[Rule Tuning] Linux DR Tuning - Part 5

rules/linux/persistence_kworker_file_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [transform]
 [[transform.osquery]]
@@ -174,7 +174,8 @@ file where host.os.type == "linux" and event.action in ("creation", "file_create
     (file.path : (
       "/var/log/*", "/var/crash/*", "/var/run/*", "/var/lib/systemd/coredump/*", "/var/spool/*",
       "/var/lib/nfs/nfsdcltrack/main.sqlite-journal", "/proc/*/cwd/core.*", "/var/run/apport.lock",
-      "/var/spool/abrt/ccpp-*"
+      "/var/spool/abrt/ccpp-*", "/var/lib/dynatrace/oneagent/*", "/var/lib/nfs*", "/run/user/*/.bubblewrap/*",
+      "/etc/localtime/*", "/proc/*/cwd/core.*"
       )
     )
   )

rules/linux/persistence_message_of_the_day_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/02/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2025/01/24"
 
 [transform]
 [[transform.osquery]]
@@ -166,6 +166,7 @@ file.path : "/etc/update-motd.d/*" and not (
     "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*"
   ) or
   process.executable == null or
+  process.name in ("executor", "dockerd", "crio") or
   (process.name == "sed" and file.name : "sed*") or
   (process.name == "perl" and file.name : "e2scrub_all.tmp*") 
 )

rules/linux/persistence_potential_persistence_script_executable_bit_set.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/22"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,10 @@ process.args : (
 ) and (
   (process.name == "chmod" and process.args : ("+x*", "1*", "3*", "5*", "7*")) or
   (process.name == "install" and process.args : "-m*" and process.args : ("7*", "5*", "3*", "1*"))
-) and not process.parent.executable : "/var/lib/dpkg/*"
+) and not (
+  process.parent.executable : "/var/lib/dpkg/*" or
+  process.command_line in ("chmod 777 /etc/update-motd.d/", "chmod 755 /etc/update-motd.d/")
+)
 '''
 note = """## Triage and analysis
 

rules/linux/persistence_rc_script_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/02/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2025/01/24"
 
 [transform]
 [[transform.osquery]]
@@ -162,6 +162,7 @@ file.path in ("/etc/rc.local", "/etc/rc.common") and not (
     "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*"
   ) or
   process.executable == null or
+  process.name in ("ssm-agent-worker", "convert2rhel", "platform-python*") or
   (process.name == "sed" and file.name : "sed*") or
   (process.name == "perl" and file.name : "e2scrub_all.tmp*") 
 )

rules/linux/persistence_shadow_file_modification.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/07/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Shadow File Modification"
+name = "Shadow File Modification by Unusual Process"
 references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
 risk_score = 21
 rule_id = "cdf1a39b-1ca5-4e2a-9739-17fc4d026029"
@@ -59,14 +59,17 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and
-file.path == "/etc/shadow" and file.Ext.original.path != null
+file.path == "/etc/shadow" and file.Ext.original.path != null and 
+not process.name in (
+  "usermod", "useradd", "passwd", "chage", "systemd-sysusers", "chpasswd", "userdel", "adduser", "update-passwd", "perl"
+)
 '''
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Shadow File Modification
+### Investigating Shadow File Modification by Unusual Process
 
 The Linux shadow file is crucial for storing hashed user passwords, ensuring system security. Adversaries may exploit this by altering the file to add users or change passwords, thus gaining unauthorized access or maintaining persistence. The detection rule identifies suspicious modifications by monitoring changes and renames of the shadow file, flagging potential unauthorized access attempts for further investigation.
 

rules/linux/persistence_shared_object_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [transform]
 [[transform.osquery]]
@@ -168,7 +168,7 @@ file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* an
     "dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "vmis-launcher" or "pacman" or "apt-get" or "dnf" or "podman" or
     platform-python* or "dnf-automatic" or "unattended-upgrade" or "apk" or "snap-update-ns" or "install" or "exe" or
     "systemd" or "root" or "sshd" or "pip" or "jlink" or python* or "update-alternatives" or pip* or
-    "installer.bin.inst" or "uninstall-bin" or "linux_agent.inst"
+    "installer.bin.inst" or "uninstall-bin" or "linux_agent.inst" or crio or ssm-agent-worker or packagekitd
   ) or 
   (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*) or
   process.executable : (/dev/fd/* or "/" or "/kaniko/executor" or "/usr/bin/buildah")

rules/linux/persistence_shell_configuration_modification.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/04/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -94,7 +94,7 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an
     "/usr/libexec/platform-python*"
   ) or
   process.executable == null or
-  process.name in ("adclient", "mkhomedir_helper", "teleport", "mkhomedir", "adduser", "desktopDaemon") or
+  process.name in ("adclient", "mkhomedir_helper", "teleport", "mkhomedir", "adduser", "desktopDaemon", "executor", "crio") or
   (process.name == "sed" and file.name : "sed*") or
   (process.name == "perl" and file.name : "e2scrub_all.tmp*")
 )

rules/linux/persistence_simple_web_server_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,8 @@ process where host.os.type == "linux" and event.type == "start" and
   (
     (process.name regex~ """php?[0-9]?\.?[0-9]{0,2}""" and process.args == "-S") or
     (process.name like "python*" and process.args in ("--cgi", "CGIHTTPServer"))
-  )
+  ) and
+not process.parent.name in ("check_kmp_wrapper", "naemon")
 '''
 note = """## Triage and analysis
 

rules/linux/persistence_systemd_generator_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/06/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -79,6 +79,7 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an
     "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*",  "/usr/bin/pamac-daemon",
     "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/libexec/platform-python"
   ) or
+  process.name like~ ("ssm-agent-worker", "crio", "docker-init", "systemd", "pacman", "python*", "platform-python*") or
   file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
   file.Ext.original.extension == "dpkg-new" or
   process.executable == null

rules/linux/persistence_systemd_scheduled_timer_created.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/02/24"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/10/17"
+updated_date = "2025/01/24"
 
 [transform]
 [[transform.osquery]]
@@ -172,11 +172,11 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an
     "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*",  "/usr/bin/pamac-daemon",
     "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/bin/crio", "/usr/sbin/crond",
     "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/kaniko/kaniko-executor",
-    "/usr/local/bin/dockerd", "/usr/bin/podman", "/bin/install", "/proc/self/exe"
+    "/usr/local/bin/dockerd", "/usr/bin/podman", "/bin/install", "/proc/self/exe", "/kaniko/executor"
   ) or
   process.name like (
     "python*", "crio", "apt-get", "install", "snapd", "cloudflared", "sshd", "convert-usrmerge", "docker-init",
-    "google_metadata_script_runner"
+    "google_metadata_script_runner", "ssm-agent-worker", "pacman", "convert2rhel", "platform-python"
   ) or
   file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
   file.Ext.original.extension == "dpkg-new" or

rules/linux/persistence_systemd_service_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [transform]
 [[transform.osquery]]
@@ -197,8 +197,8 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an
     "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
     "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
     "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
-    "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
-    "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
+    "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
+    "/usr/local/sbin/apk", "/usr/bin/apt", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
     "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
     "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*",  "/usr/bin/pamac-daemon",
     "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/bin/crio", "/usr/sbin/crond",
@@ -216,7 +216,8 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an
   process.name like (
     "ssm-agent-worker", "python*", "platform-python*", "dnf_install", "cloudflared", "lxc-pve-prestart-hook",
     "convert-usrmerge", "elastic-agent", "google_metadata_script_runner", "update-alternatives", "gitlab-runner",
-    "install", "crio", "apt-get", "package-cleanup", "dcservice", "dcregister", "jumpcloud-agent", "executor"
+    "install", "crio", "apt-get", "package-cleanup", "dcservice", "dcregister", "jumpcloud-agent", "executor",
+    "pacman", "convert2rhel", "packagekitd"
   ) or
   (process.name == "sed" and file.name : "sed*") or
   (process.name == "perl" and file.name : "e2scrub_all.tmp*") 

rules/linux/persistence_udev_rule_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,9 @@ file.path : (
   process.executable : (
     "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/*", "/usr/libexec/*"
   ) or
-  process.name in ("systemd", "netplan", "apt-get", "vmware-config-tools.pl", "systemd-hwdb") or
+  process.name in (
+    "systemd", "netplan", "apt-get", "vmware-config-tools.pl", "systemd-hwdb", "ssm-agent-worker", "crio", "cloud-init", "convert2rhel" 
+  ) or
   (process.name == "sed" and file.name : "sed*") or
   (process.name == "perl" and file.name : "e2scrub_all.tmp*")
 )

rules/linux/persistence_unusual_sshd_child_process.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/12/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,10 @@ type = "new_terms"
 query = '''
 event.category:process and host.os.type:linux and event.type:start and event.action:exec and
 process.parent.name:(ssh or sshd) and process.args_count:2 and
-not process.command_line:(-bash or -zsh or -sh)
+not (
+  process.command_line:(-bash or -zsh or -sh) or
+  process.name:(ractrans or exectask or tty or tput or ferny-askpass or id or ip)
+)
 '''
 note = """## Triage and analysis
 

rules/linux/persistence_user_or_group_creation_or_modification.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/06/20"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,7 @@ type = "eql"
 
 query = '''
 iam where host.os.type == "linux" and event.type in ("creation", "change") and auditd.result == "success" and
-event.action in ("changed-password", "added-user-account", "added-group-account-to")
+event.action in ("changed-password", "added-user-account", "added-group-account-to") and process.name != null
 '''
 note = """## Triage and analysis
 

rules/linux/persistence_xdg_autostart_netcon.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -92,8 +92,9 @@ sequence by host.id, process.entity_id with maxspan=1s
        "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
        "FF00::/8", "172.31.0.0/16"
        ) or
-       process.executable in (
-        "/usr/lib64/firefox/firefox", "/usr/lib/firefox/firefox", "/opt/forticlient/fortitraylauncher"
+       process.name in (
+         "telegram-desktop", "firefox", "gnome-calculator", "remmina", "spotify", "librewolf", "fortitraylauncher",
+         "flameshot", "thunderbird", "update-manager", "warp-terminal", "obs", "transmission-gtk"
        )
      )
   ]

rules/linux/persistence_yum_package_manager_plugin_file_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/06/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ file.path : ("/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*") and not (
     "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd",
     "/usr/libexec/netplan/generate"
   ) or
-  process.name == "yumBackend.py" or
+  process.name in ("yumBackend.py", "crio") or
   file.extension in ("swp", "swpx", "swx") or
   file.Ext.original.name like ".ansible*" or
   file.name like ".ansible_tmp*" or