Skip to content

[Tuning] Linux DR Tuning - Part 3 #3454

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Feb 20, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2024/02/20"

[rule]
author = ["Elastic"]
Expand All @@ -13,7 +13,7 @@ Adversaries may attempt to disable the iptables or firewall service in an attemp
receive or send network traffic.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Attempt to Disable IPTables or Firewall"
Expand Down Expand Up @@ -46,11 +46,19 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast

"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"

]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
(
/* disable FW */
(
Expand All @@ -68,22 +76,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
name = "Impair Defenses"
id = "T1562"
reference = "https://attack.mitre.org/techniques/T1562/"

[[rule.threat.technique.subtechnique]]
name = "Disable or Modify Tools"
id = "T1562.001"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
name = "Defense Evasion"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"

21 changes: 15 additions & 6 deletions rules/linux/defense_evasion_disable_apparmor_attempt.toml
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/08/28"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2024/02/20"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ fine-grained access control policies to restrict the actions and resources that
access. Adversaries may disable security tools to avoid possible detection of their tools and activities.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Disabling of AppArmor"
Expand Down Expand Up @@ -47,13 +47,22 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast

"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and event.type == "start"
and (
(process.name == "systemctl" and process.args == "disable" and process.args == "apparmor") or
(process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args : "/etc/apparmor.d/disable/")
(process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args == "/etc/apparmor.d/disable/")
)
'''

Expand Down
30 changes: 18 additions & 12 deletions rules/linux/defense_evasion_disable_selinux_attempt.toml
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/04/22"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2024/02/20"

[rule]
author = ["Elastic"]
Expand All @@ -14,8 +14,8 @@ support access control policies. Adversaries may disable security tools to avoid
activities.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Disabling of SELinux"
risk_score = 47
Expand Down Expand Up @@ -59,30 +59,36 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit

"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "query"

type = "eql"
query = '''
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0
process where host.os.type == "linux" and event.type in ("start", "process_started") and
process.name == "setenforce" and process.args == "0"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

27 changes: 17 additions & 10 deletions rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/04/11"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.5.0"
updated_date = "2023/11/02"
updated_date = "2024/02/20"

[rule]
author = ["Elastic"]
Expand All @@ -16,7 +16,7 @@ software, and their presence in the touch command arguments may indicate that a
tamper with timestamps of VM-related files and configurations on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "ESXI Timestomping using Touch Command"
Expand Down Expand Up @@ -52,29 +52,36 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast

"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed")
and process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"

[[rule.threat.technique.subtechnique]]
id = "T1070.006"
name = "Timestomp"
reference = "https://attack.mitre.org/techniques/T1070/006/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
reference = "https://attack.mitre.org/tactics/TA0005/"
28 changes: 17 additions & 11 deletions rules/linux/defense_evasion_file_deletion_via_shred.toml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2024/02/20"

[rule]
author = ["Elastic"]
Expand All @@ -14,8 +14,8 @@ a network and how. Adversaries may remove these files over the course of an intr
remove them at the end as part of the post-intrusion cleanup process.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "kuery"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "File Deletion via Shred"
risk_score = 21
Expand Down Expand Up @@ -47,31 +47,37 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast

"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "query"
type = "eql"

query = '''
event.category:process and host.os.type:linux and event.type:start and process.name:shred and
process.args:("-u" or "--remove" or "-z" or "--zero") and not process.parent.name:logrotate
process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in (
"-u", "--remove", "-z", "--zero"
) and not process.parent.name == "logrotate"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"

[[rule.threat.technique.subtechnique]]
id = "T1070.004"
name = "File Deletion"
reference = "https://attack.mitre.org/techniques/T1070/004/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"