diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index 172affef9da..8a26cef9bb0 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["endpoint"] maturity = "production" -updated_date = "2024/10/17" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -126,8 +126,9 @@ file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and ) or process.name : ( go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or vzctl or ifup or - rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or - s6-ipcserver-socketbinder or xinetd + rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or libvirt_leaseshelper or + s6-ipcserver-socketbinder or xinetd or libvirtd or veeamdeploymentsvc or dnsmasq or virtlogd or lynis or + veeamtransport ) or file.name : ( jem.*.pid or lynis.pid or redis.pid or yum.pid or MFS.pid or jenkins.pid or nvmupdate.pid or openlitespeed.pid or diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml index dc3d20a657e..1a9f053b7e3 100644 --- a/rules/linux/execution_file_execution_followed_by_deletion.toml +++ b/rules/linux/execution_file_execution_followed_by_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] 
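Review bot: The new `process.name` carve-outs in the second hunk (`libvirt_leaseshelper`, `libvirtd`, `veeamdeploymentsvc`, `dnsmasq`, `virtlogd`, `lynis`, `veeamtransport`) extend a list that is matched on the bare process name, which any binary can carry, so each entry becomes a blind spot for pid/lock-file writes under /run rather than a narrow exception. `lynis` already looks covered by the `file.name : (... lynis.pid ...)` clause visible just below, so the name-level entry is redundant unless lynis writes other pid files — worth confirming before keeping both. For the daemons, pairing the name with the pid file it is expected to create (e.g. `dnsmasq` together with `file.name : dnsmasq.pid`, constructed example) or matching on `process.executable` keeps the exception tight. The same bare-name pattern is extended in later hunks of this commit: `java` in execution_unknown_rwx_mem_region_binary_executed, the parent names in execution_unix_socket_communication and impact_memory_swap_modification, `nessus-agent-module` in exfiltration_potential_data_splitting_for_exfiltration and `bun` in impact_potential_linux_ransomware_note_detected.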
@@ -65,9 +65,10 @@ sequence by host.id, user.id with maxspan=1m "/tmp/VeeamApp*", "/tmp/rajh/spack-stage/*", "plz-out/bin/vault/bridge/test/e2e/base/bridge-dev", "/usr/bin/ranlib", "/usr/bin/ar", "plz-out/bin/vault/bridge/test/e2e/base/local-k8s" )] by process.name - [file where host.os.type == "linux" and event.action == "deletion" and not process.name in ("rm", "ld") and - file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", - "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name + [file where host.os.type == "linux" and event.action == "deletion" and + file.path : ( + "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*" + ) and not process.name in ("rm", "ld", "conftest", "link", "gcc", "getarch", "ld")] by file.name ''' note = """## Triage and analysis diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 25e19b5e3d4..47330570bc6 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/17" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -136,7 +136,8 @@ sequence by process.entity_id or process.args:(">","<") /* file transfer via pipe */ or (process.args:("|") and process.args:("nc","ncat")) - )] + ) and + not process.command_line like~ ("*127.0.0.1*", "*localhost*")] [network where host.os.type == "linux" and (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or process.name == "netcat.openbsd" or process.name == "netcat.traditional")] ''' 
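Review bot: `"ld"` is listed twice in the rewritten deletion filter `not process.name in ("rm", "ld", "conftest", "link", "gcc", "getarch", "ld")`; the duplicate is harmless at query time but suggests the list was merged by hand, so the intended line is `not process.name in ("rm", "ld", "conftest", "link", "gcc", "getarch")`. `link` and `gcc` are also generic names, and because the deletion event is the second half of the sequence, excluding them drops the whole execute-then-delete chain for any process carrying that name. If these were added for build-tree noise, constraining on the build directory via `file.path` rather than on the deleting process name would keep the sequence intact elsewhere. The sequence's first stage starts before this hunk.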
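Review bot: The loopback exclusion `not process.command_line like~ ("*127.0.0.1*", "*localhost*")` matches the substring anywhere in the command line, not just in the address argument, so any nc/ncat invocation whose command line mentions either string for some other reason is dropped from the sequence even when the connection goes elsewhere. Matching the address argument itself is tighter and keeps the case-insensitive semantics: `not process.args like~ ("127.0.0.1*", "localhost*")]`. The first stage of the sequence begins before this hunk, so confirm the new clause sits inside the parenthesised `process` filter it is meant to narrow rather than applying to the whole stage.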
diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml index 50f27e2bf4c..e8f276243a4 100644 --- a/rules/linux/execution_network_event_post_compilation.toml +++ b/rules/linux/execution_network_event_post_compilation.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -61,7 +61,7 @@ sequence by host.id with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec"] by process.name [network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip != null and not ( cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1") or - process.name in ("simpleX", "conftest", "ssh", "python", "ispnull", "pvtui") + process.name in ("simpleX", "conftest", "ssh", "python", "ispnull", "pvtui", "npreal2d", "ruby", "source", "ssh") )] by process.name ''' note = """## Triage and analysis diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index e67bf9a0b80..2d9d6ec7f5f 100644 --- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml @@ -2,7 +2,7 @@ creation_date = "2022/06/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] 
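Review bot: `"ssh"` now appears twice in the extended `process.name in (...)` list of the second hunk, so the intended line is presumably `process.name in ("simpleX", "conftest", "ssh", "python", "ispnull", "pvtui", "npreal2d", "ruby", "source")`. `ruby` is an interpreter, and excluding it from the network stage suppresses any Ruby script that is executed within the one-minute window and then connects out; `source` is normally a shell builtin rather than a process name, so it is unclear which event it was meant to match and a short entry in the rule's `note` describing the observed sample would help. The sequence is joined `by process.name`, so the exclusion only affects the second stage, and the first stage starts before this hunk.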
@@ -65,7 +65,10 @@ event.action in ("exec", "exec_event", "fork", "fork_event") and user.name == "p (process.args : "*sh" and process.args : "echo*") ) and not ( process.parent.name == "puppet" or - process.command_line like "*BECOME-SUCCESS-*" or + process.command_line like ( + "*BECOME-SUCCESS-*", "bash -c while true; do sleep 1;*", "df -l", "sleep 1", "who", "head -v -n *", "tail -v -n *", + "/bin/sh -c echo BECOME-SUCCESS*", "/usr/bin/python3 /var/tmp/ansible-tmp*" + ) or process.parent.command_line like "*BECOME-SUCCESS-*" ) ''' diff --git a/rules/linux/execution_shell_openssl_client_or_server.toml b/rules/linux/execution_shell_openssl_client_or_server.toml index a2787024de8..5fce4337ccf 100644 --- a/rules/linux/execution_shell_openssl_client_or_server.toml +++ b/rules/linux/execution_shell_openssl_client_or_server.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -65,7 +65,9 @@ process where host.os.type == "linux" and event.type == "start" and event.action (process.args == "s_client" and process.args : ("-connect", "*:*") and not process.args == "-showcerts") or (process.args == "s_server" and process.args == "-port") ) and - not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert") + not process.parent.executable in ( + "/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert", "/etc/zabbix/scripts/check_dane_tlsa.sh" + ) ''' note = """## Triage and analysis diff --git a/rules/linux/execution_unix_socket_communication.toml b/rules/linux/execution_unix_socket_communication.toml index a5e42ae18ba..f788067e6fe 100644 --- a/rules/linux/execution_unix_socket_communication.toml 
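Review bot: The new `process.command_line like (...)` list anchors one exception on `"/usr/bin/python3 /var/tmp/ansible-tmp*"`, a prefix under a world-writable directory, so any python3 invocation as the postgres user that fits that prefix is now excluded regardless of what launched it. The entry `"/bin/sh -c echo BECOME-SUCCESS*"` also appears subsumed by the pre-existing `"*BECOME-SUCCESS-*"` pattern whenever the Ansible marker carries its trailing hyphen, so it is either redundant or aimed at a variant that deserves a comment. If the python3 case covers non-become Ansible runs that the existing `process.parent.command_line like "*BECOME-SUCCESS-*"` branch does not catch, say so in the rule's `note` and consider scoping it by parent process rather than by path alone. The enclosing `and not (...)` group opens before this hunk.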
+++ b/rules/linux/execution_unix_socket_communication.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -45,7 +45,10 @@ process where host.os.type == "linux" and event.type == "start" and (process.name == "socat" and process.args == "-" and process.args : ("UNIX-CLIENT:/usr/local/*", "UNIX-CLIENT:/run/*", "UNIX-CLIENT:/var/run/*")) ) and -not process.args == "/var/run/libvirt/libvirt-sock" +not ( + process.args == "/var/run/libvirt/libvirt-sock" or + process.parent.name in ("bundle", "ruby", "haproxystatus.sh") +) ''' note = """## Triage and analysis diff --git a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml index 39646ab47e1..a233dec2824 100644 --- a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml +++ b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -58,7 +58,7 @@ event.category:process and host.os.type:linux and auditd.data.syscall:mprotect a process.executable:( "/usr/share/kibana/node/bin/node" or "/usr/share/elasticsearch/jdk/bin/java" or "/usr/sbin/apache2" ) or - process.name:httpd + process.name:(httpd or java) ) ''' note = """## Triage and analysis diff --git a/rules/linux/execution_unusual_path_invocation_from_command_line.toml b/rules/linux/execution_unusual_path_invocation_from_command_line.toml index 45c95706e3a..5991e33240a 100644 --- a/rules/linux/execution_unusual_path_invocation_from_command_line.toml 
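Review bot: `process.parent.name in ("bundle", "ruby", "haproxystatus.sh")` excludes every socat/nc socket client launched from a Ruby or Bundler process, and Ruby web applications are a common place for remote code execution to land, so the rule is now blind to exactly the parent that would spawn such a client after a compromise. The libvirt exception directly above is keyed on the socket path in `process.args`, which is the tighter shape; if the Ruby noise comes from a known socket, the same form works here, e.g. `(process.parent.name in ("bundle", "ruby") and process.args : "UNIX-CLIENT:<app-socket-path>")` with the real path filled in. `haproxystatus.sh` is a script rather than an interpreter and can stay as a bare-name entry if its location is stable. The `process where` block opens before this hunk.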
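Review bot: Changing `process.name:httpd` to `process.name:(httpd or java)` in execution_unknown_rwx_mem_region_binary_executed makes the `"/usr/share/elasticsearch/jdk/bin/java"` entry in the `process.executable` list above it redundant and, more importantly, suppresses RWX `mprotect` events for any process that merely calls itself `java`. JIT-driven JVM noise is real, but it can be carved out on the executable path instead of the name, e.g. `process.executable:*/bin/java` (a leading-wildcard KQL term, so check the `query:allowLeadingWildcards` setting) or an explicit list of JDK install paths. Either way the elasticsearch path entry should be dropped or the name entry removed so the two do not drift apart. The surrounding `not (...)` group starts before this hunk.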
+++ b/rules/linux/execution_unusual_path_invocation_from_command_line.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/22" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -58,8 +58,8 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' event.category:process and host.os.type:linux and event.type:start and event.action:exec and -process.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and -process.args:-c and process.command_line:*PATH=* +process.name:(bash or csh or dash or fish or ksh or sh or tcsh or zsh) and process.args:-c and +process.command_line:(*PATH=* and not sh*/run/motd.dynamic.new) ''' note = """## Triage and analysis diff --git a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml index fa5595870a5..7cf613d4335 100644 --- a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml +++ b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -73,7 +73,7 @@ process where host.os.type == "linux" and event.type == "start" and ) ) and not ( - process.parent.name in ("apport", "overlayroot") or + process.parent.name in ("apport", "overlayroot", "nessus-agent-module") or process.args like ( "if=/tmp/nvim*", "if=/boot/*", "if=/dev/random", "if=/dev/urandom", "/dev/mapper/*", "if=*.iso", "of=/dev/stdout", "if=/dev/zero", "if=/dev/sda", "/proc/sys/kernel/*" diff --git a/rules/linux/impact_memory_swap_modification.toml b/rules/linux/impact_memory_swap_modification.toml index 941216f631f..07c7b897207 100644 
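Review bot: The new exclusion `not sh*/run/motd.dynamic.new` inside `process.command_line:(...)` matches any shell command line that starts with `sh` and contains `/run/motd.dynamic.new` anywhere, so it is anchored on a substring rather than on the generator that produces the noise. For a new_terms rule that is enough to hide the first occurrence of any PATH-overriding command line mentioning that file, whatever the rest of the command does; pairing the carve-out with the parent process of the motd generator, or matching the full observed command line instead of `sh*`, keeps it specific. The reordered `process.name` list is fine, but the reason for the motd exception is not recorded anywhere — a line in the rule's `note` naming the source (the update-motd scripts, if that is what was observed) would help the next triage. The `query` string is complete within this hunk.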
--- a/rules/linux/impact_memory_swap_modification.toml +++ b/rules/linux/impact_memory_swap_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -72,7 +72,8 @@ process.name in ("swapon", "swapoff") or ( process.command_line like "*echo *" ) ) -) +) and +not process.parent.name in ("lynis", "systemd", "end-zram-swapping", "SyxsenseResponder", "tuned", "platform-python", "timeout") ''' note = """## Triage and analysis diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index 3ff4f9b3e8c..8d1787e9789 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/01/24" [rule] author = ["Elastic"] @@ -65,7 +65,7 @@ sequence by process.entity_id, host.id with maxspan=1s not process.name : ( "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d", "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git", - "systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader", "rustup-init" + "systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader", "rustup-init", "bun" ) ] with runs=25 [file where host.os.type == "linux" and event.action == "creation" and
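Review bot: Adding `systemd` to `not process.parent.name in (...)` in impact_memory_swap_modification suppresses every `swapon`/`swapoff` launched directly as a unit's ExecStart, which is also how a persistent tampering unit would run, and `timeout` and `platform-python` are generic launchers that pass through whatever they are given. If the noise is boot-time activation, narrowing the systemd exception to the activating direction keeps swap removal visible: `not (process.parent.name in ("lynis", "end-zram-swapping", "SyxsenseResponder", "tuned", "platform-python", "timeout") or (process.parent.name == "systemd" and process.name == "swapon"))`. The `echo *` branch and the rest of the query open before this hunk, so confirm the appended `and not` binds to the whole preceding group as intended.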