From b47601b9bda370f363fc3be953d1426d83df7356 Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Thu, 20 Jul 2023 16:37:59 +0200
Subject: [PATCH 1/7] [New Rule] Sudo Command Enumeration Detected

---
 ...very_sudo_allowed_command_enumeration.toml | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 rules/linux/discovery_sudo_allowed_command_enumeration.toml

diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
new file mode 100644
index 00000000000..2025a3fa7a2
--- /dev/null
+++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/07/20"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for
+the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions,
+potentially allowing to escalate privileges to root.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Sudo Command Enumeration Detected"
+risk_score = 21
+rule_id = "28d39238-0c01-420a-b77a-24e5a7378663"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.name == "sudo" and process.args == "-l" and
+process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
+not group.Ext.real.id : "0" and not user.Ext.real.id : "0"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
From 9a29940b12bf2d1d1fa9ca5c1f3fa4b9bf00585f Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 24 Jul 2023 16:41:15 +0200
Subject: [PATCH 2/7] Update discovery_sudo_allowed_command_enumeration.toml

---
 .../linux/discovery_sudo_allowed_command_enumeration.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
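Review bot: `process.args == "-l"` on the second query line matches only the exact short flag, so `sudo --list` and the repeated form `sudo -ll` (documented in sudo(8) as the longer listing format) perform the same enumeration without firing this rule, even though the description states the goal is to catch `sudo -l` usage. Widen the match to the documented spellings, e.g. `process.name == "sudo" and process.args in ("-l", "-ll", "--list") and`. Combined short options such as `-lU <user>` would still slip through; if that trade-off is accepted, a sentence in the description noting that only the plain list flags are covered would save analysts from assuming broader coverage. The root exclusion on `user.Ext.real.id` / `group.Ext.real.id` presumably intends to suppress administrators already running as root — worth stating that in the description as well, since it is the main false-positive control in the query.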
diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
index 2025a3fa7a2..f4c3a8c1ec0 100644
--- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml
+++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/20"
+updated_date = "2023/07/24"
 
 [rule]
 author = ["Elastic"]
@@ -14,18 +14,18 @@ the invoking user. Attackers may execute this command to enumerate commands allo
 potentially allowing to escalate privileges to root.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Sudo Command Enumeration Detected"
 risk_score = 21
 rule_id = "28d39238-0c01-420a-b77a-24e5a7378663"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process where host.os.type == "linux" and event.type == "start" event.action : ("exec", "exec_event") and
 process.name == "sudo" and process.args == "-l" and
 process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
 not group.Ext.real.id : "0" and not user.Ext.real.id : "0"
From c1b50a04a72e8911c82fd6ca1acbdb97aa964803 Mon Sep 17 00:00:00 2001
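Review bot: The rewritten `process where` line in the second hunk drops the `and` between `event.type == "start"` and `event.action : ("exec", "exec_event")`, so the query no longer parses as EQL and the rule will fail to load; it should read `process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and`. `in` is also the better operator here, since `:` is a case-insensitive match and the two action names are fixed literals. Separately, the unchanged `not group.Ext.real.id : "0" and not user.Ext.real.id : "0"` exclusions use Elastic Endpoint `Ext` fields; if the newly added `endgame-*` events do not populate those fields, the negated comparison against a missing field may not behave as a plain "not root" test, so the Endgame branch should be confirmed against a real `exec_event` sample before relying on it.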
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 24 Jul 2023 16:52:01 +0200
Subject: [PATCH 3/7] revert endgame support due to unit testing fail

---
 rules/linux/discovery_sudo_allowed_command_enumeration.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
index f4c3a8c1ec0..13233ab7646 100644
--- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml
+++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
@@ -14,18 +14,18 @@ the invoking user. Attackers may execute this command to enumerate commands allo
 potentially allowing to escalate privileges to root.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Sudo Command Enumeration Detected"
 risk_score = 21
 rule_id = "28d39238-0c01-420a-b77a-24e5a7378663"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" event.action : ("exec", "exec_event") and
+process where host.os.type == "linux" and event.type == "start" event.action == "exec" and
 process.name == "sudo" and process.args == "-l" and
 process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
 not group.Ext.real.id : "0" and not user.Ext.real.id : "0"
From f75e5bf27f0dbe952ba36224389a77366b066847 Mon Sep 17 00:00:00 2001
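Review bot: The `and` between `event.type == "start"` and `event.action == "exec"` is still missing on the new `process where` line, so the query remains syntactically invalid after this revert; the line should be `process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and`. Given that, the unit-test failure the commit message attributes to Endgame support was quite possibly this parse error rather than the `endgame-*` index or tag, which is worth confirming before dropping the data source — the revert removes coverage without fixing the likely cause.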
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 24 Jul 2023 16:58:38 +0200
Subject: [PATCH 4/7] Update discovery_sudo_allowed_command_enumeration.toml

---
 rules/linux/discovery_sudo_allowed_command_enumeration.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
index 13233ab7646..ae332f38dc5 100644
--- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml
+++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
@@ -14,18 +14,18 @@ the invoking user. Attackers may execute this command to enumerate commands allo
 potentially allowing to escalate privileges to root.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Sudo Command Enumeration Detected"
 risk_score = 21
 rule_id = "28d39238-0c01-420a-b77a-24e5a7378663"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" event.action == "exec" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.name == "sudo" and process.args == "-l" and
 process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
 not group.Ext.real.id : "0" and not user.Ext.real.id : "0"
From 63c4760f37d7d01436f406acbbc79a76d590c927 Mon Sep 17 00:00:00 2001
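Review bot: With `endgame-*` back in the index pattern, the unchanged last line `not group.Ext.real.id : "0" and not user.Ext.real.id : "0"` now also applies to Endgame `exec_event` documents, and `group.Ext` / `user.Ext` are Elastic Endpoint extension fields. If Endgame events do not populate them, an EQL negation over a missing field may not match at all, in which case the new data source adds the index and tag but no detections. Verify with a real Endgame sample; if the fields are absent there, scope the root exclusion to the Endpoint branch, e.g. `(event.action == "exec_event" or (not group.Ext.real.id : "0" and not user.Ext.real.id : "0"))`, or switch to a field both sources populate. The missing-`and` parse error from the earlier revision is fixed by this hunk, so the query is loadable again.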
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 25 Jul 2023 16:22:28 +0200
Subject: [PATCH 5/7] Update discovery_sudo_allowed_command_enumeration.toml

---
 rules/linux/discovery_sudo_allowed_command_enumeration.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
index ae332f38dc5..d470e394689 100644
--- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml
+++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
@@ -14,18 +14,18 @@ the invoking user. Attackers may execute this command to enumerate commands allo
 potentially allowing to escalate privileges to root.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Sudo Command Enumeration Detected"
 risk_score = 21
 rule_id = "28d39238-0c01-420a-b77a-24e5a7378663"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
+process where host.os.type == "linux" and event.type == "start" and event.action =="exec" and
 process.name == "sudo" and process.args == "-l" and
 process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
 not group.Ext.real.id : "0" and not user.Ext.real.id : "0"
From 4b1dd808bf74bb251275419d2d9388db4f57d9b2 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Wed, 2 Aug 2023 21:59:30 +0200
Subject: [PATCH 6/7] Update rules/linux/discovery_sudo_allowed_command_enumeration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
---
 rules/linux/discovery_sudo_allowed_command_enumeration.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
index d470e394689..5f572c7f83a 100644
--- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml
+++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
@@ -25,7 +25,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action =="exec" and
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.name == "sudo" and process.args == "-l" and
 process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
 not group.Ext.real.id : "0" and not user.Ext.real.id : "0"
From 73710a4470b16156e32887864e55f57c8f315924 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Wed, 2 Aug 2023 21:59:39 +0200
Subject: [PATCH 7/7] Update rules/linux/discovery_sudo_allowed_command_enumeration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
---
 rules/linux/discovery_sudo_allowed_command_enumeration.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
index 5f572c7f83a..e34be9912dc 100644
--- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml
+++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
@@ -27,7 +27,7 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.name == "sudo" and process.args == "-l" and
-process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
+process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
 not group.Ext.real.id : "0" and not user.Ext.real.id : "0"
 '''
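Review bot: Switching the parent check to `in` makes it an exact, case-sensitive match, which is fine for these fixed shell names, but the parent filter itself means `sudo -l` launched from anything other than a shell — a Python or Perl implant calling it via `subprocess`, or an automation wrapper — goes undetected, because `process.parent.name` would then be `python3`, `perl`, and so on rather than one of the listed shells. If limiting to interactive shells is a deliberate false-positive trade-off, it should be stated in the rule description so analysts know the coverage boundary; otherwise consider dropping the parent filter and relying on the non-root exclusion on the following line, which is the stronger signal of an unprivileged user probing for escalation paths. The `query` block is fully visible in this hunk, but the rest of the rule file is not.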