diff --git a/rules/linux/credential_access_aws_creds_search_inside_container.toml b/rules/linux/credential_access_aws_creds_search_inside_container.toml
index a7cb2b14a59..77439cd442d 100644
--- a/rules/linux/credential_access_aws_creds_search_inside_container.toml
+++ b/rules/linux/credential_access_aws_creds_search_inside_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/12"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "AWS Credentials Searched For Inside A Container"
 references = ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"]
-risk_score = 47
+risk_score = 73
 rule_id = "5749282b-7524-4c9d-af9a-e2b3e814e5d4"
 setup = """## Setup
@@ -45,7 +45,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "medium"
+severity = "high"
 tags = [
 "Domain: Container",
 "OS: Linux",
@@ -59,7 +59,7 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.entry_leader.entry_meta.type == "container" and
-process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate") and
+process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate", "cat", "sed", "awk") and
 process.command_line like~ (
 "*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*"
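Review bot: Adding `cat`, `sed` and `awk` to `process.name` in the query hunk while the same change lifts the rule to `risk_score = 73` / `severity = "high"` turns the generic `*access_key*` and `*secretaccesskey*` patterns into high-severity alerts for ordinary container entrypoints: a `sed -i 's/access_key=.../'` over a config file or an `awk` extracting a field from it would now fire, whereas the previous set (`grep`/`find`/`locate`) only matched deliberate searching. I would keep the new utilities but tie them to the AWS-specific patterns, e.g. `(process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate") or (process.name in ("cat", "sed", "awk") and process.command_line like~ ("*aws_access_key_id*", "*aws_secret_access_key*", "*.aws/credentials*")))`, or add parent/entrypoint exclusions before raising severity. The `like~ (` pattern list is the last visible line of the hunk; the closing parenthesis and any later exclusions are outside what I can see.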
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 8c21bac366e..4cb60f589c1 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/12/22"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,13 @@ Identifies the use of a compression utility to collect known files containing se
 and system configurations.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
+index = [
+ "auditbeat-*",
+ "endgame-*",
+ "logs-auditd_manager.auditd-*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*",
+]
 language = "kuery"
 license = "Elastic License v2"
 name = "Sensitive Files Compression"
@@ -68,15 +74,17 @@ tags = [
 "Tactic: Credential Access",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Auditd Manager",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 event.category:process and host.os.type:linux and event.type:start and
- process.name:(zip or tar or gzip or hdiutil or 7z) and
- process.args:
+event.action:("exec" or "exec_event" or "start" or "executed" or "process_started") and
+process.name:(zip or tar or gzip or hdiutil or 7z) and
+process.args:
 (
 /root/.ssh/id_rsa or
 /root/.ssh/id_rsa.pub or
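Review bot: The `process.args:` clause this hunk re-indents is still an exact-term match on absolute paths such as `/root/.ssh/id_rsa`, so archiving the parent directory (`tar czf keys.tgz /root/.ssh`), a relative path after `cd /root/.ssh`, or a shell glob that expands to the same files produces no match even though the same data is collected; the new `event.action` list widens the sources but not this gap. If `process.args` is keyword-mapped (the unquoted `/root/.ssh/id_rsa` term suggests it is), a wildcard term per directory such as `process.args:/root/.ssh*` alongside the explicit files would cover the directory case. The remainder of the path list runs past the end of this hunk, so I cannot tell whether directory terms already appear further down.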
@@ -142,37 +150,37 @@ Compression utilities like zip, tar, and gzip are essential for efficiently mana
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for compression utilities and sensitive file access to detect and respond to similar threats more effectively in the future."""
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1552.001"
 name = "Credentials In Files"
 reference = "https://attack.mitre.org/techniques/T1552/001/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
 reference = "https://attack.mitre.org/techniques/T1560/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1560.001"
 name = "Archive via Utility"
 reference = "https://attack.mitre.org/techniques/T1560/001/"
-
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
@@ -180,9 +188,8 @@ reference = "https://attack.mitre.org/tactics/TA0009/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.command_line", "process.parent.executable"]
+value = ["agent.id", "process.command_line", "process.parent.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
-
-
+value = "now-5d"
diff --git a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
index 8903e78c926..417321d89b0 100644
--- a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
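Review bot: Keying new_terms on `agent.id` instead of `host.id` (the changed `value = [...]` line) and shortening `history_window_start` from `now-10d` to `now-5d` both push toward re-alerting on known-good activity: an agent re-enrolment gives the same host a fresh `agent.id`, so every previously seen `process.command_line` becomes "new" again, and a weekly backup job that tars `/root/.ssh` runs every 7 days, outside a 5-day window, so it re-alerts on every run. If `agent.id` was chosen because one of the newly added sources lacks `host.id`, a comment on the `value` line naming that source would save the next reader the same investigation; whether every listed index (e.g. `endgame-*`) populates `agent.id` I cannot tell from here, and a source that does not is silently dropped from the new_terms calculation. Keeping the window at `now-7d` or longer would at least keep weekly jobs inside the baseline.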
+++ b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/12"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Sensitive Files Compression Inside A Container"
-risk_score = 47
+risk_score = 73
 rule_id = "d9faf1ba-a216-4c29-b8e0-a05a9d14b027"
 setup = """## Setup
@@ -43,7 +43,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "medium"
+severity = "high"
 tags = [
 "Domain: Container",
 "OS: Linux",
diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml
index fdbfae8b553..777c602f05e 100644
--- a/rules/linux/credential_access_credential_dumping.toml
+++ b/rules/linux/credential_access_credential_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/27"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ Unshadow is a utility within the John the Ripper suite, used to merge `/etc/shad
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for similar activities across the network to detect and respond to future credential dumping attempts promptly."""
 references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
-risk_score = 47
+risk_score = 73
 rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c"
 setup = """## Setup
@@ -85,7 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "medium"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Linux",
@@ -99,28 +99,25 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.name == "unshadow" and process.args_count >= 3
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.008"
 name = "/etc/passwd and /etc/shadow"
 reference = "https://attack.mitre.org/techniques/T1003/008/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml
index 8108fc8429d..646c05881fc 100644
--- a/rules/linux/credential_access_gdb_init_process_hooking.toml
+++ b/rules/linux/credential_access_gdb_init_process_hooking.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/08/30"
-integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -13,10 +13,12 @@ dumping techniques to attempt secret extraction from privileged processes. Tools
 """
 from = "now-9m"
 index = [
+ "auditbeat-*",
 "endgame-*",
 "logs-crowdstrike.fdr*",
 "logs-endpoint.events.process*",
 "logs-sentinel_one_cloud_funnel.*",
+ "logs-auditd_manager.auditd-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -56,7 +58,7 @@ In Linux, the init process (PID 1) is the first process started by the kernel an
 - Escalate the incident to the security operations team for a comprehensive investigation and to determine if further forensic analysis is required.
 - Update and enhance detection rules and monitoring systems to better identify and alert on similar unauthorized memory access attempts in the future."""
 references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"]
-risk_score = 47
+risk_score = 73
 rule_id = "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f"
 setup = """## Setup
@@ -83,7 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "medium"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Linux",
@@ -93,32 +95,30 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Crowdstrike",
 "Data Source: SentinelOne",
+ "Data Source: Auditd Manager",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.007"
 name = "Proc Filesystem"
 reference = "https://attack.mitre.org/techniques/T1003/007/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/linux/credential_access_gh_auth_via_nodejs.toml b/rules/linux/credential_access_gh_auth_via_nodejs.toml
index cb8eb06c211..1ab982a0861 100644
--- a/rules/linux/credential_access_gh_auth_via_nodejs.toml
+++ b/rules/linux/credential_access_gh_auth_via_nodejs.toml
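Review bot: The widened `event.action` list now feeds auditd data into a PID check that only recognises the two-argument spelling: `process.args in ("--pid", "-p") and process.args == "1"` matches `gdb -p 1` but not `gdb --pid=1` (gdb accepts the joined `--pid=<pid>` form, and I believe the single-dash `-pid 1` as well), so the cheapest variant of the attach is still missed after this change. `(process.args in ("--pid", "-p", "-pid") and process.args == "1") or process.args == "--pid=1"` covers the documented spellings. The query is the whole hunk body here, so nothing relevant is cut off.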
@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ may use this technique to access GitHub repositories and potentially exfiltrate
 perform malicious actions. This activity was observed in the wild as part of the Shai-Hulud worm.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "GitHub Authentication Token Access via Node.js"
@@ -55,13 +55,14 @@ tags = [
 "Tactic: Credential Access",
 "Tactic: Discovery",
 "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 "Data Source: Crowdstrike",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.parent.name == "node" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2", "exec_event") and process.parent.name == "node" and
 process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "gh auth token"
 '''
diff --git a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
index 5520c41b400..b4054ccf7f8 100644
--- a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
+++ b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
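Review bot: `process.args == "gh auth token"` on the last query line is an exact match on a single argument, so it only fires when the shell receives that literal string as its `-c` payload; `sh -c "gh auth token 2>/dev/null"`, `gh auth token | base64`, or `gh auth status --show-token` all slip past, and the `endgame-*` index plus `exec_event` action added by this hunk gain nothing from the extra source while the match stays that narrow. `process.command_line like~ ("*gh auth token*", "*gh auth status*--show-token*")` keeps the node-spawned-shell precondition and catches the obvious variants. If the exact match is intentional to pin the observed Shai-Hulud invocation, a short comment on that line saying so would stop the next reader from "fixing" it.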
@@ -107,8 +107,27 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 "/var/run/secrets/kubernetes.io/serviceaccount",
 "/secrets/kubernetes.io/serviceaccount"
 ) and
- process.args in ("ca.crt", "token", "namespace")
+ process.args in ("ca.crt", "token")
 )
+) and
+not (
+ process.command_line like "*/bin/test*" or
+ process.args in (
+ "/var/run/secrets/kubernetes.io/serviceaccount/namespace",
+ "/run/secrets/kubernetes.io/serviceaccount/namespace",
+ "/secrets/kubernetes.io/serviceaccount/namespace"
+ ) or
+ process.command_line == "/usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat /var/run/secrets/kubernetes.io/serviceaccount/token" or
+ process.parent.command_line == "runc init" or
+ (process.parent.name == "px-oci-mon" and process.name == "rsync") or
+ (
+ process.parent.command_line == "sh /install-cni.sh" and
+ process.working_directory like (
+ "/opt/cni/bin", "/run/containerd/io.containerd.runtime.v2.task/k8s.io/*/opt/cni/bin"
+ )
+ ) or
+ (process.working_directory like "/home/runner/_work/*" and process.parent.args like "/home/runner/_work/_temp/*.sh") or
+ process.working_directory == "/opt/cni/bin"
 )
 '''
diff --git a/rules/linux/credential_access_manual_memory_dumping.toml b/rules/linux/credential_access_manual_memory_dumping.toml
index 4e8e11e7af4..d6f5ffe2135 100644
--- a/rules/linux/credential_access_manual_memory_dumping.toml
+++ b/rules/linux/credential_access_manual_memory_dumping.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/04/25"
-integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
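Review bot: Several of the new exclusions key on fields the reading process itself controls, so they double as bypasses: `process.command_line like "*/bin/test*"` is a substring match anywhere in the command line (`cat /var/run/secrets/kubernetes.io/serviceaccount/token /bin/test` still prints the token and is excluded), and the standalone `process.working_directory == "/opt/cni/bin"` and `process.working_directory like "/home/runner/_work/*"` branches are satisfied by a `cd` before the read. The `sh /install-cni.sh` branch already shows the safer shape, parent command line and working directory together, and the two working-directory-only branches could be tightened the same way; if the `*/bin/test*` case is the `test` binary probing for the token file, `process.executable like "*/bin/test"` or `process.name == "test"` pins it to the program rather than to any argument text. The head of the query (the `process.name`/`process.args` positive match) starts above this hunk, so I cannot see which binaries the exclusions are protecting.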
@@ -13,7 +13,9 @@ of a process, potentially extracting sensitive information such as credentials o
 """
 from = "now-9m"
 index = [
+ "auditbeat-*",
 "endgame-*",
+ "logs-auditd_manager.auditd-*",
 "logs-crowdstrike.fdr*",
 "logs-endpoint.events.process*",
 "logs-sentinel_one_cloud_funnel.*",
@@ -57,7 +59,7 @@ The proc filesystem in Linux is a virtual interface providing detailed insights
 - Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to determine if the threat is part of a larger attack campaign.
 - Implement additional security controls, such as restricting access to the proc filesystem and employing application whitelisting, to prevent unauthorized memory dumping activities in the future.
 """
-risk_score = 21
+risk_score = 73
 rule_id = "6505e02e-28dd-41cd-b18f-64e649caa4e2"
 setup = """## Setup
@@ -84,7 +86,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "low"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Linux",
@@ -95,12 +97,13 @@ tags = [
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 process.name in ("cat", "grep", "tail", "less", "more", "egrep", "fgrep") and process.command_line like "/proc/*/mem"
 '''
diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
index a83e64aca7c..e65d41c8580 100644
--- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
+++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -12,8 +12,8 @@ short time interval. Adversaries might brute force login attempts across differe
 set of customly crafted passwords in an attempt to gain access to these accounts.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
-language = "eql"
+interval = "8m"
+language = "esql"
 license = "Elastic License v2"
 name = "Potential Linux Local Account Brute Force Detected"
 risk_score = 47
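Review bot: Raising this rule from `risk_score = 21`/low to 73/high makes the pattern on the unchanged last query line worth a second look: `process.command_line like "/proc/*/mem"` has no leading wildcard, and EQL `like` matches the whole value (the same change writes `"*/bin/test*"` and `"*aws_access_key_id*"` with leading `*` precisely to get substring matches), so `cat /proc/1234/mem`, whose command line begins with `cat`, should not match at all. Unless I am misreading `like`, the rule only fires for a command line that literally starts with `/proc/`, which would explain a spotless false-positive history but not a high severity. `process.command_line like "*/proc/*/mem*"` (trailing `*` for redirections and extra arguments) is the shape the surrounding rules use. The new `event.action` values are fine; the severity bump just should not land before the pattern is confirmed to match a real `cat /proc/<pid>/mem` event.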
@@ -52,16 +52,32 @@ tags = [
 "Data Source: Elastic Defend",
 "Resources: Investigation Guide",
 ]
-type = "eql"
-
+timestamp_override = "event.ingested"
+type = "esql"
 query = '''
-sequence by host.id, process.parent.executable, user.id with maxspan=1s
- [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and
- not process.parent.name in (
- "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server", "ma", "gitlab-runner",
- "updatedb.findutils", "cron", "perl", "sudo", "java", "cloud-app-identify", "ambari-sudo.sh"
- )
- ] with runs=10
+from logs-endpoint.events.process* metadata _id, _index, _version
+| mv_expand event.action
+| where
+ event.category == "process" and event.type == "start" and event.action == "exec" and process.name == "su" and
+ process.parent.name not in (
+ "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server", "ma", "gitlab-runner",
+ "updatedb.findutils", "cron", "perl", "sudo", "java", "cloud-app-identify", "ambari-sudo.sh", "runc",
+ "cau9sat.exe", "git-pull.sh", "distributor-pulltabs-devel-live", "p_ctmag", "backup_agent_main", "sshd",
+ "nxpgsql", "cau9cli.exe", "autopostgresqlbackup"
+ ) and
+ not process.parent.command_line == "runc init"
+| stats
+ Esql.event_count = count(*),
+ Esql.process_command_line_values = values(process.command_line),
+ Esql.process_parent_command_line_values = values(process.parent.command_line),
+ Esql.user_name_values = values(user.name),
+ Esql.agent_id_values = values(agent.id),
+ Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_namespace_values = values(data_stream.namespace)
+
+ by process.parent.executable, agent.id, user.id
+
+| where Esql.event_count >= 25
 '''
 note = """## Triage and analysis
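Review bot: The ES|QL rewrite drops the `host.os.type == "linux"` predicate that the removed EQL query carried; `logs-endpoint.events.process*` also receives macOS Elastic Defend events and `su` exists there too, so a rule still tagged `OS: Linux` now counts macOS `su` bursts as well. Adding `host.os.type == "linux" and` at the start of the `| where` clause restores the old scope. The threshold also moved from 10 `su` executions inside a 1-second `maxspan` to `Esql.event_count >= 25` over the whole `now-9m` lookback, which is a much slower attacker profile, and with `interval = "8m"` the one-minute overlap means a burst can be counted on two consecutive runs; a short comment on the threshold line recording the intended rate would help later tuning. Finally, `"sshd"` in the new parent exclusion list silences `ssh host 'su ...'` loops, which is one of the easier ways to drive exactly this brute force, so it deserves a justification next to it.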
@@ -97,22 +113,20 @@ In Linux environments, the 'su' command is used to switch user accounts, often r
 - Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected.
 - Enhance monitoring and logging on the affected host and similar systems to detect and respond to future brute force attempts more effectively."""
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1110.001"
 name = "Password Guessing"
 reference = "https://attack.mitre.org/techniques/T1110/001/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
index 4b29c61c900..0bc4c6a716b 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/14"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/17"
 [rule]
 author = ["Elastic"]
@@ -12,10 +12,9 @@ short time interval. Adversaries will often brute force login attempts across mu
 password, in an attempt to gain access to these accounts.
 """
 from = "now-9m"
-index = ["filebeat-*", "logs-system.auth-*"]
-language = "eql"
+interval = "8m"
+language = "esql"
 license = "Elastic License v2"
-max_signals = 5
 name = "Potential External Linux SSH Brute Force Detected"
 note = """## Triage and analysis
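Review bot: The `@@ -12,10 +12,9 @@` hunk removes `max_signals = 5` without a replacement; with the ES|QL `stats ... by source.ip, agent.id, user.name` that follows, every group reaching the threshold becomes its own alert, so an internet-wide scan that trips the count for many usernames across many hosts yields one alert per combination per run for a `severity = "low"` rule. If the cap was dropped because EQL-sequence and ES|QL alert volumes are not comparable, keep an explicit `max_signals` (the platform default is 100 per run, as far as I know) or note on the `interval` line that unbounded volume is intended.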
@@ -77,27 +76,51 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
 - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
-type = "eql"
-
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide"
+]
+timestamp_override = "event.ingested"
+type = "esql"
 query = '''
-sequence by host.id, source.ip, user.name with maxspan=15s
- [ authentication where host.os.type == "linux" and
- event.action in ("ssh_login", "user_login") and event.outcome == "failure" and
- not cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
- "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
- "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
- "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
- "::1", "FE80::/10", "FF00::/8") ] with runs = 10
+from "filebeat-*", "logs-system.auth-*" metadata _id, _index, _version
+| mv_expand event.action
+| where
+ event.category == "authentication" and event.action in ("ssh_login", "user_login") and event.outcome == "failure" and
+ source.ip is not null and
+ not cidr_match(
+ source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
+ "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
+ "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
+ "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24",
"203.0.113.0/24", "224.0.0.0/4", + "240.0.0.0/4", "::1","FE80::/10", "FF00::/8" + ) +| stats + Esql.event_count = count(*), + Esql.process_name_values = values(process.name), + Esql.process_command_line_values = values(process.command_line), + Esql.source_ip_values = values(source.ip), + Esql.user_name_values = values(user.name), + Esql.agent_id_values = values(agent.id), + Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_namespace_values = values(data_stream.namespace) + + by source.ip, agent.id, user.name + +| where Esql.event_count >= 25 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -108,10 +131,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index b11e36ba5ed..0bc734faa55 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -12,10 +12,9 @@ short time interval. Adversaries will often brute force login attempts across mu
 password, in an attempt to gain access to these accounts.
 """
 from = "now-9m"
-index = ["filebeat-*", "logs-system.auth-*"]
-language = "eql"
+interval = "8m"
+language = "esql"
 license = "Elastic License v2"
-max_signals = 5
 name = "Potential Internal Linux SSH Brute Force Detected"
 note = """## Triage and analysis
@@ -73,27 +72,51 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
 - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
-type = "eql"
-
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide"
+]
+timestamp_override = "event.ingested"
+type = "esql"
 query = '''
-sequence by host.id, source.ip, user.name with maxspan=15s
- [ authentication where host.os.type == "linux" and
- event.action in ("ssh_login", "user_login") and event.outcome == "failure" and
- cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
- "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
- "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
- "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
- "::1", "FE80::/10", "FF00::/8") ] with runs = 10
+from "filebeat-*", "logs-system.auth-*" metadata _id, _index, _version
+| mv_expand event.action
+| where
+ event.category == "authentication" and event.action in ("ssh_login", "user_login") and event.outcome == "failure" and
+ source.ip is not null and
+ cidr_match(
+ source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
+ "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
+ "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
+ "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24",
"203.0.113.0/24", "224.0.0.0/4", + "240.0.0.0/4", "::1","FE80::/10", "FF00::/8" + ) +| stats + Esql.event_count = count(*), + Esql.process_name_values = values(process.name), + Esql.process_command_line_values = values(process.command_line), + Esql.source_ip_values = values(source.ip), + Esql.user_name_values = values(user.name), + Esql.agent_id_values = values(agent.id), + Esql.event_dataset_values = values(event.dataset), + Esql.data_stream_namespace_values = values(data_stream.namespace) + + by source.ip, agent.id, user.name + +| where Esql.event_count >= 25 ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -104,10 +127,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml index 34c9edad13e..f4921403d7a 100644 --- a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/06" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/17" [rule] author = ["Elastic"] 
@@ -18,7 +18,7 @@ from = "now-9m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Successful Linux FTP Brute Force Attack Detected"
+name = "Deprecated - Potential Successful Linux FTP Brute Force Attack Detected"
 risk_score = 47
 rule_id = "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d"
 setup = """## Setup
@@ -66,7 +66,6 @@ tags = [
 "Resources: Investigation Guide",
 ]
 type = "eql"
-
 query = '''
 sequence by host.id, auditd.data.addr, related.user with maxspan=5s
 [authentication where host.os.type == "linux" and event.action == "authenticated" and
@@ -110,13 +109,14 @@ FTP is a protocol used for transferring files between systems, often requiring a
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems were affected.
 - Enhance monitoring and alerting for similar brute force patterns by ensuring that detection rules are tuned to capture variations in attack techniques."""
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1110.001"
 name = "Password Guessing"
@@ -127,10 +127,7 @@ id = "T1110.003"
 name = "Password Spraying"
 reference = "https://attack.mitre.org/techniques/T1110/003/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
index 44329dec53b..7fc82d0df1c 100644
--- a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
+++ b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
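Review bot: The rename to `name = "Deprecated - Potential Successful Linux FTP Brute Force Attack Detected"` is the only deprecation signal in this file: `maturity = "production"` in the preceding hunk is unchanged, no `deprecation_date` is added, and the file stays under `rules/linux/`, so the rule keeps loading and alerting with "Deprecated" in its title. As I understand this repository's convention, a deprecated rule gets `maturity = "deprecated"`, a `deprecation_date = "2025/12/17"`, and moves to the `_deprecated` directory; if this commit is a deliberate first stage, a comment on the `name` line saying when the metadata change follows would avoid the rule being treated as live-but-misnamed.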
@@ -2,7 +2,7 @@ creation_date = "2023/07/06" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" -name = "Potential Successful Linux RDP Brute Force Attack Detected" +name = "Deprecated - Potential Successful Linux RDP Brute Force Attack Detected" risk_score = 47 rule_id = "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0" setup = """## Setup @@ -109,13 +109,14 @@ Remote Desktop Protocol (RDP) enables users to connect to and control remote sys - Monitor the network for any unusual activity or further attempts to exploit RDP, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or relevant security team for further investigation and to ensure comprehensive remediation and recovery actions are taken.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -126,10 +127,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml index ef86e1d43e5..8f8c9f7c185 100644 --- a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml 
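Review bot: The `@@ -18,7 +18,7 @@` hunk renames the rule to `Deprecated - ...` while the `@@ -2,7 +2,7 @@` hunk just above keeps `maturity = "production"` and only bumps `updated_date`, so nothing machine-readable marks the rule as retired and it will keep generating alerts under a misleading name. The usual way to retire a rule in this layout is `maturity = "deprecated"` together with a `deprecation_date` in `[metadata]` (inferred from repository convention, not from this diff); if that is meant to land in a follow-up, the title change alone is easy to misread as already done. At minimum, a single line in the description saying which rule supersedes it — the ES|QL `T1110` rule earlier in this diff, I assume — would make the intent clear to tuners.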
@@ -2,7 +2,7 @@ creation_date = "2022/09/14" integration = ["system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -79,25 +79,30 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" +] type = "eql" - query = ''' sequence by host.id, source.ip, user.name with maxspan=15s [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and - event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10 - + event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=25 [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" @@ -108,10 +113,7 @@ id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - 
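Review bot: `with runs=25` in the `@@ -79,25 +79,30 @@` hunk raises the failure count 2.5x while `maxspan=15s` on the `sequence by host.id, source.ip, user.name` line is unchanged, so all 25 failures plus the success must now fit inside 15 seconds for a single source/user pair. A brute forcer pacing at roughly one attempt per second, or one throttled by sshd's per-connection `MaxAuthTries`, would have satisfied `runs=10` but will never complete the new sequence, which turns this into a detector for very fast runs only while `severity = "high"` suggests it is meant to be the primary catch. If the goal is noise reduction, widen the window in step — e.g. `sequence by host.id, source.ip, user.name with maxspan=1m` — or record the rationale for 25-in-15s in the description or `false_positives` so tuners know the trade-off was intentional.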
diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index f3874305266..f543e3ff547 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -13,7 +13,11 @@ known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext c process and extracting lines that have a high probability of containing cleartext passwords. """ from = "now-9m" -index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "endgame-*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*" +] language = "eql" license = "Elastic License v2" name = "Potential Linux Credential Dumping via Proc Filesystem" @@ -57,7 +61,7 @@ references = [ "https://github.com/huntergregal/mimipenguin", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781", ] -risk_score = 47 +risk_score = 73 rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311" setup = """## Setup @@ -84,7 +88,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -97,7 +101,6 @@ tags = [ "Resources: Investigation Guide", ] type = "eql" - query = ''' sequence by host.id, process.parent.name with maxspan=1m [process where host.os.type == "linux" and process.name == "ps" and event.action in ("exec", "start", "exec_event") @@ -106,27 +109,25 @@ sequence by host.id, process.parent.name with maxspan=1m and process.args : "/tmp/*"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.007" name = "Proc Filesystem" reference = "https://attack.mitre.org/techniques/T1003/007/" - [[rule.threat.technique]] id = "T1212" name = "Exploitation for Credential Access" reference = "https://attack.mitre.org/techniques/T1212/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml index 21acccf17e7..0b636c1f0b6 100644 --- a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml +++ b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/12" +updated_date = "2025/12/17" [rule] author = ["Elastic"] @@ -62,7 +62,7 @@ process.entry_leader.entry_meta.type == "container" and process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate") and process.command_line like~ ( "*BEGIN PRIVATE*", "*BEGIN OPENSSH PRIVATE*", "*BEGIN RSA PRIVATE*", "*BEGIN DSA PRIVATE*", "*BEGIN EC PRIVATE*", - "*pass*", "*ssh*", "*user*", "*id_rsa*", "*id_dsa*" + "*id_rsa*", "*id_dsa*" ) ''' note = """## Triage and analysis 
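Review bot: Dropping `"*pass*"`, `"*ssh*"` and `"*user*"` from the `like~` list in the `@@ -62,7 +62,7 @@` hunk removes the noisy tokens, but it also leaves the rule with no password-related pattern at all, while the file name (`..._sensitive_keys_or_passwords_...`) and presumably the rule name and description still promise password searches. Either narrow the title to private-key searches, or keep one tighter token such as `"*password*"`, which does not match `passwd`, `bypass` or `passthrough` the way `*pass*` did and still catches the common `grep -ri password` sweep. Worth a note in `false_positives` (outside this hunk) that the remaining `"*id_rsa*"`/`"*id_dsa*"` patterns will also match routine `find ~/.ssh -name id_rsa` housekeeping inside containers.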
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index 8e81a161cfe..aaea2ee594d 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -2,18 +2,23 @@ creation_date = "2020/12/21" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/17" [rule] author = ["Elastic"] description = """ -Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. -Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to -enable unauthorized access or to log SSH credentials for exfiltration. +Identifies a Secure Shell (SSH) client or server process creating a known SSH backdoor log file. Adversaries may +modify SSH related binaries for persistence or credential access via patching sensitive functions to enable +unauthorized access or to log SSH credentials for exfiltration. """ false_positives = ["Updates to approved and trusted SSH executables can trigger this rule."] from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.file-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = [ + "auditbeat-*", + "logs-endpoint.events.file-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*" +] language = "eql" license = "Elastic License v2" name = "Potential OpenSSH Backdoor Logging Activity" 
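Review bot: The reworded description in the `@@ -2,18 +2,23 @@` hunk now says the rule fires on a process "creating" a backdoor log file, which implies one alert at first creation and nothing for the later appends a patched `ssh`/`sshd` makes to the same file; that consequence should be stated so analysts do not read a single alert as a single captured credential. Consider extending the description with `Subsequent writes to an already-created log file are not alerted on, so treat the first creation as the start of ongoing credential harvesting.` The retained `false_positives` line about "Updates to approved and trusted SSH executables" no longer describes a file-creation rule well — confirm whether it should instead mention package upgrades or first-run `ssh`/`sshd` invocations laying down new files.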
@@ -112,32 +117,27 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and +file where host.os.type == "linux" and event.type == "creation" and process.name in ("ssh", "sshd") and ( - (file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history", ".google_authenticator", - ".jelenv", ".csvignore", ".rtreport")) or + ( + file.name : (".*", "~*", "*~") and not file.name : ( + ".cache", ".viminfo", ".bash_history", ".google_authenticator", ".jelenv", ".csvignore", ".rtreport", ".git*" + ) + ) or file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or file.path : ( - "/private/etc/*--", + "/tmp/*", + "/var/tmp/*", + "/dev/shm/*", "/usr/share/*", "/usr/include/*", "/usr/local/include/*", - "/private/tmp/*", - "/private/var/tmp/*", - "/usr/tmp/*", "/usr/share/man/*", "/usr/local/share/*", "/usr/lib/*.so.*", - "/private/etc/ssh/.sshd_auth", "/usr/bin/ssd", - "/private/var/opt/power", - "/private/etc/ssh/ssh_known_hosts", - "/private/var/html/lol", - "/private/var/log/utmp", - "/private/var/lib", "/var/run/sshd/sshd.pid", "/var/run/nscd/ns.pid", "/var/run/udev/ud.pid", 
@@ -146,29 +146,28 @@ file where host.os.type == "linux" and event.type == "change" and process.execut ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -