Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add rule docs for 8.3 rule changes #2083

Merged
merged 3 commits into from
Jun 22, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,35 @@ The following lists prebuilt rule updates per release. Only rules with
significant modifications to their query or scope are listed. For detailed
information about a rule's changes, see the rule's description page.

[float]
=== 8.3.0

<<adminsdholder-sdprop-exclusion-added>>

<<attempts-to-brute-force-a-microsoft-365-user-account>>

<<component-object-model-hijacking>>

<<connection-to-commonly-abused-web-services>>

<<emond-rules-creation-or-modification>>

<<microsoft-365-inbox-forwarding-rule-created>>

<<potential-password-spraying-of-microsoft-365-user-accounts>>

<<remote-system-discovery-commands>>

<<ssh-authorized-keys-file-modification>>

<<suspicious-ms-office-child-process>>

<<tampering-of-bash-command-line-history>>

<<unusual-process-execution-temp>>

<<whitespace-padding-in-process-command-line>>

[float]
=== 8.2.0

Expand Down Expand Up @@ -150,8 +179,6 @@ information about a rule's changes, see the rule's description page.

<<incoming-execution-via-winrm-remote-shell>>

<<lateral-tool-transfer>>

<<launchdaemon-creation-or-modification-and-immediate-loading>>

<<mfa-disabled-for-google-workspace-organization>>
Expand All @@ -160,6 +187,8 @@ information about a rule's changes, see the rule's description page.

<<persistence-via-folder-action-script>>

<<potential-lateral-tool-transfer-via-smb-share>>

<<potential-sharprdp-behavior>>

<<powershell-minidump-script>>
Expand Down Expand Up @@ -207,8 +236,6 @@ information about a rule's changes, see the rule's description page.

<<kerberos-traffic-from-unusual-process>>

<<lateral-tool-transfer>>

<<local-scheduled-task-creation>>

<<microsoft-build-engine-started-by-a-script-process>>
Expand All @@ -223,6 +250,8 @@ information about a rule's changes, see the rule's description page.

<<potential-dll-side-loading-via-microsoft-antimalware-service-executable>>

<<potential-lateral-tool-transfer-via-smb-share>>

<<potential-sharprdp-behavior>>

<<potential-windows-error-manager-masquerading>>
Expand Down
402 changes: 199 additions & 203 deletions docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc

Large diffs are not rendered by default.

38 changes: 18 additions & 20 deletions docs/detections/prebuilt-rules/rule-desc-index.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ include::rule-details/aws-rds-security-group-creation.asciidoc[]
include::rule-details/aws-rds-security-group-deletion.asciidoc[]
include::rule-details/aws-rds-snapshot-export.asciidoc[]
include::rule-details/aws-rds-snapshot-restored.asciidoc[]
include::rule-details/aws-redshift-cluster-creation.asciidoc[]
include::rule-details/aws-root-login-without-mfa.asciidoc[]
include::rule-details/aws-route-53-domain-transfer-lock-disabled.asciidoc[]
include::rule-details/aws-route-53-domain-transferred-to-another-account.asciidoc[]
Expand All @@ -51,12 +52,13 @@ include::rule-details/aws-security-group-configuration-change-detection.asciidoc
include::rule-details/aws-security-token-service-sts-assumerole-usage.asciidoc[]
include::rule-details/aws-waf-access-control-list-deletion.asciidoc[]
include::rule-details/aws-waf-rule-or-rule-group-deletion.asciidoc[]
include::rule-details/abnormal-process-id-or-lock-file-created.asciidoc[]
include::rule-details/abnormally-large-dns-response.asciidoc[]
include::rule-details/access-of-stored-browser-credentials.asciidoc[]
include::rule-details/access-to-keychain-credentials-directories.asciidoc[]
include::rule-details/account-configured-with-never-expiring-password.asciidoc[]
include::rule-details/account-discovery-command-via-system-account.asciidoc[]
include::rule-details/account-password-reset-remotely.asciidoc[]
include::rule-details/account-configured-with-never-expiring-password.asciidoc[]
include::rule-details/adfind-command-activity.asciidoc[]
include::rule-details/adding-hidden-file-attribute-via-attrib.asciidoc[]
include::rule-details/adminsdholder-backdoor.asciidoc[]
Expand All @@ -67,7 +69,6 @@ include::rule-details/adobe-hijack-persistence.asciidoc[]
include::rule-details/adversary-behavior-detected-elastic-endgame.asciidoc[]
include::rule-details/agent-spoofing-mismatched-agent-id.asciidoc[]
include::rule-details/agent-spoofing-multiple-hosts-using-same-agent.asciidoc[]
include::rule-details/anomalous-kernel-module-activity.asciidoc[]
include::rule-details/anomalous-linux-compiler-activity.asciidoc[]
include::rule-details/anomalous-process-for-a-linux-population.asciidoc[]
include::rule-details/anomalous-process-for-a-windows-population.asciidoc[]
Expand Down Expand Up @@ -142,6 +143,7 @@ include::rule-details/azure-storage-account-key-regenerated.asciidoc[]
include::rule-details/azure-virtual-network-device-modified-or-deleted.asciidoc[]
include::rule-details/base16-or-base32-encoding-decoding-activity.asciidoc[]
include::rule-details/bash-shell-profile-modification.asciidoc[]
include::rule-details/binary-executed-from-shared-memory-directory.asciidoc[]
include::rule-details/bypass-uac-via-event-viewer.asciidoc[]
include::rule-details/clearing-windows-console-history.asciidoc[]
include::rule-details/clearing-windows-event-logs.asciidoc[]
Expand Down Expand Up @@ -185,6 +187,7 @@ include::rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc[
include::rule-details/dumping-account-hashes-via-built-in-commands.asciidoc[]
include::rule-details/dumping-of-keychain-content-via-security-command.asciidoc[]
include::rule-details/eggshell-backdoor-execution.asciidoc[]
include::rule-details/elastic-agent-service-terminated.asciidoc[]
include::rule-details/emond-rules-creation-or-modification.asciidoc[]
include::rule-details/enable-host-network-discovery-via-netsh.asciidoc[]
include::rule-details/encoded-executable-stored-in-the-registry.asciidoc[]
Expand Down Expand Up @@ -273,26 +276,13 @@ include::rule-details/kerberos-pre-authentication-disabled-for-user.asciidoc[]
include::rule-details/kerberos-traffic-from-unusual-process.asciidoc[]
include::rule-details/kernel-module-removal.asciidoc[]
include::rule-details/keychain-password-retrieval-via-command-line.asciidoc[]
include::rule-details/kubernetes-user-exec-into-pod.asciidoc[]
include::rule-details/lsass-memory-dump-creation.asciidoc[]
include::rule-details/lsass-memory-dump-handle-access.asciidoc[]
include::rule-details/lateral-movement-via-startup-folder.asciidoc[]
include::rule-details/lateral-tool-transfer.asciidoc[]
include::rule-details/launch-agent-creation-or-modification-and-immediate-loading.asciidoc[]
include::rule-details/launchdaemon-creation-or-modification-and-immediate-loading.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-apt-apt-get-changelog-escape.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-awk-commands.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-busybox-shell-evasion.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-c89-c99-shell-evasion.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-cpulimit-shell-evasion.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-crash-shell-evasion.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-env-shell-evasion.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-flock-shell-evasion.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-the-expect-command.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-the-find-command.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-the-gcc-command.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-the-mysql-command.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-the-ssh-command.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-the-vi-command.asciidoc[]
include::rule-details/linux-restricted-shell-breakout-via-linux-binarys.asciidoc[]
include::rule-details/local-scheduled-task-creation.asciidoc[]
include::rule-details/mfa-disabled-for-google-workspace-organization.asciidoc[]
include::rule-details/ms-office-macro-security-registry-modifications.asciidoc[]
Expand Down Expand Up @@ -404,11 +394,14 @@ include::rule-details/potential-dns-tunneling-via-nslookup.asciidoc[]
include::rule-details/potential-disabling-of-selinux.asciidoc[]
include::rule-details/potential-evasion-via-filter-manager.asciidoc[]
include::rule-details/potential-hidden-local-user-account-creation.asciidoc[]
include::rule-details/potential-invoke-mimikatz-powershell-script.asciidoc[]
include::rule-details/potential-java-jndi-exploitation-attempt.asciidoc[]
include::rule-details/potential-kerberos-attack-via-bifrost.asciidoc[]
include::rule-details/potential-lsa-authentication-package-abuse.asciidoc[]
include::rule-details/potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc[]
include::rule-details/potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc[]
include::rule-details/potential-lateral-tool-transfer-via-smb-share.asciidoc[]
include::rule-details/potential-local-ntlm-relay-via-http.asciidoc[]
include::rule-details/potential-microsoft-office-sandbox-evasion.asciidoc[]
include::rule-details/potential-modification-of-accessibility-binaries.asciidoc[]
include::rule-details/potential-openssh-backdoor-logging-activity.asciidoc[]
Expand All @@ -421,6 +414,7 @@ include::rule-details/potential-port-monitor-or-print-processor-registration-abu
include::rule-details/potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc[]
include::rule-details/potential-privacy-control-bypass-via-tccdb-modification.asciidoc[]
include::rule-details/potential-privilege-escalation-via-installerfiletakeover.asciidoc[]
include::rule-details/potential-privilege-escalation-via-local-kerberos-relay-over-ldap.asciidoc[]
include::rule-details/potential-privilege-escalation-via-pkexec.asciidoc[]
include::rule-details/potential-privilege-escalation-via-sudoers-file-modification.asciidoc[]
include::rule-details/potential-privileged-escalation-via-samaccountname-spoofing.asciidoc[]
Expand Down Expand Up @@ -455,6 +449,7 @@ include::rule-details/process-execution-from-an-unusual-directory.asciidoc[]
include::rule-details/process-injection-detected-elastic-endgame.asciidoc[]
include::rule-details/process-injection-prevented-elastic-endgame.asciidoc[]
include::rule-details/process-injection-by-the-microsoft-build-engine.asciidoc[]
include::rule-details/process-started-from-process-id-pid-file.asciidoc[]
include::rule-details/process-termination-followed-by-deletion.asciidoc[]
include::rule-details/program-files-directory-masquerading.asciidoc[]
include::rule-details/prompt-for-credentials-with-osascript.asciidoc[]
Expand All @@ -469,6 +464,7 @@ include::rule-details/rare-aws-error-code.asciidoc[]
include::rule-details/rare-user-logon.asciidoc[]
include::rule-details/registry-persistence-via-appcert-dll.asciidoc[]
include::rule-details/registry-persistence-via-appinit-dll.asciidoc[]
include::rule-details/remote-computer-account-dnshostname-update.asciidoc[]
include::rule-details/remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc[]
include::rule-details/remote-execution-via-file-shares.asciidoc[]
include::rule-details/remote-file-copy-to-a-hidden-share.asciidoc[]
Expand Down Expand Up @@ -499,10 +495,11 @@ include::rule-details/sensitive-files-compression.asciidoc[]
include::rule-details/sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc[]
include::rule-details/service-command-lateral-movement.asciidoc[]
include::rule-details/service-control-spawned-via-script-interpreter.asciidoc[]
include::rule-details/service-creation-via-local-kerberos-authentication.asciidoc[]
include::rule-details/setuid-setgid-bit-set-via-chmod.asciidoc[]
include::rule-details/sharepoint-malware-file-upload.asciidoc[]
include::rule-details/shell-execution-via-apple-scripting.asciidoc[]
include::rule-details/signed-proxy-execution-via-ms-workfolders.asciidoc[]
include::rule-details/signed-proxy-execution-via-ms-work-folders.asciidoc[]
include::rule-details/softwareupdate-preferences-modification.asciidoc[]
include::rule-details/solarwinds-process-disabling-services-via-registry.asciidoc[]
include::rule-details/spike-in-aws-error-messages.asciidoc[]
Expand All @@ -529,6 +526,7 @@ include::rule-details/suspicious-calendar-file-modification.asciidoc[]
include::rule-details/suspicious-certutil-commands.asciidoc[]
include::rule-details/suspicious-child-process-of-adobe-acrobat-reader-update-service.asciidoc[]
include::rule-details/suspicious-cmd-execution-via-wmi.asciidoc[]
include::rule-details/suspicious-crontab-creation-or-modification.asciidoc[]
include::rule-details/suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc[]
include::rule-details/suspicious-emond-child-process.asciidoc[]
include::rule-details/suspicious-endpoint-security-parent-process.asciidoc[]
Expand All @@ -543,6 +541,8 @@ include::rule-details/suspicious-java-child-process.asciidoc[]
include::rule-details/suspicious-ms-office-child-process.asciidoc[]
include::rule-details/suspicious-ms-outlook-child-process.asciidoc[]
include::rule-details/suspicious-managed-code-hosting-process.asciidoc[]
include::rule-details/suspicious-microsoft-diagnostics-wizard-execution.asciidoc[]
include::rule-details/suspicious-network-connection-attempt-by-root.asciidoc[]
include::rule-details/suspicious-pdf-reader-child-process.asciidoc[]
include::rule-details/suspicious-portable-executable-encoded-in-powershell-script.asciidoc[]
include::rule-details/suspicious-powershell-engine-imageload.asciidoc[]
Expand Down Expand Up @@ -602,15 +602,13 @@ include::rule-details/unusual-hour-for-a-user-to-logon.asciidoc[]
include::rule-details/unusual-linux-network-activity.asciidoc[]
include::rule-details/unusual-linux-network-connection-discovery.asciidoc[]
include::rule-details/unusual-linux-network-port-activity.asciidoc[]
include::rule-details/unusual-linux-network-service.asciidoc[]
include::rule-details/unusual-linux-process-calling-the-metadata-service.asciidoc[]
include::rule-details/unusual-linux-process-discovery-activity.asciidoc[]
include::rule-details/unusual-linux-system-information-discovery-activity.asciidoc[]
include::rule-details/unusual-linux-system-network-configuration-discovery.asciidoc[]
include::rule-details/unusual-linux-system-owner-or-user-discovery-activity.asciidoc[]
include::rule-details/unusual-linux-user-calling-the-metadata-service.asciidoc[]
include::rule-details/unusual-linux-username.asciidoc[]
include::rule-details/unusual-linux-web-activity.asciidoc[]
include::rule-details/unusual-login-activity.asciidoc[]
include::rule-details/unusual-network-activity-from-a-windows-system-binary.asciidoc[]
include::rule-details/unusual-network-connection-via-dllhost.asciidoc[]
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
[[abnormal-process-id-or-lock-file-created]]
=== Abnormal Process ID or Lock File Created

Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.

*Rule type*: eql

*Rule indices*:

* logs-endpoint.events.*

*Severity*: medium

*Risk score*: 43

*Runs every*: 5 minutes

*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)

*Maximum alerts per execution*: 100

*References*:

* https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/
* https://twitter.com/GossiTheDog/status/1522964028284411907
* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

*Tags*:

* Elastic
* Host
* Linux
* Threat Detection
* Execution
* BPFDoor

*Version*: 1

*Added ({stack} release)*: 8.3.0

*Rule authors*: Elastic

*Rule license*: Elastic License v2

==== Potential false positives

False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious.

==== Investigation guide


[source,markdown]
----------------------------------
## Triage and analysis

### Investigating Abnormal Process ID or Lock File Created
Detection alerts from this rule indicate that an unusual PID file was created and could potentially have alternate purposes during an intrusion. Here are some possible avenues of investigation:
- Run the following in Osquery to quickly identify unsual PID file size: "SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%pid';"
- Examine the history of this file creation and from which process it was created by using the "lsof" command.
- Examine the contents of the PID file itself, simply by running the "cat" command to determine if the expected process ID integer exists and if not, the PID file is not legitimate.
- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.
----------------------------------


==== Rule query


[source,js]
----------------------------------
/* add file size filters when data is available */ file where
event.type == "creation" and user.id == "0" and file.path regex~
"""/var/run/\w+\.(pid|lock|reboot)""" and file.extension in
("pid","lock","reboot") and /* handle common legitimate files */
not file.name in ( "auditd.pid", "python*", "apport.pid",
"apport.lock", "kworker*", "gdm3.pid", "sshd.pid",
"acpid.pid", "unattended-upgrades.lock", "unattended-
upgrades.pid", "cmd.pid", "cron*.pid" )
----------------------------------

==== Threat mapping

*Framework*: MITRE ATT&CK^TM^

* Tactic:
** Name: Execution
** ID: TA0002
** Reference URL: https://attack.mitre.org/tactics/TA0002/
* Technique:
** Name: Native API
** ID: T1106
** Reference URL: https://attack.mitre.org/techniques/T1106/
Loading