diff --git a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml index 470df53cb16..9846fb5bcb1 100644 --- a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml +++ b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/18" integration = ["kubernetes"] maturity = "production" -updated_date = "2025/06/18" +updated_date = "2025/07/21" [rule] author = ["Elastic"] @@ -18,6 +18,41 @@ index = ["logs-kubernetes.audit_logs-*"] language = "kuery" license = "Elastic License v2" name = "Kubernetes Unusual Decision by User Agent" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Kubernetes Unusual Decision by User Agent + +Kubernetes orchestrates containerized applications, relying on API requests for operations. Typically, these requests originate from system components or trusted users with consistent user agents. Adversaries might exploit this by using atypical user agents to mask unauthorized access or misconfigurations. The detection rule identifies anomalies in user agents and response annotations, signaling potential threats in the Kubernetes environment. + +### Possible investigation steps + +- Review the Kubernetes audit logs for entries where the user_agent.original field is present to identify any unusual or unexpected user agents. +- Cross-reference the identified user agents with known system components and trusted users to determine if the user agent is legitimate or potentially malicious. +- Examine the kubernetes.audit.stage field for "ResponseComplete" entries to understand the context and outcome of the requests associated with the unusual user agent. +- Investigate the source IP addresses and associated usernames in the audit logs to identify any patterns or anomalies that could indicate unauthorized access. +- Check for any recent changes or deployments in the Kubernetes environment that might explain the presence of unusual user agents or unexpected behavior. +- Assess the risk and impact of the detected anomaly by considering the sensitivity of the accessed resources and the permissions associated with the user account involved. + +### False positive analysis + +- System components or trusted users with legitimate but infrequent user agents may trigger the rule. To manage this, identify these user agents and add them to an exception list to prevent unnecessary alerts. +- Automated scripts or tools used for maintenance or monitoring might use unique user agents. Regularly review these tools and update the exception list to include their user agents if they are verified as non-threatening. +- New deployments or updates to Kubernetes components can introduce new user agents temporarily. Monitor these changes and adjust the rule exceptions accordingly to accommodate expected behavior during these periods. +- Third-party integrations or plugins may use distinct user agents. Validate these integrations and, if deemed safe, include their user agents in the exception list to reduce false positives. + +### Response and remediation + +- Immediately isolate the affected Kubernetes node or cluster to prevent further unauthorized access or potential lateral movement by the adversary. +- Review and terminate any suspicious or unauthorized sessions identified in the audit logs to cut off any active malicious activity. +- Revoke and rotate credentials associated with the compromised user agent to prevent further unauthorized access using the same credentials. +- Conduct a thorough review of the affected system's configurations and permissions to identify and rectify any misconfigurations or overly permissive access controls. +- Implement additional monitoring and logging for the affected systems to detect any further anomalies or unauthorized activities promptly. +- Escalate the incident to the security operations team for a comprehensive investigation and to determine if any data exfiltration or further compromise has occurred. +- Update and enhance detection rules and alerts to better identify similar anomalies in user agents and response annotations in the future, ensuring quicker response times. +""" risk_score = 21 rule_id = "8a1db198-da6f-4500-b985-7fe2457300af" severity = "low" @@ -26,7 +61,8 @@ tags = [ "Domain: Container", "Use Case: Threat Detection", "Data Source: Kubernetes", - "Tactic: Execution" + "Tactic: Execution", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml index 21d23509444..2777a1f2983 100644 --- a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml +++ b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/19" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/06/19" +updated_date = "2025/07/21" [rule] author = ["Elastic"] @@ -25,6 +25,41 @@ index = [ language = "eql" license = "Elastic License v2" name = "Potential Impersonation Attempt via Kubectl" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Impersonation Attempt via Kubectl + +Kubectl is a command-line tool for interacting with Kubernetes clusters, allowing users to manage applications and resources. Adversaries may exploit kubectl by using specific arguments to impersonate users, gaining unauthorized access or escalating privileges. The detection rule identifies suspicious kubectl executions, focusing on arguments that suggest impersonation, such as those related to user identity and authentication, to flag potential misuse. + +### Possible investigation steps + +- Review the process arguments to confirm the presence of impersonation-related flags such as "--kubeconfig", "--token", "--as", "--as-group", or "--as-uid" to understand the scope of the impersonation attempt. +- Examine the parent process name and executable path to determine if the kubectl command was initiated from a suspicious location or script, such as "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/root/*", or "/home/*". +- Check the user account associated with the kubectl execution to assess whether it aligns with expected usage patterns or if it indicates potential unauthorized access. +- Investigate related alerts or logs for secret access or kubeconfig file discovery to identify if there is a broader pattern of suspicious activity that could indicate a coordinated impersonation attempt. +- Analyze the network activity associated with the kubectl execution to identify any unusual connections or data transfers that may suggest unauthorized access or data exfiltration. + +### False positive analysis + +- Legitimate administrative tasks: System administrators may use kubectl with impersonation arguments for legitimate purposes such as testing permissions or managing resources on behalf of other users. To handle this, create exceptions for known administrative accounts or specific IP addresses. +- Automation scripts: Automated scripts or CI/CD pipelines might use impersonation arguments to perform tasks across different environments. Review and whitelist these scripts by identifying their unique execution patterns or specific user accounts. +- Development and testing environments: Developers might use impersonation features in non-production environments for testing purposes. Exclude these environments by filtering based on environment-specific identifiers or network segments. +- Security tools: Some security tools or monitoring solutions may use impersonation arguments to audit or verify access controls. Identify these tools and exclude their processes by recognizing their signatures or execution paths. +- Frequent legitimate use cases: If certain teams or departments regularly use impersonation for valid reasons, consider creating role-based exceptions to reduce noise while maintaining security oversight. + +### Response and remediation + +- Immediately isolate the affected Kubernetes node or cluster to prevent further unauthorized access or privilege escalation. +- Revoke any potentially compromised credentials, such as tokens or kubeconfig files, and issue new ones with updated security policies. +- Review and audit the Kubernetes RBAC (Role-Based Access Control) settings to ensure that only authorized users have the necessary permissions, and adjust roles and permissions as needed to minimize privilege escalation risks. +- Conduct a thorough investigation of the affected systems to identify any unauthorized changes or deployments made by the adversary, and roll back any malicious or suspicious configurations. +- Monitor for any further suspicious kubectl activity, especially those involving impersonation arguments, and set up alerts for any similar future attempts. +- Escalate the incident to the security operations team for a comprehensive review and to determine if additional security measures or incident response actions are required. +- Implement additional logging and monitoring for kubectl commands and Kubernetes API interactions to enhance detection capabilities for similar threats in the future. +""" risk_score = 21 rule_id = "3c6685eb-9eaa-43a4-be1b-a7f9f1f5e63d" setup = """## Setup @@ -65,6 +100,7 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: SentinelOne", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/linux/defense_evasion_unsual_kill_signal.toml b/rules/linux/defense_evasion_unsual_kill_signal.toml index 98f40163b77..2e5e79756ad 100644 --- a/rules/linux/defense_evasion_unsual_kill_signal.toml +++ b/rules/linux/defense_evasion_unsual_kill_signal.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/16" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/07/21" [rule] author = ["Elastic"] @@ -16,6 +16,41 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Unusual Kill Signal" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Kill Signal + +In Linux environments, kill signals are used to manage process lifecycles. Signals in the range of 32-64 are less common and can be exploited by adversaries, such as rootkits, to manipulate processes stealthily, potentially leading to privilege escalation or evasion of security measures. The 'Unusual Kill Signal' detection rule identifies these rare signals, flagging potential misuse by monitoring specific syscall activities, thus aiding in early threat detection. + +### Possible investigation steps + +- Review the process details associated with the alert, focusing on the process name, PID, and parent process to understand the context of the kill signal usage. +- Examine the user account under which the process was executed to determine if it aligns with expected behavior or if it indicates potential unauthorized access. +- Investigate the command line arguments and environment variables of the process to identify any suspicious or unusual commands that may suggest malicious activity. +- Check the system logs around the time of the alert for any related events or anomalies that could provide additional context or indicate a broader attack pattern. +- Correlate the alert with other security events or alerts from the same host to identify if this is part of a larger attack or if there are other indicators of compromise. +- Assess the network activity of the host to identify any unusual outbound connections that could suggest data exfiltration or communication with a command and control server. + +### False positive analysis + +- Legitimate applications or services may use signals in the 32-64 range for custom inter-process communication, leading to false positives. Identify these applications and create exceptions for their specific processes. +- Some system monitoring or management tools might utilize these signals for legitimate process management tasks. Review the tools in use and whitelist their activities if they are verified as non-threatening. +- Development environments or testing frameworks might employ unusual signals for debugging or testing purposes. Ensure these environments are properly isolated and exclude their activities from triggering alerts. +- Custom scripts or automation tasks could be configured to use these signals for specific operations. Audit these scripts and, if deemed safe, add them to an exception list to prevent unnecessary alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary. +- Terminate any suspicious processes identified with unusual kill signals in the range of 32-64 to halt any ongoing malicious activity. +- Conduct a thorough forensic analysis of the affected system to identify any rootkits or malicious software that may have been installed, focusing on the processes and files associated with the unusual kill signals. +- Restore the system from a known good backup if rootkit presence is confirmed, ensuring that the backup is free from any compromise. +- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited. +- Implement enhanced monitoring and logging for unusual kill signals and related activities to detect any future attempts at similar attacks. +- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to assess the need for broader organizational response measures. +""" references = [ "https://github.com/m0nad/Diamorphine/blob/master/diamorphine.c#L302", "https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd", @@ -45,7 +80,8 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", - "Data Source: Auditd Manager" + "Data Source: Auditd Manager", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql"