From 8bb951b5fb74736a9628d8cf94c77401da6be13b Mon Sep 17 00:00:00 2001
From: Andras Kovacs
Date: Mon, 10 Jul 2023 20:10:20 +0200
Subject: [PATCH 1/5] no need catch 32bit calls separately
---
 audit.rules | 46 ----------------------------------------------
 1 file changed, 46 deletions(-)
diff --git a/audit.rules b/audit.rules
index d590068..3cdacba 100644
--- a/audit.rules
+++ b/audit.rules
@@ -86,27 +86,21 @@
 -a never,exit -F subj_type=crond_t
 ## This prevents chrony from overwhelming the logs
--a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
 -a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
 ## This is not very interesting and wastes a lot of space if the server is public facing
 -a always,exclude -F msgtype=CRYPTO_KEY_USER
 ## VMware tools
--a never,exit -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
 -a never,exit -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
--a exit,never -F arch=b32 -S all -F exe=/usr/bin/vmtoolsd
 -a exit,never -F arch=b64 -S all -F exe=/usr/bin/vmtoolsd
 ## High Volume Event Filter (especially on Linux Workstations)
--a never,exit -F arch=b32 -F dir=/dev/shm -k sharedmemaccess
 -a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
--a never,exit -F arch=b32 -F dir=/var/lock/lvm -k locklvm
 -a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm
 ## FileBeat
--a never,exit -F arch=b32 -F path=/opt/filebeat -k filebeat
 -a never,exit -F arch=b64 -F path=/opt/filebeat -k filebeat
 ## More information on how to filter events
@@ -123,7 +117,6 @@
 -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
 -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
 -a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
--a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
 ## Modprobe configuration
 -w /etc/modprobe.conf -p wa -k modprobe
@@ -131,22 +124,17 @@
 ## KExec usage (all actions)
 -a always,exit -F arch=b64 -S kexec_load -k KEXEC
--a always,exit -F arch=b32 -S sys_kexec_load -k KEXEC
 ## Special files
--a always,exit -F arch=b32 -S mknod -S mknodat -k specialfiles
 -a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles
 ## Mount operations (only attributable)
 -a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount
--a always,exit -F arch=b32 -S mount -S umount -S umount2 -F auid!=-1 -k mount
 ## Change swap (only attributable)
 -a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
--a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap
 ## Time
--a always,exit -F arch=b32 -F uid!=ntp -S adjtimex -S settimeofday -S clock_settime -k time
 -a always,exit -F arch=b64 -F uid!=ntp -S adjtimex -S settimeofday -S clock_settime -k time
 ### Local time zone
 -w /etc/localtime -p wa -k localtime
@@ -198,22 +186,17 @@
 ## Network Environment
 ### Changes to hostname
--a always,exit -F arch=b32 -S sethostname -S setdomainname -k network_modifications
 -a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications
 ### Detect Remote Shell Use
--a always,exit -F arch=b32 -F exe=/bin/bash -F success=1 -S connect -k "remote_shell"
 -a always,exit -F arch=b64 -F exe=/bin/bash -F success=1 -S connect -k "remote_shell"
--a always,exit -F arch=b32 -F exe=/usr/bin/bash -F success=1 -S connect -k "remote_shell"
 -a always,exit -F arch=b64 -F exe=/usr/bin/bash -F success=1 -S connect -k "remote_shell"
 ### Successful IPv4 Connections
 -a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -F key=network_connect_4
--a always,exit -F arch=b32 -S connect -F a2=16 -F success=1 -F key=network_connect_4
 ### Successful IPv6 Connections
 -a always,exit -F arch=b64 -S connect -F a2=28 -F success=1 -F key=network_connect_6
--a always,exit -F arch=b32 -S connect -F a2=28 -F success=1 -F key=network_connect_6
 ### Changes to other files
 -w /etc/hosts -p wa -k network_modifications
@@ -304,19 +287,6 @@
 -w /var/log/wtmp -p wa -k session
 ## Discretionary Access Control (DAC) modifications
--a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=-1 -k perm_mod
--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=-1 -k perm_mod
--a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_mod
--a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod
--a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=-1 -k perm_mod
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_mod
--a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
--a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=-1 -k perm_mod
--a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
--a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod
--a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod
 -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=-1 -k perm_mod
 -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=-1 -k perm_mod
 -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_mod
@@ -439,7 +409,6 @@
 # Web Server Actvity
 ## Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
--a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
 -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
 ### https://clustershell.readthedocs.io/
@@ -469,13 +438,9 @@
 ## Injection
 ### These rules watch for code injection by the ptrace facility.
 ### This could indicate someone trying to do something bad or just debugging
--a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection
 -a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
--a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection
 -a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
--a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection
 -a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
--a always,exit -F arch=b32 -S ptrace -k tracing
 -a always,exit -F arch=b64 -S ptrace -k tracing
 ## Anonymous File Creation
@@ -483,7 +448,6 @@
 ### "memfd_create" creates anonymous file and returns a file descriptor to access it
 ### When combined with "fexecve" can be used to stealthily run binaries in memory without touching disk
 -a always,exit -F arch=b64 -S memfd_create -F key=anon_file_create
--a always,exit -F arch=b32 -S memfd_create -F key=anon_file_create
 ## Privilege Abuse
 ### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
@@ -492,10 +456,8 @@
 # Socket Creations
 # will catch both IPv4 and IPv6
--a always,exit -F arch=b32 -S socket -F a0=2 -k T1011_Exfiltration_Over_Other_Network_Medium
 -a always,exit -F arch=b64 -S socket -F a0=2 -k T1011_Exfiltration_Over_Other_Network_Medium
--a always,exit -F arch=b32 -S socket -F a0=10 -k T1011_Exfiltration_Over_Other_Network_Medium
 -a always,exit -F arch=b64 -S socket -F a0=10 -k T1011_Exfiltration_Over_Other_Network_Medium
 # Software Management ---------------------------------------------------------
@@ -747,29 +709,21 @@
 ## Root command executions
 -a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k rootcmd
--a always,exit -F arch=b32 -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k rootcmd
 ## File Deletion Events by User
--a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete
 -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete
 ## File Access
 ### Unauthorized Access (unsuccessful)
--a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k file_access
--a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k file_access
 -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k file_access
 -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k file_access
 ### Unsuccessful Creation
--a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
 -a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
--a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation
 -a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation
 ### Unsuccessful Modification
--a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
 -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
--a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
 -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
 ## 32bit API Exploitation
From d767272ffbac245bcdc129b1d7a086a11198546b Mon Sep 17 00:00:00 2001
From: Andras Kovacs
Date: Mon, 10 Jul 2023 20:54:28 +0200
Subject: [PATCH 2/5] officially supported guest agent is open-vm-tools
---
 audit.rules | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/audit.rules b/audit.rules
index 3cdacba..227fa7f 100644
--- a/audit.rules
+++ b/audit.rules
@@ -91,9 +91,7 @@
 ## This is not very interesting and wastes a lot of space if the server is public facing
 -a always,exclude -F msgtype=CRYPTO_KEY_USER
-## VMware tools
--a never,exit -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
-
+## Open VM Tools
 -a exit,never -F arch=b64 -S all -F exe=/usr/bin/vmtoolsd
 ## High Volume Event Filter (especially on Linux Workstations)
From 705153946b65d3e0ca837522a5d7bc7946ef7871 Mon Sep 17 00:00:00 2001
From: Andras Kovacs
Date: Thu, 13 Jul 2023 01:04:05 +0200
Subject: [PATCH 3/5] use "unset" consistently
---
 audit.rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/audit.rules b/audit.rules
index 227fa7f..452686d 100644
--- a/audit.rules
+++ b/audit.rules
@@ -86,7 +86,7 @@
 -a never,exit -F subj_type=crond_t
 ## This prevents chrony from overwhelming the logs
--a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F auid=-1 -F uid=chrony -F subj_type=chronyd_t
 ## This is not very interesting and wastes a lot of space if the server is public facing
 -a always,exclude -F msgtype=CRYPTO_KEY_USER
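Review bot: Dropping the `arch=b32` twins of the `rootcmd`, `delete`, `file_access`, `file_creation` and `file_modification` rules in this hunk leaves the 32-bit syscall ABI unaudited on x86_64 hosts, because a `-F arch=b64` rule only matches native 64-bit syscalls and a 32-bit binary or a hand-rolled compat (int 0x80) call avoids every rule shown here; the same holds for the module, kexec, mount, ptrace, execve and connect rules removed in the earlier hunks of this patch. The trailing context line `## 32bit API Exploitation` suggests a catch-all such as `-a always,exit -F arch=b32 -S all -k 32bit_api` follows it outside the hunk; if it does, 32-bit activity is still logged under that one key and the commit message should say so, and if it does not, the b32 rules should stay or such a catch-all be added. A one-line comment next to `## Root command executions`, e.g. `## b32 variants dropped on purpose; 32-bit syscalls are caught by the 32bit_api catch-all below`, would stop the next maintainer from re-adding them blindly.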
@@ -706,7 +706,7 @@
 -w /bin/ksh -p x -k susp_shell
 ## Root command executions
--a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k rootcmd
+-a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -k rootcmd
 ## File Deletion Events by User
 -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete
From a9de58fb81c4e626f22bef2336c66b60d14c9814 Mon Sep 17 00:00:00 2001
From: Andras Kovacs
Date: Thu, 13 Jul 2023 01:35:03 +0200
Subject: [PATCH 4/5] del duplicates
---
 audit.rules | 2 --
 1 file changed, 2 deletions(-)
diff --git a/audit.rules b/audit.rules
index 452686d..b7fef90 100644
--- a/audit.rules
+++ b/audit.rules
@@ -270,8 +270,6 @@
 ## Process ID change (switching accounts) applications
 -w /bin/su -p x -k priv_esc
 -w /usr/bin/sudo -p x -k priv_esc
--w /etc/sudoers -p rw -k priv_esc
--w /etc/sudoers.d -p rw -k priv_esc
 ## Power state
 -w /sbin/shutdown -p x -k power
From 3f77776d1adde7ac1205f57fff181561d7b42b4e Mon Sep 17 00:00:00 2001
From: Andras Kovacs
Date: Thu, 13 Jul 2023 02:47:37 +0200
Subject: [PATCH 5/5] del macOS related
---
 audit.rules | 81 -----------------------------------------------------------------------------
 1 file changed, 81 deletions(-)
diff --git a/audit.rules b/audit.rules
index b7fef90..9f35fa9 100644
--- a/audit.rules
+++ b/audit.rules
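Review bot: The subject says "use unset consistently" but both hunks of this patch settle on `-1`, not `unset`, so the message contradicts the change; the rest of the file already writes `auid!=-1`, so `-1` is the right pick and only the wording needs fixing. auditctl treats `-1`, `4294967295` and `unset` as the same unset loginuid, so the `rootcmd` rule itself behaves exactly as before.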
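Review bot: The two removed watches are not exact duplicates of whatever sudoers rules survive elsewhere in the file: these used `-p rw`, so they audited reads of `/etc/sudoers` and `/etc/sudoers.d`, which is how an unprivileged account enumerating sudo policy before an escalation attempt gets noticed. The surviving copies are outside this hunk, but the usual form in this ruleset is `-p wa`; if that is what remains, this commit silently drops read auditing of the sudo policy. Either keep one read-capable watch, e.g. `-w /etc/sudoers -p rwa -k priv_esc` and `-w /etc/sudoers.d -p rwa -k priv_esc`, or state in the commit message that read auditing was dropped deliberately because sudo reads the file on every invocation and makes the key noisy.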
@@ -337,35 +337,15 @@
 -w /usr/bin/gzip -p x -k T1002_Data_Compressed
 -w /usr/bin/tar -p x -k T1002_Data_Compressed
 -w /usr/bin/bzip2 -p x -k T1002_Data_Compressed
-
 -w /usr/bin/lzip -p x -k T1002_Data_Compressed
--w /usr/local/bin/lzip -p x -k T1002_Data_Compressed
-
 -w /usr/bin/lz4 -p x -k T1002_Data_Compressed
--w /usr/local/bin/lz4 -p x -k T1002_Data_Compressed
-
 -w /usr/bin/lzop -p x -k T1002_Data_Compressed
--w /usr/local/bin/lzop -p x -k T1002_Data_Compressed
-
 -w /usr/bin/plzip -p x -k T1002_Data_Compressed
--w /usr/local/bin/plzip -p x -k T1002_Data_Compressed
-
 -w /usr/bin/pbzip2 -p x -k T1002_Data_Compressed
--w /usr/local/bin/pbzip2 -p x -k T1002_Data_Compressed
-
 -w /usr/bin/lbzip2 -p x -k T1002_Data_Compressed
--w /usr/local/bin/lbzip2 -p x -k T1002_Data_Compressed
-
 -w /usr/bin/pixz -p x -k T1002_Data_Compressed
--w /usr/local/bin/pixz -p x -k T1002_Data_Compressed
-
 -w /usr/bin/pigz -p x -k T1002_Data_Compressed
--w /usr/local/bin/pigz -p x -k T1002_Data_Compressed
--w /usr/bin/unpigz -p x -k T1002_Data_Compressed
--w /usr/local/bin/unpigz -p x -k T1002_Data_Compressed
-
 -w /usr/bin/zstd -p x -k T1002_Data_Compressed
--w /usr/local/bin/zstd -p x -k T1002_Data_Compressed
 ## Added to catch netcat on Ubuntu
 -w /bin/nc.openbsd -p x -k susp_activity
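Review bot: This hunk removes `-w /usr/bin/unpigz -p x -k T1002_Data_Compressed`, which is a Linux path rather than a macOS one, so the `unpigz` watch is lost while its `/usr/bin/pigz` sibling is kept; that line should be restored. More broadly, `/usr/local/bin` is also the normal prefix for locally built tools on Linux, so the `/usr/local/bin/{lzip,lz4,lzop,plzip,pbzip2,lbzip2,pixz,pigz,unpigz,zstd}` watches were not macOS-specific and dropping them narrows coverage on Linux hosts that carry a source-built compressor. If the intent is to shrink the ruleset, the commit message should say so instead of calling these macOS rules.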
@@ -541,59 +521,37 @@
 -w /usr/bin/grep -p x -k T1081_Credentials_In_Files
 -w /usr/bin/egrep -p x -k T1081_Credentials_In_Files
 -w /usr/bin/ugrep -p x -k T1081_Credentials_In_Files
-### macOS
--w /usr/local/bin/grep -p x -k T1081_Credentials_In_Files
--w /usr/local/bin/egrep -p x -k T1081_Credentials_In_Files
--w /usr/local/bin/ugrep -p x -k T1081_Credentials_In_Files
 ### https://github.com/tmbinc/bgrep
 -w /usr/bin/bgrep -p x -k T1081_Credentials_In_Files
-### macOS
--w /usr/local/bin/bgrep -p x -k T1081_Credentials_In_Files
 ### https://github.com/BurntSushi/ripgrep
 -w /usr/bin/rg -p x -k T1081_Credentials_In_Files
-### macOS
--w /usr/local/bin/rg -p x -k T1081_Credentials_In_Files
 ### https://github.com/awgn/cgrep
 -w /usr/bin/cgrep -p x -k T1081_Credentials_In_Files
-### macOS
--w /usr/local/bin/cgrep -p x -k T1081_Credentials_In_Files
 ### https://github.com/jpr5/ngrep
 -w /usr/bin/ngrep -p x -k T1081_Credentials_In_Files
-### macOS
--w /usr/local/bin/ngrep -p x -k T1081_Credentials_In_Files
 ### https://github.com/vrothberg/vgrep
 -w /usr/bin/vgrep -p x -k T1081_Credentials_In_Files
-### macOS
--w /usr/local/bin/vgrep -p x -k T1081_Credentials_In_Files
 ### https://github.com/monochromegane/the_platinum_searcher
 -w /usr/bin/pt -p x -k T1081_Credentials_In_Files
-### macOS
--w /usr/local/bin/pt -p x -k T1081_Credentials_In_Files
 ### https://github.com/gvansickle/ucg
 -w /usr/bin/ucg -p x -k T1081_Credentials_In_Files
-### macOS
--w /usr/local/bin/ucg -p x -k T1081_Credentials_In_Files
 ### https://github.com/ggreer/the_silver_searcher
 -w /usr/bin/ag -p x -k T1081_Credentials_In_Files
-### macOS
--w /usr/local/bin/ag -p x -k T1081_Credentials_In_Files
 ### https://github.com/beyondgrep/ack3
 ### https://beyondgrep.com
 -w /usr/bin/ack -p x -k T1081_Credentials_In_Files
 -w /usr/local/bin/ack -p x -k T1081_Credentials_In_Files
 -w /usr/bin/semgrep -p x -k T1081_Credentials_In_Files
-### macOS
--w /usr/local/bin/semgrep -p x -k T1081_Credentials_In_Files
 ## Docker
 -w /usr/bin/dockerd -k docker
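Review bot: The hunk drops every `/usr/local/bin/` credential-search watch except `-w /usr/local/bin/ack -p x -k T1081_Credentials_In_Files`, which survives as a context line, so the result is inconsistent: either `/usr/local/bin` is treated as macOS-only and the ack watch should go too, or it is a valid Linux prefix (where pip- and source-installed tools such as semgrep commonly land) and the removals regress Linux coverage. I would keep the `/usr/local/bin` watches and delete only the `### macOS` comment lines, or at minimum remove the ack line as well and record the coverage change in the commit message.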
@@ -616,45 +574,6 @@
 -w /usr/bin/virt-manager -p x -k virt-manager
 -w /usr/bin/VBoxManage -p x -k VBoxManage
-#### VirtualBox on macOS
-
--w /usr/local/bin/VirtualBox -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/VirtualBoxVM -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/VBoxManage -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/VBoxVRDP -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/VBoxHeadless -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/vboxwebsrv -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/VBoxBugReport -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/VBoxBalloonCtrl -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/VBoxAutostart -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/VBoxDTrace -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/vbox-img -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /Library/LaunchDaemons/org.virtualbox.startup.plist -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /Library/Application Support/VirtualBox/LaunchDaemons/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /Library/Application Support/VirtualBox/VBoxDrv.kext/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /Library/Application Support/VirtualBox/VBoxUSB.kext/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /Library/Application Support/VirtualBox/VBoxNetFlt.kext/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /Library/Application Support/VirtualBox/VBoxNetAdp.kext/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
-
-### Parallels Desktop on macOS
-
--w /usr/local/bin/prl_convert -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/prl_disk_tool -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/prl_perf_ctl -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/prlcore2dmp -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/prlctl -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/prlexec -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/prlsrvctl -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /Library/Preferences/Parallels -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
-
-### qemu on macOS
-
--w /usr/local/bin/qemu-edid -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/qemu-img -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/qemu-io -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/qemu-nbd -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
--w /usr/local/bin/qemu-system-x86_64 -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
-
 ## Kubelet
 -w /usr/bin/kubelet -k kubelet