[Rule Tuning] Tuning 'Unusual Instance Metadata Service (IMDS) API Request' (#4169)

terrancedejesus · Aegrah · web-flow · commit d0225c37dfbc · 2024-10-18T11:50:57.000-04:00
* tuning 'Unusual Instance Metadata Service (IMDS) API Request'

* added missing bracket

* linted

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

* removed intelephense whitelisting

---------

Co-authored-by: Ruben Groenewoud &lt;78494512+Aegrah@users.noreply.github.com&gt;
diff --git a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
@@ -2,16 +2,15 @@
 creation_date = "2024/08/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/28"
+updated_date = "2024/10/17"
 
 [rule]
 author = ["Elastic"]
 description = """
 This rule identifies potentially malicious processes attempting to access the cloud service provider's instance metadata
-service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as
-instance ID, public IP address, and even temporary security credentials if role's are assumed by that instance. The rule
-monitors for various tools and scripts like curl, wget, python, and perl that might be used to interact with the
-metadata API.
+service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as instance ID,
+public IP address, and even temporary security credentials if role's are assumed by that instance. The rule monitors for
+various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -42,14 +41,26 @@ sequence by host.id,  process.parent.entity_id with maxspan=1s
       "/etc/cron*", "/etc/update-motd.d/*", "/boot/*", "/srv/*", "/run/*", "/etc/rc.local"
     ) or
     process.command_line: "*169.254.169.254*" and
-    not process.working_directory: (
-      "/opt/rapid7*",
-      "/opt/nessus*",
-      "/snap/amazon-ssm-agent*",
-      "/srv/snp/docker/overlay2*",
-      "/var/log/amazon/ssm*"
-    )]
-[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip == "169.254.169.254"]
+    not (process.working_directory: (
+          "/opt/rapid7*",
+          "/opt/nessus*",
+          "/snap/amazon-ssm-agent*",
+          "/var/snap/amazon-ssm-agent/*",
+          "/var/log/amazon/ssm/*",
+          "/srv/snp/docker/overlay2*",
+          "/opt/nessus_agent/var/nessus/*") or
+        process.executable: (
+          "/opt/rumble/bin/rumble-agent*",
+          "/opt/aws/inspector/bin/inspectorssmplugin") or
+        process.parent.executable: (
+          "/usr/bin/setup-policy-routes",
+          "/usr/share/ec2-instance-connect/*",
+          "/var/lib/amazon/ssm/*")
+        )
+]
+[network where host.os.type == "linux"
+  and event.action == "connection_attempted"
+  and destination.ip == "169.254.169.254"]
 '''
 
 
