[New Rule] Suspicious Symbolic Link Created (#2969)

* [New Rule] Suspicious Symbolic Link Created

* Update rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml

Co-authored-by: Justin Ibarra <[email protected]>

* fixed unit testing issues after suggestion commit

---------

Co-authored-by: Justin Ibarra <[email protected]>
Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit c6eba3e)

Author: Aegrah

rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml

@@ -0,0 +1,79 @@
+[metadata]
+creation_date = "2023/07/27"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or
+directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different
+location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a
+privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or
+capabilities they would not normally have.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Symbolic Link Created"
+risk_score = 21
+rule_id = "8a024633-c444-45c0-a4fe-78128d8c1ab6"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.action in ("exec", "exec_event") and 
+event.type == "start" and process.name == "ln" and 
+  (
+    /* suspicious files */
+    (process.args in ("/etc/shadow", "/etc/shadow-", "/etc/shadow~", "/etc/gshadow", "/etc/gshadow-") or 
+    (process.working_directory == "/etc" and process.args in ("shadow", "shadow-", "shadow~", "gshadow", "gshadow-"))) or 
+    
+    /* suspicious bins */
+    (process.args in ("/bin/bash", "/bin/dash", "/bin/sh", "/bin/tcsh", "/bin/csh", "/bin/zsh", "/bin/ksh", "/bin/fish") or 
+    (process.working_directory == "/bin" and process.args : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"))) or 
+    (process.args in ("/usr/bin/bash", "/usr/bin/dash", "/usr/bin/sh", "/usr/bin/tcsh", "/usr/bin/csh", "/usr/bin/zsh", "/usr/bin/ksh", "/usr/bin/fish") or 
+    (process.working_directory == "/usr/bin" and process.args in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"))) or
+    
+    /* suspicious locations */
+    (process.args : ("/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.weekly/*", "/etc/cron.monthly/*")) or
+    (process.args : ("/home/*/.ssh/*", "/root/.ssh/*","/etc/sudoers.d/*", "/dev/shm/*"))
+  ) and 
+not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.008"
+name = "/etc/passwd and /etc/shadow"
+reference = "https://attack.mitre.org/techniques/T1003/008/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"