diff --git a/rules/linux/credential_access_aws_creds_search_inside_container.toml b/rules/linux/credential_access_aws_creds_search_inside_container.toml index a7cb2b14a59..77439cd442d 100644 --- a/rules/linux/credential_access_aws_creds_search_inside_container.toml +++ b/rules/linux/credential_access_aws_creds_search_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/12" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ language = "eql" license = "Elastic License v2" name = "AWS Credentials Searched For Inside A Container" references = ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"] -risk_score = 47 +risk_score = 73 rule_id = "5749282b-7524-4c9d-af9a-e2b3e814e5d4" setup = """## Setup @@ -45,7 +45,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "high" tags = [ "Domain: Container", "OS: Linux", @@ -59,7 +59,7 @@ type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.entry_leader.entry_meta.type == "container" and -process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate") and +process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate", "cat", "sed", "awk") and process.command_line like~ ( "*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*" 
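Review bot: Adding `cat`, `sed` and `awk` to `process.name` while the command-line list still carries the bare `"*access_key*"` pattern widens this rule to routine container start-up work — `sed`/`awk` templating of config files or `cat` of an env file that merely mentions `access_key` — in the same change that moves it from medium/47 to high/73. Consider limiting the three new names to the credential-file patterns (`"*.aws/credentials*"`, `"*aws_secret_access_key*"`) or adding entry-point exclusions before shipping at the higher severity, since every new match now pages at high. The `like~ (` list and the `query` string continue past the last hunk line.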
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml index 8c21bac366e..4cb60f589c1 100644 --- a/rules/linux/credential_access_collection_sensitive_files.toml +++ b/rules/linux/credential_access_collection_sensitive_files.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/12/22" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -11,7 +11,13 @@ Identifies the use of a compression utility to collect known files containing se and system configurations. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] language = "kuery" license = "Elastic License v2" name = "Sensitive Files Compression" @@ -68,15 +74,17 @@ tags = [ "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Data Source: Auditd Manager", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' event.category:process and host.os.type:linux and event.type:start and - process.name:(zip or tar or gzip or hdiutil or 7z) and - process.args: +event.action:("exec" or "exec_event" or "start" or "executed" or "process_started") and +process.name:(zip or tar or gzip or hdiutil or 7z) and +process.args: ( /root/.ssh/id_rsa or /root/.ssh/id_rsa.pub or 
@@ -142,37 +150,37 @@ Compression utilities like zip, tar, and gzip are essential for efficiently mana - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for compression utilities and sensitive file access to detect and respond to similar threats more effectively in the future.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.001" name = "Credentials In Files" reference = "https://attack.mitre.org/techniques/T1552/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" + [[rule.threat.technique.subtechnique]] id = "T1560.001" name = "Archive via Utility" reference = "https://attack.mitre.org/techniques/T1560/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" @@ -180,9 +188,8 @@ reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.command_line", "process.parent.executable"] +value = ["agent.id", "process.command_line", "process.parent.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-10d" - - +value = "now-5d" diff --git a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml index 8903e78c926..417321d89b0 100644 --- a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml 
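Review bot: Shrinking `history_window_start` from `now-10d` to `now-5d` while switching the new-terms key from `host.id` to `agent.id` makes legitimate periodic archiving more likely to re-alert: a weekly backup that tars `/root/.ssh/id_rsa` falls outside a 5-day window on every run, and an agent reinstall gives the same host a fresh `agent.id` with no history. If the intent is the first observed combination per host, keeping `host.id` and a window at least as long as the longest expected legitimate cadence (the previous `now-10d`) is the safer choice. If `agent.id` is required because `host.id` is missing for one of the newly added data sources, a one-line comment above `value = ["agent.id", ...]` saying so would spare the next reader the same question.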
+++ b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/12" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Sensitive Files Compression Inside A Container" -risk_score = 47 +risk_score = 73 rule_id = "d9faf1ba-a216-4c29-b8e0-a05a9d14b027" setup = """## Setup @@ -43,7 +43,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "high" tags = [ "Domain: Container", "OS: Linux", diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml index fdbfae8b553..777c602f05e 100644 --- a/rules/linux/credential_access_credential_dumping.toml +++ b/rules/linux/credential_access_credential_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -58,7 +58,7 @@ Unshadow is a utility within the John the Ripper suite, used to merge `/etc/shad - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for similar activities across the network to detect and respond to future credential dumping attempts promptly.""" references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"] -risk_score = 47 +risk_score = 73 rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c" setup = """## Setup @@ -85,7 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", @@ -99,28 +99,25 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.name == "unshadow" and process.args_count >= 3 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - 
diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml index 8108fc8429d..646c05881fc 100644 --- a/rules/linux/credential_access_gdb_init_process_hooking.toml +++ b/rules/linux/credential_access_gdb_init_process_hooking.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2023/08/30" -integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -13,10 +13,12 @@ dumping techniques to attempt secret extraction from privileged processes. Tools """ from = "now-9m" index = [ + "auditbeat-*", "endgame-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", + "logs-auditd_manager.auditd-*", ] language = "eql" license = "Elastic License v2" @@ -56,7 +58,7 @@ In Linux, the init process (PID 1) is the first process started by the kernel an - Escalate the incident to the security operations team for a comprehensive investigation and to determine if further forensic analysis is required. - Update and enhance detection rules and monitoring systems to better identify and alert on similar unauthorized memory access attempts in the future.""" references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"] -risk_score = 47 +risk_score = 73 rule_id = "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f" setup = """## Setup 
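Review bot: `"logs-auditd_manager.auditd-*"` is appended after `"logs-sentinel_one_cloud_funnel.*"`, breaking the alphabetical order the `index` list otherwise keeps (`"auditbeat-*"` was inserted in sorted position in the same hunk). The sibling change in credential_access_manual_memory_dumping.toml places the same pattern sorted, before `"logs-crowdstrike.fdr*"`; move it here to `"logs-auditd_manager.auditd-*",` directly after `"endgame-*",` so the two rules read alike.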
@@ -83,7 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", @@ -93,32 +95,30 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Crowdstrike", "Data Source: SentinelOne", + "Data Source: Auditd Manager", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_gh_auth_via_nodejs.toml b/rules/linux/credential_access_gh_auth_via_nodejs.toml index cb8eb06c211..1ab982a0861 100644 --- a/rules/linux/credential_access_gh_auth_via_nodejs.toml +++ b/rules/linux/credential_access_gh_auth_via_nodejs.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ may use this technique to access GitHub repositories and potentially exfiltrate perform malicious actions. This activity was observed in the wild as part of the Shai-Hulud worm. """ from = "now-9m" -index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"] +index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "GitHub Authentication Token Access via Node.js" @@ -55,13 +55,14 @@ tags = [ "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Defend", - "Resources: Investigation Guide", + "Data Source: Elastic Endgame", "Data Source: Crowdstrike", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.parent.name == "node" and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2", "exec_event") and process.parent.name == "node" and process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "gh auth token" ''' diff --git a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml index 5520c41b400..b4054ccf7f8 100644 --- a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml +++ b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/07" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -107,8 +107,27 @@ process where host.os.type == "linux" and event.type == "start" and event.action "/var/run/secrets/kubernetes.io/serviceaccount", "/secrets/kubernetes.io/serviceaccount" ) and - process.args in ("ca.crt", "token", "namespace") + process.args in ("ca.crt", "token") ) +) and +not ( + process.command_line like "*/bin/test*" or + process.args in ( + "/var/run/secrets/kubernetes.io/serviceaccount/namespace", + "/run/secrets/kubernetes.io/serviceaccount/namespace", + "/secrets/kubernetes.io/serviceaccount/namespace" + ) or + process.command_line == "/usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat /var/run/secrets/kubernetes.io/serviceaccount/token" or + process.parent.command_line == "runc init" or + (process.parent.name == "px-oci-mon" and process.name == "rsync") or + ( + process.parent.command_line == "sh /install-cni.sh" and + process.working_directory like ( + "/opt/cni/bin", "/run/containerd/io.containerd.runtime.v2.task/k8s.io/*/opt/cni/bin" + ) + ) or + (process.working_directory like "/home/runner/_work/*" and process.parent.args like "/home/runner/_work/_temp/*.sh") or + process.working_directory == "/opt/cni/bin" ) ''' diff --git a/rules/linux/credential_access_manual_memory_dumping.toml b/rules/linux/credential_access_manual_memory_dumping.toml index 4e8e11e7af4..d6f5ffe2135 100644 --- a/rules/linux/credential_access_manual_memory_dumping.toml +++ b/rules/linux/credential_access_manual_memory_dumping.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/04/25" -integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/07/07" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
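Review bot: The trailing `process.working_directory == "/opt/cni/bin"` clause subsumes the `/opt/cni/bin` branch of the `sh /install-cni.sh` exclusion a few lines above it, so that more specific parent check never decides anything for that directory; either drop the catch-all or keep only the `/run/containerd/...` pattern in the specific branch. The `/home/runner/_work/*` exclusion also removes visibility of service-account token reads performed by any GitHub Actions job step, which is where third-party actions and post-install scripts execute; if the noise comes from the runner's own setup, anchoring on the parent process (e.g. `process.parent.name`) would be narrower than a working-directory glob. A one-line comment above the `not (` block naming the workloads each exclusion was added for would make future tuning safer. The `query` string opens before this hunk.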
@@ -13,7 +13,9 @@ of a process, potentially extracting sensitive information such as credentials o """ from = "now-9m" index = [ + "auditbeat-*", "endgame-*", + "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", @@ -57,7 +59,7 @@ The proc filesystem in Linux is a virtual interface providing detailed insights - Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to determine if the threat is part of a larger attack campaign. - Implement additional security controls, such as restricting access to the proc filesystem and employing application whitelisting, to prevent unauthorized memory dumping activities in the future. """ -risk_score = 21 +risk_score = 73 rule_id = "6505e02e-28dd-41cd-b18f-64e649caa4e2" setup = """## Setup @@ -84,7 +86,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -95,12 +97,13 @@ tags = [ "Data Source: SentinelOne", "Data Source: Crowdstrike", "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name in ("cat", "grep", "tail", "less", "more", "egrep", "fgrep") and process.command_line like "/proc/*/mem" ''' diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml index a83e64aca7c..61a7c6faa1b 100644 --- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml +++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -12,8 +12,8 @@ short time interval. Adversaries might brute force login attempts across differe set of customly crafted passwords in an attempt to gain access to these accounts. """ from = "now-9m" -index = ["logs-endpoint.events.process*"] -language = "eql" +interval = "8m" +language = "esql" license = "Elastic License v2" name = "Potential Linux Local Account Brute Force Detected" risk_score = 47 
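Review bot: `process.command_line like "/proc/*/mem"` on the last query line is, if this is Elastic's EQL, a whole-string glob: it only matches a command line that itself starts with `/proc/` and ends with `/mem`, so `cat /proc/1234/mem` never matches because the command line begins with the process name. With risk raised from 21 to 73 and severity to high, the rule would still produce no alerts; the pattern needs surrounding wildcards, e.g. `process.command_line like "*/proc/*/mem*"`, or should test the argument alone with `process.args like "/proc/*/mem"`. The added `"executed"`/`"process_started"` actions do not change this.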
@@ -52,16 +52,55 @@ tags = [ "Data Source: Elastic Defend", "Resources: Investigation Guide", ] -type = "eql" - +timestamp_override = "event.ingested" +type = "esql" query = ''' -sequence by host.id, process.parent.executable, user.id with maxspan=1s - [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and - not process.parent.name in ( - "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server", "ma", "gitlab-runner", - "updatedb.findutils", "cron", "perl", "sudo", "java", "cloud-app-identify", "ambari-sudo.sh" - ) - ] with runs=10 +from logs-endpoint.events.process* metadata _id, _index, _version + +// Create 1-minute time buckets +| eval Esql.time_window_date_trunc = date_trunc(1 minute, @timestamp) + +// Ensure event.action values in a list are expanded +| mv_expand event.action + +| where + event.category == "process" and event.type == "start" and event.action == "exec" and process.name == "su" and + process.parent.name not in ( + "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server", "ma", "gitlab-runner", + "updatedb.findutils", "cron", "perl", "sudo", "java", "cloud-app-identify", "ambari-sudo.sh", "runc", + "cau9sat.exe", "git-pull.sh", "distributor-pulltabs-devel-live", "p_ctmag", "backup_agent_main", "sshd", + "nxpgsql", "cau9cli.exe", "autopostgresqlbackup" + ) and + not process.parent.command_line == "runc init" + +// Keep relevant fields +| keep + @timestamp, + event.action, + event.category, + event.type, + process.name, + process.parent.name, + process.parent.command_line, + process.command_line, + user.name, + event.dataset, + data_stream.namespace, + process.parent.executable, + agent.id, + user.id + +| stats + Esql.event_count = count(*), + Esql.process_command_line_values = values(process.command_line), + Esql.process_parent_command_line_values = values(process.parent.command_line), + Esql.user_name_values = 
values(user.name), + Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_namespace_values = values(data_stream.namespace) + + by process.parent.executable, agent.id, user.id + +| where Esql.event_count >= 10 ''' note = """## Triage and analysis @@ -97,22 +136,20 @@ In Linux environments, the 'su' command is used to switch user accounts, often r - Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected. - Enhance monitoring and logging on the affected host and similar systems to detect and respond to future brute force attempts more effectively.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" reference = "https://attack.mitre.org/techniques/T1110/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml index 4b29c61c900..1fa0c560619 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
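Review bot: `Esql.time_window_date_trunc` is computed by the `eval` under `// Create 1-minute time buckets`, but it is neither listed in `keep` nor in the `by` clause of `stats`, so the `Esql.event_count >= 10` threshold is counted over the whole `from = "now-9m"` lookback rather than per minute — a looser condition than the removed `maxspan=1s` sequence, and one the comment misdescribes. Either add the field to `keep` and group `by Esql.time_window_date_trunc, process.parent.executable, agent.id, user.id`, or delete the `eval` and its comment so the real window is documented. The same dead `eval` appears in the external and internal SSH brute-force rules in this commit, where the threshold is `>= 60`.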
@@ -12,10 +12,9 @@ short time interval. Adversaries will often brute force login attempts across mu password, in an attempt to gain access to these accounts. """ from = "now-9m" -index = ["filebeat-*", "logs-system.auth-*"] -language = "eql" +interval = "8m" +language = "esql" license = "Elastic License v2" -max_signals = 5 name = "Potential External Linux SSH Brute Force Detected" note = """## Triage and analysis 
@@ -77,27 +76,71 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] -type = "eql" - +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" +] +timestamp_override = "event.ingested" +type = "esql" query = ''' -sequence by host.id, source.ip, user.name with maxspan=15s - [ authentication where host.os.type == "linux" and - event.action in ("ssh_login", "user_login") and event.outcome == "failure" and - not cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", - "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", - "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", - "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", - "::1", "FE80::/10", "FF00::/8") ] with runs = 10 +from "filebeat-*", "logs-system.auth-*" metadata _id, _index, _version + +// Create 1-minute time buckets +| eval Esql.time_window_date_trunc = date_trunc(1 minute, @timestamp) + +// Ensure event.action values in a list are expanded +| mv_expand event.action + +| where + event.category == "authentication" and event.action in ("ssh_login", "user_login") and event.outcome == "failure" and + source.ip is not null and + not cidr_match( + source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", 
"192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", + "240.0.0.0/4", "::1","FE80::/10", "FF00::/8" + ) + +// Keep relevant fields +| keep + @timestamp, + _id, + _index, + _version, + event.category, + event.action, + event.outcome, + source.ip, + process.name, + user.name, + event.dataset, + data_stream.namespace, + agent.id, + user.id + +| stats + Esql.event_count = count(*), + Esql.process_name_values = values(process.name), + Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_namespace_values = values(data_stream.namespace) + + by source.ip, agent.id, user.name + +| where Esql.event_count >= 60 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -108,10 +151,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index b11e36ba5ed..062ef3efe9f 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
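Review bot: `"224.0.0.0/4"` appears twice in the `cidr_match` argument list — once after `"192.88.99.0/24"`, carried over from the original, and again after `"203.0.113.0/24"` on the new line. The duplicate does not change evaluation but reads as if two different ranges were intended; drop the second one so the line reads `"100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",`. The same duplication is present in credential_access_potential_linux_ssh_bruteforce_internal.toml.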
@@ -12,10 +12,9 @@ short time interval. Adversaries will often brute force login attempts across mu password, in an attempt to gain access to these accounts. """ from = "now-9m" -index = ["filebeat-*", "logs-system.auth-*"] -language = "eql" +interval = "8m" +language = "esql" license = "Elastic License v2" -max_signals = 5 name = "Potential Internal Linux SSH Brute Force Detected" note = """## Triage and analysis 
@@ -73,27 +72,73 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] -type = "eql" - +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" +] +timestamp_override = "event.ingested" +type = "esql" query = ''' -sequence by host.id, source.ip, user.name with maxspan=15s - [ authentication where host.os.type == "linux" and - event.action in ("ssh_login", "user_login") and event.outcome == "failure" and - cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", - "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", - "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", - "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", - "::1", "FE80::/10", "FF00::/8") ] with runs = 10 +from "filebeat-*", "logs-system.auth-*" metadata _id, _index, _version + +// Create 1-minute time buckets +| eval Esql.time_window_date_trunc = date_trunc(1 minute, @timestamp) + +// Ensure event.action values in a list are expanded +| mv_expand event.action + +| where + event.category == "authentication" and event.action in ("ssh_login", "user_login") and event.outcome == "failure" and + source.ip is not null and + not cidr_match( + source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", 
"192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", + "240.0.0.0/4", "::1","FE80::/10", "FF00::/8" + ) + +// Keep relevant fields +| keep + @timestamp, + _id, + _index, + _version, + event.category, + event.action, + event.outcome, + source.ip, + process.name, + process.command_line, + user.name, + event.dataset, + data_stream.namespace, + agent.id, + user.id + +| stats + Esql.event_count = count(*), + Esql.process_name_values = values(process.name), + Esql.process_command_line_values = values(process.command_line), + Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_namespace_values = values(data_stream.namespace) + + by source.ip, agent.id, user.name + +| where Esql.event_count >= 60 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -104,10 +149,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml index 34c9edad13e..e3c0081ff25 100644 --- a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/06" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
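Review bot: The rewritten internal rule negates the address test — `not cidr_match(source.ip, "10.0.0.0/8", ...)` — whereas the removed EQL used a positive `cidrmatch(...)` so that only private and reserved source addresses counted as internal. As written the filter is identical to credential_access_potential_linux_ssh_bruteforce_external.toml, so "Potential Internal Linux SSH Brute Force Detected" now fires on external sources and never on internal ones. Change the clause to `cidr_match(source.ip, "10.0.0.0/8", ...)` with the same list; `source.ip is not null and` can stay in front of it.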
@@ -18,7 +18,40 @@ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" -name = "Potential Successful Linux FTP Brute Force Attack Detected" +name = "Deprecated - Potential Successful Linux FTP Brute Force Attack Detected" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Deprecated - Potential Successful Linux FTP Brute Force Attack Detected + +FTP is a protocol used for transferring files between systems, often requiring authentication. Adversaries exploit this by attempting numerous username-password combinations to gain unauthorized access, potentially leading to data breaches. The detection rule identifies a pattern of repeated failed login attempts from a single source, followed by a successful login, indicating a possible brute force attack. + +### Possible investigation steps + +- Review the source IP address (auditd.data.addr) involved in the failed and successful login attempts to determine if it is known or associated with previous malicious activity. +- Analyze the timeline of the failed login attempts followed by the successful login to assess the likelihood of a brute force attack, considering the maxspan of 5 seconds. +- Check the user account (related.user) targeted by the login attempts to determine if it is a high-value account or has been involved in previous security incidents. +- Investigate the host (host.id) where the login attempts occurred to identify any other suspicious activities or anomalies around the time of the alert. 
+- Correlate the detected activity with other logs or alerts from the same time period to identify potential lateral movement or further compromise within the network. + +### False positive analysis + +- Repeated failed logins from automated scripts or monitoring tools can trigger false positives. Identify and whitelist IP addresses of known internal systems or services that perform regular FTP checks. +- Users with incorrect credentials saved in FTP clients may cause multiple failed attempts before a successful login. Educate users on updating saved credentials and consider excluding specific user accounts from the rule if they frequently trigger alerts. +- Scheduled tasks or cron jobs that attempt to connect with outdated credentials can result in false positives. Review and update scheduled tasks to ensure they use current credentials, and exclude these tasks from monitoring if they are non-threatening. +- High-volume legitimate FTP traffic from trusted partners or vendors might mimic brute force patterns. Establish a list of trusted external IP addresses and exclude them from the rule to prevent unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Reset the compromised user account's password and any other accounts that may have been accessed using the same credentials. +- Review and analyze the logs from the affected system to identify any unauthorized changes or data access that occurred during the breach. +- Implement IP blocking or rate limiting for the source address identified in the alert to prevent further brute force attempts from the same origin. +- Conduct a thorough security assessment of the FTP server configuration to ensure it adheres to best practices, such as disabling anonymous access and enforcing strong password policies. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems were affected. +- Enhance monitoring and alerting for similar brute force patterns by ensuring that detection rules are tuned to capture variations in attack techniques.""" risk_score = 47 rule_id = "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d" setup = """## Setup @@ -66,7 +99,6 @@ tags = [ "Resources: Investigation Guide", ] type = "eql" - query = ''' sequence by host.id, auditd.data.addr, related.user with maxspan=5s [authentication where host.os.type == "linux" and event.action == "authenticated" and 
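Review bot: The deprecation is expressed only by prefixing `name` with `Deprecated - `; the metadata hunk for this file (`@@ -2,7 +2,7 @@`) leaves `maturity = "production"` and adds no deprecation date, so the rule keeps shipping and alerting under a confusing title. If the intent is to retire it, set `maturity = "deprecated"` together with a `deprecation_date` in `[metadata]`, and open the `note` with a pointer to the successor, e.g. `This rule is deprecated; see <replacement rule name or rule_id>.`, since analysts reading the guide otherwise have nothing to migrate to. The `### Investigating Deprecated - Potential Successful Linux FTP Brute Force Attack Detected` heading reads as generated from the new name and would benefit from the same pointer. The RDP hunk `@@ -18,7 +18,41 @@` in credential_access_potential_successful_linux_rdp_bruteforce.toml has the same gap.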
@@ -76,47 +108,15 @@ sequence by host.id, auditd.data.addr, related.user with maxspan=5s auditd.data.terminal == "ftp" and event.outcome == "success" and auditd.data.addr != null and auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1 ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Successful Linux FTP Brute Force Attack Detected - -FTP is a protocol used for transferring files between systems, often requiring authentication. Adversaries exploit this by attempting numerous username-password combinations to gain unauthorized access, potentially leading to data breaches. The detection rule identifies a pattern of repeated failed login attempts from a single source, followed by a successful login, indicating a possible brute force attack. - -### Possible investigation steps - -- Review the source IP address (auditd.data.addr) involved in the failed and successful login attempts to determine if it is known or associated with previous malicious activity. -- Analyze the timeline of the failed login attempts followed by the successful login to assess the likelihood of a brute force attack, considering the maxspan of 5 seconds. -- Check the user account (related.user) targeted by the login attempts to determine if it is a high-value account or has been involved in previous security incidents. -- Investigate the host (host.id) where the login attempts occurred to identify any other suspicious activities or anomalies around the time of the alert. -- Correlate the detected activity with other logs or alerts from the same time period to identify potential lateral movement or further compromise within the network. 
- -### False positive analysis - -- Repeated failed logins from automated scripts or monitoring tools can trigger false positives. Identify and whitelist IP addresses of known internal systems or services that perform regular FTP checks. -- Users with incorrect credentials saved in FTP clients may cause multiple failed attempts before a successful login. Educate users on updating saved credentials and consider excluding specific user accounts from the rule if they frequently trigger alerts. -- Scheduled tasks or cron jobs that attempt to connect with outdated credentials can result in false positives. Review and update scheduled tasks to ensure they use current credentials, and exclude these tasks from monitoring if they are non-threatening. -- High-volume legitimate FTP traffic from trusted partners or vendors might mimic brute force patterns. Establish a list of trusted external IP addresses and exclude them from the rule to prevent unnecessary alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Reset the compromised user account's password and any other accounts that may have been accessed using the same credentials. -- Review and analyze the logs from the affected system to identify any unauthorized changes or data access that occurred during the breach. -- Implement IP blocking or rate limiting for the source address identified in the alert to prevent further brute force attempts from the same origin. -- Conduct a thorough security assessment of the FTP server configuration to ensure it adheres to best practices, such as disabling anonymous access and enforcing strong password policies. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems were affected. 
-- Enhance monitoring and alerting for similar brute force patterns by ensuring that detection rules are tuned to capture variations in attack techniques.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -127,10 +127,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml index 44329dec53b..8959ca3bbe6 100644 --- a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/06" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -18,7 +18,41 @@ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" -name = "Potential Successful Linux RDP Brute Force Attack Detected" +name = "Deprecated - Potential Successful Linux RDP Brute Force Attack Detected" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Deprecated - Potential Successful Linux RDP Brute Force Attack Detected + +Remote Desktop Protocol (RDP) enables users to connect to and control remote systems, often used for administrative tasks. Adversaries exploit RDP by attempting numerous login attempts to gain unauthorized access, potentially leading to data breaches or further network infiltration. The detection rule identifies a pattern of failed login attempts followed by a successful one, indicating a possible brute force attack, thus alerting security teams to investigate and mitigate the threat. + +### Possible investigation steps + +- Review the authentication logs on the affected Linux host to identify the specific user account targeted by the failed and successful login attempts, focusing on entries with event.action as "authenticated" and auditd.data.terminal containing "*rdp*". +- Analyze the source IP addresses associated with the failed and successful login attempts to determine if they originate from known or suspicious locations. +- Check for any unusual activity or changes on the compromised system following the successful login, such as new user accounts, modified files, or unexpected network connections. 
+- Correlate the timestamps of the authentication events with other security logs to identify any concurrent suspicious activities or anomalies within the network. +- Investigate the user account's recent activity and permissions to assess potential impacts and determine if the account has been used for unauthorized access or lateral movement within the network. +- Evaluate the risk score and severity of the alert in the context of the organization's security posture and prioritize response actions accordingly. + +### False positive analysis + +- Legitimate administrative activities may trigger the rule if administrators frequently log in using RDP for system management. To handle this, create exceptions for known administrator accounts or IP addresses that regularly perform these tasks. +- Automated scripts or services that use RDP for routine operations can cause false positives. Identify these scripts and whitelist their associated user accounts or IPs to prevent unnecessary alerts. +- Scheduled tasks or cron jobs that involve RDP connections might be misinterpreted as brute force attempts. Exclude these tasks by specifying their user accounts or terminal identifiers in the rule configuration. +- Security testing or penetration testing activities can mimic brute force patterns. Coordinate with security teams to exclude these activities during testing periods by temporarily adjusting the rule parameters or adding exceptions for testing IP ranges. + +### Response and remediation + +- Immediately isolate the affected Linux host from the network to prevent further unauthorized access or lateral movement by the attacker. +- Reset the compromised user account's password and any other accounts that may have been accessed using the same credentials to prevent further unauthorized access. 
+- Conduct a thorough review of the affected system for any signs of additional compromise, such as unauthorized software installations or changes to system configurations, and remove any malicious artifacts. +- Implement multi-factor authentication (MFA) for RDP access to enhance security and reduce the risk of future brute force attacks. +- Review and tighten firewall rules to restrict RDP access to only trusted IP addresses and consider using a VPN for remote access. +- Monitor the network for any unusual activity or further attempts to exploit RDP, using enhanced logging and alerting mechanisms. +- Escalate the incident to the security operations center (SOC) or relevant security team for further investigation and to ensure comprehensive remediation and recovery actions are taken.""" risk_score = 47 rule_id = "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0" setup = """## Setup 
@@ -74,48 +108,15 @@ sequence by host.id, related.user with maxspan=5s [authentication where host.os.type == "linux" and event.action == "authenticated" and auditd.data.terminal : "*rdp*" and event.outcome == "success"] | tail 1 ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Successful Linux RDP Brute Force Attack Detected - -Remote Desktop Protocol (RDP) enables users to connect to and control remote systems, often used for administrative tasks. Adversaries exploit RDP by attempting numerous login attempts to gain unauthorized access, potentially leading to data breaches or further network infiltration. The detection rule identifies a pattern of failed login attempts followed by a successful one, indicating a possible brute force attack, thus alerting security teams to investigate and mitigate the threat. - -### Possible investigation steps - -- Review the authentication logs on the affected Linux host to identify the specific user account targeted by the failed and successful login attempts, focusing on entries with event.action as "authenticated" and auditd.data.terminal containing "*rdp*". -- Analyze the source IP addresses associated with the failed and successful login attempts to determine if they originate from known or suspicious locations. -- Check for any unusual activity or changes on the compromised system following the successful login, such as new user accounts, modified files, or unexpected network connections. -- Correlate the timestamps of the authentication events with other security logs to identify any concurrent suspicious activities or anomalies within the network. 
-- Investigate the user account's recent activity and permissions to assess potential impacts and determine if the account has been used for unauthorized access or lateral movement within the network. -- Evaluate the risk score and severity of the alert in the context of the organization's security posture and prioritize response actions accordingly. - -### False positive analysis - -- Legitimate administrative activities may trigger the rule if administrators frequently log in using RDP for system management. To handle this, create exceptions for known administrator accounts or IP addresses that regularly perform these tasks. -- Automated scripts or services that use RDP for routine operations can cause false positives. Identify these scripts and whitelist their associated user accounts or IPs to prevent unnecessary alerts. -- Scheduled tasks or cron jobs that involve RDP connections might be misinterpreted as brute force attempts. Exclude these tasks by specifying their user accounts or terminal identifiers in the rule configuration. -- Security testing or penetration testing activities can mimic brute force patterns. Coordinate with security teams to exclude these activities during testing periods by temporarily adjusting the rule parameters or adding exceptions for testing IP ranges. - -### Response and remediation - -- Immediately isolate the affected Linux host from the network to prevent further unauthorized access or lateral movement by the attacker. -- Reset the compromised user account's password and any other accounts that may have been accessed using the same credentials to prevent further unauthorized access. -- Conduct a thorough review of the affected system for any signs of additional compromise, such as unauthorized software installations or changes to system configurations, and remove any malicious artifacts. -- Implement multi-factor authentication (MFA) for RDP access to enhance security and reduce the risk of future brute force attacks. 
-- Review and tighten firewall rules to restrict RDP access to only trusted IP addresses and consider using a VPN for remote access. -- Monitor the network for any unusual activity or further attempts to exploit RDP, using enhanced logging and alerting mechanisms. -- Escalate the incident to the security operations center (SOC) or relevant security team for further investigation and to ensure comprehensive remediation and recovery actions are taken.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -126,10 +127,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml index ef86e1d43e5..8f8c9f7c185 100644 --- a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -79,25 +79,30 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" +] type = "eql" - query = ''' sequence by host.id, source.ip, user.name with maxspan=15s [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and - event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10 - + event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=25 [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -108,10 +113,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index f3874305266..f543e3ff547 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml 
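Review bot: `with runs=10` becomes `with runs=25` while `maxspan=15s` is unchanged, so the sequence now requires a sustained rate of more than one failed login per second before the success; nothing in the hunk records why 25 was chosen, and any mention of the previous count in `description` or `note` (outside this hunk) is now stale. Put the rationale and the tuning guidance in `note` (the Triage section) rather than leaving it implicit, so operators who see fewer alerts know the threshold moved. Style: the multi-line `tags` array closes without a trailing comma after `"Resources: Investigation Guide"`, unlike the existing multi-line `tags` arrays in these files that end with `"Resources: Investigation Guide",`; the new `index` arrays in credential_access_proc_credential_dumping.toml (`@@ -13,7 +13,11 @@`) and credential_access_ssh_backdoor_log.toml (`@@ -2,18 +2,22 @@`) and the `tags` array in the first hunk of this chunk have the same inconsistency.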
+++ b/rules/linux/credential_access_proc_credential_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -13,7 +13,11 @@ known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext c process and extracting lines that have a high probability of containing cleartext passwords. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*" +] language = "eql" license = "Elastic License v2" name = "Potential Linux Credential Dumping via Proc Filesystem" @@ -57,7 +61,7 @@ references = [ "https://github.com/huntergregal/mimipenguin", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781", ] -risk_score = 47 +risk_score = 73 rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311" setup = """## Setup @@ -84,7 +88,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", @@ -97,7 +101,6 @@ tags = [ "Resources: Investigation Guide", ] type = "eql" - query = ''' sequence by host.id, process.parent.name with maxspan=1m [process where host.os.type == "linux" and process.name == "ps" and event.action in ("exec", "start", "exec_event") 
@@ -106,27 +109,25 @@ sequence by host.id, process.parent.name with maxspan=1m and process.args : "/tmp/*"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" - [[rule.threat.technique]] id = "T1212" name = "Exploitation for Credential Access" reference = "https://attack.mitre.org/techniques/T1212/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml index 21acccf17e7..0b636c1f0b6 100644 --- a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml +++ b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/12" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -62,7 +62,7 @@ process.entry_leader.entry_meta.type == "container" and process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate") and process.command_line like~ ( "*BEGIN PRIVATE*", "*BEGIN OPENSSH PRIVATE*", "*BEGIN RSA PRIVATE*", "*BEGIN DSA PRIVATE*", "*BEGIN EC PRIVATE*", - "*pass*", "*ssh*", "*user*", "*id_rsa*", "*id_dsa*" + "*id_rsa*", "*id_dsa*" ) ''' note = """## Triage and analysis diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index 8e81a161cfe..1a136471d12 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml 
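Review bot: Dropping `"*pass*", "*ssh*", "*user*"` from the `like~` list in `@@ -62,7 +62,7 @@` of credential_access_sensitive_keys_or_passwords_search_inside_container.toml leaves only private-key header and `*id_rsa*`/`*id_dsa*` patterns, so the rule no longer covers password searches at all while the file name and, presumably, `name`/`description` (outside this hunk) still say "keys or passwords". Either retitle and redescribe the rule as key-only, or keep a narrower password pattern such as `"*password*"` in place of `"*pass*"` if the short form was the false-positive source. The change itself is not recorded anywhere in the hunk; a one-line `false_positives` or `note` entry explaining why the broad patterns were removed would help the next tuning pass.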
@@ -2,18 +2,22 @@ creation_date = "2020/12/21" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] description = """ -Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. -Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to -enable unauthorized access or to log SSH credentials for exfiltration. +Identifies a Secure Shell (SSH) client or server process creating a known SSH backdoor log file. Adversaries may +modify SSH related binaries for persistence or credential access via patching sensitive functions to enable +unauthorized access or to log SSH credentials for exfiltration. """ false_positives = ["Updates to approved and trusted SSH executables can trigger this rule."] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.file-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "logs-endpoint.events.file-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*" +] language = "eql" license = "Elastic License v2" name = "Potential OpenSSH Backdoor Logging Activity" 
@@ -112,32 +116,27 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and +file where host.os.type == "linux" and event.type == "creation" and process.name in ("ssh", "sshd") and ( - (file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history", ".google_authenticator", - ".jelenv", ".csvignore", ".rtreport")) or + ( + file.name : (".*", "~*", "*~") and not file.name : ( + ".cache", ".viminfo", ".bash_history", ".google_authenticator", ".jelenv", ".csvignore", ".rtreport", ".git*" + ) + ) or file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or file.path : ( - "/private/etc/*--", + "/tmp/*", + "/var/tmp/*", + "/dev/shm/*", "/usr/share/*", "/usr/include/*", "/usr/local/include/*", - "/private/tmp/*", - "/private/var/tmp/*", - "/usr/tmp/*", "/usr/share/man/*", "/usr/local/share/*", "/usr/lib/*.so.*", - "/private/etc/ssh/.sshd_auth", "/usr/bin/ssd", - "/private/var/opt/power", - "/private/etc/ssh/ssh_known_hosts", - "/private/var/html/lol", - "/private/var/log/utmp", - "/private/var/lib", "/var/run/sshd/sshd.pid", "/var/run/nscd/ns.pid", "/var/run/udev/ud.pid", 
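Review bot: The new `"/tmp/*"` entry in `file.path` will also match sshd's own agent-forwarding sockets, which it creates under `/tmp/ssh-*/agent.<pid>` whenever a session forwards an agent, and `"sock"` is already in the `file.extension` list; if Elastic Defend emits creation events for those, every such session becomes a false positive. Consider adding `and not file.path : "/tmp/ssh-*/agent.*"` and validating with a session that uses agent forwarding. Moving from `event.type == "change"` to `"creation"` also means a backdoor that appends to an already-existing log file is no longer seen (the reworded `description` in `@@ -2,18 +2,22 @@` already says only "creating"); if that coverage loss is not intended, `event.type in ("creation", "change")` keeps both. The query continues outside this hunk; its closing `)` and `'''` are in the next one.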
@@ -146,29 +145,28 @@ file where host.os.type == "linux" and event.type == "change" and process.execut ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -