diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml index 989283a3641..92f07b4a59a 100644 --- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2023/10/24" -integration = ["endpoint", "auditd_manager"] +integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/07" [rule] author = ["Elastic"] @@ -11,7 +13,7 @@ Monitors for the deletion of the kernel ring buffer events through dmesg. Attack to evade detection after installing a Linux kernel module (LKM). """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Attempt to Clear Kernel Ring Buffer" @@ -51,12 +53,14 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and process.name == "dmesg" and process.args == "-c" ''' 
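Review bot: The rebuilt query at the end of this hunk still keys on `process.args == "-c"` alone, so util-linux's other clearing forms — `dmesg -C`, `dmesg --clear` and `dmesg --read-clear` — slip past a rule named "Attempt to Clear Kernel Ring Buffer"; the check should become `process.args in ("-c", "-C", "--clear", "--read-clear")`. Bundled short flags such as `-Tc` would still be missed, which is worth a sentence in the rule's `note` if that residual gap is accepted. The new `"start"` and `"ProcessRollup2"` actions also assume SentinelOne and CrowdStrike FDR populate `process.args` (not only `process.command_line`); that should be confirmed against the integrations' mappings before an exact element match is relied on.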
diff --git a/rules/linux/defense_evasion_directory_creation_in_bin.toml b/rules/linux/defense_evasion_directory_creation_in_bin.toml index dc6eb9300ff..a38e54d6203 100644 --- a/rules/linux/defense_evasion_directory_creation_in_bin.toml +++ b/rules/linux/defense_evasion_directory_creation_in_bin.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2024/11/01" -integration = ["endpoint"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/11/01" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/07" [rule] author = ["Elastic"] @@ -12,7 +14,7 @@ files that are required for the system to function properly. The creation of dir attempt to hide malicious files or executables, as these /bin directories usually just contain binaries. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Directory Creation in /bin directory" 
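Review bot: The widened index list in the last hunk keeps `logs-endpoint.events.*`, which routes file and network endpoint documents through a query that can only ever match `process` events; the hex-payload rule in this same change already uses the narrower `logs-endpoint.events.process*`, and this rule could follow it for consistency and cheaper execution: `index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]`. `endgame-*` appears only in `index` and the tags and not in `integration`, which matches the other Linux rules in this series, so presumably intentional.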
@@ -51,12 +53,16 @@ tags = [ "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "mkdir" and -process.args like ("/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/sbin/*", "/usr/sbin/*", "/usr/local/sbin/*") and +process where host.os.type == "linux" and event.type == "start" and + event.action in ("exec", "start", "ProcessRollup2", "exec_event") and process.name == "mkdir" and + process.args like ("/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/sbin/*", "/usr/sbin/*", "/usr/local/sbin/*") and not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir") ''' diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml index 9fb904d39f3..3c61939ffe3 100644 --- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml +++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2023/08/28" -integration = ["endpoint", "auditd_manager"] +integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/08/08" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/07" [rule] author = ["Elastic"] 
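Review bot: The `process.args like ("/bin/*", ...)` clause in the rebuilt query only sees absolute paths, so `cd /usr/local/bin && mkdir .cache` or `mkdir ../bin/.x` never match even though the directory lands in a monitored location; if the sources populate `process.working_directory` (Elastic Defend does, the CrowdStrike and SentinelOne mappings would need checking), a second arm keyed on that field would close the gap. Separately, the `not process.args in ("/bin/mkdir", "/usr/bin/mkdir", "/usr/local/bin/mkdir")` exclusion only exists because `process.args` carries argv[0] when mkdir is invoked by full path, and nothing in the file says so; a `#` comment above `query` such as `# argv[0] is part of process.args, so exclude mkdir's own path when it is run by absolute path` (or the same line in `note`) would stop it being removed as dead code. `/sbin/mkdir` and `/usr/sbin/mkdir` are not in that exclusion but are also not real install locations, so that looks fine.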
@@ -12,7 +14,7 @@ fine-grained access control policies to restrict the actions and resources that access. Adversaries may disable security tools to avoid possible detection of their tools and activities. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Disabling of AppArmor" @@ -52,12 +54,15 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") - and ( +process where host.os.type == "linux" and event.type == "start" and + event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and + ( (process.name == "systemctl" and process.args in ("stop", "disable", "kill") and process.args in ("apparmor", "apparmor.service")) or (process.name == "service" and process.args == "apparmor" and process.args == "stop") or (process.name == "chkconfig" and process.args == "apparmor" and process.args == "off") or diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index 3de937008a8..491a0e169ca 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml 
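Review bot: The `systemctl` arm of the rebuilt condition accepts `stop`, `disable` and `kill` but not `mask`, and `systemctl mask apparmor` is the usual way to keep the service from coming back at boot; it is a one-word change, `process.args in ("stop", "disable", "kill", "mask")`. The `service` and `chkconfig` arms are exact-match and read fine. The parenthesised condition opened here continues past the end of the hunk, so whether later arms already cover `aa-teardown` or the `/etc/apparmor.d/disable` symlink technique cannot be judged from this view.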
@@ -1,8 +1,10 @@ [metadata] creation_date = "2020/04/22" -integration = ["endpoint", "auditd_manager"] +integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/07" [rule] author = ["Elastic"] @@ -12,7 +14,7 @@ support access control policies. Adversaries may disable security tools to avoid activities. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Disabling of SELinux" @@ -64,13 +66,16 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") - and process.name == "setenforce" and process.args == "0" +process where host.os.type == "linux" and event.type == "start" and + event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and + process.name == "setenforce" and process.args == "0" ''' diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml index e51936b4a4f..6bf55b5f216 100644 --- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml +++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml 
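Review bot: `setenforce` accepts `Permissive`/`Enforcing` as well as `0`/`1` and compares the word case-insensitively, so `setenforce permissive` switches the system to permissive mode without ever matching `process.args == "0"` in the rebuilt query. Because EQL's `:` operator is case-insensitive on keyword fields, `process.args : ("0", "permissive")` covers both spellings without extra arms. Persistent disablement via `SELINUX=disabled` in `/etc/selinux/config` is a file-modification pattern that a process rule cannot see; if another rule covers it, a pointer in `note` would help an analyst triaging this alert.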
@@ -1,8 +1,10 @@ [metadata] creation_date = "2023/04/11" -integration = ["endpoint", "auditd_manager"] +integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/07" [rule] author = ["Elastic"] @@ -14,7 +16,7 @@ their presence in the touch command arguments may indicate that a threat actor i of VM-related files and configurations on the system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "ESXI Timestomping using Touch Command" @@ -57,14 +59,16 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") - and process.name == "touch" and process.args == "-r" and -process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") +process where host.os.type == "linux" and event.type == "start" and + event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and + process.name == "touch" and process.args == "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") ''' diff --git a/rules/linux/defense_evasion_hex_payload_execution.toml b/rules/linux/defense_evasion_hex_payload_execution.toml index 1ddc1204235..2077dd5f76e 100644 --- a/rules/linux/defense_evasion_hex_payload_execution.toml 
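Review bot: `process.args == "-r"` in the rebuilt query misses the GNU long form of the same option, `touch --reference=/etc/vmware/foo target`, where the reference path is folded into the `--reference=` argument and therefore also fails the path clause. Accepting both spellings is two lines: `process.name == "touch" and process.args : ("-r", "--reference", "--reference=*") and` followed by `process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*", "--reference=/etc/vmware/*", "--reference=/usr/lib/vmware/*", "--reference=/vmfs/*")`. On ESXi itself the BusyBox `touch` may not offer the long form, so the gain is mainly on the general-purpose Linux hosts the new CrowdStrike and SentinelOne sources bring in, which the description already allows for.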
+++ b/rules/linux/defense_evasion_hex_payload_execution.toml @@ -1,8 +1,10 @@ [metadata] creation_date = "2024/11/04" -integration = ["endpoint"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/11/04" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/07" [rule] author = ["Elastic"] @@ -11,7 +13,7 @@ This rule detects potential hex payload execution on Linux systems. Adversaries and evade detection mechanisms. """ from = "now-9m" -index = ["logs-endpoint.events.process*"] +index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Hex Payload Execution" 
@@ -50,18 +52,23 @@ tags = [ "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( - (process.name == "xxd" and process.args like ("-r*", "-p*")) or - (process.name like "python*" and process.command_line like "*fromhex*" and process.command_line like ("*decode*", "*encode*")) or - (process.name like "php*" and process.command_line like "*hex2bin*") or - (process.name like "ruby*" and process.command_line like "*].pack(\"H*\")*") or - (process.name like "perl*" and process.command_line like "*pack(\"H*\",*") or - (process.name like "lua*" and process.command_line like "*tonumber(cc, 16)*") -) +process where host.os.type == "linux" and event.type == "start" and + event.action in ("exec", "exec_event", "start", "ProcessRollup2") and + ( + (process.name == "xxd" and process.args like ("-r*", "-p*")) or + (process.name like "python*" and process.command_line like "*fromhex*" and process.command_line like ("*decode*", "*encode*")) or + (process.name like "php*" and process.command_line like "*hex2bin*") or + (process.name like "ruby*" and process.command_line like "*].pack(\"H*\")*") or + (process.name like "perl*" and process.command_line like "*pack(\"H*\",*") or + (process.name like "lua*" and process.command_line like "*tonumber(cc, 16)*") + ) ''' [[rule.threat]] diff --git a/rules/linux/defense_evasion_hidden_directory_creation.toml b/rules/linux/defense_evasion_hidden_directory_creation.toml index 079b1f1292e..621d5aa8d1d 100644 --- a/rules/linux/defense_evasion_hidden_directory_creation.toml +++ b/rules/linux/defense_evasion_hidden_directory_creation.toml 
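Review bot: Two of the command-line signatures in the rebuilt condition are tied to one exact spelling. The Lua arm `"*tonumber(cc, 16)*"` matches only a variable literally named `cc`, so `tonumber(c, 16)` evades it; `"*tonumber(*, 16)*"` keeps the intent without the fixed name. The Ruby and Perl arms accept only double-quoted `"H*"`, so `pack('H*')` evades them; adding `"*].pack('H*')*"` and `"*pack('H*',*"` closes that, and both are safe inside the `'''` literal string. The Python arm requires `decode`/`encode` next to `fromhex`, but `exec(bytes.fromhex(...))` runs directly on bytes; whether to add `"*exec*"`/`"*eval*"` to that list depends on the false-positive budget, which I cannot judge from here.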
@@ -1,8 +1,10 @@ [metadata] creation_date = "2024/11/01" -integration = ["endpoint"] +integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/11/01" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/07" [rule] author = ["Elastic"] @@ -18,7 +20,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Hidden Directory Creation via Unusual Parent" @@ -57,11 +59,13 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Tactic: Persistence", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "exec_event") and process.name == "mkdir" and process.parent.executable like ( "/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/run/*", "/root/*", "/boot/*", "/var/www/html/*", "/opt/.*" ) and process.args like (".*", "/*/.*") and process.args_count <= 3 and not ( diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index 4e4bc435648..3b7b0ffd12f 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml 
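Review bot: This is the only rule in the series that gains SentinelOne but not CrowdStrike, and nothing in the file records why; presumably the `process.parent.executable` predicate cannot be satisfied from FDR's parent-process fields, but that is a guess. A `#` comment above `integration`, e.g. `# crowdstrike omitted: query requires process.parent.executable — confirm the FDR mapping before adding it`, or the same sentence in `note`, would stop the next sweep from "fixing" the omission. The query's trailing `not (` exclusion list lies outside this hunk, so I cannot tell whether it already accounts for the new `"start"` source.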
@@ -1,8 +1,10 @@ [metadata] creation_date = "2020/04/24" -integration = ["endpoint"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/17" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/07" [rule] author = ["Elastic"] @@ -18,7 +20,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Kernel Module Removal" @@ -58,14 +60,19 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( - process.name == "rmmod" or - (process.name == "modprobe" and process.args in ("--remove", "-r")) -) and process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") +process where host.os.type == "linux" and event.type == "start" and + event.action in ("exec", "exec_event", "start", "ProcessRollup2") and + ( + process.name == "rmmod" or + (process.name == "modprobe" and process.args in ("--remove", "-r")) + ) and + process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ''' [[rule.threat]] diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml index 01b696e0dac..af5551a5132 100644 --- a/rules/linux/defense_evasion_kthreadd_masquerading.toml +++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml 
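Review bot: `process.args in ("--remove", "-r")` in the rebuilt condition is an exact element match, so modprobe's bundled short options — `modprobe -rf foo`, `-rv`, `-fr` — all pass through unmatched, and bundling is common in removal one-liners; something like `process.args like ("-r*", "-?r", "-??r", "--remove")` (kept narrow so `--dry-run` does not match) is worth considering if the sources preserve argv as given. The parent allow-list names `sudo` but not `doas` or `pkexec`, so `doas rmmod foo` is filtered out rather than detected; whether that is acceptable depends on the reasoning already given in `false_positives`.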
@@ -1,8 +1,10 @@ [metadata] creation_date = "2024/02/01" -integration = ["endpoint"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/05/21" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/07" [rule] author = ["Elastic"] @@ -12,7 +14,7 @@ as kthreadd and kworker typically do not have process.executable fields associat hide their malicious programs by masquerading as legitimate kernel processes. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Executable Masquerading as Kernel Process" @@ -53,12 +55,14 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.name : ("kworker*", "kthread*") and process.executable != null ''' diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index a4581ac9f04..9d6d2c01c6b 100644 --- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml 
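Review bot: `process.name : ("kworker*", "kthread*")` catches a binary named `kworker` but not the bracketed form `[kworker/0:1]` that `ps` prints for real kernel threads and that masquerading malware tends to copy verbatim, nor other kernel-thread names such as `ksoftirqd`, `kswapd` or `migration`. Widening to `process.name : ("kworker*", "kthread*", "[kworker*", "[kthread*", "ksoftirqd*", "kswapd*", "migration*")` keeps the same `process.executable != null` logic, since genuine kernel threads never exec and so never appear here. That logic now also depends on CrowdStrike and SentinelOne always populating `process.executable` for user processes; if a source leaves it empty the alert is silently suppressed rather than made noisy, so the mapping is worth confirming and noting in `note`.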
@@ -1,8 +1,10 @@ [metadata] creation_date = "2023/04/11" -integration = ["endpoint", "auditd_manager"] +integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2024/10/17" +min_stack_version = "8.13.0" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +updated_date = "2025/01/07" [rule] author = ["Elastic"] @@ -16,7 +18,7 @@ hidepid option all the user has to do is remount the /proc filesystem with the o detected. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "Potential Hidden Process via Mount Hidepid" @@ -57,14 +59,15 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager", + "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and -event.action in ("exec", "exec_event", "executed", "process_started") and -process.name == "mount" and process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" and -not process.parent.command_line like "/opt/cloudlinux/*" + event.action in ("exec", "exec_event", "start", "executed", "process_started") and + process.name == "mount" and process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" and + not process.parent.command_line like "/opt/cloudlinux/*" ''' [[rule.threat]]
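Review bot: `process.args : "*hidepid=2*"` only matches the numeric spelling; since Linux 5.8 `proc(5)` also accepts `hidepid=invisible` as the equivalent of `2`, so `mount -o remount,hidepid=invisible /proc` hides processes without firing. Widening to `process.args : ("*hidepid=2*", "*hidepid=invisible*")` keeps the rule's intent (hiding, not merely restricting, which is why `hidepid=1` stays excluded); a `#` comment above `query` recording that choice would keep a later reader from "fixing" it by adding `hidepid=1`. The exact `process.args == "/proc"` also misses `/proc/` with a trailing slash, which mount accepts; `process.args in ("/proc", "/proc/")` is a cheap addition.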