Merge pull request #3246 from splunk/xorddos

xorddos

Author: patel-bhavin

detections/endpoint/linux_add_files_in_known_crontab_directories.yml

@@ -1,16 +1,30 @@
 name: Linux Add Files In Known Crontab Directories
 id: 023f3452-5f27-11ec-bf00-acde48001122
-version: 3
-date: '2024-09-30'
+version: '4'
+date: '2024-12-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects unauthorized file creation in known crontab directories on Unix-based systems. It leverages filesystem data to identify new files in directories such as /etc/cron* and /var/spool/cron/*. This activity is significant as it may indicate an attempt by threat actors or malware to establish persistence on a compromised host. If confirmed malicious, this could allow attackers to execute arbitrary code at scheduled intervals, potentially leading to further system compromise and unauthorized access to sensitive information.
+description: The following analytic detects unauthorized file creation in known crontab
+  directories on Unix-based systems. It leverages filesystem data to identify new
+  files in directories such as /etc/cron* and /var/spool/cron/*. This activity is
+  significant as it may indicate an attempt by threat actors or malware to establish
+  persistence on a compromised host. If confirmed malicious, this could allow attackers
+  to execute arbitrary code at scheduled intervals, potentially leading to further
+  system compromise and unauthorized access to sensitive information.
 data_source:
 - Sysmon for Linux EventID 11
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/cron*", "*/var/spool/cron/*") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_add_files_in_known_crontab_directories_filter`'
-how_to_implement: To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
-known_false_positives: Administrator or network operator can create file in crontab folders for automation purposes. Please update the filter macros to remove false positives.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/cron*",
+  "*/var/spool/cron/*") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name
+  Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)`
+  | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_add_files_in_known_crontab_directories_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the file name, file path, and process_guid executions from your endpoints.
+  If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
+known_false_positives: Administrator or network operator can create file in crontab
+  folders for automation purposes. Please update the filter macros to remove false
+  positives.
 references:
 - https://www.sandflysecurity.com/blog/detecting-cronrat-malware-on-linux-instantly/
 - https://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/
@@ -20,15 +34,21 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 tags:
   analytic_story:
-  - Linux Privilege Escalation
-  - Linux Persistence Techniques
+  - XorDDos
   - Linux Living Off The Land
+  - Linux Privilege Escalation
   - Scheduled Tasks
+  - Linux Persistence Techniques
   asset_type: Endpoint
   confidence: 50
   impact: 50

detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml

@@ -1,16 +1,37 @@
 name: Linux Auditd File Permission Modification Via Chmod
 id: 5f1d2ea7-eec0-4790-8b24-6875312ad492
-version: 3
-date: '2024-12-02'
-author: Teoderick Contreras, Splunk, Ivar Nygård
+version: '4'
+date: '2024-12-17'
+author: "Teoderick Contreras, Splunk, Ivar Nyg\xE5rd"
 status: production
 type: Anomaly
-description: The following analytic detects suspicious file permission modifications using the `chmod` command, which may indicate an attacker attempting to alter access controls on critical files or directories. Such modifications can be used to grant unauthorized users elevated privileges or to conceal malicious activities by restricting legitimate access. By monitoring for unusual or unauthorized `chmod` usage, this analytic helps identify potential security breaches, allowing security teams to respond promptly to prevent privilege escalation, data tampering, or other unauthorized actions on the system.
+description: The following analytic detects suspicious file permission modifications
+  using the `chmod` command, which may indicate an attacker attempting to alter access
+  controls on critical files or directories. Such modifications can be used to grant
+  unauthorized users elevated privileges or to conceal malicious activities by restricting
+  legitimate access. By monitoring for unusual or unauthorized `chmod` usage, this
+  analytic helps identify potential security breaches, allowing security teams to
+  respond promptly to prevent privilege escalation, data tampering, or other unauthorized
+  actions on the system.
 data_source:
 - Linux Auditd Proctitle
-search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest  | where LIKE(process_exec, "%chmod%") AND (LIKE(process_exec, "% 777 %") OR LIKE(process_exec, "% 755 %") OR LIKE(process_exec, "%+%x%") OR LIKE(process_exec, "% 754 %") OR LIKE(process_exec, "% 700 %")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_permission_modification_via_chmod_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names  to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host
+  as dest  | where LIKE(process_exec, "%chmod%") AND (LIKE(process_exec, "% 777 %")
+  OR LIKE(process_exec, "% 755 %") OR LIKE(process_exec, "%+%x%") OR LIKE(process_exec,
+  "% 754 %") OR LIKE(process_exec, "% 700 %")) | stats count min(_time) as firstTime
+  max(_time) as lastTime by process_exec proctitle dest | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`| `linux_auditd_file_permission_modification_via_chmod_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+  data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+  executions and process details on Unix/Linux systems. These logs should be ingested
+  and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+  which is essential for correctly parsing and categorizing the data. The next step
+  involves normalizing the field names  to match the field names set by the Splunk
+  Common Information Model (CIM) to ensure consistency across different data sources
+  and enhance the efficiency of data modeling. This approach enables effective monitoring
+  and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can use this application
+  for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
 drilldown_searches:
@@ -19,19 +40,26 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 tags:
   analytic_story:
+  - XorDDos
   - Linux Living Off The Land
+  - Compromised Linux Host
   - Linux Privilege Escalation
   - Linux Persistence Techniques
-  - Compromised Linux Host
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: A [$process_exec$] event occurred on host - [$dest$] to modify file permissions using the "chmod" command.
+  message: A [$process_exec$] event occurred on host - [$dest$] to modify file permissions
+    using the "chmod" command.
   mitre_attack_id:
   - T1222.002
   - T1222

detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml

@@ -1,16 +1,34 @@
 name: Linux Auditd Insert Kernel Module Using Insmod Utility
 id: bc0ca53f-dea6-4906-9b12-09c396fdf1d3
-version: 2
-date: '2024-09-30'
+version: '3'
+date: '2024-12-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects the insertion of a Linux kernel module using the insmod utility. It leverages data from Linux Auditd, focusing on process execution logs that include process names and command-line details. This activity is significant as it may indicate the installation of a rootkit or malicious kernel module, potentially allowing an attacker to gain elevated privileges and bypass security detections. If confirmed malicious, this could lead to unauthorized code execution, persistent access, and severe compromise of the affected system.
+description: The following analytic detects the insertion of a Linux kernel module
+  using the insmod utility. It leverages data from Linux Auditd, focusing on process
+  execution logs that include process names and command-line details. This activity
+  is significant as it may indicate the installation of a rootkit or malicious kernel
+  module, potentially allowing an attacker to gain elevated privileges and bypass
+  security detections. If confirmed malicious, this could lead to unauthorized code
+  execution, persistent access, and severe compromise of the affected system.
 data_source:
 - Linux Auditd Syscall
-search: '`linux_auditd` type=SYSCALL comm=insmod | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL UID ppid pid success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_insert_kernel_module_using_insmod_utility_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names  to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
+search: '`linux_auditd` type=SYSCALL comm=insmod | rename host as dest | stats count
+  min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL UID ppid pid
+  success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
+  `linux_auditd_insert_kernel_module_using_insmod_utility_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+  data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+  executions and process details on Unix/Linux systems. These logs should be ingested
+  and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+  which is essential for correctly parsing and categorizing the data. The next step
+  involves normalizing the field names  to match the field names set by the Splunk
+  Common Information Model (CIM) to ensure consistency across different data sources
+  and enhance the efficiency of data modeling. This approach enables effective monitoring
+  and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can execute this command.
+  Please update the filter macros to remove false positives.
 references:
 - https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/
 - https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup
@@ -21,19 +39,26 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 tags:
   analytic_story:
-  - Linux Privilege Escalation
+  - XorDDos
   - Linux Rootkit
-  - Linux Persistence Techniques
   - Compromised Linux Host
+  - Linux Privilege Escalation
+  - Linux Persistence Techniques
   asset_type: Endpoint
   confidence: 80
   impact: 80
-  message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to insert a Linux kernel module using the insmod utility.
+  message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to insert a
+    Linux kernel module using the insmod utility.
   mitre_attack_id:
   - T1547.006
   - T1547