Updating artifacts

behavior/rules/linux/command_and_control_hidden_process_execution_followed_by_network_connection.toml

@@ -0,0 +1,51 @@
+[rule]
+description = """
+Detects when a hidden process is executed, and initiates an outbound network connection. Threat actors may drop hidden
+payloads that will later be used to download additional payload stages or tools.
+"""
+id = "04ec0ec4-86c4-47e3-8c7b-8dad5f97532c"
+license = "Elastic License v2"
+name = "Hidden Process Execution followed by Network Connection"
+os_list = ["linux"]
+version = "1.0.3"
+
+query = '''
+sequence by process.entity_id with maxspan=30s
+  [process where event.action == "exec" and event.type == "start" and
+   process.executable: ("/tmp/.*", "/var/tmp/.*", "/dev/shm/.*")]
+  [network where event.action in ("connection_attempted", "connection_accepted") and event.type == "start" and
+   process.name : ".*"]
+'''
+
+min_endpoint_version = "7.15.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+
+[[threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[internal]
+min_endpoint_version = "7.15.0"

behavior/rules/linux/defense_evasion_binary_executed_from_shared_memory_directory.toml

@@ -10,12 +10,13 @@ license = "Elastic License v2"
 name = "Binary Executed from Shared Memory Directory"
 os_list = ["linux"]
 reference = ["https://intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"]
-version = "1.0.8"
+version = "1.0.9"
 
 query = '''
 process where event.type == "start" and event.action == "exec" and 
  process.executable : ("/dev/shm/*", "/run/shm/*") and not (
-   (process.executable : "/dev/shm/gitlab/*" and process.args == "./run" and process.pid == 0)
+   (process.executable : "/dev/shm/gitlab/*" and process.pid == 0) or
+   (process.executable: "/dev/shm/ansible-tmp*")
  )
 '''
 

behavior/rules/linux/defense_evasion_defense_evasion_via_bind_mount.toml

@@ -0,0 +1,57 @@
+[rule]
+description = """
+Identifies the use of the `mount` command to bind mount a directory to `/proc` in order to hide files or processes from
+detection. This technique is used in the wild by malware samples to evade detection by hiding files or processes from
+security tools that rely on `/proc` to gather information about running processes.
+"""
+id = "69b41dec-033a-4629-9b1d-dd2c54b507b9"
+license = "Elastic License v2"
+name = "Defense Evasion via Bind Mount"
+os_list = ["linux"]
+reference = ["https://dfir.ch/posts/slash-proc/"]
+version = "1.0.1"
+
+query = '''
+process where event.type == "start" and event.action == "exec" and process.name == "mount" and
+process.args == "-o" and process.args : "/proc/*" and process.args_count >= 5 and not process.args : "/proc/*/*"
+'''
+
+min_endpoint_version = "7.15.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+
+[threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+
+[threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[internal]
+min_endpoint_version = "7.15.0"

behavior/rules/linux/defense_evasion_execution_of_in_memory_file_via_interactive_session.toml

@@ -13,7 +13,7 @@ reference = [
     "https://github.com/MythicAgents/merlin/blob/main/Payload_Type/merlin/container/commands/memfd.go",
     "https://x-c3ll.github.io/posts/fileless-memfd_create/",
 ]
-version = "1.0.7"
+version = "1.0.8"
 
 query = '''
 process where event.type == "start" and event.action == "exec" and 
@@ -22,7 +22,9 @@ process.executable regex~ """/proc/[a-z0-9]+/fd/[a-z0-9]+""" and
 not (
   process.command_line : "runc init" or
   process.parent.command_line : "/sbin/init" or
-  process.parent.executable : ("/usr/sbin/runc", "/usr/libexec/snapd/snap-confine", "/var/lib/snapd/snap/bin/direnv")
+  process.parent.executable : (
+    "/usr/sbin/runc", "/usr/libexec/snapd/snap-confine", "/var/lib/snapd/snap/bin/direnv", "/usr/lib/systemd/systemd"
+  )
 )
 '''
 

behavior/rules/linux/defense_evasion_linux_decoded_or_decrypted_payload_written_to_suspicious_directory.toml

@@ -0,0 +1,75 @@
+[rule]
+description = """
+Identifies when the openssl utility is used to decode and/or decrypt a payload and write it to an abnormal or suspicious
+directory. Malware authors may attempt to evade detection by encoding and/or encrypting their payload.
+"""
+id = "a0fce633-b6ee-4e4c-b6c7-ba46b8561e9e"
+license = "Elastic License v2"
+name = "Linux Decoded or Decrypted Payload Written to Suspicious Directory"
+os_list = ["linux"]
+reference = ["https://attack.mitre.org/software/S0482/"]
+version = "1.0.4"
+
+query = '''
+process where event.action == "exec" and event.type == "start" and (
+  (process.name == "openssl" and process.args : "-out" and process.args : "enc" and process.args : ("-d", "-base64") and
+   process.args : ("/var/tmp/*", "/dev/shm*", "/var/www/*")) or 
+  (process.name == "base64" and process.args : "-d" and
+   process.args : ("/var/tmp/*", "/dev/shm*", "/var/www/*"))
+) and not process.parent.args : "*/var/lib/waagent/*" and not process.parent.name == "platform-python"
+'''
+
+min_endpoint_version = "7.15.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+[[threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+[[threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+
+
+[threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+[[threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+
+[threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[internal]
+min_endpoint_version = "7.15.0"

behavior/rules/linux/defense_evasion_linux_execution_of_a_file_dropped_by_openssl.toml

@@ -0,0 +1,62 @@
+[rule]
+description = """
+Identifies when the OpenSSL utility create a file followed by its execution. Malware authors may attempt to evade
+detection and trick users into executing malicious code by encoding and encrypting their payload.
+"""
+id = "7032dd32-8a51-4545-94d0-5997051f4610"
+license = "Elastic License v2"
+name = "Linux Execution of a File Dropped by OpenSSL"
+os_list = ["linux"]
+reference = ["https://attack.mitre.org/software/S0482/", "https://attack.mitre.org/software/S0402/"]
+version = "1.0.3"
+
+query = '''
+sequence with maxspan=1m
+  [file where event.action != "deletion" and process.name == "openssl"] by file.path
+  [process where event.action == "exec" and event.type == "start"] by process.executable
+'''
+
+min_endpoint_version = "7.15.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+[[threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+
+
+[threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+[[threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+
+[threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[internal]
+min_endpoint_version = "7.15.0"

behavior/rules/linux/defense_evasion_linux_file_made_executable_by_suspicious_parent.toml

@@ -7,12 +7,16 @@ id = "742037b3-3ef6-4a33-84ed-b26fc6ae322c"
 license = "Elastic License v2"
 name = "Linux File Made Executable by Suspicious Parent"
 os_list = ["linux"]
-version = "1.0.4"
+version = "1.0.5"
 
 query = '''
 process where event.action == "exec" and event.type == "start" and process.name == "chmod" and
 process.args : ("+x", "a+x", "0777", "755", "777") and process.args : "/dev/shm/*" and
-process.parent.executable != null
+process.parent.executable != null and not (
+  (process.parent.executable == "/etc/init.d/nagios" and process.args in (
+    "/dev/shm/tmp", "/dev/shm/var", "/dev/shm/checkresults")
+  )
+)
 '''
 
 min_endpoint_version = "7.15.0"