[Rule Tuning] Q2 Linux DR Tuning - CP (#4170)

* [Rule Tuning] Q2 Linux DR Tuning - CP

* Update command_and_control_non_standard_ssh_port.toml

(cherry picked from commit 09bd4ce)

Author: Aegrah

rules/cross-platform/command_and_control_non_standard_ssh_port.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/10/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
@@ -37,30 +37,35 @@ tags = [
     "Data Source: Elastic Defend",
 ]
 type = "eql"
-
 query = '''
 sequence by process.entity_id with maxspan=1m
-  [process where event.action == "exec" and process.name:"ssh" and not process.parent.name in (
+  [process where event.action == "exec" and process.name in ("ssh", "sshd") and not process.parent.name in (
    "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest", "git-lfs", "expect", "Sourcetree", "ssh-copy-id",
    "run"
    )
   ]
   [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and 
-   destination.port != 22 and destination.ip != "127.0.0.1" and network.transport: "tcp"
+   destination.port != 22 and network.transport == "tcp" and not (
+     destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
+       destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
+       "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+       "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+       "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+       "FF00::/8"
+     )
+   )
   ]
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1571"
 name = "Non-Standard Port"
 reference = "https://attack.mitre.org/techniques/T1571/"
 
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-

rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/05/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,6 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where
 /* net, sc or wmic stopping or deleting Elastic Agent on Windows */
@@ -52,7 +51,7 @@ or
 (event.type == "end" and
   (process.name : ("systemctl", "service") and
     process.args : "elastic-agent" and
-    process.args : "stop")
+    process.args : ("stop", "disable"))
   or
   /* pkill , killall used to stop Elastic Agent on Linux */
   ( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent")
@@ -63,22 +62,20 @@ or
     event.action : "end"))
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-

rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/10/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
@@ -42,30 +42,31 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-process where host.os.type:("linux","macos") and
-  event.type == "start" and
-  (process.executable regex~ """/[a-z0-9\s_\-\\./]+\s""") and not
-  process.name in ("ls", "find", "grep", "xkbcomp")
+process where host.os.type:("linux","macos") and event.type == "start" and
+process.executable regex~ """/[a-z0-9\s_\-\\./]+\s""" and not (
+  process.name in ("ls", "find", "grep", "xkbcomp") or
+  process.executable like ("/opt/nessus_agent/*", "/opt/gitlab/sv/gitlab-exporter/*", "/tmp/ansible-admin/*") or
+  process.parent.args in (
+    "./check_rubrik", "/usr/bin/check_mk_agent", "/etc/rubrik/start_stop_bootstrap.sh", "/etc/rubrik/start_stop_agent.sh"
+  )
+)
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.006"
 name = "Space after Filename"
 reference = "https://attack.mitre.org/techniques/T1036/006/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-

rules/cross-platform/discovery_security_software_grep.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/12/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,6 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where event.type == "start" and
 process.name : "grep" and user.id != "0" and
@@ -106,6 +105,7 @@ process.name : "grep" and user.id != "0" and
           ) and
    not (
      (process.args : "Avast" and process.args : "Passwords") or
+     (process.args == "osquery.conf") or 
      (process.parent.args : "/opt/McAfee/agent/scripts/ma" and process.parent.args : "checkhealth") or
      (process.command_line : (
        "grep ESET Command-line scanner, version %s -A2",
@@ -121,22 +121,20 @@ process.name : "grep" and user.id != "0" and
     )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1518"
 name = "Software Discovery"
 reference = "https://attack.mitre.org/techniques/T1518/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1518.001"
 name = "Security Software Discovery"
 reference = "https://attack.mitre.org/techniques/T1518/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-

rules/cross-platform/execution_python_script_in_cmdline.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Suspicious JAVA Child Process"
+name = "Deprecated - Suspicious JAVA Child Process"
 note = """## Triage and analysis
 
 ### Investigating Suspicious Java Child Process
@@ -85,20 +85,19 @@ event.category:process and event.type:("start" or "process_started") and process
 )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
 
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -107,8 +106,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.command_line"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-