22 changes: 15 additions & 7 deletions 22 rules/linux/collection_linux_clipboard_activity.toml
@@ -1,18 +1,24 @@
[metadata]
creation_date = "2023/07/27"
integration = ["endpoint", "auditd_manager"]
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/09/16"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group
leader. Adversaries may collect data stored in the clipboard from users copying information within or between
applications.
This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process parent.
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
index = [
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"endgame-*",
"auditbeat-*",
"logs-auditd_manager.auditd-*",
]
language = "kuery"
license = "Elastic License v2"
name = "Linux Clipboard Activity Detected"
Expand All @@ -27,6 +33,8 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
Expand Down Expand Up @@ -88,7 +96,7 @@ reference = "https://attack.mitre.org/tactics/TA0009/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.group_leader.executable"]
value = ["host.id", "process.parent.executable"]

don't think CS supports process.parent.executable as per the Linux EDR matrix, cc @w0rk3r


[[rule.new_terms.history_window_start]]
field = "history_window_start"
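Review bot: The `index = [` hunk adds `logs-crowdstrike.fdr*` and `logs-sentinel_one_cloud_funnel.*`, but the KQL `query` that has to match the exec-style `event.action` values those sources emit is not part of this diff, so it cannot be confirmed here that the rule actually fires on the new data. The AWS CLI rule in the same change handles this with `event.action:("exec" or "exec_event" or "executed" or "process_started")`; if this rule's query still filters on a single action value, the new indices add search volume without producing matches. Worth a comment above `index = [` recording which action values were verified per source, e.g. `# crowdstrike/sentinel_one: query accepts exec_event/process_started (verified <date>)`, with the verification date filled in. The `[rule]` table continues outside the hunk.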
37 changes: 27 additions & 10 deletions 37 rules/linux/command_and_control_aws_cli_endpoint_url_used.toml
@@ -1,16 +1,27 @@
[metadata]
creation_date = "2024/08/21"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/09/16"

[rule]
author = ["Elastic"]
description = """
Detects the use of the AWS CLI with the `--endpoint-url` argument, which allows users to specify a custom endpoint URL for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise of legitimate AWS operations.
Detects the use of the AWS CLI with the "--endpoint-url" argument, which allows users to specify a custom endpoint URL
for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints,
potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact
with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise
of legitimate AWS operations.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
index = [
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"endgame-*",
"auditbeat-*",
"logs-auditd_manager.auditd-*",
]
language = "kuery"
license = "Elastic License v2"
name = "AWS CLI Command with Custom Endpoint URL"
Expand All @@ -21,17 +32,23 @@ risk_score = 47
rule_id = "349276c0-5fcf-11ef-b1a9-f661ea17fbce"
severity = "medium"
tags = [
"Data Source: Elastic Defend",
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
]
type = "new_terms"
timestamp_override = "event.ingested"
query = '''
host.os.type: "linux" and event.category: "process" and process.name: "aws" and process.args: "--endpoint-url"
host.os.type:"linux" and event.category:"process" and
event.action:("exec" or "exec_event" or "executed" or "process_started") and
process.name:"aws" and process.args:"--endpoint-url"
'''
note = """## Triage and analysis

Expand Down Expand Up @@ -71,21 +88,21 @@ The AWS CLI allows users to interact with AWS services via command-line, offerin

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"


[rule.new_terms]
field = "new_terms_fields"
value = ["user.name"]
value = ["host.id"]

not sure if host.id is mapped correctly


[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
value = "now-3d"
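Review bot: Changing `[rule.new_terms]` from `value = ["user.name"]` to `value = ["host.id"]` while also cutting `history_window_start` from `now-10d` to `now-3d` changes what "new" means for this rule, and the hunk records no reason for it. Novelty is now per host rather than per user, so a second account using `--endpoint-url` on a host where it was already seen in the last 3 days produces no alert, while a host that last used it four or more days ago alerts again; whether that is the intended trade-off is not visible here. If per-user novelty still matters, `value = ["host.id", "user.name"]` keeps both dimensions, and a comment above the `value` line stating the chosen rationale would let the next maintainer judge the window. The `[[rule.new_terms.history_window_start]]` table closes the file, so nothing follows the hunk.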
23 changes: 11 additions & 12 deletions 23 rules/linux/command_and_control_cat_network_activity.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2023/09/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/04"
updated_date = "2025/09/16"

[transform]
[[transform.osquery]]
Expand All @@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"


[rule]
author = ["Elastic"]
description = """
Expand Down Expand Up @@ -138,42 +137,42 @@ tags = [
"Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id, process.entity_id with maxspan=1s
sequence by host.id, process.entity_id with maxspan=3s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name == "cat" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
[network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and
process.name == "cat" and not (destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
"192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
"192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
"FF00::/8"
process.name == "cat" and not (
destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
"192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
"192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
"FF00::/8"
)
)]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
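Review bot: The `sequence by host.id, process.entity_id with maxspan=3s` line triples the join window between the `cat` exec event and its network event without any note of why 1s was insufficient; a wider window lowers the chance of missing a slow connection but also raises the chance of pairing an unrelated `cat` with a connection from a reused entity id, and the reason should be recorded in the rule. A TOML comment above `query = '''` such as `# maxspan 3s: <observed delay between cat exec and first connection that 1s missed>` would do, with the placeholder replaced by what the telemetry actually showed. The `cidrmatch` exclusion list is only re-indented in this hunk, so it is not re-reviewed here. The `query` string and the `[rule]` table start outside the hunk.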

21 changes: 13 additions & 8 deletions 21 rules/linux/command_and_control_curl_socks_proxy_detected.toml
Expand Up @@ -2,21 +2,21 @@
creation_date = "2024/11/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/04"
updated_date = "2025/09/16"

[rule]
author = ["Elastic"]
description = """
This rule detects the use of the `curl` command-line tool with SOCKS proxy options, launched from an unusual parent
process. Attackers may use `curl` to establish a SOCKS proxy connection to bypass network restrictions and exfiltrate
This rule detects the use of the "curl" command-line tool with SOCKS proxy options, launched from an unusual parent
process. Attackers may use "curl" to establish a SOCKS proxy connection to bypass network restrictions and exfiltrate
data or communicate with C2 servers.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Curl SOCKS Proxy Activity from Unusual Parent"
risk_score = 21
risk_score = 47
rule_id = "734239fe-eda8-48c0-bca8-9e3dafd81a88"
setup = """## Setup

Expand Down Expand Up @@ -56,7 +56,7 @@ In order to capture this behavior, this rule requires a specific configuration o
After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.
For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
Expand All @@ -71,13 +71,18 @@ query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name == "curl" and (
process.parent.executable like (
"/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/run/*", "/root/*", "/boot/*", "/var/www/html/*", "/opt/.*"
"/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/run/*", "/root/*", "/boot/*", "/var/www/*", "/opt/.*",
"/home/*"
) or
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or
process.parent.name like ".*"
) and (
process.args like ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or
process.args == "-x" or
process.env_vars like ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*")
process.env_vars like~ ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*")
) and not (
process.parent.args == "/opt/rudder/share/commands/agent-run" or
process.args == "http://localhost:8080/rudder/api/status"
)
'''
note = """## Triage and analysis
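Review bot: Adding `"/home/*"` to the `process.parent.executable like (...)` list makes every parent launched from a user home directory count as unusual, and widening `"/var/www/html/*"` to `"/var/www/*"` does the same for web roots; combined with the `risk_score = 47` / `severity = "medium"` bump in the earlier hunks this is likely to raise alert volume on developer and CI hosts where curl through a SOCKS proxy is routine, and the single rudder exclusion appended at the end suggests such tuning is already happening case by case. The change would be easier to maintain with its rationale in the rule, e.g. a comment above `query = '''` such as `# parent paths broadened to /home/* and /var/www/*: <reason from the motivating telemetry>`, placeholder filled in. Switching `process.env_vars` to `like~` is a sound change, since the proxy variable names legitimately appear in both upper and lower case. The `query` string ends inside the hunk but the `[rule]` table and the following `note` string continue outside it.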
Expand Up @@ -2,7 +2,7 @@
creation_date = "2025/04/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/07/07"
updated_date = "2025/09/16"

[rule]
author = ["Elastic"]
Expand All @@ -12,7 +12,7 @@ the creation of files in suspicious directories such as /tmp, /var/tmp, or /dev/
attempt to download a payload, exploit or tool.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.process*", "logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Git Repository or File Download to Suspicious Directory"
Expand Down Expand Up @@ -106,6 +106,9 @@ sequence by process.entity_id, host.id with maxspan=10s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
(process.name == "git" and process.args == "clone") or
(process.name in ("wget", "curl") and process.command_line like~ "*github*")
) and not (
process.parent.name in ("git", "cmake") or
process.parent.args like "/root/.ansible/tmp/ansible*"
)]
[file where host.os.type == "linux" and event.type == "creation" and file.path like ("/tmp/*", "/var/tmp/*", "/dev/shm/*")]
'''