[Rule Tuning] Linux DR Tuning - 5

Author: Aegrah

rules/linux/defense_evasion_hidden_directory_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/11/01"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -98,44 +98,44 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "exec_event") and
 process.name == "mkdir" and process.parent.executable like (
   "/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/run/*", "/root/*", "/boot/*", "/var/www/html/*", "/opt/.*"
-) and process.args like (".*", "/*/.*") and process.args_count <= 3 and not (
-  process.parent.executable like ("/tmp/newroot/*", "/run/containerd/*") or
+) and process.args like (".*", "/*/.*") and process.args_count <= 3 and
+not (
   process.command_line like ("mkdir -p .", "mkdir ./*") or
-  process.args == "/root/.ssh" or
+  process.args like ("/root/.ssh", "/home/*/.ssh", "/root/.cache/install4j") or
   process.parent.executable like (
-    "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img", "/tmp/snap.rootfs_*"
-  )
+    "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img", "/tmp/snap.rootfs_*",
+    "/root/.acme.sh/acme.sh", "/tmp/buildpacks/*go/bin/test-compile", "/tmp/newroot/*", "/run/containerd/*"
+  ) or
+  process.parent.name in ("libtool", "jpenable", "configure")
 )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1564"
 name = "Hide Artifacts"
 reference = "https://attack.mitre.org/techniques/T1564/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1564.001"
 name = "Hidden Files and Directories"
 reference = "https://attack.mitre.org/techniques/T1564/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-

rules/linux/defense_evasion_hidden_file_dir_tmp.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/04/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Creation of Hidden Files and Directories via CommandLine"
-risk_score = 47
+risk_score = 21
 rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
 setup = """## Setup
 
@@ -65,7 +65,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 #### Custom Ingest Pipeline
 For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
 """
-severity = "medium"
+severity = "low"
 tags = [
     "Domain: Endpoint",
     "OS: Linux",
@@ -80,9 +80,10 @@ query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
 process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
-not process.name in (
-  "ls", "find", "grep", "git", "jq", "basename", "check_snmp", "snmpget", "snmpwalk", "cc1plus", "snap",
-  "command-not-found", "sqlite", "apk", "fgrep", "locate", "objdump"
+process.name like (
+  "touch", "tee", "cp", "mv", "install", "dd", "vi", "vim", "nano", "truncate", "sed", "awk", "curl", "wget",
+  "ftp", "scp", "rsync", "sftp", "tar", "unzip", "gunzip", "7z", "bzip2", "xz", "python*", "php*", "perl*",
+  "ruby*", "node*", "java", "printf", "echo", "cat", ".*"
 )
 '''
 note = """## Triage and analysis

rules/linux/defense_evasion_hidden_shared_object.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/07/20"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -106,28 +106,26 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and
-not process.name in ("dockerd", "azcopy", "podman")
+file where host.os.type == "linux" and event.type == "creation" and
+(file.extension:"so" or file.name:*.so.*) and file.name : ".*.so" and
+not process.name in ("dockerd", "azcopy", "podman", "opencode") and not file.name like "._*"
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1564"
 name = "Hide Artifacts"
 reference = "https://attack.mitre.org/techniques/T1564/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1564.001"
 name = "Hidden Files and Directories"
 reference = "https://attack.mitre.org/techniques/T1564/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-

rules/linux/defense_evasion_interactive_shell_from_system_user.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/24"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,8 @@ index = ["logs-endpoint.events.process*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unusual Interactive Shell Launched from System User"
-risk_score = 21
+references = ["https://www.elastic.co/security-labs/continuation-on-persistence-mechanisms"]
+risk_score = 47
 rule_id = "9c5b2382-19d2-4b5d-8f14-9e1631a3acdb"
 setup = """## Setup
 
@@ -44,15 +45,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
         "Domain: Endpoint",
         "OS: Linux",
         "Use Case: Threat Detection",
         "Tactic: Defense Evasion",
         "Data Source: Elastic Defend",
         "Resources: Investigation Guide"
-        ]
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -65,11 +66,22 @@ event.category:process and host.os.type:linux and event.type:start and event.act
   process.parent.name:(
     apt-key or apt-config or gpgv or gpgconf or man-db.postinst or sendmail or rpm or nullmailer-inject
   ) or
-  process.args:(/etc/apt/trusted.gpg.d/* or /tmp/apt-key-gpg*) or
+  process.args:(/etc/apt/trusted.gpg.d/* or /tmp/apt-key-gpg* or "/usr/bin/dnf") or
   process.name:(awk or apt-config or dpkg or grep or gpgv or sed) or
   (user.name:_apt and process.name:(sqv or apt-key or gpgconf or sort or mktemp or find or cmp or gpg-connect-agent)) or
   (user.name:man and process.name:mandb) or
-  (user.name:daemon and process.name:at)
+  (user.name:daemon and process.name:at) or
+  process.parent.args:("/usr/bin/apt-key" or "/var/lib/dpkg/info/man-db.postinst") or
+  process.parent.executable:(
+    "/usr/lib/polkit-1/polkitd" or "./runc" or "/usr/bin/apt-get" or "/opt/gitlab/embedded/bin/bundle" or "/run/podman-init" or
+    /tmp/newroot/* or /var/lib/docker/overlay2/* or /usr/libexec/platform-python*
+  ) or
+  process.parent.command_line:"runc init" or
+  process.executable:(
+    "/opt/gitlab/embedded/bin/bundle" or "/usr/bin/env" or "/usr/bin/readlink" or "/usr/bin/date" or "/usr/bin/dircolors" or
+    "/usr/sbin/sendmail" or "/usr/bin/atrm" or "/usr/bin/atq" or "/run/podman-init" or "/usr/bin/basename" or "/usr/bin/locale" or
+    "/usr/bin/tr"
+  )
 )
 '''
 note = """## Triage and analysis
@@ -108,6 +120,7 @@ In Linux environments, system users are typically non-interactive and serve spec
 - Implement stricter access controls and monitoring for system user accounts to prevent unauthorized interactive shell launches in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Update detection mechanisms and rules to enhance monitoring for similar threats, ensuring that any future attempts are quickly identified and addressed."""
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
@@ -132,4 +145,4 @@ value = ["process.executable"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-5d"

rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -52,7 +52,7 @@ Base64 encoding is a method to encode binary data into ASCII text, often used fo
 - Implement enhanced monitoring and logging for base64 decoding activities and interpreter executions to detect similar threats in the future.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if broader organizational impacts exist.
 """
-risk_score = 47
+risk_score = 73
 rule_id = "5bdad1d5-5001-4a13-ae99-fa8619500f1a"
 setup = """## Setup
 
@@ -79,7 +79,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "medium"
+severity = "high"
 tags = [
   "Domain: Endpoint",
   "OS: Linux",
@@ -106,9 +106,18 @@ sequence by host.id, process.parent.entity_id with maxspan=3s
   )]
  [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.name like~ (
     "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl*", "ruby*", "lua*", "php*"
- )]
+  ) and
+  not (
+    ?process.parent.command_line in ("bash ./run_tests.sh unit-integration", "/bin/sh /var/lib/dpkg/info/nmap-common.postinst configure") or
+    process.command_line == "/usr/bin/perl /usr/bin/shasum -a 256" or
+    ?process.working_directory like (
+      "/usr/local/zeek", "/opt/zeek", "/var/lib/docker/overlay2/*/opt/zeek", "/usr/local/zeek_old_install",
+      "/var/lib/docker/overlay2/*/usr/local/zeek", "/proc/self/fd/*/usr/local/zeek"
+    ) or
+    (?process.parent.name == "zsh" and ?process.parent.command_line like "*extendedglob*") or
+    (process.name like "python*" and ?process.parent.name == "python*")
+  )]
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 

rules/linux/defense_evasion_journalctl_clear_logs.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/10/01"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/10/06"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -55,7 +55,7 @@ This detection flags attempts to purge systemd journal logs by invoking journalc
 - Preserve evidence by archiving remaining /var/log/journal entries, journald.conf and its mtime, modified unit files under /etc/systemd/system, and shell/auth logs, and capture a disk snapshot before making further changes.
 - Escalate to incident response if root executed "journalctl --vacuum-time/size/files" outside a documented maintenance window, if Storage=volatile was set or retention reduced below policy, or if the same actor performed vacuums on multiple hosts within 24 hours.
 """
-risk_score = 21
+risk_score = 47
 rule_id = "09073bf4-a8ea-4bce-9fd5-2bb56b4d31f4"
 setup = """## Setup
 
@@ -82,7 +82,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Linux",
@@ -100,7 +100,8 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
-process.name == "journalctl" and process.args like ("--vacuum-time=*", "--vacuum-size=*", "--vacuum-files=*")
+process.name == "journalctl" and process.args like ("--vacuum-time=*", "--vacuum-size=*", "--vacuum-files=*") and
+not process.parent.args == "/etc/cron.daily/clean-journal-logs"
 '''
 
 [[rule.threat]]