-
Notifications
You must be signed in to change notification settings - Fork 353
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #3089 from splunk/linux_auditd_detection
linux_auditd_detection
- Loading branch information
Showing
54 changed files
with
3,498 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| name: Linux Auditd Add User Account | ||
| id: aae66dc0-74b4-4807-b480-b35f8027abb4 | ||
| version: 1 | ||
| date: '2024-09-04' | ||
| author: Teoderick Contreras, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects the creation of new user accounts on Linux | ||
| systems using commands like "useradd" or "adduser." It leverages data from Endpoint | ||
| Detection and Response (EDR) agents, focusing on process names and command-line | ||
| executions. This activity is significant as adversaries often create new user accounts | ||
| to establish persistence on compromised hosts. If confirmed malicious, this could | ||
| allow attackers to maintain access, escalate privileges, and further compromise | ||
| the system, posing a severe security risk. | ||
| data_source: | ||
| - Linux Auditd Proctitle | ||
| search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as | ||
| dest | where LIKE (process_exec, "%useradd%") OR LIKE (process_exec, "%adduser%") | ||
| | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle | ||
| dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| | ||
| `linux_auditd_add_user_account_filter`' | ||
| how_to_implement: To implement this detection, the process begins by ingesting auditd | ||
| data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line | ||
| executions and process details on Unix/Linux systems. These logs should be ingested | ||
| and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), | ||
| which is essential for correctly parsing and categorizing the data. The next step | ||
| involves normalizing the field names to match the field names set by the Splunk | ||
| Common Information Model (CIM) to ensure consistency across different data sources | ||
| and enhance the efficiency of data modeling. This approach enables effective monitoring | ||
| and detection of linux endpoints where auditd is deployed | ||
| known_false_positives: Administrator or network operator can execute this command. | ||
| Please update the filter macros to remove false positives. | ||
| references: | ||
| - https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/ | ||
| tags: | ||
| analytic_story: | ||
| - Linux Privilege Escalation | ||
| - Linux Persistence Techniques | ||
| - Compromised Linux Host | ||
| asset_type: Endpoint | ||
| confidence: 50 | ||
| impact: 50 | ||
| message: A [$process_exec$] event occurred on host - [$dest$] to add a user account. | ||
| mitre_attack_id: | ||
| - T1136.001 | ||
| - T1136 | ||
| observable: | ||
| - name: dest | ||
| type: Endpoint | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - _time | ||
| - proctitle | ||
| risk_score: 25 | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log | ||
| source: /var/log/audit/audit.log | ||
| sourcetype: linux:audit |
70 changes: 70 additions & 0 deletions
70
detections/endpoint/linux_auditd_add_user_account_type.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| name: Linux Auditd Add User Account Type | ||
| id: f8c325ea-506e-4105-8ccf-da1492e90115 | ||
| version: 1 | ||
| date: '2024-09-04' | ||
| author: Teoderick Contreras, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects the suspicious add user account type. | ||
| This behavior is critical for a SOC to monitor because it may indicate attempts | ||
| to gain unauthorized access or maintain control over a system. Such actions could | ||
| be signs of malicious activity. If confirmed, this could lead to serious consequences, | ||
| including a compromised system, unauthorized access to sensitive data, or even a | ||
| wider breach affecting the entire network. Detecting and responding to these signs | ||
| early is essential to prevent potential security incidents. | ||
| data_source: | ||
| - Linux Auditd Add User | ||
| search: ' `linux_auditd` type=ADD_USER | rename hostname as dest| stats count min(_time) | ||
| as firstTime max(_time) as lastTime by exe pid dest res UID type | `security_content_ctime(firstTime)` | ||
| | `security_content_ctime(lastTime)`| `linux_auditd_add_user_account_type_filter`' | ||
| how_to_implement: To implement this detection, the process begins by ingesting auditd | ||
| data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line | ||
| executions and process details on Unix/Linux systems. These logs should be ingested | ||
| and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), | ||
| which is essential for correctly parsing and categorizing the data. The next step | ||
| involves normalizing the field names to match the field names set by the Splunk | ||
| Common Information Model (CIM) to ensure consistency across different data sources | ||
| and enhance the efficiency of data modeling. This approach enables effective monitoring | ||
| and detection of linux endpoints where auditd is deployed | ||
| known_false_positives: Administrator or network operator can use this application | ||
| for automation purposes. Please update the filter macros to remove false positives. | ||
| references: | ||
| - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html | ||
| tags: | ||
| analytic_story: | ||
| - Linux Living Off The Land | ||
| - Linux Privilege Escalation | ||
| - Linux Persistence Techniques | ||
| - Compromised Linux Host | ||
| asset_type: Endpoint | ||
| confidence: 50 | ||
| impact: 50 | ||
| message: New [$type$] event on host - [$dest$] to add a user account type. | ||
| mitre_attack_id: | ||
| - T1136 | ||
| - T1136.001 | ||
| observable: | ||
| - name: dest | ||
| type: Hostname | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - _time | ||
| - exe | ||
| - pid | ||
| - hostname | ||
| - res | ||
| - UID | ||
| - type | ||
| risk_score: 25 | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log | ||
| source: /var/log/audit/audit.log | ||
| sourcetype: linux:audit |
75 changes: 75 additions & 0 deletions
75
detections/endpoint/linux_auditd_at_application_execution.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| name: Linux Auditd At Application Execution | ||
| id: 9f306e0a-1c36-469e-8892-968ca12470dd | ||
| version: 1 | ||
| date: '2024-09-04' | ||
| author: Teoderick Contreras, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects the execution of the "At" application | ||
| in Linux, which can be used by attackers to create persistence entries on a compromised | ||
| host. This detection leverages data from Endpoint Detection and Response (EDR) agents, | ||
| focusing on process names and parent process names associated with "at" or "atd". | ||
| This activity is significant because the "At" application can be exploited to maintain | ||
| unauthorized access or deliver additional malicious payloads. If confirmed malicious, | ||
| this behavior could lead to data theft, ransomware attacks, or other severe consequences. | ||
| Immediate investigation is required to determine the legitimacy of the execution | ||
| and mitigate potential risks. | ||
| data_source: | ||
| - Linux Auditd Syscall | ||
| search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") | ||
| AND NOT (UID IN("daemon")) | rename host as dest | stats count min(_time) as firstTime | ||
| max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest | `security_content_ctime(firstTime)` | ||
| | `security_content_ctime(lastTime)`| `linux_auditd_at_application_execution_filter`' | ||
| how_to_implement: To implement this detection, the process begins by ingesting auditd | ||
| data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line | ||
| executions and process details on Unix/Linux systems. These logs should be ingested | ||
| and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), | ||
| which is essential for correctly parsing and categorizing the data. The next step | ||
| involves normalizing the field names to match the field names set by the Splunk | ||
| Common Information Model (CIM) to ensure consistency across different data sources | ||
| and enhance the efficiency of data modeling. This approach enables effective monitoring | ||
| and detection of linux endpoints where auditd is deployed | ||
| known_false_positives: Administrator or network operator can use this application | ||
| for automation purposes. Please update the filter macros to remove false positives. | ||
| references: | ||
| - https://attack.mitre.org/techniques/T1053/001/ | ||
| - https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/ | ||
| tags: | ||
| analytic_story: | ||
| - Scheduled Tasks | ||
| - Linux Privilege Escalation | ||
| - Linux Persistence Techniques | ||
| - Linux Living Off The Land | ||
| - Compromised Linux Host | ||
| asset_type: Endpoint | ||
| confidence: 30 | ||
| impact: 30 | ||
| message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to execute the "at" application. | ||
| mitre_attack_id: | ||
| - T1053.002 | ||
| - T1053 | ||
| observable: | ||
| - name: dest | ||
| type: Endpoint | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - _time | ||
| - comm | ||
| - exe | ||
| - SYSCALL | ||
| - UID | ||
| - ppid | ||
| - pid | ||
| risk_score: 9 | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log | ||
| source: /var/log/audit/audit.log | ||
| sourcetype: linux:audit |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| name: Linux Auditd Auditd Service Stop | ||
| id: 6cb9d0e1-eabe-41de-a11a-5efade354e9d | ||
| version: 1 | ||
| date: '2024-09-04' | ||
| author: Teoderick Contreras, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects the suspicious auditd service stop. This | ||
| behavior is critical for a SOC to monitor because it may indicate attempts to gain | ||
| unauthorized access or maintain control over a system. Such actions could be signs | ||
| of malicious activity. If confirmed, this could lead to serious consequences, including | ||
| a compromised system, unauthorized access to sensitive data, or even a wider breach | ||
| affecting the entire network. Detecting and responding to these signs early is essential | ||
| to prevent potential security incidents. | ||
| data_source: | ||
| - Linux Auditd Service Stop | ||
| search: '`linux_auditd` type=SERVICE_STOP unit IN ("auditd") | rename host as dest | ||
| | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm | ||
| exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| | ||
| `linux_auditd_auditd_service_stop_filter`' | ||
| how_to_implement: To implement this detection, the process begins by ingesting auditd | ||
| data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line | ||
| executions and process details on Unix/Linux systems. These logs should be ingested | ||
| and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), | ||
| which is essential for correctly parsing and categorizing the data. The next step | ||
| involves normalizing the field names to match the field names set by the Splunk | ||
| Common Information Model (CIM) to ensure consistency across different data sources | ||
| and enhance the efficiency of data modeling. This approach enables effective monitoring | ||
| and detection of linux endpoints where auditd is deployed | ||
| known_false_positives: Administrator or network operator can use this application | ||
| for automation purposes. Please update the filter macros to remove false positives. | ||
| references: | ||
| - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html | ||
| tags: | ||
| analytic_story: | ||
| - Linux Living Off The Land | ||
| - Linux Privilege Escalation | ||
| - Linux Persistence Techniques | ||
| - Compromised Linux Host | ||
| asset_type: Endpoint | ||
| confidence: 50 | ||
| impact: 50 | ||
| message: A service event - [$type$] event occured on host - [$dest$]. | ||
| mitre_attack_id: | ||
| - T1489 | ||
| observable: | ||
| - name: dest | ||
| type: Endpoint | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - _time | ||
| - type | ||
| - pid | ||
| - UID | ||
| - comm | ||
| - exe | ||
| risk_score: 49 | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log | ||
| source: /var/log/audit/audit.log | ||
| sourcetype: linux:audit |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| name: Linux Auditd Base64 Decode Files | ||
| id: 5890ba10-4e48-4dc0-8a40-3e1ebe75e737 | ||
| version: 1 | ||
| date: '2024-09-04' | ||
| author: Teoderick Contreras, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects suspicious Base64 decode operations that | ||
| may indicate malicious activity, such as data exfiltration or execution of encoded | ||
| commands. Base64 is commonly used to encode data for safe transmission, but attackers | ||
| may abuse it to conceal malicious payloads. This detection focuses on identifying | ||
| unusual or unexpected Base64 decoding processes, particularly when associated with | ||
| critical files or directories. By monitoring these activities, the analytic helps | ||
| uncover potential threats, enabling security teams to respond promptly and mitigate | ||
| risks associated with encoded malware or unauthorized data access. | ||
| data_source: | ||
| - Linux Auditd Execve | ||
| search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as | ||
| dest | where LIKE(process_exec, "%base64%") AND (LIKE(process_exec, "%-d %") OR | ||
| LIKE(process_exec, "% --d%")) | stats count min(_time) as firstTime max(_time) as | ||
| lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| | ||
| `linux_auditd_base64_decode_files_filter`' | ||
| how_to_implement: To implement this detection, the process begins by ingesting auditd | ||
| data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line | ||
| executions and process details on Unix/Linux systems. These logs should be ingested | ||
| and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), | ||
| which is essential for correctly parsing and categorizing the data. The next step | ||
| involves normalizing the field names to match the field names set by the Splunk | ||
| Common Information Model (CIM) to ensure consistency across different data sources | ||
| and enhance the efficiency of data modeling. This approach enables effective monitoring | ||
| and detection of linux endpoints where auditd is deployed | ||
| known_false_positives: Administrator or network operator can use this application | ||
| for automation purposes. Please update the filter macros to remove false positives. | ||
| references: | ||
| - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html | ||
| - https://gtfobins.github.io/gtfobins/dd/ | ||
| tags: | ||
| analytic_story: | ||
| - Linux Living Off The Land | ||
| - Linux Privilege Escalation | ||
| - Linux Persistence Techniques | ||
| - Compromised Linux Host | ||
| asset_type: Endpoint | ||
| confidence: 50 | ||
| impact: 50 | ||
| message: A [$process_exec$] event occurred on host - [$dest$] to decode a file using base64. | ||
| mitre_attack_id: | ||
| - T1140 | ||
| observable: | ||
| - name: dest | ||
| type: Endpoint | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - _time | ||
| - argc | ||
| - process_exec | ||
| risk_score: 25 | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.log | ||
| source: /var/log/audit/audit.log | ||
| sourcetype: linux:audit |
Oops, something went wrong.