Merge branch 'main' into terrancedejesus/issue5216

terrancedejesus · web-flow · commit d19232b41734 · 2025-10-17T09:55:10.000-04:00
diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml b/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/03"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/10/06"
 
 [rule]
 author = ["Elastic"]
@@ -18,10 +18,10 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Suspicious Entra ID OAuth User Impersonation Scope Detected"
+name = "Entra ID OAuth user_impersonation Scope for Unusual User and Client"
 note = """## Triage and Analysis
 
-### Investigating Suspicious Entra ID OAuth User Impersonation Scope Detected
+### Investigating Entra ID OAuth user_impersonation Scope for Unusual User and Client
 
 Identifies rare occurrences of OAuth workflow for a user principal that is single factor authenticated, with an OAuth scope containing `user_impersonation`, and a token issuer type of `AzureAD`. This rule is designed to detect suspicious
 OAuth user impersonation attempts in Microsoft Entra ID, particularly those involving the `user_impersonation` scope, which is often used by adversaries to gain unauthorized access to user accounts. The rule focuses on sign-in events where
@@ -82,9 +82,42 @@ event.dataset: azure.signinlogs and
     azure.signinlogs.properties.token_issuer_type: "AzureAD" and
     azure.signinlogs.properties.token_protection_status_details.sign_in_session_status: "unbound" and
     azure.signinlogs.properties.user_type: "Member" and
+    azure.signinlogs.properties.conditional_access_status: "notApplied" and
+    not user_agent.original: Mozilla*PKeyAuth/1.0 and
+    not azure.signinlogs.properties.device_detail.operating_system: (Ios* or Android*) and
     event.outcome: "success"
+    and not azure.signinlogs.properties.app_id: (
+        "a5f63c0-b750-4f38-a71c-4fc0d58b89e2" or
+        "6bc3b958-689b-49f5-9006-36d165f30e00" or
+        "66a88757-258c-4c72-893c-3e8bed4d6899" or
+        "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe" or
+        "0000000c-0000-0000-c000-000000000000"
+    )
 '''
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "azure.correlation_id",
+    "azure.signinlogs.category",
+    "azure.signinlogs.identity",
+    "azure.signinlogs.properties.app_display_name",
+    "azure.signinlogs.properties.app_id",
+    "azure.signinlogs.properties.app_owner_tenant_id",
+    "azure.signinlogs.properties.authentication_requirement",
+    "azure.signinlogs.properties.client_credential_type",
+    "azure.signinlogs.properties.conditional_access_status",
+    "azure.signinlogs.properties.device_detail.operating_system",
+    "azure.signinlogs.properties.is_interactive",
+    "azure.signinlogs.properties.session_id",
+    "azure.signinlogs.properties.user_principal_name",
+    "azure.signinlogs.properties.user_type",
+    "azure.signinlogs.result_signature",
+    "azure.tenant_id",
+    "source.address",
+    "user.id"
+]
+
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml b/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/01"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/01"
+updated_date = "2025/10/15"
 
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ This rule highlights sudo invoked with the chroot (-R/--chroot) option outside n
 - Extract the chroot target path from the event and enumerate its etc and lib directories for attacker-seeded NSS artifacts (nsswitch.conf, libnss_*, ld.so.preload) and fake passwd/group files, noting recent mtime, ownership, and world-writable files.
 - Pivot to file-creation and modification telemetry to identify processes and users that populated that path shortly before execution (e.g., curl, wget, tar, git, gcc), linking them to the invoking user to establish intent.
 - Review session and process details to see if a shell or interpreter was launched inside the chroot and whether an euid transition to 0 occurred, indicating a successful privilege escalation.
-- Confirm sudo’s package version and build options and the user’s sudoers policy (secure_path/env_* settings and any NOPASSWD allowances) to assess exploitability and whether chroot usage was authorized.
+- Confirm sudo's package version and build options and the user’s sudoers policy (secure_path/env_* settings and any NOPASSWD allowances) to assess exploitability and whether chroot usage was authorized.
 - Collect and preserve the chroot directory contents and relevant audit/log artifacts, and scope by searching for similar chroot invocations or NSS file seeds across the host and fleet.
 
 ### False positive analysis
@@ -105,7 +105,7 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "executed", "process_started", "ProcessRollup2") and
-process.name == "sudo" and process.args in ("-R", "--chroot") and
+process.name == "sudo" and process.args like ("-R", "--chroot*") and
 // To enforce the -R and --chroot arguments to be for sudo specifically, while wildcarding potential full sudo paths
 process.command_line like ("*sudo -R*", "*sudo --chroot*") 
 '''
