[Rule Tuning] Linux DR Tuning - 3

rules/linux/credential_access_aws_creds_search_inside_container.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/03/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/12"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "AWS Credentials Searched For Inside A Container"
 references = ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"]
-risk_score = 47
+risk_score = 73
 rule_id = "5749282b-7524-4c9d-af9a-e2b3e814e5d4"
 setup = """## Setup
 
@@ -45,7 +45,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Container",
     "OS: Linux",
@@ -59,7 +59,7 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.entry_leader.entry_meta.type == "container" and
-process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate") and
+process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate", "cat", "sed") and
 process.command_line like~ (
   "*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*",
   "*access_key*", "*.aws/credentials*"

rules/linux/credential_access_collection_sensitive_files.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/12/22"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,13 @@ Identifies the use of a compression utility to collect known files containing se
 and system configurations.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
+index = [
+    "auditbeat-*",
+    "endgame-*",
+    "logs-auditd_manager.auditd-*",
+    "logs-endpoint.events.process*",
+    "logs-sentinel_one_cloud_funnel.*",
+]
 language = "kuery"
 license = "Elastic License v2"
 name = "Sensitive Files Compression"
@@ -68,15 +74,17 @@ tags = [
     "Tactic: Credential Access",
     "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
+    "Data Source: SentinelOne",
+    "Data Source: Auditd Manager",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 event.category:process and host.os.type:linux and event.type:start and
-  process.name:(zip or tar or gzip or hdiutil or 7z) and
-  process.args:
+event.action:("exec" or "exec_event" or "start" or "executed" or "process_started") and
+process.name:(zip or tar or gzip or hdiutil or 7z) and
+process.args:
     (
       /root/.ssh/id_rsa or
       /root/.ssh/id_rsa.pub or
@@ -142,47 +150,46 @@ Compression utilities like zip, tar, and gzip are essential for efficiently mana
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for compression utilities and sensitive file access to detect and respond to similar threats more effectively in the future."""
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1552.001"
 name = "Credentials In Files"
 reference = "https://attack.mitre.org/techniques/T1552/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
 reference = "https://attack.mitre.org/techniques/T1560/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1560.001"
 name = "Archive via Utility"
 reference = "https://attack.mitre.org/techniques/T1560/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.command_line", "process.parent.executable"]
+value = ["agent.id", "process.command_line", "process.parent.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
-
-
+value = "now-5d"

rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/03/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/12"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Sensitive Files Compression Inside A Container"
-risk_score = 47
+risk_score = 73
 rule_id = "d9faf1ba-a216-4c29-b8e0-a05a9d14b027"
 setup = """## Setup
 
@@ -43,7 +43,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Container",
     "OS: Linux",

rules/linux/credential_access_credential_dumping.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/02/27"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ Unshadow is a utility within the John the Ripper suite, used to merge `/etc/shad
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Implement enhanced monitoring and logging for similar activities across the network to detect and respond to future credential dumping attempts promptly."""
 references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
-risk_score = 47
+risk_score = 73
 rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c"
 setup = """## Setup
 
@@ -85,7 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Linux",
@@ -99,28 +99,25 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
 process.name == "unshadow" and process.args_count >= 3
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.008"
 name = "/etc/passwd and /etc/shadow"
 reference = "https://attack.mitre.org/techniques/T1003/008/"
 
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-

rules/linux/credential_access_gdb_init_process_hooking.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/08/30"
-integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -13,10 +13,12 @@ dumping techniques to attempt secret extraction from privileged processes. Tools
 """
 from = "now-9m"
 index = [
+    "auditbeat-*",
     "endgame-*",
     "logs-crowdstrike.fdr*",
     "logs-endpoint.events.process*",
     "logs-sentinel_one_cloud_funnel.*",
+    "logs-auditd_manager.auditd-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -56,7 +58,7 @@ In Linux, the init process (PID 1) is the first process started by the kernel an
 - Escalate the incident to the security operations team for a comprehensive investigation and to determine if further forensic analysis is required.
 - Update and enhance detection rules and monitoring systems to better identify and alert on similar unauthorized memory access attempts in the future."""
 references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"]
-risk_score = 47
+risk_score = 73
 rule_id = "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f"
 setup = """## Setup
 
@@ -83,7 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Endpoint",
     "OS: Linux",
@@ -93,32 +95,30 @@ tags = [
     "Data Source: Elastic Endgame",
     "Data Source: Crowdstrike",
     "Data Source: SentinelOne",
+    "Data Source: Auditd Manager",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1"
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.007"
 name = "Proc Filesystem"
 reference = "https://attack.mitre.org/techniques/T1003/007/"
 
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-

rules/linux/credential_access_gh_auth_via_nodejs.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ may use this technique to access GitHub repositories and potentially exfiltrate
 perform malicious actions. This activity was observed in the wild as part of the Shai-Hulud worm.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "GitHub Authentication Token Access via Node.js"
@@ -55,13 +55,14 @@ tags = [
   "Tactic: Credential Access",
   "Tactic: Discovery",
   "Data Source: Elastic Defend",
-  "Resources: Investigation Guide",
+  "Data Source: Elastic Endgame",
   "Data Source: Crowdstrike",
+  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.parent.name == "node" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2", "exec_event") and process.parent.name == "node" and
 process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "gh auth token"
 '''
 

rules/linux/credential_access_kubernetes_service_account_secret_access.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -107,8 +107,27 @@ process where host.os.type == "linux" and event.type == "start" and event.action
       "/var/run/secrets/kubernetes.io/serviceaccount",
       "/secrets/kubernetes.io/serviceaccount"
     ) and
-    process.args in ("ca.crt", "token", "namespace")
+    process.args in ("ca.crt", "token")
   )
+) and
+not (
+  process.command_line like "*/bin/test*" or
+  process.args in (
+    "/var/run/secrets/kubernetes.io/serviceaccount/namespace",
+    "/run/secrets/kubernetes.io/serviceaccount/namespace",
+    "/secrets/kubernetes.io/serviceaccount/namespace"
+  ) or
+  process.command_line == "/usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat /var/run/secrets/kubernetes.io/serviceaccount/token" or
+  process.parent.command_line == "runc init" or
+  (process.parent.name == "px-oci-mon" and process.name == "rsync") or
+  (
+    process.parent.command_line == "sh /install-cni.sh" and
+    process.working_directory like (
+      "/opt/cni/bin", "/run/containerd/io.containerd.runtime.v2.task/k8s.io/*/opt/cni/bin"
+    )
+  ) or
+  (process.working_directory like "/home/runner/_work/*" and process.parent.args like "/home/runner/_work/_temp/*.sh") or
+  process.working_directory == "/opt/cni/bin"
 )
 '''