From b0866d49525d0d512d5bd936961d8cbc7e87932a Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud Date: Tue, 16 Sep 2025 14:54:02 +0200 Subject: [PATCH 1/3] [Rule Tuning] Linux DR Tuning - 1 --- .../collection_linux_clipboard_activity.toml | 20 +++++++---- ...and_control_aws_cli_endpoint_url_used.toml | 35 ++++++++++++++----- ...mand_and_control_cat_network_activity.toml | 23 ++++++------ ...and_control_curl_socks_proxy_detected.toml | 21 ++++++----- ..._git_repo_or_file_download_to_sus_dir.toml | 7 ++-- 5 files changed, 69 insertions(+), 37 deletions(-) diff --git a/rules/linux/collection_linux_clipboard_activity.toml b/rules/linux/collection_linux_clipboard_activity.toml index a647398f892..056dbe4d393 100644 --- a/rules/linux/collection_linux_clipboard_activity.toml +++ b/rules/linux/collection_linux_clipboard_activity.toml @@ -2,17 +2,23 @@ creation_date = "2023/07/27" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/09/16" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group -leader. Adversaries may collect data stored in the clipboard from users copying information within or between -applications. +This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process parent. +Adversaries may collect data stored in the clipboard from users copying information within or between applications. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] +index = [ + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*", + ] language = "kuery" license = "Elastic License v2" name = "Linux Clipboard Activity Detected" 
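Review bot: The new `index` entries `logs-crowdstrike.fdr*` and `logs-sentinel_one_cloud_funnel.*` feed this new-terms rule from sources whose field coverage differs from Elastic Defend, and the hunk does not show the query, so confirm it narrows `event.action` to exec-type events the way the AWS CLI rule in this same patch does (`event.action:("exec" or "exec_event" or "executed" or "process_started")`); otherwise process-end or fork records from the added sources are evaluated as well. Also confirm that both sources actually populate `process.parent.executable`, the key the rule is moved onto later in this diff, because a document that lacks a new-terms field cannot yield a term and coverage for that source would silently be zero. The rule's query block lies outside this hunk, so this is a request to check rather than a defect I can point at.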
@@ -27,6 +33,8 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" @@ -88,7 +96,7 @@ reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.group_leader.executable"] +value = ["host.id", "process.parent.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml index 06eacbf8b12..869a61e1a10 100644 --- a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml +++ b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml 
@@ -2,15 +2,26 @@ creation_date = "2024/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/09/16" [rule] author = ["Elastic"] description = """ -Detects the use of the AWS CLI with the `--endpoint-url` argument, which allows users to specify a custom endpoint URL for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise of legitimate AWS operations. +Detects the use of the AWS CLI with the "--endpoint-url" argument, which allows users to specify a custom endpoint URL +for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, +potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact +with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise +of legitimate AWS operations. """ from = "now-9m" -index = ["logs-endpoint.events.process-*"] +index = [ + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*", + ] language = "kuery" license = "Elastic License v2" name = "AWS CLI Command with Custom Endpoint URL" 
@@ -21,17 +32,23 @@ risk_score = 47 rule_id = "349276c0-5fcf-11ef-b1a9-f661ea17fbce" severity = "medium" tags = [ - "Data Source: Elastic Defend", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", ] type = "new_terms" timestamp_override = "event.ingested" query = ''' -host.os.type: "linux" and event.category: "process" and process.name: "aws" and process.args: "--endpoint-url" +host.os.type:"linux" and event.category:"process" and +event.action:("exec" or "exec_event" or "executed" or "process_started") and +process.name:"aws" and process.args:"--endpoint-url" ''' note = """## Triage and analysis @@ -71,21 +88,21 @@ The AWS CLI allows users to interact with AWS services via command-line, offerin [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [rule.new_terms] field = "new_terms_fields" -value = ["user.name"] +value = ["host.id"] + [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-10d" +value = "now-3d" diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml index e0ce29eee9d..cab972324d4 100644 --- a/rules/linux/command_and_control_cat_network_activity.toml +++ b/rules/linux/command_and_control_cat_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/09/16" [transform] [[transform.osquery]] 
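Review bot: The exact term `process.args:"--endpoint-url"` in the rewritten query misses the `--endpoint-url=https://…` spelling that the AWS CLI's argparse-style option parsing also accepts, so an operator who writes the option with `=` is not detected; consider adding a wildcard term for that form beside the exact one (e.g. `--endpoint-url=*`, remembering that in KQL quoted values are literal and only unquoted ones carry wildcards). Newer CLI versions also honour the `AWS_ENDPOINT_URL` environment variable (and per-service variants) with no argument at all, which a process-args rule cannot see; where environment-variable capture is enabled, as the curl SOCKS rule in this patch already relies on, a `process.env_vars` clause would close that gap. The added `event.action` list matches the values the other multi-source Linux rules use, which looks right.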
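Review bot: Changing the new-terms key from `user.name` to `host.id` means that once anyone on a host has run `aws --endpoint-url` inside the window, every later use on that host by any user is suppressed for three days, so an attacker on a developer box where LocalStack or MinIO is exercised daily is exactly the case that goes quiet. Keying on both fields, `value = ["host.id", "user.name"]`, keeps per-host deduplication while still surfacing a new user on a known host, and mirrors the two-field key the clipboard rule in this patch uses. Shrinking `history_window_start` from `now-10d` to `now-3d` also means recurring legitimate use re-alerts every few days; if that sensitivity is intended, a sentence in the rule's note saying so would help triage.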
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Process Info" query = "SELECT name, cmdline, parent, path, uid FROM processes" - [rule] author = ["Elastic"] description = """ @@ -138,23 +137,22 @@ tags = [ "Resources: Investigation Guide", ] type = "eql" - query = ''' -sequence by host.id, process.entity_id with maxspan=1s +sequence by host.id, process.entity_id with maxspan=3s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "cat" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and - process.name == "cat" and not (destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch( - destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", - "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", - "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", - "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", - "FF00::/8" + process.name == "cat" and not ( + destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch( + destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", + "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", + "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", + "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", + "FF00::/8" ) )] ''' - [[rule.threat]] framework = "MITRE ATT&CK" 
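Review bot: The reflowed `cidrmatch` list in the network clause excludes every IPv4 private, link-local and reserved range but on the IPv6 side only `::1`, `FE80::/10` and `FF00::/8`, so a `cat` connection to a unique-local address (`fc00::/7`, the IPv6 counterpart of RFC 1918) still fires while the same traffic over IPv4 is suppressed; add `"fc00::/7"` to the list, and consider the unspecified address `::` as the counterpart of the existing `0.0.0.0` check. The `maxspan` bump from 1s to 3s is a tuning judgement that the hunk does not explain; a short sentence in the note on why 1s lost sequences would save the next person from reverting it.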
@@ -162,6 +160,7 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -169,6 +168,7 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -176,4 +176,3 @@ framework = "MITRE ATT&CK" id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/linux/command_and_control_curl_socks_proxy_detected.toml b/rules/linux/command_and_control_curl_socks_proxy_detected.toml index 6fc18eaaca8..cfdde4aab58 100644 --- a/rules/linux/command_and_control_curl_socks_proxy_detected.toml +++ b/rules/linux/command_and_control_curl_socks_proxy_detected.toml @@ -2,13 +2,13 @@ creation_date = "2024/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/09/16" [rule] author = ["Elastic"] description = """ -This rule detects the use of the `curl` command-line tool with SOCKS proxy options, launched from an unusual parent -process. Attackers may use `curl` to establish a SOCKS proxy connection to bypass network restrictions and exfiltrate +This rule detects the use of the "curl" command-line tool with SOCKS proxy options, launched from an unusual parent +process. Attackers may use "curl" to establish a SOCKS proxy connection to bypass network restrictions and exfiltrate data or communicate with C2 servers. """ from = "now-9m" @@ -16,7 +16,7 @@ index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Curl SOCKS Proxy Activity from Unusual Parent" -risk_score = 21 +risk_score = 47 rule_id = "734239fe-eda8-48c0-bca8-9e3dafd81a88" setup = """## Setup 
@@ -56,7 +56,7 @@ In order to capture this behavior, this rule requires a specific configuration o After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly. For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", @@ -71,13 +71,18 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "curl" and ( process.parent.executable like ( - "/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/run/*", "/root/*", "/boot/*", "/var/www/html/*", "/opt/.*" + "/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/run/*", "/root/*", "/boot/*", "/var/www/*", "/opt/.*", + "/home/*" ) or - process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") + process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or + process.parent.name like ".*" ) and ( process.args like ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or process.args == "-x" or - process.env_vars like ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*") + process.env_vars like~ ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*") +) and not ( + process.parent.args == "/opt/rudder/share/commands/agent-run" or + process.args == "http://localhost:8080/rudder/api/status" ) ''' note = """## Triage and analysis diff --git a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml index 8b5187ecb2b..60b05996b2d 100644 --- a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml +++ b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml 
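Review bot: The new exclusion block is keyed on attacker-controllable argument strings, so it doubles as a bypass: `process.args == "http://localhost:8080/rudder/api/status"` exempts any `curl` whose argument list contains that literal anywhere, regardless of parent, and curl accepts extra URLs, so `curl --socks5-hostname … https://c2 http://localhost:8080/rudder/api/status` slips through, while `process.parent.args == "/opt/rudder/share/commands/agent-run"` is satisfied by any shell handed that string as an argument. If both conditions describe the same Rudder invocation, join them with `and` instead of `or`; if they are two different invocations, pin each to something harder to forge, e.g. `process.parent.executable` (if the parent is a dedicated Rudder binary rather than a generic shell) or `process.working_directory` under `/opt/rudder/`. Adding `"/home/*"` to the parent-executable list also pulls in every user-installed tool (pyenv/nvm/cargo binaries, `~/.local/bin` scripts) that goes through a proxy, which together with the risk-score increase elsewhere in this patch could be noisy; a sentence in the note on what was observed would justify it.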
@@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/07" +updated_date = "2025/09/16" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ the creation of files in suspicious directories such as /tmp, /var/tmp, or /dev/ attempt to download a payload, exploit or tool. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*", "logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Git Repository or File Download to Suspicious Directory" @@ -106,6 +106,9 @@ sequence by process.entity_id, host.id with maxspan=10s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( (process.name == "git" and process.args == "clone") or (process.name in ("wget", "curl") and process.command_line like~ "*github*") + ) and not ( + process.parent.name in ("git", "cmake", "trufflehog") or + process.parent.args like "/root/.ansible/tmp/ansible*" )] [file where host.os.type == "linux" and event.type == "creation" and file.path like ("/tmp/*", "/var/tmp/*", "/dev/shm/*")] ''' From a8b6b5b817095fc74db65fb2984b106d772c43fd Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud Date: Tue, 16 Sep 2025 15:38:05 +0200 Subject: [PATCH 2/3] Added integrations --- rules/linux/collection_linux_clipboard_activity.toml | 2 +- rules/linux/command_and_control_aws_cli_endpoint_url_used.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/linux/collection_linux_clipboard_activity.toml b/rules/linux/collection_linux_clipboard_activity.toml index 056dbe4d393..8405123d085 100644 --- a/rules/linux/collection_linux_clipboard_activity.toml +++ b/rules/linux/collection_linux_clipboard_activity.toml 
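Review bot: The new `process.parent.args like "/root/.ansible/tmp/ansible*"` exclusion only covers Ansible runs executing as root; Ansible stages its modules under the remote user's `~/.ansible/tmp`, so the same legitimate `git clone` or `curl … github` from a non-root become target will keep firing, and `process.parent.args like "*/.ansible/tmp/ansible*"` covers both at the cost of a leading wildcard. Note that this and the `process.parent.name in (…)` exclusion are both satisfied by attacker-chosen strings (a dropper named after one of the listed parents, or a shell passed that path as an argument), which is acceptable for noise reduction but should be stated in the rule's note so triagers know the exclusions are soft. The narrowed `index` list in the earlier hunk of this file is a good change.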
@@ -1,6 +1,6 @@ [metadata] creation_date = "2023/07/27" -integration = ["endpoint", "auditd_manager"] +integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" updated_date = "2025/09/16" diff --git a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml index 869a61e1a10..34a66025f8a 100644 --- a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml +++ b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml @@ -1,6 +1,6 @@ [metadata] creation_date = "2024/08/21" -integration = ["endpoint"] +integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" updated_date = "2025/09/16" From aaaef40b465e8559b7526ef1412f6e4e53e73dac Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Tue, 16 Sep 2025 22:07:29 +0200 Subject: [PATCH 3/3] Update command_and_control_git_repo_or_file_download_to_sus_dir.toml --- ...ommand_and_control_git_repo_or_file_download_to_sus_dir.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml index 60b05996b2d..8e5b77e396f 100644 --- a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml +++ b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml 
@@ -107,7 +107,7 @@ sequence by process.entity_id, host.id with maxspan=10s (process.name == "git" and process.args == "clone") or (process.name in ("wget", "curl") and process.command_line like~ "*github*") ) and not ( - process.parent.name in ("git", "cmake", "trufflehog") or + process.parent.name in ("git", "cmake") or process.parent.args like "/root/.ansible/tmp/ansible*" )] [file where host.os.type == "linux" and event.type == "creation" and file.path like ("/tmp/*", "/var/tmp/*", "/dev/shm/*")]