[BBR Promotion] Q2 Linux BBR Promotion (#4172)

Aegrah · github-actions[bot] · commit 2d947d4c344f · 2024-10-18T15:00:19.000Z
* [BBR Promotion] Q2 Linux BBR Promotion * Update collection_linux_clipboard_activity.toml * Update defense_evasion_creation_of_hidden_files_directories.toml (cherry picked from commit 6012544)
diff --git a/rules/linux/collection_linux_clipboard_activity.toml b/rules/linux/collection_linux_clipboard_activity.toml
@@ -2,22 +2,20 @@
 creation_date = "2023/07/27"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
 description = """
 This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group
 leader. Adversaries may collect data stored in the clipboard from users copying information within or between
 applications.
 """
-from = "now-119m"
+from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
-interval = "60m"
 language = "kuery"
 license = "Elastic License v2"
-name = "Potential Suspicious Clipboard Activity Detected"
+name = "Linux Clipboard Activity Detected"
 risk_score = 21
 rule_id = "884e87cc-c67b-4c90-a4ed-e1e24a940c82"
 severity = "low"
@@ -26,29 +24,27 @@ tags = [
     "OS: Linux",
     "Use Case: Threat Detection",
     "Tactic: Collection",
-    "Rule Type: BBR",
     "Data Source: Elastic Defend",
     "Data Source: Elastic Endgame",
     "Data Source: Auditd Manager",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
-event.category:process and host.os.type:"linux" and
-event.type:"start" and event.action:("exec" or "exec_event" or "executed" or "process_started") and
-process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq")
+event.category:process and host.os.type:"linux" and event.type:"start" and
+event.action:("exec" or "exec_event" or "executed" or "process_started") and
+process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq") and
+not process.parent.name:("bwrap" or "micro")
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1115"
 name = "Clipboard Data"
 reference = "https://attack.mitre.org/techniques/T1115/"
 
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
@@ -57,8 +53,7 @@ reference = "https://attack.mitre.org/tactics/TA0009/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.group_leader.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
-
-
diff --git a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 
 [transform]
 [[transform.osquery]]
@@ -32,19 +32,17 @@ query = "SELECT name, cmdline, parent, path, uid FROM processes"
 
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
 description = """
 This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical
 applications on a remote server and display the application's graphical user interface on their local machine. Attackers
 can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert
 communication channels, enabling lateral movement and facilitating remote control of systems within a network.
 """
-from = "now-119m"
+from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
-interval = "60m"
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Linux SSH X11 Forwarding"
+name = "Linux SSH X11 Forwarding"
 note = """## Triage and analysis
 
 ### Investigating Potential Linux SSH X11 Forwarding
@@ -115,28 +113,24 @@ tags = [
     "Tactic: Command and Control",
     "Data Source: Elastic Defend",
     "Data Source: Elastic Endgame",
-    "Rule Type: BBR",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.name in ("ssh", "sshd") and process.args in ("-X", "-Y") and process.args_count >= 3 and 
 process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"
 
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/linux/defense_evasion_acl_modification_via_setfacl.toml b/rules/linux/defense_evasion_acl_modification_via_setfacl.toml
@@ -1,15 +1,13 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2024/08/23"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/08/23"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
 description = """
-This building block rule (BBR) detects Linux Access Control List (ACL) modification via the setfacl command.
+This rule detects Linux Access Control List (ACL) modification via the setfacl command.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -25,7 +23,6 @@ tags = [
     "OS: Linux",
     "Use Case: Threat Detection",
     "Tactic: Defense Evasion",
-    "Rule Type: BBR",
     "Data Source: Elastic Defend",
     "Data Source: Elastic Endgame",
     "Data Source: Auditd Manager",
@@ -35,7 +32,10 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "executed", "process_started") and
-process.name == "setfacl"
+process.name == "setfacl" and not (
+  process.command_line == "/bin/setfacl --restore=-" or
+  process.args == "/var/log/journal/"
+)
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml b/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml
@@ -2,18 +2,16 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
 description = """
 Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt
 to evade detection.
 """
-from = "now-119m"
+from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
-interval = "60m"
 language = "eql"
 license = "Elastic License v2"
 name = "Hidden Files and Directories via Hidden Flag"
@@ -26,34 +24,30 @@ tags = [
     "OS: macOS",
     "Use Case: Threat Detection",
     "Tactic: Defense Evasion",
-    "Rule Type: BBR",
     "Data Source: Elastic Defend",
     "Data Source: Elastic Endgame",
     "Data Source: Auditd Manager",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-file where event.type == "creation" and process.name == "chflags"
+file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags"
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1564"
 name = "Hide Artifacts"
 reference = "https://attack.mitre.org/techniques/T1564/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1564.001"
 name = "Hidden Files and Directories"
 reference = "https://attack.mitre.org/techniques/T1564/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/linux/discovery_suspicious_memory_grep_activity.toml b/rules/linux/discovery_suspicious_memory_grep_activity.toml
@@ -1,13 +1,11 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2024/02/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
 description = """
 Monitors for grep activity related to memory mapping. The /proc/*/maps file in Linux provides a memory map for a
 specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may
@@ -27,29 +25,25 @@ tags = [
     "OS: Linux",
     "Use Case: Threat Detection",
     "Tactic: Discovery",
-    "Rule Type: BBR",
     "Data Source: Elastic Defend",
     "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.name in ("grep", "egrep", "fgrep", "rgrep") and process.args in ("[stack]", "[vdso]", "[heap]")
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1057"
 name = "Process Discovery"
 reference = "https://attack.mitre.org/techniques/T1057/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/linux/execution_unix_socket_communication.toml b/rules/linux/execution_unix_socket_communication.toml
@@ -1,13 +1,11 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2023/09/04"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
-building_block_type = "default"
 description = """
 This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local
 Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate
@@ -28,34 +26,31 @@ tags = [
     "Use Case: Threat Detection",
     "Tactic: Execution",
     "Data Source: Elastic Defend",
-    "Rule Type: BBR",
     "Data Source: Elastic Endgame",
     "Data Source: Auditd Manager",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
  and (
   (process.name in ("nc", "ncat", "netcat", "nc.openbsd") and 
    process.args == "-U" and process.args : ("/usr/local/*", "/run/*", "/var/run/*")) or
   (process.name == "socat" and 
    process.args == "-" and process.args : ("UNIX-CLIENT:/usr/local/*", "UNIX-CLIENT:/run/*", "UNIX-CLIENT:/var/run/*"))
-)
+) and
+not process.args == "/var/run/libvirt/libvirt-sock"
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1559"
 name = "Inter-Process Communication"
 reference = "https://attack.mitre.org/techniques/T1559/"
 
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
