms for long term access. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Deprecated - Suspicious File Creation in /etc for Persistence" diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index e933187bed6..b268ef38aac 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml 
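Review bot: The rule already carries the title `Deprecated - Suspicious File Creation in /etc for Persistence`, so tightening its index pattern and bumping `updated_date` is churn on a rule slated for removal. Unless the deprecation has been reversed, consider leaving rules marked deprecated out of this sweep, or confirm that the repository's deprecation workflow tolerates a metadata bump on them. If the change stays, `logs-endpoint.events.file*` is consistent with the file-creation behaviour the description states.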
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -42,7 +42,7 @@ can convert init.d files to service unit files that run at boot. Adversaries may /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "System V Init Script Created" diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index 3475045d5eb..be9b7a9fe67 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -41,7 +41,7 @@ security products. Manually loading a kernel module in this manner should not be suspcious or malicious behavior. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Kernel Module Load via insmod" 
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index ce945fed552..9fd2b9acc31 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -83,7 +83,7 @@ Identifies the creation or modification of a K Desktop Environment (KDE) AutoSta execute upon each user logon. Adversaries may abuse this method for persistence. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Persistence via KDE AutoStart Script or Desktop File Modification" diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml index 81927769bb2..79e32fb1943 100644 --- a/rules/linux/persistence_kworker_file_creation.toml +++ b/rules/linux/persistence_kworker_file_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] 
@@ -54,7 +54,7 @@ to be done in kernel space, which might include tasks like handling interrupts, kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. """ from = "now-9m" -index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] +index = ["endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Suspicious File Creation via Kworker" diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index be6a103295e..70a01525ea2 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -38,7 +38,7 @@ Identifies the attempt to create a new backdoor user by setting the user's UID t 0 to establish persistence on a system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Backdoor User Account Creation" diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index bcf271a4fdb..75ef6bee4a2 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml 
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -42,7 +42,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Remote Code Execution via Web Server" diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index ed911093468..192d6627424 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -31,7 +31,7 @@ Identifies attempts to add a user to a privileged group. Attackers may add users establish persistence on a system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Linux User Added to Privileged Group" 
diff --git a/rules/linux/persistence_manual_dracut_execution.toml b/rules/linux/persistence_manual_dracut_execution.toml index 8f9cadc0cc1..260b43dcdab 100644 --- a/rules/linux/persistence_manual_dracut_execution.toml +++ b/rules/linux/persistence_manual_dracut_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/22" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ initramfs image that is used to boot the system. Attackers may use `dracut` to c that includes malicious code or backdoors, allowing them to maintain persistence on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Manual Dracut Execution" diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index 44c531d325f..29091adcc2f 100644 --- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -35,7 +35,7 @@ boot. Adversaries may alter rc.local/rc.common to execute malicious code at star system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "rc.local/rc.common File Creation" 
diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml index 455472a5449..f281b3b7e24 100644 --- a/rules/linux/persistence_setuid_setgid_capability_set.toml +++ b/rules/linux/persistence_setuid_setgid_capability_set.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/03" +updated_date = "2025/02/04" [transform] [[transform.osquery]] @@ -41,7 +41,7 @@ file owner or group. Threat actors can exploit these attributes to achieve persi allowing them to maintain control over a compromised system with elevated permissions. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Setcap setuid/setgid Capability Set" diff --git a/rules/linux/persistence_ssh_netcon.toml b/rules/linux/persistence_ssh_netcon.toml index abf7fbba0c1..88130c4d2bf 100644 --- a/rules/linux/persistence_ssh_netcon.toml +++ b/rules/linux/persistence_ssh_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ new SSH login occurs. Attackers can also backdoor the SSH daemon to allow for pe or to steal credentials. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Network Connection Initiated by SSHD Child Process" 
diff --git a/rules/linux/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml index f3e87559052..2dfb4da2e50 100644 --- a/rules/linux/persistence_suspicious_file_opened_through_editor.toml +++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ through an editor will trigger this event. Attackers may alter any of the files persistence, escalate privileges or perform reconnaisance on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" max_signals = 1 diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml index dafd11750df..5be74bebb7e 100644 --- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml +++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ It identifies potential malicious shell executions through remote SSH and detect terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Execution via XZBackdoor" 
diff --git a/rules/linux/persistence_systemd_netcon.toml b/rules/linux/persistence_systemd_netcon.toml index a47b7303adb..f010db5e51e 100644 --- a/rules/linux/persistence_systemd_netcon.toml +++ b/rules/linux/persistence_systemd_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ or commands, or by replacing legitimate systemd binaries with compromised ones, automatically executed at system startup or during certain system events. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious Network Connection via systemd" diff --git a/rules/linux/persistence_xdg_autostart_netcon.toml b/rules/linux/persistence_xdg_autostart_netcon.toml index 6abecb878d7..a4053fb7b6a 100644 --- a/rules/linux/persistence_xdg_autostart_netcon.toml +++ b/rules/linux/persistence_xdg_autostart_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ helps to identify potential malicious activity where an attacker may have modifi persistence on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Network Connections Initiated Through XDG Autostart Entry" diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml index 5a802bc7ad8..6dd7ba60122 100644 --- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml 
+++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ commands or input containing wildcards (e.g., *, ?, []) to execute unintended op
 tricking the system into interpreting the wildcard characters in unexpected ways.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Unauthorized Access via Wildcard Injection Detected"
diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml
index 42f91415ab3..bee56739f5a 100644
--- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml
+++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/31"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ able to create and run a container that mounts the root folder or spawn a privil
 escape attack, which might allow them to escalate privileges and gain further access onto the host file system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via Container Misconfiguration"
diff --git a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml
index f0581fb23e5..eb87c2531d8 100644
--- a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml
+++ b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ within a container is capable of mounting the root file system of the host, and
 containarized environment. This behavior pattern is very uncommon and should be investigated.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Chroot Container Escape via Mount"
diff --git a/rules/linux/privilege_escalation_enlightenment_window_manager.toml b/rules/linux/privilege_escalation_enlightenment_window_manager.toml
index 6b7dc4ae353..163762f1cb3 100644
--- a/rules/linux/privilege_escalation_enlightenment_window_manager.toml
+++ b/rules/linux/privilege_escalation_enlightenment_window_manager.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Enlightenment. enlightenment_sys in Enlightenment before 0.25.4 allows local use
 setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via Enlightenment"
diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
index 5d3662cea93..d9f136f68e5 100644
--- a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
+++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ Attackers may leverage this capability to hook and inject into a process that is
 to escalate their privileges to root.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Privilege Escalation via GDB CAP_SYS_PTRACE"
diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
index 1b5d1c83725..b03edb7d5b6 100644
--- a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
+++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ processes. Attackers may leverage this capability to hook and inject into a proc
 permissions in order to execute shell code and gain a reverse shell with root privileges.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Root Network Connection via GDB CAP_SYS_PTRACE"
diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml
index bbfc3315906..5c695d128cc 100644
--- a/rules/linux/privilege_escalation_kworker_uid_elevation.toml
+++ b/rules/linux/privilege_escalation_kworker_uid_elevation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ hijack the execution flow by hooking certain functions/syscalls through a rootki
 root via a special modified command.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["endgame-*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Kworker UID Elevation"
diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
index 146c9775d1d..af3b13bbbe3 100644
--- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
+++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ privileged process into following the symbolic link to a sensitive file, giving
 capabilities they would not normally have.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Symbolic Link Created"
diff --git a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
index 92e93513b1e..9c7f2352d62 100644
--- a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
+++ b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/27"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ allowed UID size (INT_MAX). Some older Linux versions were affected by a bug whi
 greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*"]
+index = ["endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via UID INT_MAX Bug Detected"
diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
index 487698dcb69..1f39e9a2a8c 100644
--- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
+++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ escalate privileges, establish persistence or hide their activities by loading a
 tamper with the system's trusted state, allowing e.g. a VM Escape.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kernel Load or Unload via Kexec Detected"
diff --git a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
index db331d56794..7f703f3cf39 100644
--- a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
+++ b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects potential privilege escalation attempts through Looney Tunable
 buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via CVE-2023-4911"
diff --git a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
index c10a5214353..52cc3a0faa7 100644
--- a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
+++ b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/27"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ reverse shell shellcode is injected into a process run with elevated permissions
 inject shellcode into processes running as root, to escalate privileges.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["endgame-*", "logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Connection via Sudo Binary"
diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
index abc06624f8a..c7b540738b2 100644
--- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
+++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ modifications to OverlayFS. These flaws allow the creation of specialized execut
 ability to escalate privileges to root on the affected machine.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via OverlayFS"
diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
index 0b74052275b..793e90b2b57 100644
--- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
+++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies an attempt to exploit a local privilege escalation in polkit pkexec (
 variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via PKEXEC"
diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
index fabd017de00..a5d2203f979 100644
--- a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
+++ b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_version = "8.16.0"
 min_stack_comments = "Breaking change at 8.16.0 for the Endpoint Integration with respect to ecs field process.group.id"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ privileges. Attackers may leverage a misconfiguration for exploitation in order
 establish a backdoor for persistence.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Privilege Escalation via SUID/SGID"
diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
index d3f6d037f39..a3ba3a40cad 100644
--- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
+++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ vulnerability where attackers manipulate commands or input containing wildcards
 operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Shell via Wildcard Injection Detected"
diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
index 3ea1234fb5f..d916e1256e9 100644
--- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
+++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ root, such as the shadow file, root ssh private keys or other sensitive files th
 privileges.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Suspicious DebugFS Root Device Access"
diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
index b3c4583f75f..259c129272f 100644
--- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
+++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ that can be chosen arbitrarily. By using the sudo privileges, the command "sudo
 representing the root user. This exploit may work for sudo versions prior to v1.28.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["auditbeat-*", "endgame-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Sudo Privilege Escalation via CVE-2019-14287"
diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
index b0172b2cd1d..4cd122d636c 100644
--- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
+++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_version = "8.16.0"
 min_stack_comments = "Breaking change at 8.16.0 for the Endpoint Integration with respect to ecs field process.group.id"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ attackers to activate their own sudo token. This attack requires ptrace to be en
 of a living process that has a valid sudo token with the same uid as the current user.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Sudo Token Manipulation via Process Injection"
diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
index 016b5c7c445..9e7f6b499d7 100644
--- a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
+++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ privileges, based on the file owner or group. Threat actors can exploit these at
 privileges that are set on the binary that is being executed.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via Python cap_setuid"
diff --git a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
index e2c0f653c3d..0035cfea05d 100644
--- a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
+++ b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/08"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ owner of a file, while CAP_FOWNER permits it to bypass permission checks on oper
 reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
+index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.file*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities"
diff --git a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
index f16ef0d7c7b..923962a5d96 100644
--- a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
+++ b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/22"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ permissions or other privileges to add a new entry to the "/etc/passwd" file wit
 new user account to login as root.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "logs-auditd_manager.auditd-*"]
+index = ["logs-auditd_manager.auditd-*", "logs-endpoint.events.file*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Passwd File Event Action"
diff --git a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
index 0b459d067a2..fa50b74e797 100644
--- a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
+++ b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/08"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/27"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ change its UID and GID, respectively, providing control over user and group iden
 a misconfiguration for exploitation in order to escalate their privileges to root.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Privilege Escalation via CAP_SETUID/SETGID Capabilities"
diff --git a/rules/linux/privilege_escalation_uid_change_post_compilation.toml b/rules/linux/privilege_escalation_uid_change_post_compilation.toml
index d9cbb6f9bb2..79f3fc167b6 100644
--- a/rules/linux/privilege_escalation_uid_change_post_compilation.toml
+++ b/rules/linux/privilege_escalation_uid_change_post_compilation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ alteration of UID permissions to root privileges. This behavior can potentially
 software privilege escalation exploit.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via Recently Compiled Executable"
diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
index 31642cba6d3..110652ad38b 100644
--- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
+++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ or escape container security boundaries. Threat actors have utilized this binary
 host and access other resources or escalate privileges.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Namespace Manipulation Using Unshare"
diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml
index b635512f9d5..d295882bb9d 100644
--- a/rules/linux/privilege_escalation_writable_docker_socket.toml
+++ b/rules/linux/privilege_escalation_writable_docker_socket.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ sockets may be able to create and run a container that allows them to escalate p
 the host file system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation through Writable Docker Socket"