Merge branch 'main' into 4891-fr-dac-add-arbitrary-file-location-support-for-local-creation-date

eric-forte-elastic · web-flow · commit 56767c675d99 · 2025-07-16T22:53:33.000-04:00
diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/07/14"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ advantage of these configurations to execute commands as other users or spawn pr
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Sudoers File Modification"
 references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
@@ -29,12 +29,13 @@ tags = [
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "new_terms"
-
+type = "eql"
 query = '''
-event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and
-not process.name:(dpkg or platform-python or puppet or yum or dnf) and
-not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)
+file where host.os.type in ("linux", "macos") and event.type in ("creation", "change") and
+file.path like ("/etc/sudoers*", "/private/etc/sudoers*") and not (
+  process.name in ("dpkg", "platform-python", "puppet", "yum", "dnf") or
+  process.executable in ("/opt/chef/embedded/bin/ruby", "/opt/puppetlabs/puppet/bin/ruby", "/usr/bin/dockerd")
+)
 '''
 note = """## Triage and analysis
 
@@ -71,30 +72,20 @@ The sudoers file is crucial in Unix-like systems, defining user permissions for
 - Implement additional monitoring on the affected system and similar systems to detect any further attempts to modify the sudoers file or other privilege escalation activities.
 - Review and update security policies and configurations to prevent similar incidents, ensuring that only authorized processes can modify the sudoers file."""
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1548.003"
 name = "Sudo and Sudo Caching"
 reference = "https://attack.mitre.org/techniques/T1548/003/"
 
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "process.executable", "file.path"]
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-7d"
-
-
diff --git a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml
@@ -2,20 +2,19 @@
 creation_date = "2025/04/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/04/16"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects use of sensitive AWS STS or IAM API operations using temporary credentials (session tokens starting with 'ASIA').
-This may indicate credential theft or abuse of elevated access via a stolen session. It is not common for legitimate users to perform sensitive IAM operations with temporary session tokens.
+Detects use of sensitive AWS IAM API operations using temporary credentials (session tokens starting with 'ASIA'). This may indicate credential theft or abuse of elevated access via a stolen session. It is not common for legitimate users to perform sensitive IAM operations with temporary session tokens.
 """
 false_positives = [
     """
     Some CI/CD pipelines or administrative users may use session tokens. Review user context, IP, and timing to validate.
     """,
 ]
-from = "now-9m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -29,15 +28,15 @@ This rule detects sensitive IAM API operations performed using temporary AWS cre
 
 #### Possible investigation steps:
 
-- Review aws.cloudtrail.user_identity.arn to determine which IAM user or assumed role initiated the request.
-- Check aws.cloudtrail.user_identity.access_key_id to confirm if the credential starts with 'ASIA', indicating a temporary session token.
-- Examine aws.cloudtrail.user_identity.session_context.mfa_authenticated to verify whether MFA was present during session creation.
-- Investigate source.ip to assess whether the request originated from a known network, office IP, or corporate VPN.
-- Look at user_agent.original to determine if the API call came from a known CLI version or unexpected tool (e.g., unknown SDK, custom script).
+- Review `aws.cloudtrail.user_identity.arn` to determine which IAM user or assumed role initiated the request.
+- Check `aws.cloudtrail.user_identity.access_key_id` to confirm if the credential starts with 'ASIA', indicating a temporary session token.
+- Examine `aws.cloudtrail.user_identity.session_context.mfa_authenticated` to verify whether MFA was present during session creation.
+- Investigate `source.ip` to assess whether the request originated from a known network, office IP, or corporate VPN.
+- Look at `user_agent.original` to determine if the API call came from a known CLI version or unexpected tool (e.g., unknown SDK, custom script).
 - Confirm whether a recent sts:GetSessionToken, sts:AssumeRole, or AWS SSO login event issued the temporary credential.
 - Correlate other events using the same access key ID to identify additional privileged actions, such as iam:CreateAccessKey, iam:PutUserPolicy, or iam:EnableMFADevice.
 - Analyze timing via @timestamp to determine if the action occurred during off-hours or deviates from normal user behavior.
-- Review the event.outcome to check if the API call was successful or failed, which may indicate unauthorized access attempts.
+- Review the `event.outcome` to check if the API call was successful or failed, which may indicate unauthorized access attempts.
 - Check for related events in the same session, such as iam:CreateUser, iam:AttachUserPolicy, or sts:GetCallerIdentity, to identify potential lateral movement or privilege escalation.
 
 ### False positive analysis:
@@ -77,10 +76,27 @@ type = "new_terms"
 query = '''
 event.dataset: aws.cloudtrail
     and event.provider: ("iam.amazonaws.com")
+    and event.outcome: "success"
     and aws.cloudtrail.user_identity.type: "IAMUser"
     and aws.cloudtrail.user_identity.access_key_id: ASIA*
 '''
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters"
+]
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
