From 46900ce652d19caa205288306d5f7f79b5356050 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud
Date: Wed, 12 Nov 2025 13:48:03 +0100
Subject: [PATCH 1/2] [Rule Tuning] Remote File Creation in World Writeable Directory
---
 ...ote_file_creation_world_writeable_dir.toml | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml b/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
index 758bad70443..aa514b98865 100644
--- a/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
+++ b/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/11/12"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ be an indicator of an attacker attempting to move laterally within a network.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.file*", "auditbeat-*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Remote File Creation in World Writeable Directory"
 note = """
 ## Triage and analysis
@@ -101,11 +101,13 @@ tags = [
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"
 query = '''
-file where host.os.type == "linux" and event.action == "creation" and
-process.name in ("scp", "sshd", "ssh", "ftp", "sftp", "vsftpd", "sftp-server", "rsync") and
-file.path like~ ("/tmp*", "/var/tmp*", "/dev/shm/*", "/home/.*") and user.id != "0"
+event.category:file and host.os.type:linux and event.action:creation and
+process.name:(scp or sshd or ssh or ftp or sftp or vsftpd or sftp-server or rsync) and
+file.path:(/tmp* or /var/tmp* or /dev/shm/*) and
+not user.id:0 and
+not file.path:(/tmp/ansible-tmp-* or /var/tmp/ansible-tmp-*)
 '''
 
 [[rule.threat]]
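Review bot: The KQL rewrite of the `file.path` clause in the `query` hunk drops the `/home/.*` pattern that the removed EQL line matched, so hidden-file creation under home directories by the listed remote processes no longer fires this rule. If that narrowing is intended (home directories are not world-writable, so it matches the rule name), it deserves a sentence in the commit message or the rule's `note`; otherwise `/home/.*` should be added back into `file.path:(/tmp* or /var/tmp* or /dev/shm/*)`. The `note` investigation guide that would carry such a sentence lies outside this hunk.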
@@ -130,3 +132,11 @@ reference = "https://attack.mitre.org/techniques/T1570/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["process.executable", "host.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
From 42f5eb30cf0811e3bf79380d2f93917918a23377 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Wed, 12 Nov 2025 13:59:58 +0100
Subject: [PATCH 2/2] Update lateral_movement_remote_file_creation_world_writeable_dir.toml
---
 ..._movement_remote_file_creation_world_writeable_dir.toml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml b/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
index aa514b98865..8df1dd42747 100644
--- a/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
+++ b/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
@@ -104,10 +104,9 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 event.category:file and host.os.type:linux and event.action:creation and
-process.name:(scp or sshd or ssh or ftp or sftp or vsftpd or sftp-server or rsync) and
-file.path:(/tmp* or /var/tmp* or /dev/shm/*) and
-not user.id:0 and
-not file.path:(/tmp/ansible-tmp-* or /var/tmp/ansible-tmp-*)
+process.name:(ftp or rsync or scp or sftp or sftp-server or ssh or sshd or vsftpd) and
+file.path:((/dev/shm/* or /tmp* or /var/tmp*) and not (/tmp/ansible-tmp-* or /var/tmp/ansible-tmp-*)) and
+not user.id:0
 '''
 
 [[rule.threat]]
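Review bot: With `new_terms_fields` set to `["process.executable", "host.id"]` and `history_window_start` at `now-7d`, an alert fires only the first time a given executable creates a matching file on a host within the seven-day window; later creations by the same binary on that host (a long-lived `sshd` or `sftp-server`, for instance) are suppressed for the rest of the window. That is a substantial change from the per-event EQL rule this replaces and should be stated in the rule's `note` so an analyst knows one alert may stand for many transfers; the `note` section is outside this hunk. If per-user or per-destination coverage matters, `user.name` or `file.path` are candidates for an additional new-terms field, at the cost of more alerts.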
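Review bot: The `and not (/tmp/ansible-tmp-* or /var/tmp/ansible-tmp-*)` exclusion inside the `file.path:(...)` group is keyed only on a path prefix, so every process in the `process.name` list is exempt for those paths, not just the one that produces the Ansible false positives; if a single process or user accounts for them, scoping the exclusion to it keeps the carve-out narrow. Nothing in the file records why these prefixes are excluded, and KQL has no comment syntax, so a TOML comment above `query = '''` such as `# Ansible remote temp directories (/tmp/ansible-tmp-*, /var/tmp/ansible-tmp-*) are excluded as expected automation noise` would give future tuning the context. The enclosing `[rule]` table starts well before this hunk.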