diff --git a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml index 41bc6085bee..03eb9c80e8c 100644 --- a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml +++ b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/02" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -92,7 +92,8 @@ tags = [ timestamp_override = "event.ingested" type = "esql" query = ''' -from logs-endpoint.events.network-* +from logs-endpoint.events.network-* metadata _id, _index, _version +| mv_expand event.action | where @timestamp > now() - 1h and host.os.type == "linux" and @@ -139,7 +140,9 @@ from logs-endpoint.events.network-* Esql.event_count = count(), Esql.agent_id_count_distinct = count_distinct(agent.id), Esql.host_name_values = values(host.name), - Esql.agent_id_values = values(agent.id) + Esql.agent_id_values = values(agent.id), + Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_namespace_values = values(data_stream.namespace) by process.executable | where Esql.agent_id_count_distinct == 1 and diff --git a/rules/linux/defense_evasion_acl_modification_via_setfacl.toml b/rules/linux/defense_evasion_acl_modification_via_setfacl.toml index 8ca35ddc450..bc20b1cec36 100644 --- a/rules/linux/defense_evasion_acl_modification_via_setfacl.toml +++ b/rules/linux/defense_evasion_acl_modification_via_setfacl.toml 
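Review bot: The new `| mv_expand event.action` runs before the `where` filter, so a document whose `event.action` holds several values becomes several rows, and `Esql.event_count = count()` in the stats hunk of this same file will then count that document once per value. The base64 rule later in this diff filters on `event.action == "exec"` immediately after its expand, which collapses the rows again; no equivalent `event.action` equality is visible in this hunk, though one may exist in the `where` lines that continue outside it. If none does, add one to the `where` clause or move the expand after the filter. The `where` clause continues outside the hunk.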
@@ -2,11 +2,15 @@ creation_date = "2024/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] -description = "This rule detects Linux Access Control List (ACL) modification via the setfacl command.\n" +description = """ +This rule detects Linux Access Control List (ACL) modification via the setfacl command. Attackers may +use the setfacl utility to modify file and directory permissions in order to evade detection and maintain +persistence on a compromised system. +""" from = "now-9m" index = [ "auditbeat-*", 
@@ -72,34 +76,36 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name == "setfacl" and not ( + ?process.parent.executable in ( + "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/dirsrv/ds_systemd_ask_password_acl", "/usr/lib/systemd/systemd-udevd", + "/usr/bin/udevadm", "/usr/sbin/ds_systemd_ask_password_acl", "/usr/bin/su", "/bin/su" + ) or process.command_line == "/bin/setfacl --restore=-" or process.args == "/var/log/journal/" or - process.parent.name in ("stats.pl", "perl", "find") or - process.parent.command_line like~ "/bin/sh -c *ansible*" + ?process.parent.name in ("stats.pl", "perl", "find") or + ?process.parent.command_line like~ "*ansible*" or + ?process.parent.args == "/opt/audit-log-acl.sh" ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" + [[rule.threat.technique.subtechnique]] id = "T1222.002" name = "Linux and Mac File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml index c3587dda471..6b076f4a605 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/28" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
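Review bot: The widened exclusion `?process.parent.command_line like~ "*ansible*"` exempts any parent whose command line contains that substring anywhere, where the old pattern at least anchored on `/bin/sh -c`; the same substring-anywhere shape appears in the authorized_keys deletion hunk further down (`file.path like~ ("*backup*", "*ansible*", "*puppet*")`), where a user or directory name containing `backup` is enough to silence that rule. Prefer anchoring both to the paths actually observed, e.g. keep `?process.parent.command_line like~ "/bin/sh -c *ansible*"` here and use a directory prefix such as `"/var/backups/*"` (placeholder, take it from the data) there. Adding `"/usr/bin/su"` and `"/bin/su"` to the parent-executable list also exempts every setfacl spawned directly by `su`, which is a generic privilege switch rather than a known automation parent; consider pairing it with a parent command-line or user condition, or a `/* ... */` comment naming the job it was added for.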
@@ -54,7 +54,7 @@ Auditd is a critical Linux service responsible for system auditing and logging, - Apply any necessary security patches or updates to the affected system to address vulnerabilities that may have been exploited by the adversary. - Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected. - Implement enhanced monitoring and alerting for similar activities across the network to detect and respond to future attempts to disable critical security services.""" -risk_score = 21 +risk_score = 47 rule_id = "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf" setup = """## Setup @@ -81,7 +81,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -95,33 +95,31 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and ( (process.name == "service" and process.args == "stop") or (process.name == "chkconfig" and process.args == "off") or - (process.name == "systemctl" and process.args in ("disable", "stop", "kill")) + (process.name == "update-rc.d" and process.args in ("remove", "disable")) or + (process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask")) ) and process.args in ("auditd", "auditd.service") and -not process.parent.name == "auditd.prerm" +not ?process.parent.name == "auditd.prerm" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index 330d65b308c..f1d091298b1 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/22" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -51,7 +51,7 @@ Firewalls like IPTables on Linux systems are crucial for controlling network tra - Implement additional monitoring and alerting for similar activities across the network to detect and respond to future attempts to disable firewall services promptly. - Review and update firewall policies and configurations to enhance security measures and prevent similar defense evasion tactics in the future.""" references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"] -risk_score = 21 +risk_score = 47 rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f" setup = """## Setup @@ -78,7 +78,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -91,43 +91,43 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and - ( +( /* disable FW */ - ( - (process.name == "ufw" and process.args == "disable") or - (process.name == "iptables" and process.args in ("-F", "--flush", "-X", "--delete-chain") and process.args_count == 2) or - (process.name in ("iptables", "ip6tables") and process.parent.args == "force-stop") - ) or + ( + (process.name == "ufw" and process.args == "disable") or + (process.name == "iptables" and process.args in ("-F", "--flush", "-X", "--delete-chain") and process.args_count == 2) or + (process.name in ("iptables", "ip6tables") and process.parent.args == "force-stop") + ) or /* stop FW service */ - ( - ((process.name == "service" and process.args == "stop") or - (process.name == "chkconfig" and process.args == "off") or - (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))) and + ( + ( + (process.name == "service" and process.args == "stop") or + (process.name == "chkconfig" and process.args == "off") or + (process.name == "update-rc.d" and process.args in ("remove", "disable")) or + (process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask")) + ) and process.args in ("firewalld", "ip6tables", "iptables", "firewalld.service", "ip6tables.service", "iptables.service") - ) ) +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
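Review bot: The only logical change in this hunk is the two added branches (`update-rc.d` with `remove`/`disable`, and `mask` for `systemctl`), but it is buried under a re-indentation of the whole query body; whitespace inside the `'''` literal has no effect on EQL, so splitting the reformat from the logic change would reduce the substantive diff to a handful of lines. The same mix of re-indentation and logic appears in the base16/base32, chattr and dmesg query hunks in this diff, and the hidden-files hunk is whitespace only. Consider landing the whitespace changes as a separate commit so that the per-rule detection changes are reviewable on their own.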
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index 18d470f7609..716db12a621 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -2,13 +2,13 @@ creation_date = "2020/04/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/29" +updated_date = "2025/12/17" [rule] author = ["Elastic"] description = """ -Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade -detection by security controls. +Syslog is a critical component in Linux environments, responsible for logging system events and activities. Adversaries +may attempt to disable the syslog service to disrupt event logging and evade detection by security controls. """ from = "now-9m" index = [ 
@@ -110,11 +110,14 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and - ( (process.name == "service" and process.args == "stop") or - (process.name == "chkconfig" and process.args == "off") or - (process.name == "systemctl" and process.args in ("disable", "stop", "kill")) - ) and process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service") and +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event", "start", "ProcessRollup2") and ( + (process.name == "service" and process.args == "stop") or + (process.name == "chkconfig" and process.args == "off") or + (process.name == "update-rc.d" and process.args in ("remove", "disable")) or + (process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask")) +) and +process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service") and not ( process.parent.name == "rsyslog-rotate" or process.args == "HUP" diff --git a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml index b75176fef92..b1c2b0ae4e9 100644 --- a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml +++ b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/05/15" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -96,7 +96,8 @@ not ( process.executable in ( "/usr/bin/google_guest_agent", "/usr/bin/dockerd", "/bin/dockerd", "/usr/bin/containerd" ) or - process.executable like~ "/nix/store/*" + process.executable like~ "/nix/store/*" or + file.path like~ ("*backup*", "*ansible*", "*puppet*") ) ''' 
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 53fe306644f..5b514d442b2 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -2,11 +2,15 @@ creation_date = "2020/04/17" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] -description = "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls." +description = """ +Base16 and Base32 are encoding schemes that convert binary data into text, making it easier to transmit and store. This rule +monitors for Base16 or Base32 encoding and decoding activity on Linux systems. Attackers may use these encoding schemes to +obfuscate malicious payloads, evade detection, and facilitate data exfiltration. +""" false_positives = [ """ Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be @@ -60,7 +64,7 @@ Base16 and Base32 are encoding schemes used to convert binary data into text, fa - Restore any affected files or systems from known good backups to ensure system integrity and data accuracy. - Update and patch the affected system to close any vulnerabilities that may have been exploited by the adversary. - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" -risk_score = 21 +risk_score = 47 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795" setup = """## Setup 
@@ -99,7 +103,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", @@ -114,17 +118,16 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and - process.name in ("base16", "base32", "base32plain", "base32hex") and +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and +process.name in ("base16", "base32", "base32plain", "base32hex") and not process.args in ("--help", "--version") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" @@ -135,9 +138,7 @@ id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_base64_decoding_activity.toml b/rules/linux/defense_evasion_base64_decoding_activity.toml index ffd98181da9..9ad7f27e98a 100644 --- a/rules/linux/defense_evasion_base64_decoding_activity.toml +++ b/rules/linux/defense_evasion_base64_decoding_activity.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -92,11 +92,10 @@ tags = [ ] timestamp_override = "event.ingested" type = "esql" - query = ''' -from logs-endpoint.events.process-* +from logs-endpoint.events.process-* metadata _id, _index, _version +| mv_expand event.action | where - @timestamp > now() - 1h and host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -144,9 +143,15 @@ from logs-endpoint.events.process-* host.name | stats Esql.event_count = count(), + Esql.process_name_values = values(process.name), + Esql.process_command_line_values = values(process.command_line), + Esql.process_parent_name_values = values(process.parent.name), + Esql.process_parent_command_line_values = values(process.parent.command_line), Esql.agent_id_count_distinct = count_distinct(agent.id), Esql.host_name_values = values(host.name), - Esql.agent_id_values = values(agent.id) + Esql.agent_id_values = values(agent.id), + Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_namespace_values = values(data_stream.namespace) by process.name, process.command_line | where Esql.agent_id_count_distinct == 1 and @@ -155,9 +160,9 @@ from logs-endpoint.events.process-* | limit 100 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" 
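Review bot: Dropping `@timestamp > now() - 1h and` from the `where` clause leaves this query with no time bound of its own, while the frequent-egress ES|QL rule at the top of this diff keeps its `@timestamp > now() - 1h` line; if the intent is to rely on the rule's scheduled `from` window (outside the hunk, not visible here), the two rules should agree, and a `// time range is applied by the rule schedule` comment in the query would record the choice. In the stats hunk further down, `Esql.process_name_values = values(process.name)` and `Esql.process_command_line_values = values(process.command_line)` aggregate exactly the fields the `by process.name, process.command_line` clause groups on, so each can only ever return its own group key; unless the `Esql.`-prefixed copies are required by downstream alert rendering, they are redundant and can be dropped.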
@@ -168,36 +173,35 @@ id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml index 9815afe3576..2a3b2c93dca 100644 --- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml +++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -58,43 +58,17 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and process.name != null and +file where host.os.type == "linux" and event.action in ("rename", "creation") and process.name in ("cp", "mv") and file.Ext.original.path : ( "/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/sbin/*", "/usr/sbin/*", "/usr/local/sbin/*" ) and not ( - process.executable in ( - "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", - "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", - "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", - "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", - "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", - "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", - "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", - "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/libexec/netplan/generate", - "/usr/bin/update-alternatives", "/bin/update-alternatives", "/usr/sbin/update-alternatives", - "/sbin/update-alternatives", "/usr/bin/pip3", "/bin/pip3", "/usr/local/bin/pip3", "/usr/local/bin/node", - "/bin/node", "/usr/bin/node", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/pip", "/bin/pip", - "/usr/local/bin/pip", "/usr/libexec/platform-python", "/usr/bin/platform-python", "/bin/platform-python", - "/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/sbin/sshd", "/usr/local/sbin/sshd", "/usr/sbin/crond", "/sbin/crond", - "/usr/local/sbin/crond", "/usr/sbin/gdm" - ) or - process.name like ( - "python*", "packagekitd", 
"systemd", "ln", "platform-python", "dnf_install", "runc", "apt-get", "ssm-agent-worker", - "convert-usrmerge", "updatenow.static-cpanelsync", "apk", "exe", "php", "containerd-shim-runc-v2", "dpkg", "sed", - "platform-python*", "gedit", "crond", "sshd", "ruby", "sudo", "chainctl", "update-alternatives", "pip*", "microdnf", - "rsync", "convert2rhel", "convert-usr-merge" - ) or file.Ext.original.path : ( "/bin/*.tmp", "/usr/bin/*.tmp", "/usr/local/bin/*.tmp", "/sbin/*.tmp", "/usr/sbin/*.tmp", "/usr/local/sbin/*.tmp" ) or file.extension in ("swp", "swpx", "swx", "dpkg-remove") or file.Ext.original.extension == "dpkg-new" or - process.executable : ("/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*") or - process.executable == null or - (process.name == "sed" and file.name : "sed*") or - (process.name == "perl" and file.name : "e2scrub_all.tmp*") + process.executable : ("/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/tmp/newroot/*") ) ''' note = """## Triage and analysis diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index acae70f730b..526aa8ea811 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2022/07/22" -integration = ["endpoint", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "sentinel_one_cloud_funnel", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
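Review bot: The new `event.action in ("rename", "creation")` admits file-creation events, but every match still has to satisfy `file.Ext.original.path : ("/bin/*", ...)`; for a `cp` into one of these directories the creation event presumably carries no original path (that field is populated for renames, where it records the pre-rename path), so the `creation` branch may never fire for `cp` — confirm against sample Elastic Defend events. If creation events do not carry it, the `cp` case needs a creation-specific condition on `file.path` rather than `file.Ext.original.path`. Narrowing to `process.name in ("cp", "mv")` does make most of the removed `process.executable` and `process.name` exclusion lists moot, so their deletion looks safe, but a one-line `/* ... */` comment above the `not (` group noting that the rule is now intentionally limited to cp/mv would help the next maintainer understand why the long lists went away.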
@@ -13,7 +13,14 @@ opened in write mode. Threat actors will commonly utilize this to prevent tamper files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). """ from = "now-9m" -index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "eql" license = "Elastic License v2" max_signals = 33 
@@ -103,38 +110,44 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where host.os.type == "linux" and event.type == "start" and process.parent.executable != null and -process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and not ( - process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd") or - process.parent.name in ( +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and +?process.parent.executable != null and +process.name == "chattr" and process.args : ("-*i*", "+*i*") and +not ( + ?process.parent.executable: ( + "/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd", "/usr/local/emps/sbin/php-fpm", + "/usr/local/emps/bin/php" + ) or + ?process.parent.name in ( "systemd", "cf-agent", "ntpdate", "xargs", "px", "preinst", "auth", "cf-agent", "dcservice", "dcagentupgrader", "sudo", "ephemeral-disk-warning" - ) + ) or + process.args like "/opt/ai-bolit/*" ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" + [[rule.threat.technique.subtechnique]] id = "T1222.002" name = "Linux and Mac File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml index 35ce6af280c..b3f77d4cefc 100644 
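Review bot: The query keeps `?process.parent.executable != null` while this commit adds `logs-auditd_manager.auditd-*` and `logs-crowdstrike.fdr*` to the rule's index list; the `?` only tolerates an unmapped field, it does not relax the null test, so if either source does not populate `process.parent.executable` (not verifiable from this hunk) every event from it is rejected before the `process.name == "chattr"` check and the new data sources contribute nothing. Either drop the null guard, since the `?`-prefixed parent exclusions that follow already tolerate a missing parent, or confirm from sample events that both sources carry the field. The new `process.args like "/opt/ai-bolit/*"` exclusion is keyed on arguments alone with no parent constraint; a short `/* ... */` comment stating why arguments under that path are trusted would document the exception.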
--- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml @@ -2,13 +2,14 @@ creation_date = "2023/10/24" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] description = """ Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events -to evade detection after installing a Linux kernel module (LKM). +to evade detection after installing a Linux kernel module (LKM). This activity is commonly observed by intrusions that +leverage kernel-level rootkits to maintain persistence on a compromised host. """ from = "now-9m" index = [ @@ -55,7 +56,7 @@ The kernel ring buffer logs system messages, crucial for diagnosing issues. Adve - Implement enhanced monitoring and logging for the affected system to detect any future attempts to clear the kernel ring buffer or similar evasion tactics. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Conduct a post-incident review to identify gaps in detection and response, and update security policies and procedures to prevent recurrence.""" -risk_score = 21 +risk_score = 73 rule_id = "2724808c-ba5d-48b2-86d2-0002103df753" setup = """## Setup @@ -82,7 +83,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", 
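Review bot: `risk_score` goes from 21 to 73 and `severity` to "high" while the query in the following hunk still matches every `dmesg -c` / `dmesg --clear` with no parent-process or automation exclusions; clearing the ring buffer is also done by diagnostic and log-collection scripts, so a high-severity alert on each run is likely to be noisy — I have no telemetry here, so confirm the false-positive rate before the bump lands. In the new description text, `observed by intrusions that leverage` reads as if the intrusion does the observing; `observed in intrusions that leverage` is the intended sense.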
@@ -97,38 +98,36 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") - and process.name == "dmesg" and process.args in ("-c", "--clear") +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and +process.name == "dmesg" and process.args in ("-c", "--clear") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml b/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml index 874a3f33738..320e6e9969a 100644 --- a/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml +++ b/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml 
@@ -2,13 +2,14 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] description = """ Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt -to evade detection. +to evade detection. This behavior is often observed in attempts to conceal malicious files or maintain persistence on +a compromised system. """ from = "now-9m" index = [ @@ -56,9 +57,9 @@ In Unix-like systems, the 'hidden' flag can be set on files to conceal them from - Implement file integrity monitoring to detect unauthorized changes to file attributes, including the hidden flag, on critical systems. - Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. - Update and enhance endpoint detection and response (EDR) solutions to improve detection capabilities for similar threats in the future.""" -risk_score = 21 +risk_score = 47 rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97" -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", @@ -73,27 +74,24 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
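Review bot: Severity is raised to "medium" for a query whose sole predicate is `process.name == "chflags"` under `host.os.type == "linux"`; `chflags` and the 'hidden' flag it sets are BSD/macOS file-flag facilities, so on a typical Linux host this rule may have little or no telemetry to match. Confirm it has produced true positives on Linux before treating it as a medium-risk detection, or state in the description which Linux environments (ones shipping a ported `chflags`) it is meant for. The `[[rule.threat]]` changes in the last hunk are whitespace only.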
diff --git a/rules/linux/defense_evasion_directory_creation_in_bin.toml b/rules/linux/defense_evasion_directory_creation_in_bin.toml index dda9951a020..450965c1864 100644 --- a/rules/linux/defense_evasion_directory_creation_in_bin.toml +++ b/rules/linux/defense_evasion_directory_creation_in_bin.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/01" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -97,32 +97,32 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "start", "ProcessRollup2", "exec_event") and process.name == "mkdir" and - process.args like ("/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/sbin/*", "/usr/sbin/*", "/usr/local/sbin/*") and -not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir") +event.action in ("exec", "start", "ProcessRollup2", "exec_event") and process.name == "mkdir" and +process.args like ("/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/sbin/*", "/usr/sbin/*", "/usr/local/sbin/*") and +not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir", "/usr/local/bin/cursor", "/usr/bin/coreutils") and +not process.parent.executable in ("/usr/bin/make", "/bin/make") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" 
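Review bot: The added `not process.parent.executable in ("/usr/bin/make", "/bin/make")` references the parent field without the `?` prefix that the other hunks in this diff adopt for parent fields (setfacl, auditd, chattr, apparmor); this rule's integrations include CrowdStrike and SentinelOne as well, so for consistency and to avoid a missing-field error on a source that lacks the mapping write `not ?process.parent.executable in ("/usr/bin/make", "/bin/make")`. The `"/usr/local/bin/cursor"` and `"/usr/bin/coreutils"` additions to the args exclusion would read better with a one-line `/* ... */` comment naming the installer behaviour they suppress, as the firewall rule does inside its query.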
@@ -130,4 +130,3 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml index 3e5779689bb..bb6110202b7 100644 --- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml +++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -58,7 +58,7 @@ AppArmor is a Linux security module that enforces strict access controls, limiti - Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected. - Implement enhanced monitoring on the affected system and similar environments to detect any future attempts to disable AppArmor or other security controls. - Review and update access controls and permissions to ensure that only authorized personnel can modify security settings, reducing the risk of similar incidents.""" -risk_score = 21 +risk_score = 73 rule_id = "fac52c69-2646-4e79-89c0-fd7653461010" setup = """## Setup @@ -85,7 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -100,34 +100,33 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and - ( - (process.name == "systemctl" and process.args in ("stop", "disable", "kill") and process.args in ("apparmor", "apparmor.service")) or - (process.name == "service" and process.args == "apparmor" and process.args == "stop") or - (process.name == "chkconfig" and process.args == "apparmor" and process.args == "off") or +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and +( + (process.name == "service" and process.args == "stop") or + (process.name == "chkconfig" and process.args == "off") or + (process.name == "update-rc.d" and process.args in ("remove", "disable")) or + (process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask")) or (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args == "/etc/apparmor.d/disable/") -) +) and +not ?process.parent.executable == "/opt/puppetlabs/puppet/bin/ruby" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index 4baa2aed772..b6e65ea7aca 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml 
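Review bot: The rewritten service-manager branches in the query hunk no longer require an apparmor argument: the old lines checked `process.args in ("apparmor", "apparmor.service")` (systemctl) or `process.args == "apparmor"` (service, chkconfig), while the new `service ... stop`, `chkconfig ... off`, `update-rc.d ... remove|disable` and `systemctl ... disable|stop|kill|mask` branches match those verbs for any unit, so unless I have misread the collapsed hunk an ordinary `systemctl stop nginx` now triggers this rule, which the same commit raises to high/73. The ln branch is the only one still tied to AppArmor. Restoring the unit constraint as a shared guard around the four service-manager branches keeps the new update-rc.d and mask coverage without the false positives; the puppet parent exclusion that follows is unaffected.

```toml
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
(
  (
    process.args in ("apparmor", "apparmor.service") and
    (
      (process.name == "service" and process.args == "stop") or
      (process.name == "chkconfig" and process.args == "off") or
      (process.name == "update-rc.d" and process.args in ("remove", "disable")) or
      (process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask"))
    )
  ) or
  (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args == "/etc/apparmor.d/disable/")
) and
// … unchanged: puppet parent exclusion …
```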
@@ -2,7 +2,7 @@ creation_date = "2020/04/22" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -57,7 +57,7 @@ SELinux is a critical security feature in Linux environments, enforcing access c - Scan the affected system for malware or unauthorized software installations using a trusted antivirus or endpoint detection and response (EDR) tool. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. - Implement additional monitoring and alerting for similar SELinux-related events to enhance detection capabilities and prevent recurrence.""" -risk_score = 47 +risk_score = 73 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e" setup = """## Setup @@ -96,7 +96,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ -severity = "medium" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -111,29 +111,26 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and - process.name == "setenforce" and process.args == "0" +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and +process.name == "setenforce" and process.args == "0" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml index b0adf07fbd7..8f0a8af6a0e 100644 --- a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml +++ b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
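Review bot: The re-indented query in this hunk still matches only `process.args == "0"`, but setenforce also accepts the word form (`setenforce Permissive`), which puts SELinux into the same permissive state and is not caught now that the rule is raised to high/73. Since the hunk already rewrites these lines, the condition could become `process.name == "setenforce" and process.args : ("0", "permissive")`, using the case-insensitive `:` operator so capitalisation of the word does not matter. A short `// both the numeric and the word form switch SELinux to permissive` comment above it would explain the pair.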
@@ -51,7 +51,7 @@ Doas is a command-line utility on Linux systems that allows users to execute com - Apply patches and updates to the affected system to address any vulnerabilities that may have been exploited by the adversary. - Review and enhance access controls and authentication mechanisms to prevent unauthorized privilege escalation attempts in the future.""" references = ["https://wiki.archlinux.org/title/Doas"] -risk_score = 21 +risk_score = 47 rule_id = "26a726d7-126e-4267-b43d-e9a70bfdee1e" setup = """## Setup @@ -78,7 +78,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", @@ -91,27 +91,24 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.type != "deletion" and file.path == "/etc/doas.conf" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml index 6df0ad926bd..92d844476c3 100644 --- a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml +++ b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml 
@@ -2,21 +2,21 @@ creation_date = "2024/08/08" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/29" +updated_date = "2025/12/17" [rule] author = ["Elastic"] description = """ -Detects the creation or modification of files related to the configuration of the dynamic linker on Linux systems. -The dynamic linker is a shared library that is used by the Linux kernel to load and execute programs. Attackers may -attempt to hijack the execution flow of a program by modifying the dynamic linker configuration files. This technique -is often observed by userland rootkits that leverage shared objects to maintain persistence on a compromised host. +Detects the creation of files related to the configuration of the dynamic linker on Linux systems. The dynamic linker +is a shared library that is used by the Linux kernel to load and execute programs. Attackers may attempt to hijack +the execution flow of a program by modifying the dynamic linker configuration files. This technique is often observed +by userland rootkits that leverage shared objects to maintain persistence on a compromised host. """ from = "now-9m" index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" -name = "Dynamic Linker Creation or Modification" +name = "Dynamic Linker Creation" risk_score = 47 rule_id = "640f79d1-571d-4f96-a9af-1194fc8cf763" setup = """## Setup @@ -57,8 +57,8 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -file where host.os.type == "linux" and event.action in ("creation", "rename") and -file.path : ("/etc/ld.so.preload", "/etc/ld.so.conf.d/*", "/etc/ld.so.conf") and +file where host.os.type == "linux" and event.action == "creation" and +file.path like ("/etc/ld.so.preload", "/etc/ld.so.conf.d/*", "/etc/ld.so.conf") and not ( process.executable in ( "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", 
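Review bot: The query hunk narrows `event.action in ("creation", "rename")` to `event.action == "creation"`, and the name and description are changed to match, but nothing in the commit says where rename coverage went. Writing a file elsewhere and renaming it into /etc/ld.so.preload or /etc/ld.so.conf.d/ is how many editors and package tools replace these files, so if a separate rule does not now cover rename events this is a real gap for the preload-hijack case the description still calls out. If the split is deliberate, a `// rename events are covered by <sibling rule>` comment in the query, or a sentence in the description, would stop the next reader from re-adding it. The switch from `:` to `like` for the path list is fine, since these paths are literal and case-sensitive on Linux.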
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index c66ef77e4d3..90b9c8b3890 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/27" integration = ["auditd_manager", "crowdstrike", "endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -57,7 +57,7 @@ The `shred` command in Linux is used to securely delete files by overwriting the - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized use of `shred` or similar file deletion tools. - Review and update endpoint security configurations to prevent unauthorized execution of file deletion commands by non-administrative users.""" -risk_score = 21 +risk_score = 47 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4" setup = """## Setup @@ -84,7 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", @@ -99,7 +99,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name == "shred" and ( 
@@ -110,20 +109,19 @@ process.args in ("--remove", "--zero") not process.parent.name == "logrotate" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index 54c8ee0c3d1..b838709d6db 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ index = ["logs-endpoint.events.*"] language = "kuery" license = "Elastic License v2" name = "File Permission Modification in Writable Directory" -risk_score = 21 +risk_score = 73 rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4" setup = """## Setup @@ -60,7 +60,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ -severity = "low" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -71,12 +71,21 @@ tags = [ ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' -host.os.type:linux and event.category:process and event.type:start and -process.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and -not process.parent.name:( - apt-key or update-motd-updates-available or apt-get or java or pilot or PassengerAgent or nginx +host.os.type:"linux" and event.category:process and event.type:"start" and event.action:"exec" and +process.name:("chattr" or "chgrp" or "chmod") and process.working_directory:("/dev/shm" or "/tmp" or "/var/tmp") and +not ( + process.args:( + "+r" or "640" or /tmp/apt-key-gpghome* or "/usr/bin/coreutils" or "/opt/eset/eei/uninstall.sh" or /tmp/era.repository.*.bin + ) or + process.parent.args:"/var/illumio_pce/illumio/scripts/consul" or + process.parent.name:( + apt-key or update-motd-updates-available or apt-get or java or pilot or PassengerAgent or nginx + ) or + process.parent.executable:( + "/usr/local/bin/afb-ssh-setup-keys.sh" or "/usr/local/bin/afb-ssh-setup-keys.sh" or "/opt/puppetlabs/puppet/bin/ruby" or + "/usr/sbin/update-exim4.conf" or "/bin/dracut" + ) ) ''' note = """## Triage and analysis @@ -114,15 +123,14 @@ In Linux environments, writable directories like /tmp or /var/tmp are often used - Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for file permission changes in writable directories to detect similar threats in the future.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" 
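Review bot: The `process.parent.executable:(...)` list added in this hunk contains `"/usr/local/bin/afb-ssh-setup-keys.sh"` twice; one copy should go, or the second was meant to be a different path. In the same hunk `chown` is dropped from `process.name:("chattr" or "chgrp" or "chmod")` with no note, so ownership changes in /tmp, /dev/shm and /var/tmp are no longer covered while the rule's severity rises to high/73 elsewhere in this file; if that narrowing is intentional it should be stated in the description, otherwise restore `process.name:("chattr" or "chgrp" or "chmod" or "chown")`. The `"+r"` and `"640"` args exclusions apply regardless of target file, which is worth a one-line comment explaining which noise they address.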
@@ -131,8 +139,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.executable", "process.command_line"] + [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-14d" - - +value = "now-5d" diff --git a/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml b/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml index 72fd94b7f6f..96000cee0bf 100644 --- a/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml +++ b/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/04/29" -integration = ["endpoint", "crowdstrike"] +integration = ["auditd_manager", "crowdstrike", "endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -11,7 +11,14 @@ This rule detects when a process executes a command line containing hexadecimal hexadecimal encoding to obfuscate their payload and evade detection. """ from = "now-9m" -index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", + "logs-auditd_manager.auditd-*", +] language = "eql" license = "Elastic License v2" name = "Potential Hex Payload Execution via Command-Line" 
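Review bot: The first hunk shortens the new_terms history window from `now-14d` to `now-5d`, so a host.id / parent executable / command line combination that was last seen six days ago is treated as new again and re-alerts, and this happens in the same commit that raises the rule to high/73. If the intent is to reduce memory or speed up evaluation that is a reasonable trade, but it should be recorded next to the value, for example `# 5d keeps the term set small; combos idle longer than this will re-alert`. In the hex-payload index hunk, `"logs-auditd_manager.auditd-*"` is appended after `"logs-sentinel_one_cloud_funnel.*"`, breaking the alphabetical order the rest of the list follows; moving it to the top keeps the list sorted.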
@@ -83,17 +90,22 @@ tags = [ "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", + "Data Source: Auditd Manager", "Data Source: Elastic Defend", - "Resources: Investigation Guide", + "Data Source: Elastic Endgame", "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and ?process.parent.executable != null and process.command_line : "*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*\\x*" and -length(process.command_line) > 50 +length(process.command_line) > 50 and +not process.name in ("snap", "printf", "sed") ''' [[rule.threat]] diff --git a/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml b/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml index 48a4b805ec5..62bddb86804 100644 --- a/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml +++ b/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/04/29" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
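Review bot: The new `not process.name in ("snap", "printf", "sed")` exclusion in the query hunk removes the most common carriers of a hex-escaped payload on a Linux command line, since printf and sed are exactly the utilities that consume `\x..` sequences, and because it keys on process.name alone it drops every such invocation rather than the specific noisy parents that motivated it. If these were tuned against particular sources, scoping the exclusion to them (for example by `?process.parent.executable`, as the neighbouring rules do) or at least a `// printf/sed noise from <source>` comment would preserve the rule's stated purpose. The event.action expansion matches the other multi-source Linux rules in this commit and looks consistent with the new index list.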
@@ -97,23 +97,37 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "exec_event", "start", "ProcessRollup2") and - ( - (process.name == "xxd" and process.args like ("-r*", "-p*")) or - (process.name like "python*" and process.command_line like "*fromhex*" and process.command_line like ("*decode*", "*encode*")) or - (process.name like "php*" and process.command_line like "*hex2bin*") or - (process.name like "ruby*" and process.command_line like "*].pack(\"H*\")*") or - (process.name like "perl*" and process.command_line like "*pack(\"H*\",*") or - (process.name like "lua*" and process.command_line like "*tonumber(cc, 16)*") +event.action in ("exec", "exec_event", "start", "ProcessRollup2") and +( + (process.name == "xxd" and process.args like ("-r*", "-p*")) or + (process.name like "python*" and process.command_line like "*fromhex*" and process.command_line like ("*decode*", "*encode*")) or + (process.name like "php*" and process.command_line like "*hex2bin*") or + (process.name like "ruby*" and process.command_line like "*].pack(\"H*\")*") or + (process.name like "perl*" and process.command_line like "*pack(\"H*\",*") or + (process.name like "lua*" and process.command_line like "*tonumber(cc, 16)*") +) and +not ( + // Vulnerability scanning tools scanning for xz-backdoor + process.command_line like ("*liblzma*", "*xz*") or + ?process.parent.args like ( + "/srv/acme/acme.sh", "/home/*/.acme.sh/acme.sh", "/opt/custom-nagios-plugins/check_rad_eap", + "/usr/bin/testssl", "./testssl.sh", "/root/.acme.sh/acme.sh" + ) or + ?process.parent.args like "printf*" or + ?process.working_directory in ( + "/home/prtg-ssh", + "/home/svc-acas-lnx", + "/tmp/newroot/home/svc-acas-lnx", + "/var/prtg/scriptsxml" ) +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" 
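Review bot: The new exclusion `process.command_line like ("*liblzma*", "*xz*")` in the query hunk is far broader than its comment suggests: `*xz*` matches any command line that contains the two letters anywhere, including an .xz filename or an unrelated path, so the whole rule is bypassed by that substring rather than only for the xz-backdoor scanners named in the comment. Keeping `*liblzma*` and tying the xz case to the scanner parents already listed below it (or a more specific pattern such as `*xz*5.6*` if that is what the scanners emit) would narrow it without losing the intended suppression. The `?process.parent.args like "printf*"` line also deserves its own comment, since it is unrelated to the xz note above it.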
@@ -124,36 +138,35 @@ id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -