[Rule Tuning] Misc. DR Rule Tuning (#3904)

* [Rule Tuning] Misc. DR Rule Tuning

* Update execution_unknown_rwx_mem_region_binary_executed.toml

* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml

* I love KQL validation

Author: Aegrah

…al_linux_ransomware_file_encryption.toml …al_linux_ransomware_file_encryption.tomlrules/linux/impact_potential_linux_ransomware_file_encryption.toml renamed to rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml rules/linux/impact_potential_linux_ransomware_file_encryption.toml renamed to rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml

@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/03/20"
+deprecation_date = "2024/07/18"
 integration = ["endpoint"]
-maturity = "production"
-updated_date = "2024/05/21"
+maturity = "deprecated"
+updated_date = "2024/07/18"
 
 [rule]
 author = ["Elastic"]

rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2024/05/24"
+updated_date = "2024/07/18"
 
 [transform]
 [[transform.osquery]]
@@ -181,46 +181,44 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and 
+host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and
 process.executable:(
-  (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or 
-   /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/* or
-   /var/log/*
-  ) and not (/tmp/newroot/* or /tmp/snap.rootfs*)
- ) and 
-source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and 
+  (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or
+  /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/lib/update-notifier/* or /var/log/* or /var/tmp/*
+) and
+not (/tmp/newroot/* or /tmp/snap.rootfs*) and
+not /etc/cron.hourly/BitdefenderRedline) and
+source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and
 not process.name:(
- apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or
- saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform*
-) and 
+  apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or kited or node
+  or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or php* or pip* or python*
+  or steam* or terraform*
+) and
 not destination.ip:(
-   10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or 
-   192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or 
-   192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or 
-   198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" or 0.0.0.0
+  0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or
+  192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or 192.168.0.0/16 or
+  192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or 198.51.100.0/24 or 203.0.113.0/24
+  or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8"
 )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
 
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.executable"]
+value = ["process.executable"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
-
-
+value = "now-20d"

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/06/03"
+updated_date = "2024/07/18"
 
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,9 @@ file.Ext.original.path : (
     "/usr/bin/update-alternatives", "/bin/update-alternatives", "/usr/sbin/update-alternatives",
     "/sbin/update-alternatives", "/usr/bin/pip3", "/bin/pip3", "/usr/local/bin/pip3", "/usr/local/bin/node",
     "/bin/node", "/usr/bin/node", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/pip", "/bin/pip",
-    "/usr/local/bin/pip"
+    "/usr/local/bin/pip", "/usr/libexec/platform-python", "/usr/bin/platform-python", "/bin/platform-python",
+    "/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/sbin/sshd", "/usr/local/sbin/sshd", "/usr/sbin/crond", "/sbin/crond",
+    "/usr/local/sbin/crond", "/usr/sbin/gdm", 
   ) or
   file.Ext.original.path : (
     "/bin/*.tmp", "/usr/bin/*.tmp", "/usr/local/bin/*.tmp", "/sbin/*.tmp", "/usr/sbin/*.tmp", "/usr/local/sbin/*.tmp"

rules/linux/execution_suspicious_executable_running_system_commands.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/18"
 
 [rule]
 author = ["Elastic"]
@@ -58,41 +58,47 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and 
+host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and
 process.executable:(
-  /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or
-  /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or 
-  /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*) 
-  and process.args:(whoami or id or hostname or uptime or top or ifconfig or netstat or route or ps or pwd or ls) and 
-  not process.name:(sudo or which or whoami or id or hostname or uptime or top or netstat or ps or pwd or ls or apt or 
-  dpkg or yum or rpm or dnf or dockerd or docker or snapd or snap) and
-  not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*)
+  (/etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or
+  /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or
+  /usr/share/* or /var/tmp/*) and not /tmp/go-build*
+) and
+process.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and
+not process.name:(
+  apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or snapd
+  or sudo or top or uptime or which or whoami or yum
+) and
+not process.parent.executable:(
+  /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or
+  /opt/puppetlabs/puppet/bin/puppet or /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or
+  /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or /etc/network/* or /opt/Elastic/* or
+  /run/k3s/* or /tmp/newroot/* or /usr/bin/*
+)
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "user.id", "process.executable"]
+value = ["process.parent.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/03/13"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/18"
 
 [rule]
 author = ["Elastic"]
@@ -50,33 +50,36 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7
+event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 and not (
+  process.executable:(
+    "/usr/share/kibana/node/bin/node" or "/usr/share/elasticsearch/jdk/bin/java" or "/usr/sbin/apache2"
+  ) or
+  process.name:httpd
+)
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.executable"]
+value = ["process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
-
-

rules/linux/impact_potential_linux_ransomware_note_detected.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/03/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/18"
 
 [rule]
 author = ["Elastic"]
@@ -54,18 +54,17 @@ tags = [
     "Data Source: Elastic Defend",
 ]
 type = "eql"
-
 query = '''
 sequence by process.entity_id, host.id with maxspan=1s 
   [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" 
-   and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and
+   and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*") and
    file.path : (
      "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", "/var/log/*", "/var/lib/log/*",
      "/var/backup/*", "/var/www/*") and
    not process.name : (
      "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
      "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
-     "systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader"
+     "systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader", "rustup-init"
     )
   ] with runs=25
   [file where host.os.type == "linux" and event.action == "creation" and file.name : (
@@ -74,17 +73,15 @@ sequence by process.entity_id, host.id with maxspan=1s
   ]
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1486"
 name = "Data Encrypted for Impact"
 reference = "https://attack.mitre.org/techniques/T1486/"
 
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-

rules/linux/persistence_apt_package_manager_netcon.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/09"
+updated_date = "2024/07/18"
 
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,15 @@ sequence by host.id with maxspan=5s
      "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"
     )
   ] by process.entity_id
-  [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start"
+  [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and not (
+     destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
+     destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
+     "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+     "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+     "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+     "FF00::/8", "172.31.0.0/16"
+     )
+   ) and not process.executable == "/usr/bin/apt-listbugs"
   ] by process.parent.entity_id
 '''
 

rules/linux/persistence_cron_job_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/31"
+updated_date = "2024/07/18"
 
 [transform]
 [[transform.osquery]]
@@ -190,13 +190,18 @@ event.action in ("rename", "creation") and file.path : (
     "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
     "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
     "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*",  "/usr/bin/pamac-daemon",
-    "/bin/pamac-daemon", "/usr/local/bin/dockerd"
+    "/bin/pamac-daemon", "/usr/local/bin/dockerd", "/opt/elasticbeanstalk/bin/platform-engine",
+    "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/opt/imunify360/venv/bin/python3",
+    "/opt/eset/efs/lib/utild", "/usr/sbin/anacron", "/usr/bin/podman", "/kaniko/kaniko-executor"
   ) or
   file.path : "/var/spool/cron/crontabs/tmp.*" or
   file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
   file.Ext.original.extension == "dpkg-new" or
-  process.executable : ("/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*") or
+  process.executable : (
+    "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/libexec/platform-python*"
+  ) or
   process.executable == null or
+  process.name in ("crontab", "crond", "executor", "puppet", "droplet-agent.postinst", "cf-agent") or
   (process.name == "sed" and file.name : "sed*") or
   (process.name == "perl" and file.name : "e2scrub_all.tmp*") 
 )

rules/linux/persistence_kde_autostart_modification.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/01/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/18"
 
 [transform]
 [[transform.osquery]]
@@ -221,7 +221,7 @@ file where host.os.type == "linux" and event.type != "deletion" and
       "/etc/xdg/autostart/*", "/usr/share/autostart/*"
     ) and
     not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd", 
-    "rpm", "pacman", "podman", "nautilus", "remmina", "cinnamon-settings.py")
+    "rpm", "pacman", "podman", "nautilus", "remmina", "cinnamon-settings.py", "executor")
 '''