[Rule Tuning] Linux DR Tuning - 2

rules/linux/command_and_control_ip_forwarding_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,6 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "exec_event", "ProcessRollup2") and
 ?process.parent.executable != null and process.command_line like (
@@ -80,20 +79,25 @@ process where host.os.type == "linux" and event.type == "start" and event.action
     process.command_line like "*echo *"
   )
 ) and
-not process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap")
+not (
+  process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap") or
+  ?process.parent.executable == "/usr/sbin/sshd" or
+  ?process.parent.args in (
+    "/usr/lib/pritunl/usr/bin/pritunl", "/usr/bin/dockerd-rootless.sh", "/etc/rc.d/init.d/network", "/etc/rc0.d/K90network"
+  )  or
+  ?process.parent.args like "/etc/untangle/post-network-hook.d/*"
+)
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"
 
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-

rules/linux/command_and_control_linux_chisel_client_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/12/17"
 
 [transform]
 [[transform.osquery]]
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Process Info"
 query = "SELECT name, cmdline, parent, path, uid FROM processes"
 
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -146,18 +145,19 @@ tags = [
     "Resources: Investigation Guide",
 ]
 type = "eql"
-
 query = '''
 sequence by host.id, process.entity_id with maxspan=3s
   [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
-   process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and 
+   process.args == "client" and process.args : ("R*", "*:*", "*socks*") and process.args_count >= 4 and 
    process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
    not process.name in ("velociraptor", "nbemmcmd", "redis-cli", "ipa")]
   [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and 
    destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and 
    not process.name : (
      "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet",
-     "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd")]
+     "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "kubectl*",
+     "clickhouse"
+   )]
 '''
 
 [[rule.threat]]

rules/linux/command_and_control_linux_chisel_server_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/12/17"
 
 [transform]
 [[transform.osquery]]
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Process Info"
 query = "SELECT name, cmdline, parent, path, uid FROM processes"
 
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -43,10 +42,10 @@ from = "now-9m"
 index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Protocol Tunneling via Chisel Server"
+name = "Deprecated - Potential Protocol Tunneling via Chisel Server"
 note = """## Triage and analysis
 
-### Investigating Potential Protocol Tunneling via Chisel Server
+### Investigating Deprecated - Potential Protocol Tunneling via Chisel Server
 
 Attackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.
 
@@ -146,7 +145,6 @@ tags = [
     "Resources: Investigation Guide",
 ]
 type = "eql"
-
 query = '''
 sequence by host.id, process.entity_id with maxspan=1m
   [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -159,17 +157,15 @@ sequence by host.id, process.entity_id with maxspan=1m
      "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")]
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"
 
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-

rules/linux/command_and_control_linux_proxychains_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/17"
 
 [transform]
 [[transform.osquery]]
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Process Info"
 query = "SELECT name, cmdline, parent, path, uid FROM processes"
 
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -131,23 +130,21 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started")
- and process.name == "proxychains"
+process where host.os.type == "linux" and event.type == "start" and
+event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
+process.name == "proxychains"
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"
 
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-

rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/17"
 
 [transform]
 [[transform.osquery]]
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Process Info"
 query = "SELECT name, cmdline, parent, path, uid FROM processes"
 
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -115,7 +114,7 @@ This rule looks for a list of suspicious processes spawned through `proxychains`
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
 references = ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"]
-risk_score = 21
+risk_score = 47
 rule_id = "6ace94ba-f02c-4d55-9f53-87d99b6f9af4"
 setup = """## Setup
 
@@ -142,7 +141,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Linux",
@@ -157,27 +156,25 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started")
- and process.name == "proxychains" and process.args : (
+process where host.os.type == "linux" and event.type == "start" and
+event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
+process.name == "proxychains" and process.args : (
   "ssh", "sshd", "sshuttle", "socat", "iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng",
   "ssf", "3proxy", "ngrok", "gost", "pivotnacci", "chisel*", "nmap", "ping", "python*", "php*", "perl", "ruby",
   "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", "ftp", "curl", "wget"
 )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"
 
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-

rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/12"
+updated_date = "2025/12/17"
 
 [transform]
 [[transform.osquery]]
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Process Info"
 query = "SELECT name, cmdline, parent, path, uid FROM processes"
 
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -160,15 +159,14 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and (
   (
     // gost & pivotnacci - spawned without process.parent.name
     (process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or (
     // ssh
     (process.name == "ssh" and (process.args in ("-R", "-L", "-D", "-w") and process.args_count >= 4 and 
-     not process.args : "chmod")) or
+     not (process.args == "chmod" or process.command_line like "*rungencmd*"))) or
     // sshuttle
     (process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or
     // socat
@@ -181,17 +179,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"
 
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-

rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/25"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -107,9 +107,14 @@ process.name in ("ssh", "sshd") and process.args == "-o" and
 process.command_line like~ (
   "*ProxyCommand*", "*LocalForward*", "*RemoteForward*", "*DynamicForward*", "*Tunnel*", "*GatewayPorts*",
   "*ExitOnForwardFailure*", "*ProxyCommand*", "*ProxyJump*"
+) and 
+not (
+  ?process.parent.args == "/usr/bin/pvedaemon" or
+  ?process.parent.command_line in ("pvedaemon", "pve-ha-lrm") or
+  ?process.working_directory like "*ansible*" or
+  process.command_line like "*ansible*"
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 

rules/linux/command_and_control_telegram_api_request.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/04/29"
-integration = ["endpoint", "crowdstrike"]
+integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,14 @@ This rule detects when a process executes the curl or wget command with an argum
 api.telegram.org domain. This may indicate command and control behavior.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "auditbeat-*",
+    "logs-auditd_manager.auditd-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux Telegram API Request"
@@ -49,7 +56,7 @@ Telegram's API allows applications to interact with its messaging platform, ofte
 - Update and patch the affected system to the latest security standards to mitigate vulnerabilities that could be exploited in similar attacks.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 """
-risk_score = 21
+risk_score = 47
 rule_id = "af1e36fe-0abd-4463-b5ec-4e276dec0b26"
 setup = """## Setup
 
@@ -89,20 +96,24 @@ In order to capture this behavior, this rule requires a specific configuration o
 After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.
 For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
   "Domain: Endpoint",
   "OS: Linux",
   "Use Case: Threat Detection",
   "Tactic: Command and Control",
   "Data Source: Elastic Defend",
-  "Resources: Investigation Guide",
+  "Data Source: Elastic Endgame",
   "Data Source: Crowdstrike",
+  "Data Source: SentinelOne",
+  "Data Source: Auditd Manager",
+  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and
+process where host.os.type == "linux" and event.type == "start" and
+event.action in ("exec", "start", "exec_event", "ProcessRollup2", "executed", "exec_event", "process_started") and
 process.name in ("curl", "wget") and process.command_line like "*api.telegram.org*"
 '''