-
Notifications
You must be signed in to change notification settings - Fork 197
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Detection Rules] Adding Documents for v8.16.7 Pre-Built Detection Ru…
…les (#6523)
- Loading branch information
1 parent
4a99355
commit a454adc
Showing
393 changed files
with
32,963 additions
and
711 deletions.
There are no files selected for viewing
129 changes: 129 additions & 0 deletions
129
...16-7/prebuilt-rule-8-16-7-access-control-list-modification-via-setfacl.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,129 @@ | ||
| [[prebuilt-rule-8-16-7-access-control-list-modification-via-setfacl]] | ||
| === Access Control List Modification via setfacl | ||
|
|
||
| This rule detects Linux Access Control List (ACL) modification via the setfacl command. | ||
|
|
||
| *Rule type*: eql | ||
|
|
||
| *Rule indices*: | ||
|
|
||
| * auditbeat-* | ||
| * endgame-* | ||
| * logs-auditd_manager.auditd-* | ||
| * logs-crowdstrike.fdr* | ||
| * logs-endpoint.events.process* | ||
| * logs-sentinel_one_cloud_funnel.* | ||
|
|
||
| *Severity*: low | ||
|
|
||
| *Risk score*: 21 | ||
|
|
||
| *Runs every*: 5m | ||
|
|
||
| *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: | ||
|
|
||
| * https://www.uptycs.com/blog/threat-research-report-team/evasive-techniques-used-by-malicious-linux-shell-scripts | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Domain: Endpoint | ||
| * OS: Linux | ||
| * Use Case: Threat Detection | ||
| * Tactic: Defense Evasion | ||
| * Data Source: Elastic Defend | ||
| * Data Source: Elastic Endgame | ||
| * Data Source: Auditd Manager | ||
| * Data Source: Crowdstrike | ||
| * Data Source: SentinelOne | ||
| * Resources: Investigation Guide | ||
|
|
||
| *Version*: 104 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Investigation guide | ||
|
|
||
|
|
||
|
|
||
| *Triage and analysis* | ||
|
|
||
|
|
||
| > **Disclaimer**: | ||
| > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. | ||
|
|
||
|
|
||
| *Investigating Access Control List Modification via setfacl* | ||
|
|
||
|
|
||
| Access Control Lists (ACLs) in Linux enhance file permission management by allowing more granular access control. The `setfacl` command modifies these ACLs, potentially altering who can access or modify files. Adversaries may exploit `setfacl` to stealthily change permissions, evading detection and maintaining persistence. The detection rule identifies suspicious `setfacl` executions, excluding benign patterns, to flag potential misuse. | ||
|
|
||
|
|
||
| *Possible investigation steps* | ||
|
|
||
|
|
||
| - Review the process details to confirm the execution of the setfacl command, focusing on the process.name and event.type fields to ensure the alert is valid. | ||
| - Examine the process.command_line to understand the specific ACL modifications attempted and identify any unusual or unauthorized changes. | ||
| - Investigate the user account associated with the process execution to determine if the action aligns with their typical behavior or role. | ||
| - Check the process's parent process to identify how the setfacl command was initiated and assess if it was part of a legitimate workflow or a potential compromise. | ||
| - Correlate the event with other security logs or alerts from the same host to identify any related suspicious activities or patterns that might indicate a broader attack. | ||
|
|
||
|
|
||
| *False positive analysis* | ||
|
|
||
|
|
||
| - Routine system maintenance tasks may trigger the rule if they involve legitimate use of setfacl. To manage this, identify and document regular maintenance scripts or processes that use setfacl and create exceptions for these specific command lines. | ||
| - Backup operations that restore ACLs using setfacl can be mistaken for suspicious activity. Exclude these by adding exceptions for command lines that match known backup procedures, such as those using the --restore option. | ||
| - Automated log management tools might use setfacl to manage permissions on log directories like /var/log/journal/. To prevent false positives, exclude these specific directory paths from triggering the rule. | ||
| - Custom applications or services that require dynamic permission changes using setfacl could be flagged. Review these applications and, if deemed safe, add their specific command patterns to the exception list to avoid unnecessary alerts. | ||
|
|
||
|
|
||
| *Response and remediation* | ||
|
|
||
|
|
||
| - Immediately isolate the affected system from the network to prevent further unauthorized access or changes. | ||
| - Review the process execution logs to identify any unauthorized users or processes that executed the `setfacl` command. | ||
| - Revert any unauthorized ACL changes by restoring the original file permissions from a known good backup or configuration. | ||
| - Conduct a thorough scan of the system for any additional signs of compromise, such as unauthorized user accounts or unexpected processes. | ||
| - Update and patch the system to address any vulnerabilities that may have been exploited to gain access. | ||
| - Implement stricter access controls and monitoring on critical systems to detect and prevent unauthorized ACL modifications in the future. | ||
| - Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected. | ||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| process where host.os.type == "linux" and event.type == "start" and | ||
| event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and | ||
| process.name == "setfacl" and not ( | ||
| process.command_line == "/bin/setfacl --restore=-" or | ||
| process.args == "/var/log/journal/" or | ||
| process.parent.name in ("stats.pl", "perl", "find") or | ||
| process.parent.command_line like~ "/bin/sh -c *ansible*" | ||
| ) | ||
| ---------------------------------- | ||
|
|
||
| *Framework*: MITRE ATT&CK^TM^ | ||
|
|
||
| * Tactic: | ||
| ** Name: Defense Evasion | ||
| ** ID: TA0005 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0005/ | ||
| * Technique: | ||
| ** Name: File and Directory Permissions Modification | ||
| ** ID: T1222 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1222/ | ||
| * Sub-technique: | ||
| ** Name: Linux and Mac File and Directory Permissions Modification | ||
| ** ID: T1222.002 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1222/002/ |
184 changes: 184 additions & 0 deletions
184
...8-16-7/prebuilt-rule-8-16-7-access-to-keychain-credentials-directories.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,184 @@ | ||
| [[prebuilt-rule-8-16-7-access-to-keychain-credentials-directories]] | ||
| === Access to Keychain Credentials Directories | ||
|
|
||
| Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. | ||
|
|
||
| *Rule type*: eql | ||
|
|
||
| *Rule indices*: | ||
|
|
||
| * logs-endpoint.events.process* | ||
|
|
||
| *Severity*: high | ||
|
|
||
| *Risk score*: 73 | ||
|
|
||
| *Runs every*: 5m | ||
|
|
||
| *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: | ||
|
|
||
| * https://objective-see.com/blog/blog_0x25.html | ||
| * https://securelist.com/calisto-trojan-for-macos/86543/ | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Domain: Endpoint | ||
| * OS: macOS | ||
| * Use Case: Threat Detection | ||
| * Tactic: Credential Access | ||
| * Data Source: Elastic Defend | ||
| * Resources: Investigation Guide | ||
|
|
||
| *Version*: 209 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Investigation guide | ||
|
|
||
|
|
||
|
|
||
| *Triage and analysis* | ||
|
|
||
|
|
||
| > **Disclaimer**: | ||
| > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. | ||
|
|
||
|
|
||
| *Investigating Access to Keychain Credentials Directories* | ||
|
|
||
|
|
||
| macOS keychains securely store user credentials, such as passwords and certificates, essential for system and application authentication. Adversaries may target these directories to extract sensitive information, potentially compromising user accounts and system integrity. The detection rule identifies suspicious access attempts by monitoring process activities related to keychain directories, excluding known legitimate processes and actions, thus highlighting potential unauthorized access attempts. | ||
|
|
||
|
|
||
| *Possible investigation steps* | ||
|
|
||
|
|
||
| - Review the process details that triggered the alert, focusing on the process.args field to identify the specific keychain directory accessed and the nature of the access attempt. | ||
| - Examine the process.parent.executable and process.executable fields to determine the origin of the process and assess whether it is a known or potentially malicious application. | ||
| - Investigate the process.Ext.effective_parent.executable field to trace the parent process chain and identify any unusual or unauthorized parent processes that may have initiated the access. | ||
| - Check for any recent changes or installations on the system that could explain the access attempt, such as new software or updates that might interact with keychain directories. | ||
| - Correlate the alert with other security events or logs from the same host to identify any patterns or additional suspicious activities that could indicate a broader compromise. | ||
|
|
||
|
|
||
| *False positive analysis* | ||
|
|
||
|
|
||
| - Processes related to legitimate security applications like Microsoft Defender, JumpCloud Agent, and Rapid7 IR Agent may trigger false positives. Users can mitigate this by ensuring these applications are included in the exclusion list for process executables and effective parent executables. | ||
| - Routine administrative tasks involving keychain management, such as setting keychain settings or importing certificates, might be flagged. To handle this, users should add these specific actions to the exclusion list for process arguments. | ||
| - Applications like OpenVPN Connect and JAMF management tools that interact with keychain directories for legitimate purposes can cause false alerts. Users should verify these applications are part of the exclusion list for parent executables to prevent unnecessary alerts. | ||
| - Regular system maintenance or updates that involve keychain access might be misinterpreted as suspicious. Users should monitor these activities and adjust the exclusion criteria as needed to accommodate known maintenance processes. | ||
|
|
||
|
|
||
| *Response and remediation* | ||
|
|
||
|
|
||
| - Immediately isolate the affected macOS system from the network to prevent further unauthorized access or data exfiltration. | ||
| - Terminate any suspicious processes identified by the detection rule that are attempting to access keychain directories without legitimate reasons. | ||
| - Conduct a thorough review of the system's keychain access logs to identify any unauthorized access or modifications to keychain files. | ||
| - Change all passwords and credentials stored in the keychain on the affected system to prevent potential misuse of compromised credentials. | ||
| - Restore the system from a known good backup if unauthorized access has led to system integrity issues or data corruption. | ||
| - Implement additional monitoring on the affected system to detect any further unauthorized access attempts, focusing on the keychain directories and related processes. | ||
| - Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign. | ||
|
|
||
| ==== Setup | ||
|
|
||
|
|
||
|
|
||
| *Setup* | ||
|
|
||
|
|
||
| This rule requires data coming in from Elastic Defend. | ||
|
|
||
|
|
||
| *Elastic Defend Integration Setup* | ||
|
|
||
| Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. | ||
|
|
||
|
|
||
| *Prerequisite Requirements:* | ||
|
|
||
| - Fleet is required for Elastic Defend. | ||
| - To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. | ||
|
|
||
|
|
||
| *The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* | ||
|
|
||
| - Go to the Kibana home page and click "Add integrations". | ||
| - In the query bar, search for "Elastic Defend" and select the integration to see more details about it. | ||
| - Click "Add Elastic Defend". | ||
| - Configure the integration name and optionally add a description. | ||
| - Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". | ||
| - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. | ||
| - We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" | ||
| - Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. | ||
| For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. | ||
| - Click "Save and Continue". | ||
| - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. | ||
| For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. | ||
|
|
||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| process where host.os.type == "macos" and event.type in ("start", "process_started") and | ||
| process.args : | ||
| ( | ||
| "/Users/*/Library/Keychains/*", | ||
| "/Library/Keychains/*", | ||
| "/Network/Library/Keychains/*", | ||
| "System.keychain", | ||
| "login.keychain-db", | ||
| "login.keychain" | ||
| ) and | ||
| not process.args : ("find-certificate", | ||
| "add-trusted-cert", | ||
| "set-keychain-settings", | ||
| "delete-certificate", | ||
| "/Users/*/Library/Keychains/openvpn.keychain-db", | ||
| "show-keychain-info", | ||
| "lock-keychain", | ||
| "set-key-partition-list", | ||
| "import", | ||
| "find-identity") and | ||
| not process.parent.executable : | ||
| ( | ||
| "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect", | ||
| "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise", | ||
| "/opt/jc/bin/jumpcloud-agent" | ||
| ) and | ||
| not process.executable : ("/opt/jc/bin/jumpcloud-agent", "/usr/bin/basename") and | ||
| not process.Ext.effective_parent.executable : ("/opt/rapid7/ir_agent/ir_agent", | ||
| "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint", | ||
| "/Applications/QualysCloudAgent.app/Contents/MacOS/qualys-cloud-agent", | ||
| "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon", | ||
| "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService", | ||
| "/usr/local/jamf/bin/jamf", | ||
| "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon") | ||
| ---------------------------------- | ||
|
|
||
| *Framework*: MITRE ATT&CK^TM^ | ||
|
|
||
| * Tactic: | ||
| ** Name: Credential Access | ||
| ** ID: TA0006 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0006/ | ||
| * Technique: | ||
| ** Name: Credentials from Password Stores | ||
| ** ID: T1555 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1555/ | ||
| * Sub-technique: | ||
| ** Name: Keychain | ||
| ** ID: T1555.001 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1555/001/ |
Oops, something went wrong.