diff --git a/rules/linux/command_and_control_ip_forwarding_activity.toml b/rules/linux/command_and_control_ip_forwarding_activity.toml index 5b2be331515..f810448aa2e 100644 --- a/rules/linux/command_and_control_ip_forwarding_activity.toml +++ b/rules/linux/command_and_control_ip_forwarding_activity.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -67,7 +67,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "exec_event", "ProcessRollup2") and ?process.parent.executable != null and process.command_line like ( @@ -80,20 +79,25 @@ process where host.os.type == "linux" and event.type == "start" and event.action process.command_line like "*echo *" ) ) and -not process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap") +not ( + process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap") or + ?process.parent.executable == "/usr/sbin/sshd" or + ?process.parent.args in ( + "/usr/lib/pritunl/usr/bin/pritunl", "/usr/bin/dockerd-rootless.sh", "/etc/rc.d/init.d/network", "/etc/rc0.d/K90network" + ) or + ?process.parent.args like "/etc/untangle/post-network-hook.d/*" +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml index f946aaaa5b8..2f6eb95ac5b 100644 
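Review bot: The new `?process.parent.executable == "/usr/sbin/sshd"` clause in the @@ -80,20 +79,25 @@ hunk suppresses every forwarding-enabling command whose direct parent is sshd, and as far as I can tell that includes a login shell that sshd runs with `-c "sysctl -w net.ipv4.ip_forward=1"` on behalf of a non-interactive SSH client — a remote-administration path this rule presumably still wants to see. The other parents added in the same clause are pinned to a specific executable or argument, so the sshd case should either be narrowed the same way or have its rationale recorded; the query already accepts EQL comments, so a line such as `// sshd parent: <benign case being suppressed — describe>` above the clause would let the next maintainer judge it. The enclosing query starts in the earlier hunk, so the full predicate is not visible here.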
--- a/rules/linux/command_and_control_linux_chisel_client_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/12/17" [transform] [[transform.osquery]] @@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ @@ -146,18 +145,19 @@ tags = [ "Resources: Investigation Guide", ] type = "eql" - query = ''' sequence by host.id, process.entity_id with maxspan=3s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and - process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and + process.args == "client" and process.args : ("R*", "*:*", "*socks*") and process.args_count >= 4 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not process.name in ("velociraptor", "nbemmcmd", "redis-cli", "ipa")] [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and not process.name : ( "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", - "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd")] + "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "kubectl*", + "clickhouse" + )] ''' [[rule.threat]] diff --git a/rules/linux/command_and_control_linux_chisel_server_activity.toml b/rules/linux/command_and_control_linux_chisel_server_activity.toml index c277cc52b06..387aa85ec2f 100644 
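Review bot: In the @@ -146,18 +145,19 @@ hunk the new `"kubectl*"` and `"clickhouse"` exclusions go into the network step's `not process.name : (...)` list, yet the sequence is joined on `process.entity_id`, so the network event's process is the same one the exec step already filters with `not process.name in ("velociraptor", ...)`; keeping two process-name exclusion lists in two steps makes the rule harder to reason about, and moving the new names to the exec-step list would be clearer (assuming the name field is identical for the same entity in both events, which I infer rather than see here). A separate nit in the context lines: `"telnet"` is listed twice in this list, and the suspicious-proxychains rule's query hunk (@@ -157,27 +156,25 @@) carries the same duplicate — `"telnet", "awk", "java", "telnet",` → `"telnet", "awk", "java",` in both. The network step continues past the end of the hunk.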
--- a/rules/linux/command_and_control_linux_chisel_server_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_server_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/12/17" [transform] [[transform.osquery]] @@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ @@ -43,10 +42,10 @@ from = "now-9m" index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" -name = "Potential Protocol Tunneling via Chisel Server" +name = "Deprecated - Potential Protocol Tunneling via Chisel Server" note = """## Triage and analysis -### Investigating Potential Protocol Tunneling via Chisel Server +### Investigating Deprecated - Potential Protocol Tunneling via Chisel Server Attackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems. @@ -146,7 +145,6 @@ tags = [ "Resources: Investigation Guide", ] type = "eql" - query = ''' sequence by host.id, process.entity_id with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -159,17 +157,15 @@ sequence by host.id, process.entity_id with maxspan=1m "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - 
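Review bot: The @@ -43,10 +42,10 @@ hunk renames the rule to `Deprecated - ...`, but the @@ -2,7 +2,7 @@ hunk of the same file leaves `maturity = "production"` untouched, so the deprecation exists only in the display name. To my knowledge the repository's tooling keys deprecation on the metadata (`maturity = "deprecated"` together with a `deprecation_date`), so as committed this still ships as a production rule under a title that says otherwise; either set the metadata in the same change or state in the commit description that the rename is a deliberate first step. The triage heading `### Investigating Deprecated - Potential Protocol Tunneling via Chisel Server` also reads as if "Deprecated" were part of the technique name; `### Investigating Potential Protocol Tunneling via Chisel Server (deprecated)` reads better.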
diff --git a/rules/linux/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml index f71f59a1770..1b4985a9c01 100644 --- a/rules/linux/command_and_control_linux_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_proxychains_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [transform] [[transform.osquery]] @@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ @@ -131,23 +130,21 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") - and process.name == "proxychains" +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and +process.name == "proxychains" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml index b200f9576d9..6af65daf2cc 100644 --- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [transform] [[transform.osquery]] @@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ @@ -115,7 +114,7 @@ This rule looks for a list of suspicious processes spawned through `proxychains` - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"] -risk_score = 21 +risk_score = 47 rule_id = "6ace94ba-f02c-4d55-9f53-87d99b6f9af4" setup = """## Setup @@ -142,7 +141,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -157,27 +156,25 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") - and process.name == "proxychains" and process.args : ( +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and +process.name == "proxychains" and process.args : ( "ssh", "sshd", "sshuttle", "socat", "iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok", "gost", "pivotnacci", "chisel*", "nmap", "ping", "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", "ftp", "curl", "wget" ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml index d4458ab38db..f02f90b1363 100644 --- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/12" +updated_date = "2025/12/17" [transform] [[transform.osquery]] 
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ @@ -160,7 +159,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and ( ( @@ -168,7 +166,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action (process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or ( // ssh (process.name == "ssh" and (process.args in ("-R", "-L", "-D", "-w") and process.args_count >= 4 and - not process.args : "chmod")) or + not (process.args == "chmod" or process.command_line like "*rungencmd*"))) or // sshuttle (process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or // socat @@ -181,17 +179,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml b/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml index 852199fc685..e9971815fc4 100644 --- a/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml +++ b/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml 
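Review bot: The new `process.command_line like "*rungencmd*"` exclusion in the @@ -168,7 +166,7 @@ hunk is a substring match over the entire ssh command line, so any `ssh -R/-L/-D/-w` invocation that mentions that token anywhere — including inside the remote-command portion — is suppressed, not only the benign tool it was presumably added for. If that tool's launcher or parent is known, pinning the exclusion to `process.parent.name` or `?process.parent.executable`, as the ip-forwarding rule in this commit does, keeps the forwarding detection intact; at minimum an EQL comment in the style the query already uses (`// ssh`), e.g. `// rungencmd: <benign wrapper being suppressed — describe>`, should record what is excluded. Note also that `==` and `like` are case-sensitive in EQL whereas the replaced `process.args : "chmod"` was not, which is probably intended but should be a conscious choice. The enclosing query starts and ends outside this hunk.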
@@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/07/07" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -107,9 +107,14 @@ process.name in ("ssh", "sshd") and process.args == "-o" and process.command_line like~ ( "*ProxyCommand*", "*LocalForward*", "*RemoteForward*", "*DynamicForward*", "*Tunnel*", "*GatewayPorts*", "*ExitOnForwardFailure*", "*ProxyCommand*", "*ProxyJump*" +) and +not ( + ?process.parent.args == "/usr/bin/pvedaemon" or + ?process.parent.command_line in ("pvedaemon", "pve-ha-lrm") or + ?process.working_directory like "*ansible*" or + process.command_line like "*ansible*" ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/command_and_control_telegram_api_request.toml b/rules/linux/command_and_control_telegram_api_request.toml index 6f9d44ccde8..7c6867e61ea 100644 --- a/rules/linux/command_and_control_telegram_api_request.toml +++ b/rules/linux/command_and_control_telegram_api_request.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2025/04/29" -integration = ["endpoint", "crowdstrike"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -11,7 +11,14 @@ This rule detects when a process executes the curl or wget command with an argum api.telegram.org domain. This may indicate command and control behavior. """ from = "now-9m" -index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"] +index = [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", + "auditbeat-*", + "logs-auditd_manager.auditd-*", +] language = "eql" license = "Elastic License v2" name = "Linux Telegram API Request" 
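Review bot: The `?process.working_directory like "*ansible*" or process.command_line like "*ansible*"` pair added in the @@ -107,9 +107,14 @@ hunk is very broad: any `ssh -o ProxyCommand/LocalForward/...` invocation launched from a directory or with a command line that contains the string "ansible" anywhere is dropped, which covers far more than Ansible's own SSH connections. Ansible's ssh connection plugin places its control socket under `~/.ansible/cp/` by default (to my knowledge), so a pattern along the lines of `process.command_line like "*ControlPath=*/.ansible/cp/*"` would exclude the automation while keeping user-driven forwarding visible. An unrelated nit in the context lines: `"*ProxyCommand*"` appears twice in the `like~` list. The query's opening lines sit outside this hunk.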
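Review bot: The expanded `index` array in the telegram rule's @@ -11,7 +11,14 @@ hunk is not in a consistent order — `"auditbeat-*"` and `"logs-auditd_manager.auditd-*"` are appended after `"logs-sentinel_one_cloud_funnel.*"`, whereas the earthworm rule touched by this same commit keeps its index list alphabetical. Sorting it (`"auditbeat-*"`, `"endgame-*"`, `"logs-auditd_manager.auditd-*"`, `"logs-crowdstrike.fdr*"`, …) makes the two rules' data-source lists directly comparable against their `integration` arrays.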
@@ -49,7 +56,7 @@ Telegram's API allows applications to interact with its messaging platform, ofte - Update and patch the affected system to the latest security standards to mitigate vulnerabilities that could be exploited in similar attacks. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. """ -risk_score = 21 +risk_score = 47 rule_id = "af1e36fe-0abd-4463-b5ec-4e276dec0b26" setup = """## Setup @@ -89,20 +96,24 @@ In order to capture this behavior, this rule requires a specific configuration o After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly. For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", - "Resources: Investigation Guide", + "Data Source: Elastic Endgame", "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Auditd Manager", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "start", "exec_event", "ProcessRollup2", "executed", "exec_event", "process_started") and process.name in ("curl", "wget") and process.command_line like "*api.telegram.org*" ''' diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index 67530824eca..be519817da2 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml 
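Review bot: `"exec_event"` appears twice in the new `event.action in (...)` list of the query hunk (@@ -89,20 +96,24 @@); EQL tolerates the duplicate, but it reads as a copy-paste slip, and the same duplicated list is pasted into the earthworm rule's query hunk (@@ -163,27 +163,26 @@). Both should read `event.action in ("exec", "start", "exec_event", "ProcessRollup2", "executed", "process_started") and`. That six-value set is what the proxychains and tunneling-and-port-forwarding rules in this commit already use, so the fix also brings the files in line with each other.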
+++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2021/04/12" -integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [transform] [[transform.osquery]] @@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ @@ -41,6 +40,7 @@ from = "now-9m" index = [ "auditbeat-*", "endgame-*", + "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", @@ -113,7 +113,7 @@ references = [ "http://rootkiter.com/EarthWorm/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", ] -risk_score = 47 +risk_score = 73 rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769" setup = """## Setup @@ -153,7 +153,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). """ -severity = "medium" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -163,27 +163,26 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Crowdstrike", "Data Source: SentinelOne", + "Data Source: Auditd Manager", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and - process.args : "-s" and process.args : "-d" and process.args : "rssocks" +event.action in ("exec", "start", "exec_event", "ProcessRollup2", "executed", "exec_event", "process_started") and +process.args : "-s" and process.args : "-d" and process.args : "rssocks" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -