diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml new file mode 100644 index 0000000000..c33bc16d25 --- /dev/null +++ b/detections/endpoint/linux_auditd_add_user_account.yml @@ -0,0 +1,66 @@ +name: Linux Auditd Add User Account +id: aae66dc0-74b4-4807-b480-b35f8027abb4 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the creation of new user accounts on Linux + systems using commands like "useradd" or "adduser." It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as adversaries often create new user accounts + to establish persistence on compromised hosts. If confirmed malicious, this could + allow attackers to maintain access, escalate privileges, and further compromise + the system, posing a severe security risk. +data_source: +- Linux Auditd Proctitle +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as + dest | where LIKE (process_exec, "%useradd%") OR LIKE (process_exec, "%adduser%") + | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle + dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_add_user_account_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. +references: +- https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/ +tags: + analytic_story: + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A [$process_exec$] event occurred on host - [$dest$] to add a user account. + mitre_attack_id: + - T1136.001 + - T1136 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - proctitle + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml new file mode 100644 index 0000000000..1b7d6b8f9f --- /dev/null +++ b/detections/endpoint/linux_auditd_add_user_account_type.yml @@ -0,0 +1,70 @@ +name: Linux Auditd Add User Account Type +id: f8c325ea-506e-4105-8ccf-da1492e90115 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the suspicious add user account type. + This behavior is critical for a SOC to monitor because it may indicate attempts + to gain unauthorized access or maintain control over a system. Such actions could + be signs of malicious activity. If confirmed, this could lead to serious consequences, + including a compromised system, unauthorized access to sensitive data, or even a + wider breach affecting the entire network. Detecting and responding to these signs + early is essential to prevent potential security incidents. +data_source: +- Linux Auditd Add User +search: ' `linux_auditd` type=ADD_USER | rename hostname as dest| stats count min(_time) + as firstTime max(_time) as lastTime by exe pid dest res UID type | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_auditd_add_user_account_type_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: New [$type$] event on host - [$dest$] to add a user account type. + mitre_attack_id: + - T1136 + - T1136.001 + observable: + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - exe + - pid + - hostname + - res + - UID + - type + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml new file mode 100644 index 0000000000..49d5a50c87 --- /dev/null +++ b/detections/endpoint/linux_auditd_at_application_execution.yml @@ -0,0 +1,75 @@ +name: Linux Auditd At Application Execution +id: 9f306e0a-1c36-469e-8892-968ca12470dd +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the execution of the "At" application + in Linux, which can be used by attackers to create persistence entries on a compromised + host. This detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on process names and parent process names associated with "at" or "atd". + This activity is significant because the "At" application can be exploited to maintain + unauthorized access or deliver additional malicious payloads. If confirmed malicious, + this behavior could lead to data theft, ransomware attacks, or other severe consequences. + Immediate investigation is required to determine the legitimacy of the execution + and mitigate potential risks. +data_source: +- Linux Auditd Syscall +search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") + AND NOT (UID IN("daemon")) | rename host as dest | stats count min(_time) as firstTime + max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_auditd_at_application_execution_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://attack.mitre.org/techniques/T1053/001/ +- https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/ +tags: + analytic_story: + - Scheduled Tasks + - Linux Privilege Escalation + - Linux Persistence Techniques + - Linux Living Off The Land + - Compromised Linux Host + asset_type: Endpoint + confidence: 30 + impact: 30 + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to execute the "at" application. + mitre_attack_id: + - T1053.002 + - T1053 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - comm + - exe + - SYSCALL + - UID + - ppid + - pid + risk_score: 9 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml new file mode 100644 index 0000000000..20ddf0f391 --- /dev/null +++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml @@ -0,0 +1,69 @@ +name: Linux Auditd Auditd Service Stop +id: 6cb9d0e1-eabe-41de-a11a-5efade354e9d +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the suspicious auditd service stop. This + behavior is critical for a SOC to monitor because it may indicate attempts to gain + unauthorized access or maintain control over a system. Such actions could be signs + of malicious activity. If confirmed, this could lead to serious consequences, including + a compromised system, unauthorized access to sensitive data, or even a wider breach + affecting the entire network. Detecting and responding to these signs early is essential + to prevent potential security incidents. +data_source: +- Linux Auditd Service Stop +search: '`linux_auditd` type=SERVICE_STOP unit IN ("auditd") | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm + exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_auditd_service_stop_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A service event - [$type$] event occured on host - [$dest$]. + mitre_attack_id: + - T1489 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - type + - pid + - UID + - comm + - exe + risk_score: 49 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml new file mode 100644 index 0000000000..15b0b91e2d --- /dev/null +++ b/detections/endpoint/linux_auditd_base64_decode_files.yml @@ -0,0 +1,69 @@ +name: Linux Auditd Base64 Decode Files +id: 5890ba10-4e48-4dc0-8a40-3e1ebe75e737 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects suspicious Base64 decode operations that + may indicate malicious activity, such as data exfiltration or execution of encoded + commands. Base64 is commonly used to encode data for safe transmission, but attackers + may abuse it to conceal malicious payloads. This detection focuses on identifying + unusual or unexpected Base64 decoding processes, particularly when associated with + critical files or directories. By monitoring these activities, the analytic helps + uncover potential threats, enabling security teams to respond promptly and mitigate + risks associated with encoded malware or unauthorized data access. +data_source: +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where LIKE(process_exec, "%base64%") AND (LIKE(process_exec, "%-d %") OR + LIKE(process_exec, "% --d%")) | stats count min(_time) as firstTime max(_time) as + lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_base64_decode_files_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +- https://gtfobins.github.io/gtfobins/dd/ +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A [$process_exec$] event occurred on host - [$dest$] to decode a file using base64. + mitre_attack_id: + - T1140 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml new file mode 100644 index 0000000000..23917623b0 --- /dev/null +++ b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml @@ -0,0 +1,67 @@ +name: Linux Auditd Change File Owner To Root +id: 7b87c556-0ca4-47e0-b84c-6cd62a0a3e90 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects the use of the 'chown' command to change + a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. + This activity is significant as it may indicate an attempt to escalate privileges + by adversaries, malware, or red teamers. If confirmed malicious, this action could + allow an attacker to gain root-level access, leading to full control over the compromised + host and potential persistence within the environment. +data_source: +- Linux Auditd Proctitle +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as + dest | where LIKE (process_exec, "%chown %") AND LIKE (process_exec, "% root %") + | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle + normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_change_file_owner_to_root_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. +references: +- https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users +- https://askubuntu.com/questions/617850/changing-from-user-to-superuser +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A [$process_exec$] event occurred on host - [$dest$] to change a file owner to root. + mitre_attack_id: + - T1222.002 + - T1222 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - proctitle + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_clipboard_data_copy.yml b/detections/endpoint/linux_auditd_clipboard_data_copy.yml new file mode 100644 index 0000000000..20b1cf0179 --- /dev/null +++ b/detections/endpoint/linux_auditd_clipboard_data_copy.yml @@ -0,0 +1,68 @@ +name: Linux Auditd Clipboard Data Copy +id: 9ddfe470-c4d0-4e60-8668-7337bd699edd +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the use of the Linux 'xclip' command to + copy data from the clipboard. It leverages Linux Auditd + telemetry, focusing on process names and command-line arguments related to clipboard + operations. This activity is significant because adversaries can exploit clipboard + data to capture sensitive information such as passwords or IP addresses. If confirmed + malicious, this technique could lead to unauthorized data exfiltration, compromising + sensitive information and potentially aiding further attacks within the environment. +data_source: +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where LIKE(process_exec, "%xclip%") AND (LIKE(process_exec, "%clipboard%") + OR LIKE(process_exec, "%-o%") OR LIKE(process_exec, "%clip %") OR LIKE(process_exec, + "%-selection %") OR LIKE(process_exec, "%sel %")) | stats count min(_time) as firstTime + max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `linux_auditd_clipboard_data_copy_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: False positives may be present on Linux desktop as it may commonly + be used by administrators or end users. Filter as needed. +references: +- https://attack.mitre.org/techniques/T1115/ +- https://linux.die.net/man/1/xclip +tags: + analytic_story: + - Linux Living Off The Land + - Compromised Linux Host + asset_type: Endpoint + confidence: 40 + impact: 40 + message: A [$process_exec$] event occurred on host - [$dest$] to copy data from the clipboard. + mitre_attack_id: + - T1115 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 16 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.log + source: /var/log/audit/audit.log + sourcetype: linux:audit + update_timestamp: true diff --git a/detections/endpoint/linux_auditd_data_destruction_command.yml b/detections/endpoint/linux_auditd_data_destruction_command.yml new file mode 100644 index 0000000000..0ce3e41f48 --- /dev/null +++ b/detections/endpoint/linux_auditd_data_destruction_command.yml @@ -0,0 +1,66 @@ +name: Linux Auditd Data Destruction Command +id: 4da5ce1a-f71b-4e71-bb73-c0a3c73f3c3c +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects the execution of a Unix shell command + designed to wipe root directories on a Linux host. It leverages data from Linux Auditd, focusing on the 'rm' command with force recursive deletion and the '--no-preserve-root' option. This activity is significant as it + indicates potential data destruction attempts, often associated with malware like + Awfulshred. If confirmed malicious, this behavior could lead to severe data loss, + system instability, and compromised integrity of the affected Linux host. Immediate + investigation and response are crucial to mitigate potential damage. +data_source: +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where LIKE (process_exec, "%rm %") AND LIKE (process_exec, "% -rf %") AND + LIKE (process_exec, "%--no-preserve-root%") | stats count min(_time) as firstTime + max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_auditd_data_destruction_command_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: unknown +references: +- https://cert.gov.ua/article/3718487 +- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ +tags: + analytic_story: + - Data Destruction + - AwfulShred + - Compromised Linux Host + asset_type: Endpoint + confidence: 90 + impact: 100 + message: A [$process_exec$] event occurred on host - [$dest$] to destroy data. + mitre_attack_id: + - T1485 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 90 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.log + source: /var/log/audit/audit.log + sourcetype: linux:audit + update_timestamp: true diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml new file mode 100644 index 0000000000..742d1323bb --- /dev/null +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml @@ -0,0 +1,67 @@ +name: Linux Auditd Data Transfer Size Limits Via Split +id: 4669561d-3bbd-44e3-857c-0e3c6ef2120c +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects suspicious data transfer activities that + involve the use of the `split` syscall, potentially indicating an attempt to evade + detection by breaking large files into smaller parts. Attackers may use this technique + to bypass size-based security controls, facilitating the covert exfiltration of + sensitive data. By monitoring for unusual or unauthorized use of the `split` syscall, + this analytic helps identify potential data exfiltration attempts, allowing security + teams to intervene and prevent the unauthorized transfer of critical information + from the network. +data_source: +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where LIKE(process_exec, "%split %") AND LIKE(process_exec, "% -b %") | stats + count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_transfer_size_limits_via_split_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 70 + impact: 70 + message: A [$process_exec$] event occurred on host - [$dest$] to split a file. + mitre_attack_id: + - T1030 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 49 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml new file mode 100644 index 0000000000..45a7e337e4 --- /dev/null +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml @@ -0,0 +1,71 @@ +name: Linux Auditd Data Transfer Size Limits Via Split Syscall +id: c03d4a49-cf9d-435b-86e9-c6f8c9b6c42e +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects suspicious data transfer activities that + involve the use of the `split` syscall, potentially indicating an attempt to evade + detection by breaking large files into smaller parts. Attackers may use this technique + to bypass size-based security controls, facilitating the covert exfiltration of + sensitive data. By monitoring for unusual or unauthorized use of the `split` syscall, + this analytic helps identify potential data exfiltration attempts, allowing security + teams to intervene and prevent the unauthorized transfer of critical information + from the network. +data_source: +- Linux Auditd Syscall +search: '`linux_auditd` type=SYSCALL comm=split OR exe= "*/split" | rename host as + dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL + UID ppid pid success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] that limits the size of data transfer. + mitre_attack_id: + - T1030 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - comm + - exe + - SYSCALL + - UID + - ppid + - pid + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml new file mode 100644 index 0000000000..b6d0662dfe --- /dev/null +++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml @@ -0,0 +1,68 @@ +name: Linux Auditd Database File And Directory Discovery +id: f616c4f3-bde9-41cf-856c-019b65f668bb +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: "The following analytic detects suspicious database file and directory discovery activities, which may signal an attacker attempt to locate and assess critical database assets on a compromised system. This behavior is often a precursor to data theft, unauthorized access, or privilege escalation, as attackers seek to identify valuable information stored in databases. By monitoring for unusual or unauthorized attempts to locate database files and directories, this analytic aids in early detection of potential reconnaissance or data breach efforts, enabling security teams to respond swiftly and mitigate the risk of further compromise." +data_source: +- Linux Auditd Execve +search: ' `linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND + (LIKE (process_exec, "%.db%") OR LIKE (process_exec, "%.sql%") OR LIKE (process_exec, + "%.sqlite%") OR LIKE (process_exec, "%.mdb%")OR LIKE (process_exec, "%.accdb%")OR + LIKE (process_exec, "%.mdf%")OR LIKE (process_exec, "%.ndf%")OR LIKE (process_exec, + "%.ldf%")OR LIKE (process_exec, "%.frm%")OR LIKE (process_exec, "%.idb%")OR LIKE + (process_exec, "%.myd%")OR LIKE (process_exec, "%.myi%")OR LIKE (process_exec, "%.dbf%")OR + LIKE (process_exec, "%.db2%")OR LIKE (process_exec, "%.dbc%")OR LIKE (process_exec, + "%.fpt%")OR LIKE (process_exec, "%.ora%")) | stats count min(_time) as firstTime + max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_auditd_database_file_and_directory_discovery_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A [$process_exec$] event occurred on host - [$dest$] to discover database files and directories. + mitre_attack_id: + - T1083 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_dd_file_overwrite.yml b/detections/endpoint/linux_auditd_dd_file_overwrite.yml new file mode 100644 index 0000000000..4dfca37b55 --- /dev/null +++ b/detections/endpoint/linux_auditd_dd_file_overwrite.yml @@ -0,0 +1,65 @@ +name: Linux Auditd Dd File Overwrite +id: d1b74420-4cea-4752-a123-9b40dfcca49a +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects the use of the 'dd' command to overwrite + files on a Linux system. It leverages data from Linux Auditd telemetry, focusing on process execution logs that include command-line details. + This activity is significant because adversaries often use the 'dd' command to destroy + or irreversibly overwrite files, disrupting system availability and services. If + confirmed malicious, this behavior could lead to data destruction, making recovery + difficult and potentially causing significant operational disruptions. +data_source: +- Linux Auditd Proctitle +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE(process_exec, "%dd %") AND LIKE(process_exec, "% of=%") | stats + count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter + dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_dd_file_overwrite_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. +references: +- https://gtfobins.github.io/gtfobins/dd/ +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md +tags: + analytic_story: + - Industroyer2 + - Data Destruction + - Compromised Linux Host + asset_type: Endpoint + confidence: 90 + impact: 90 + message: A [$process_exec$] event occurred on host - [$dest$]. + mitre_attack_id: + - T1485 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - proctitle + risk_score: 81 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml new file mode 100644 index 0000000000..c06023c1cc --- /dev/null +++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml @@ -0,0 +1,70 @@ +name: Linux Auditd Disable Or Modify System Firewall +id: 07052556-d4b5-4bae-89aa-cbdc1bb11250 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the suspicious disable or modify system + firewall. This behavior is critical for a SOC to monitor because it may indicate + attempts to gain unauthorized access or maintain control over a system. Such actions + could be signs of malicious activity. If confirmed, this could lead to serious consequences, + including a compromised system, unauthorized access to sensitive data, or even a + wider breach affecting the entire network. Detecting and responding to these signs + early is essential to prevent potential security incidents. +data_source: +- Linux Auditd Service Stop +search: '`linux_auditd` type=SERVICE_STOP unit IN ("firewalld", "ufw") | rename host + as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid + UID comm exe unit dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_disable_or_modify_system_firewall_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A service event - [$type$] to disable or modify system firewall occured on host - [$dest$] . + mitre_attack_id: + - T1562.004 + - T1562 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - type + - pid + - UID + - comm + - exe + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml new file mode 100644 index 0000000000..563cd85b6c --- /dev/null +++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml @@ -0,0 +1,68 @@ +name: Linux Auditd Doas Conf File Creation +id: 61059783-574b-40d2-ac2f-69b898afd6b4 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects the creation of the doas.conf file on + a Linux host. This file is used by the doas utility to allow standard users to perform + tasks as root, similar to sudo. The detection leverages Linux Auditd data, focusing on + the creation of the doas.conf file. This activity is significant because it can + indicate an attempt to gain elevated privileges, potentially by an adversary. If + confirmed malicious, this could allow an attacker to execute commands with root + commands with root privileges, leading to full system compromise. +data_source: +- Linux Auditd Path +search: '`linux_auditd` type=PATH name ="/etc/doas.conf*" | rename host as dest | + stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID + dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_doas_conf_file_creation_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. +references: +- https://wiki.gentoo.org/wiki/Doas +- https://www.makeuseof.com/how-to-install-and-use-doas/ +tags: + analytic_story: + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A [$type$] event occured on host - [$dest$] to create a doas.conf file. + mitre_attack_id: + - T1548.003 + - T1548 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - name + - nametype + - OGID + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml new file mode 100644 index 0000000000..884e79ac0d --- /dev/null +++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml @@ -0,0 +1,70 @@ +name: Linux Auditd Doas Tool Execution +id: 91b8ca78-f205-4826-a3ef-cd8d6b24e97b +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the execution of the 'doas' tool on a + Linux host. This tool allows standard users to perform tasks with root privileges, + similar to 'sudo'. The detection leverages data from Linux Auditd, focusing on process names and command-line executions. This activity + is significant as 'doas' can be exploited by adversaries to gain elevated privileges + on a compromised host. If confirmed malicious, this could lead to unauthorized administrative + access, potentially compromising the entire system. +data_source: +- Linux Auditd Syscall +search: '`linux_auditd` type=SYSCALL comm=doas | rename host as dest | stats count + min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid + success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_doas_tool_execution_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. +references: +- https://wiki.gentoo.org/wiki/Doas +- https://www.makeuseof.com/how-to-install-and-use-doas/ +tags: + analytic_story: + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 70 + impact: 70 + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to execute the "doas" tool. + mitre_attack_id: + - T1548.003 + - T1548 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - comm + - exe + - SYSCALL + - UID + - ppid + - pid + risk_score: 49 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml new file mode 100644 index 0000000000..f8a4b96e3b --- /dev/null +++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml @@ -0,0 +1,73 @@ +name: Linux Auditd Edit Cron Table Parameter +id: f4bb7321-7e64-4d1e-b1aa-21f8b019a91f +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects the suspicious editing of cron jobs in + Linux using the crontab command-line parameter (-e). It identifies this activity + by monitoring command-line executions involving 'crontab' and the edit parameter. + This behavior is significant for a SOC as cron job manipulations can indicate unauthorized + persistence attempts or scheduled malicious actions. If confirmed malicious, this + activity could lead to system compromise, unauthorized access, or broader network + compromise. +data_source: +- Linux Auditd Syscall +search: '`linux_auditd` type=SYSCALL SYSCALL=rename (comm IN ("crontab") OR exe IN + ("*/crontab")) success=yes AND NOT (UID IN("daemon")) | rename host as dest | stats + count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid + pid dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_edit_cron_table_parameter_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://attack.mitre.org/techniques/T1053/003/ +tags: + analytic_story: + - Scheduled Tasks + - Linux Privilege Escalation + - Linux Persistence Techniques + - Linux Living Off The Land + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to edit the cron table. + mitre_attack_id: + - T1053.003 + - T1053 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - comm + - exe + - SYSCALL + - UID + - ppid + - pid + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml new file mode 100644 index 0000000000..bf39f2489c --- /dev/null +++ b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml @@ -0,0 +1,79 @@ +name: Linux Auditd File And Directory Discovery +id: 0bbfb79c-a755-49a5-a38a-1128d0a452f1 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects suspicious file and directory discovery + activities, which may indicate an attacker's effort to locate sensitive documents + and files on a compromised system. This behavior often precedes data exfiltration, + as adversaries seek to identify valuable or confidential information for theft. + By identifying unusual or unauthorized attempts to browse or enumerate files and + directories, this analytic helps security teams detect potential reconnaissance + or preparatory actions by an attacker, enabling timely intervention to prevent data + breaches or unauthorized access. +data_source: +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND + (LIKE (process_exec, "%.tif%") OR LIKE (process_exec, "%.tiff%") OR LIKE (process_exec, + "%.gif%") OR LIKE (process_exec, "%.jpeg%")OR LIKE (process_exec, "%.jpg%")OR LIKE + (process_exec, "%.jif%")OR LIKE (process_exec, "%.jfif%")OR LIKE (process_exec, + "%.jp2%")OR LIKE (process_exec, "%.jpx%")OR LIKE (process_exec, "%.j2k%")OR LIKE + (process_exec, "%.j2c%")OR LIKE (process_exec, "%.fpx%")OR LIKE (process_exec, "%.pcd%")OR + LIKE (process_exec, "%.png%")OR LIKE (process_exec, "%.flv%") OR LIKE (process_exec, + "%.pdf%")OR LIKE (process_exec, "%.mp4%")OR LIKE (process_exec, "%.mp3%")OR LIKE + (process_exec, "%.gifv%")OR LIKE (process_exec, "%.avi%")OR LIKE (process_exec, + "%.mov%")OR LIKE (process_exec, "%.mpeg%")OR LIKE (process_exec, "%.wav%")OR LIKE + (process_exec, "%.doc%")OR LIKE (process_exec, "%.docx%")OR LIKE (process_exec, + "%.xls%")OR LIKE (process_exec, "%.xlsx%")OR LIKE (process_exec, "%.svg%")) | stats + count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_and_directory_discovery_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A [$process_exec$] event occurred on host - [$dest$] to discover files and directories. + mitre_attack_id: + - T1083 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml new file mode 100644 index 0000000000..9ef853f1f3 --- /dev/null +++ b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml @@ -0,0 +1,69 @@ +name: Linux Auditd File Permission Modification Via Chmod +id: 5f1d2ea7-eec0-4790-8b24-6875312ad492 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects suspicious file permission modifications + using the `chmod` command, which may indicate an attacker attempting to alter access + controls on critical files or directories. Such modifications can be used to grant + unauthorized users elevated privileges or to conceal malicious activities by restricting + legitimate access. By monitoring for unusual or unauthorized `chmod` usage, this + analytic helps identify potential security breaches, allowing security teams to + respond promptly to prevent privilege escalation, data tampering, or other unauthorized + actions on the system. +data_source: +- Linux Auditd Proctitle +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE(process_exec, "%chmod%") AND (LIKE(process_exec, "% 777 %") + OR LIKE(process_exec, "% 755 %") OR LIKE(process_exec, "%x%") OR LIKE(process_exec, + "% 754 %") OR LIKE(process_exec, "% 700 %")) | stats count min(_time) as firstTime + max(_time) as lastTime by process_exec proctitle dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_auditd_file_permission_modification_via_chmod_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A [$process_exec$] event occurred on host - [$dest$] to modify file permissions using the "chmod" command. + mitre_attack_id: + - T1222.002 + - T1222 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - proctitle + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml new file mode 100644 index 0000000000..02dd37610f --- /dev/null +++ b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml @@ -0,0 +1,69 @@ +name: Linux Auditd File Permissions Modification Via Chattr +id: f2d1110d-b01c-4a58-9975-90a9edeb083a +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects suspicious file permissions modifications + using the chattr command, which may indicate an attacker attempting to manipulate + file attributes to evade detection or prevent alteration. The chattr command can + be used to make files immutable or restrict deletion, which can be leveraged to + protect malicious files or disrupt system operations. By monitoring for unusual + or unauthorized chattr usage, this analytic helps identify potential tampering with + critical files, enabling security teams to quickly respond to and mitigate threats + associated with unauthorized file attribute changes. +data_source: +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE(process_exec, "%chattr %") AND LIKE(process_exec, "% -i%") + | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle + normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_file_permissions_modification_via_chattr_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 70 + impact: 70 + message: A [$process_exec$] event occurred on host - [$dest$] to modify file permissions using the "chattr" command. + mitre_attack_id: + - T1222.002 + - T1222 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 49 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml new file mode 100644 index 0000000000..fbb9f814e0 --- /dev/null +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml @@ -0,0 +1,76 @@ +name: Linux Auditd Find Credentials From Password Managers +id: 784241aa-85a5-4782-a503-d071bd3446f9 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects suspicious attempts to find credentials + stored in password managers, which may indicate an attacker's effort to retrieve + sensitive login information. Password managers are often targeted by adversaries + seeking to access stored passwords for further compromise or lateral movement within + a network. By monitoring for unusual or unauthorized access to password manager + files or processes, this analytic helps identify potential credential theft attempts, + enabling security teams to respond quickly to protect critical accounts and prevent + further unauthorized access. +data_source: +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND + (LIKE (process_exec, "%.kdbx%") OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, + "%KeePass\.enforced%") OR LIKE (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR + LIKE (process_exec, "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE + (process_exec, "%.rfx%")OR LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, + "%.spdb%")OR LIKE (process_exec, "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR + LIKE (process_exec, "%enpass%")OR LIKE (process_exec, "%vault%")OR LIKE (process_exec, + "%.kdb%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc + process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_find_credentials_from_password_managers_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A [$process_exec$] event occurred on host - [$dest$] to find credentials stored in password managers. + mitre_attack_id: + - T1555.005 + - T1555 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml new file mode 100644 index 0000000000..a6124b82e4 --- /dev/null +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml @@ -0,0 +1,71 @@ +name: Linux Auditd Find Credentials From Password Stores +id: 4de73044-9a1d-4a51-a1c2-85267d8dcab3 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects suspicious attempts to find credentials + stored in password stores, indicating a potential attacker's effort to access sensitive + login information. Password stores are critical repositories that contain valuable + credentials, and unauthorized access to them can lead to significant security breaches. + By monitoring for unusual or unauthorized activities related to password store access, + this analytic helps identify potential credential theft attempts, allowing security + teams to respond promptly and prevent unauthorized access to critical systems and + data. +data_source: +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND + (LIKE (process_exec, "%password%") OR LIKE (process_exec, "%pass %") OR LIKE (process_exec, + "%credential%")OR LIKE (process_exec, "%creds%")) | stats count min(_time) as firstTime + max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_stores_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A [$process_exec$] event occurred on host - [$dest$] to find credentials stored in password managers. + mitre_attack_id: + - T1555.005 + - T1555 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_find_private_keys.yml b/detections/endpoint/linux_auditd_find_private_keys.yml new file mode 100644 index 0000000000..9ff566aa84 --- /dev/null +++ b/detections/endpoint/linux_auditd_find_private_keys.yml @@ -0,0 +1,66 @@ +name: Linux Auditd Find Private Keys +id: 80bb9988-190b-4ee0-a3c3-509545a8f678 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: "The following analytic detects suspicious attempts to find private keys, which may indicate an attacker's effort to access sensitive cryptographic information. Private keys are crucial for securing encrypted communications and data, and unauthorized access to them can lead to severe security breaches, including data decryption and identity theft. By monitoring for unusual or unauthorized searches for private keys, this analytic helps identify potential threats to cryptographic security, enabling security teams to take swift action to protect the integrity and confidentiality of encrypted information." +data_source: +- Linux Auditd Execve +search: ' `linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND + (LIKE (process_exec, "%.pem%") OR LIKE (process_exec, "%.cer%") OR LIKE (process_exec, + "%.crt%") OR LIKE (process_exec, "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE + (process_exec, "%.gpg%")OR LIKE (process_exec, "%.ppk%") OR LIKE (process_exec, + "%.p12%")OR LIKE (process_exec, "%.pfx%")OR LIKE (process_exec, "%.p7b%")) | stats + count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_private_keys_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A [$process_exec$] event occurred on host - [$dest$] to find private keys. + mitre_attack_id: + - T1552.004 + - T1552 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml new file mode 100644 index 0000000000..c4498b01eb --- /dev/null +++ b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml @@ -0,0 +1,65 @@ +name: Linux Auditd Find Ssh Private Keys +id: e2d2bd10-dcd1-4b2f-8a76-0198eab32ba5 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: "The following analytic detects suspicious attempts to find SSH private keys, which may indicate an attacker's effort to compromise secure access to systems. SSH private keys are essential for secure authentication, and unauthorized access to these keys can enable attackers to gain unauthorized access to servers and other critical infrastructure. By monitoring for unusual or unauthorized searches for SSH private keys, this analytic helps identify potential threats to network security, allowing security teams to quickly respond and safeguard against unauthorized access and potential breaches." +data_source: +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND + (LIKE (process_exec, "%id_rsa%") OR LIKE (process_exec, "%id_dsa%")OR LIKE (process_exec, + "%.key%") OR LIKE (process_exec, "%ssh_key%")OR LIKE (process_exec, "%authorized_keys%")) + | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_find_ssh_private_keys_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 70 + impact: 70 + message: A [$process_exec$] event occurred on host - [$dest$] to find SSH private keys. + mitre_attack_id: + - T1552.004 + - T1552 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml new file mode 100644 index 0000000000..fcede5c55c --- /dev/null +++ b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml @@ -0,0 +1,69 @@ +name: Linux Auditd Hardware Addition Swapoff +id: 5728bb16-1a0b-4b66-bce2-0074ac839770 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the execution of the "swapoff" command, + which disables the swapping of paging devices on a Linux system. It leverages data + from Endpoint Detection and Response (EDR) agents, focusing on process execution + logs. This activity is significant because disabling swap can be a tactic used by + malware, such as Awfulshred, to evade detection and hinder forensic analysis. If + confirmed malicious, this action could allow an attacker to manipulate system memory + management, potentially leading to data corruption, system instability, or evasion + of memory-based detection mechanisms. +data_source: +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE(process_exec, "%swapoff %") AND LIKE(process_exec, "% -a%") + | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle + normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_hardware_addition_swapoff_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: administrator may disable swapping of devices in a linux host. + Filter is needed. +references: +- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ +tags: + analytic_story: + - Data Destruction + - AwfulShred + - Compromised Linux Host + asset_type: Endpoint + confidence: 60 + impact: 60 + message: A [$process_exec$] event occurred on host - [$dest$] to disable the swapping + of paging devices on a Linux system. + mitre_attack_id: + - T1200 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 36 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.log + source: /var/log/audit/audit.log + sourcetype: linux:audit + update_timestamp: true diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml new file mode 100644 index 0000000000..c8a07b3865 --- /dev/null +++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml @@ -0,0 +1,72 @@ +name: Linux Auditd Hidden Files And Directories Creation +id: 555cc358-bf16-4e05-9b3a-0f89c73b7261 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: "The following analytic detects suspicious creation of hidden files and + directories, which may indicate an attacker's attempt to conceal malicious activities + or unauthorized data. Hidden files and directories are often used to evade detection + by security tools and administrators, providing a stealthy means for storing malware, + logs, or sensitive information. By monitoring for unusual or unauthorized creation of + hidden files and directories, this analytic helps identify potential attempts to hide + or unauthorized creation of hidden files and directories, this analytic helps identify + potential attempts to hide malicious operations, enabling security teams to uncover + and address hidden threats effectively." +data_source: +- Linux Auditd Execve +search: ' `linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where (LIKE (process_exec,"%touch %") OR LIKE (process_exec,"%mkdir %")OR + LIKE (process_exec,"%vim %") OR LIKE (process_exec,"%vi %") OR LIKE (process_exec,"%nano + %")) AND (LIKE (process_exec,"% ./.%") OR LIKE (process_exec," .%")OR LIKE (process_exec," + /.%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_hidden_files_and_directories_creation_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A [$process_exec$] event occurred on host - [$dest$]. + mitre_attack_id: + - T1083 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml new file mode 100644 index 0000000000..215c54dcc4 --- /dev/null +++ b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml @@ -0,0 +1,73 @@ +name: Linux Auditd Insert Kernel Module Using Insmod Utility +id: bc0ca53f-dea6-4906-9b12-09c396fdf1d3 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the insertion of a Linux kernel module + using the insmod utility. It leverages data from Linux Auditd, focusing on process execution logs that include process names and + command-line details. This activity is significant as it may indicate the installation + of a rootkit or malicious kernel module, potentially allowing an attacker to gain + elevated privileges and bypass security detections. If confirmed malicious, this + could lead to unauthorized code execution, persistent access, and severe compromise + of the affected system. +data_source: +- Linux Auditd Syscall +search: '`linux_auditd` type=SYSCALL comm=insmod | rename host as dest | stats count + min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid + success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_insert_kernel_module_using_insmod_utility_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. +references: +- https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ +- https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup +- https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 +tags: + analytic_story: + - Linux Privilege Escalation + - Linux Rootkit + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to insert a Linux kernel module using the insmod utility. + mitre_attack_id: + - T1547.006 + - T1547 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - comm + - exe + - SYSCALL + - UID + - ppid + - pid + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml new file mode 100644 index 0000000000..d1753399c9 --- /dev/null +++ b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml @@ -0,0 +1,73 @@ +name: Linux Auditd Install Kernel Module Using Modprobe Utility +id: 95165985-ace5-4d42-9c42-93a89a5af901 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the installation of a Linux kernel module + using the modprobe utility. It leverages data from Linux Auditd, focusing on process names and command-line executions. This activity + is significant because installing a kernel module can indicate an attempt to deploy + a rootkit or other malicious kernel-level code, potentially leading to elevated + privileges and bypassing security detections. If confirmed malicious, this could + allow an attacker to gain persistent, high-level access to the system, compromising + its integrity and security. +data_source: +- Linux Auditd Syscall +search: '`linux_auditd` type=SYSCALL comm=modprobe | rename host as dest | stats count + min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid + success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_install_kernel_module_using_modprobe_utility_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. +references: +- https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ +- https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup +- https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 +tags: + analytic_story: + - Linux Privilege Escalation + - Linux Rootkit + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to install a Linux kernel module using the modprobe utility. + mitre_attack_id: + - T1547.006 + - T1547 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - comm + - exe + - SYSCALL + - UID + - ppid + - pid + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml new file mode 100644 index 0000000000..a9ef21100c --- /dev/null +++ b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml @@ -0,0 +1,69 @@ +name: Linux Auditd Kernel Module Enumeration +id: d1b088de-c47a-4572-9339-bdcc26493b32 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic identifies the use of the 'kmod' process to list + kernel modules on a Linux system. This detection leverages data from Linux Auditd, focusing on process names and command-line executions. + While listing kernel modules is not inherently malicious, it can be a precursor + to loading unauthorized modules using 'insmod'. If confirmed malicious, this activity + could allow an attacker to load kernel modules, potentially leading to privilege + escalation, persistence, or other malicious actions within the system. +data_source: +- Linux Auditd Syscall +search: '`linux_auditd` type=SYSCALL comm=lsmod | rename host as dest | stats count + min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid + success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `linux_auditd_kernel_module_enumeration_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: False positives are present based on automated tooling or system + administrative usage. Filter as needed. +references: +- https://man7.org/linux/man-pages/man8/kmod.8.html +tags: + analytic_story: + - Linux Rootkit + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 30 + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to list kernel modules. + mitre_attack_id: + - T1082 + - T1014 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - comm + - exe + - SYSCALL + - UID + - ppid + - pid + risk_score: 15 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.log + source: /var/log/audit/audit.log + sourcetype: linux:audit + update_timestamp: true diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml new file mode 100644 index 0000000000..0203fa75c1 --- /dev/null +++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml @@ -0,0 +1,65 @@ +name: Linux Auditd Kernel Module Using Rmmod Utility +id: 31810b7a-0abe-42be-a210-0dec8106afee +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: "The following analytic detects suspicious use of the `rmmod` utility for kernel module removal, which may indicate an attacker attempt to unload critical or security-related kernel modules. The `rmmod` command is used to remove modules from the Linux kernel, and unauthorized use can be a tactic to disable security features, conceal malicious activities, or disrupt system operations. By monitoring for unusual or unauthorized `rmmod` activity, this analytic helps identify potential tampering with kernel modules, enabling security teams to take proactive measures to protect system integrity and security." +data_source: +- Linux Auditd Syscall +search: '`linux_auditd` type=SYSCALL comm=rmmod | rename host as dest | stats count + min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid + success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_kernel_module_using_rmmod_utility_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 90 + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to remove a Linux kernel module using the rmmod utility. + mitre_attack_id: + - T1547.006 + - T1547 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - comm + - exe + - SYSCALL + - UID + - ppid + - pid + risk_score: 72 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml new file mode 100644 index 0000000000..511e1a611b --- /dev/null +++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml @@ -0,0 +1,67 @@ +name: Linux Auditd Nopasswd Entry In Sudoers File +id: 651df959-ad17-4b73-a323-90cb96d5fa1b +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the addition of NOPASSWD entries to the + /etc/sudoers file on Linux systems. It leverages Linux Auditd data to identify command lines containing "NOPASSWD:". This activity + is significant because it allows users to execute commands with elevated privileges + without requiring a password, which can be exploited by adversaries to maintain + persistent, privileged access. If confirmed malicious, this could lead to unauthorized + privilege escalation, persistent access, and potential compromise of sensitive data + and system integrity. +data_source: +- Linux Auditd Proctitle +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE (process_exec, "%NOPASSWD%") | stats count min(_time) as firstTime + max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter + dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_nopasswd_entry_in_sudoers_file_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. +references: +- https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands +- https://help.ubuntu.com/community/Sudoers +tags: + analytic_story: + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A [$process_exec$] event occurred on host - [$dest$] to add NOPASSWD entry in sudoers file. + mitre_attack_id: + - T1548.003 + - T1548 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - proctitle + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml new file mode 100644 index 0000000000..072d6a1dc6 --- /dev/null +++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml @@ -0,0 +1,70 @@ +name: Linux Auditd Osquery Service Stop +id: 0c320fea-6e87-4b99-a884-74d09d4b655d +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects suspicious stopping of the `osquery` service, + which may indicate an attempt to disable monitoring and evade detection. `Osquery` + is a powerful tool used for querying system information and detecting anomalies, + and stopping its service can be a sign that an attacker is trying to disrupt security + monitoring or hide malicious activities. By monitoring for unusual or unauthorized + stops of the `osquery` service, this analytic helps identify potential efforts to + bypass security controls, enabling security teams to investigate and respond to + possible threats effectively. +data_source: +- Linux Auditd Service Stop +search: '`linux_auditd` type=SERVICE_STOP unit IN ("osqueryd") | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm + exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_osquery_service_stop_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A service event - [$type$] event occured on host - [$dest$] to stop the osquery service. + mitre_attack_id: + - T1489 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - type + - pid + - UID + - comm + - exe + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml new file mode 100644 index 0000000000..b7577183a0 --- /dev/null +++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml @@ -0,0 +1,69 @@ +name: Linux Auditd Possible Access Or Modification Of Sshd Config File +id: acb3ea33-70f7-47aa-b335-643b3aebcb2f +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects suspicious access or modification of the + sshd_config file on Linux systems. It leverages data from Linux Auditd, focusing on command-line executions involving processes like + "cat," "nano," "vim," and "vi" accessing the sshd_config file. This activity is + significant because unauthorized changes to sshd_config can allow threat actors + to redirect port connections or use unauthorized keys, potentially compromising + the system. If confirmed malicious, this could lead to unauthorized access, privilege + escalation, or persistent backdoor access, posing a severe security risk. +data_source: +- Linux Auditd Path +search: '`linux_auditd` type=PATH name="/etc/ssh/ssh_config*" | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID + dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_possible_access_or_modification_of_sshd_config_file_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this commandline + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.hackingarticles.in/ssh-penetration-testing-port-22/ +- https://attack.mitre.org/techniques/T1098/004/ +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A [$type$] has been accessed/modified on host - [$dest$] to modify the sshd_config file. + mitre_attack_id: + - T1098.004 + - T1098 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - name + - nametype + - OGID + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_ssh_config.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml new file mode 100644 index 0000000000..eb214c17fe --- /dev/null +++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml @@ -0,0 +1,69 @@ +name: Linux Auditd Possible Access To Credential Files +id: 0419cb7a-57ea-467b-974f-77c303dfe2a3 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects attempts to access or dump the contents + of /etc/passwd and /etc/shadow files on Linux systems. It leverages data from Linux + Auditd, focusing on processes like 'cat', 'nano', 'vim', and 'vi' accessing these + files. This activity is significant as it may indicate credential dumping, a technique + used by adversaries to gain persistence or escalate privileges. If confirmed malicious, + privileges. If confirmed malicious, attackers could obtain hashed passwords for + offline cracking, leading to unauthorized access and potential system compromise. +data_source: +- Linux Auditd Proctitle +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where (LIKE (process_exec, "%shadow%") OR LIKE (process_exec, "%passwd%")) + AND (LIKE (process_exec, "%cat %") OR LIKE (process_exec, "%nano %")OR LIKE (process_exec, + "%vim %") OR LIKE (process_exec, "%vi %")) | stats count min(_time) as firstTime + max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_possible_access_to_credential_files_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. +references: +- https://askubuntu.com/questions/445361/what-is-difference-between-etc-shadow-and-etc-passwd +- https://attack.mitre.org/techniques/T1003/008/ +tags: + analytic_story: + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A [$process_exec$] event occurred on host - [$dest$] to access or dump the contents of /etc/passwd and /etc/shadow files. + mitre_attack_id: + - T1003.008 + - T1003 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - proctitle + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml new file mode 100644 index 0000000000..7c5b6fc127 --- /dev/null +++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml @@ -0,0 +1,66 @@ +name: Linux Auditd Possible Access To Sudoers File +id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects potential access or modification of the + /etc/sudoers file on a Linux system. It leverages data from Linux Auditd, focusing on processes like "cat," "nano," "vim," and "vi" + accessing the /etc/sudoers file. This activity is significant because the sudoers + file controls user permissions for executing commands with elevated privileges. + If confirmed malicious, an attacker could gain persistence or escalate privileges, + compromising the security of the targeted host. +data_source: +- Linux Auditd Path +search: '`linux_auditd` type=PATH name="/etc/sudoers*" | rename host as dest | stats + count min(_time) as firstTime max(_time) as lastTime by name nametype OGID dest + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_possible_access_to_sudoers_file_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: administrator or network operator can execute this command. + Please update the filter macros to remove false positives. +references: +- https://attack.mitre.org/techniques/T1548/003/ +- https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf +tags: + analytic_story: + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A [$type$] has been accessed/modified on host - [$dest$] to access or modify the sudoers file. + mitre_attack_id: + - T1548.003 + - T1548 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - name + - nametype + - OGID + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml new file mode 100644 index 0000000000..3dbb2bf6cd --- /dev/null +++ b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -0,0 +1,72 @@ +name: Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File +id: fea71cf0-fa10-4ef6-9202-9682b2e0c477 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Hunting +description: The following analytic detects potential tampering with cronjob files + on a Linux system by identifying 'echo' commands that append code to existing cronjob + files. It leverages logs from Linux Auditd, focusing on process names, parent processes, and command-line executions. This activity is + significant because adversaries often use it for persistence or privilege escalation. + If confirmed malicious, this could allow attackers to execute unauthorized code + automatically, leading to system compromises and unauthorized data access, thereby + impacting business operations and data integrity. +data_source: +- Linux Auditd Path +search: '`linux_auditd` type=PATH name IN("*/etc/cron*", "*/var/spool/cron/*", "*/etc/anacrontab*") + | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime + by name nametype OGID dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: False positives may arise from legitimate actions by administrators + or network operators who may use these commands for automation purposes. Therefore, + it's recommended to adjust filter macros to eliminate such false positives. +references: +- https://attack.mitre.org/techniques/T1053/003/ +- https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability +- https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ +tags: + analytic_story: + - Scheduled Tasks + - Linux Privilege Escalation + - Linux Persistence Techniques + - Linux Living Off The Land + - Compromised Linux Host + asset_type: Endpoint + confidence: 70 + impact: 70 + message: A [$type$] event has occured on host - [$dest$] to append a cronjob entry on an existing cronjob file. + mitre_attack_id: + - T1053.003 + - T1053 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - name + - nametype + - OGID + risk_score: 49 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited2.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml new file mode 100644 index 0000000000..1a1d49c96b --- /dev/null +++ b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml @@ -0,0 +1,66 @@ +name: Linux Auditd Preload Hijack Library Calls +id: 35c50572-a70b-452f-afa9-bebdf3c3ce36 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects the use of the LD_PRELOAD environment + variable to hijack or hook library functions on a Linux platform. It leverages data + from Linux Auditd, focusing on process execution logs that include command-line details. This activity is significant because adversaries, + malware authors, and red teamers commonly use this technique to gain elevated privileges + and establish persistence on a compromised machine. If confirmed malicious, this + behavior could allow attackers to execute arbitrary code, escalate privileges, and + maintain long-term access to the system. +data_source: +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where LIKE (process_exec, "%LD_PRELOAD%")| stats count min(_time) as firstTime + max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `linux_auditd_preload_hijack_library_calls_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. +references: +- https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5 +tags: + analytic_story: + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 90 + impact: 90 + message: A [$process_exec$] event occurred on host - [$dest$] to hijack or hook library functions using the LD_PRELOAD environment variable. + mitre_attack_id: + - T1574.006 + - T1574 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 81 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml new file mode 100644 index 0000000000..109ef8c438 --- /dev/null +++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml @@ -0,0 +1,62 @@ +name: Linux Auditd Preload Hijack Via Preload File +id: c1b7abca-55cb-4a39-bdfb-e28c1c12745f +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: "The following analytic detects suspicious preload hijacking via the `preload` file, which may indicate an attacker's attempt to intercept or manipulate library loading processes. The `preload` file can be used to force the loading of specific libraries before others, potentially allowing malicious code to execute or alter application behavior. By monitoring for unusual or unauthorized modifications to the `preload` file, this analytic helps identify attempts to hijack preload mechanisms, enabling security teams to investigate and address potential threats to system integrity and security." +data_source: +- Linux Auditd Path +search: '`linux_auditd` type=PATH name="/etc/ld.so.preload*" | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID + dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_preload_hijack_via_preload_file_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 90 + impact: 90 + message: A [$type$] event has occured on host - [$dest$] to modify the preload file. + mitre_attack_id: + - T1574.006 + - T1574 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - name + - nametype + - OGID + risk_score: 81 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_service_restarted.yml b/detections/endpoint/linux_auditd_service_restarted.yml new file mode 100644 index 0000000000..051df9e2ab --- /dev/null +++ b/detections/endpoint/linux_auditd_service_restarted.yml @@ -0,0 +1,72 @@ +name: Linux Auditd Service Restarted +id: 8eb3e858-18d3-44a4-a514-52cfa39f154a +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the restarting or re-enabling of services + on Linux systems using the `systemctl` or `service` commands. It leverages data + from Linux Auditd, focusing on process and command-line execution logs. This activity + is significant as adversaries may use it to maintain persistence or execute unauthorized + actions. If confirmed malicious, this behavior could lead to repeated execution + of malicious payloads, unauthorized access, or data destruction. Security analysts + should investigate these events to mitigate risks and prevent further compromise. +data_source: +- Linux Auditd Proctitle +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service + %") ) AND(LIKE(process_exec, "%restart%") OR LIKE(process_exec, "%reenable%") OR + LIKE(process_exec, "%reload%")) | stats count min(_time) as firstTime max(_time) + as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `linux_auditd_service_restarted_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this commandline + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://attack.mitre.org/techniques/T1543/003/ +tags: + analytic_story: + - AwfulShred + - Scheduled Tasks + - Linux Privilege Escalation + - Data Destruction + - Linux Persistence Techniques + - Linux Living Off The Land + - Gomir + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A [$process_exec$] event occurred on host - [$dest$] to restart or re-enable a service. + mitre_attack_id: + - T1053.006 + - T1053 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - proctitle + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_service_started.yml b/detections/endpoint/linux_auditd_service_started.yml new file mode 100644 index 0000000000..0cccf2d1c4 --- /dev/null +++ b/detections/endpoint/linux_auditd_service_started.yml @@ -0,0 +1,68 @@ +name: Linux Auditd Service Started +id: b5eed06d-5c97-4092-a3a1-fa4b7e77c71a +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects the suspicious service started. This behavior + is critical for a SOC to monitor because it may indicate attempts to gain unauthorized + access or maintain control over a system. Such actions could be signs of malicious + activity. If confirmed, this could lead to serious consequences, including a compromised + system, unauthorized access to sensitive data, or even a wider breach affecting + the entire network. Detecting and responding to these signs early is essential to + prevent potential security incidents. +data_source: +- Linux Auditd Proctitle +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service + %") ) AND(LIKE(process_exec, "% start %") OR LIKE(process_exec, "% enable %")) | + stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle + normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_service_started_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A [$process_exec$] event occurred on host - [$dest$] to start or enable a service. + mitre_attack_id: + - T1569.002 + - T1569 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - proctitle + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml new file mode 100644 index 0000000000..40d98c4d48 --- /dev/null +++ b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml @@ -0,0 +1,68 @@ +name: Linux Auditd Setuid Using Chmod Utility +id: 8230c407-1b47-4d95-ac2e-718bd6381386 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the execution of the chmod utility to + set the SUID or SGID bit on files, which can allow users to temporarily gain root + or group-level access. This detection leverages data from Linux Auditd, focusing on process names and command-line arguments related + to chmod. This activity is significant as it can indicate an attempt to escalate + privileges or maintain persistence on a system. If confirmed malicious, an attacker + could gain elevated access, potentially compromising sensitive data or critical + system functions. +data_source: +- Linux Auditd Proctitle +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE (process_exec, "%chmod %") AND (LIKE (process_exec, "% u+s + %") OR LIKE (process_exec, "% g+s %") OR LIKE (process_exec, "% 4777 %") OR LIKE + (process_exec, "% 4577 %")) | stats count min(_time) as firstTime max(_time) as + lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_auditd_setuid_using_chmod_utility_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. +references: +- https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 90 + impact: 90 + message: A [$process_exec$] event occurred on host - [$dest$] to set the SUID or SGID bit on files using the chmod utility. + mitre_attack_id: + - T1548.001 + - T1548 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - proctitle + risk_score: 81 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml new file mode 100644 index 0000000000..ba6c251de4 --- /dev/null +++ b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml @@ -0,0 +1,69 @@ +name: Linux Auditd Setuid Using Setcap Utility +id: 1474459a-302b-4255-8add-d82f96d14cd9 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects the execution of the 'setcap' utility + to enable the SUID bit on Linux systems. It leverages Linux Auditd data, focusing on process names and command-line arguments that indicate the + use of 'setcap' with specific capabilities. This activity is significant because + setting the SUID bit allows a user to temporarily gain root access, posing a substantial + security risk. If confirmed malicious, an attacker could escalate privileges, execute + arbitrary commands with elevated permissions, and potentially compromise the entire + system. +data_source: +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where LIKE (process_exec, "%setcap %") AND (LIKE (process_exec, "% cap_setuid+ep + %") OR LIKE (process_exec, "% cap_setuid=ep %") OR LIKE (process_exec, "% cap_net_bind_service+p + %") OR LIKE (process_exec, "% cap_net_raw+ep %") OR LIKE (process_exec, "% cap_dac_read_search+ep + %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec + dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_setuid_using_setcap_utility_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. +references: +- https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ +tags: + analytic_story: + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 90 + impact: 90 + message: A [$process_exec$] event occurred on host - [$dest$] to set the SUID or SGID bit on files using the setcap utility. + mitre_attack_id: + - T1548.001 + - T1548 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 81 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setcap_priv.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_shred_overwrite_command.yml b/detections/endpoint/linux_auditd_shred_overwrite_command.yml new file mode 100644 index 0000000000..c139a7582d --- /dev/null +++ b/detections/endpoint/linux_auditd_shred_overwrite_command.yml @@ -0,0 +1,66 @@ +name: Linux Auditd Shred Overwrite Command +id: ce2bde4d-a1d4-4452-8c87-98440e5adfb3 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects the execution of the 'shred' command on + a Linux machine, which is used to overwrite files to make them unrecoverable. It + leverages data from Linux Auditd, focusing on process names and command-line arguments. This activity is significant because the 'shred' command can be used in destructive attacks, such as those seen in the Industroyer2 malware targeting energy facilities. If confirmed malicious, this activity could lead to the permanent destruction of critical files, severely impacting system integrity and data availability. +data_source: +- Linux Auditd Proctitle +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE (process_exec, "%shred%") AND (LIKE (process_exec, "%-n%") + OR LIKE (process_exec, "%-z%") OR LIKE (process_exec, "%-u%") OR LIKE (process_exec, + "%-s%")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec + proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `linux_auditd_shred_overwrite_command_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ +- https://cert.gov.ua/article/39518 +tags: + analytic_story: + - AwfulShred + - Linux Privilege Escalation + - Data Destruction + - Linux Persistence Techniques + - Industroyer2 + - Compromised Linux Host + asset_type: Endpoint + confidence: 90 + impact: 90 + message: A [$process_exec$] event occurred on host - [$dest$] to overwrite files using the shred utility. + mitre_attack_id: + - T1485 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - proctitle + risk_score: 81 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_stop_services.yml b/detections/endpoint/linux_auditd_stop_services.yml new file mode 100644 index 0000000000..c2ca43a903 --- /dev/null +++ b/detections/endpoint/linux_auditd_stop_services.yml @@ -0,0 +1,69 @@ +name: Linux Auditd Stop Services +id: 43bc9281-753b-4743-b4b7-60af84f085f3 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects attempts to stop or clear a service on + Linux systems. It leverages data from Linux Auditd, focusing on processes like "systemctl," "service," and "svcadm" executing stop commands. + This activity is significant as adversaries often terminate security or critical + services to disable defenses or disrupt operations, as seen in malware like Industroyer2. + If confirmed malicious, this could lead to the disabling of security mechanisms, + allowing attackers to persist, escalate privileges, or deploy destructive payloads, + severely impacting system integrity and availability. +data_source: +- Linux Auditd Service Stop +search: '`linux_auditd` type=SERVICE_STOP | rename host as dest | stats count min(_time) + as firstTime max(_time) as lastTime by type pid UID comm exe dest | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `linux_auditd_stop_services_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ +- https://cert.gov.ua/article/39518 +tags: + analytic_story: + - Industroyer2 + - Data Destruction + - AwfulShred + - Compromised Linux Host + asset_type: Endpoint + confidence: 70 + impact: 70 + message: A service event - [$type$] event occured on host - [$dest$] to stop or disable a service. + mitre_attack_id: + - T1489 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - type + - pid + - UID + - comm + - exe + risk_score: 49 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml new file mode 100644 index 0000000000..d49703030f --- /dev/null +++ b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml @@ -0,0 +1,66 @@ +name: Linux Auditd Sudo Or Su Execution +id: 817a5c89-5b92-4818-a22d-aa35e1361afe +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the execution of the "sudo" or "su" command + on a Linux operating system. It leverages data from Linux Auditd, focusing on process names and parent process names. This activity + is significant because "sudo" and "su" commands are commonly used by adversaries + to elevate privileges, potentially leading to unauthorized access or control over + the system. If confirmed malicious, this activity could allow attackers to execute + commands with root privileges, leading to severe security breaches, data exfiltration, + or further system compromise. +data_source: +- Linux Auditd Proctitle +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE(process_exec, "%sudo %") OR LIKE(process_exec, "%su %") | stats + count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_sudo_or_su_execution_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. +references: +- https://attack.mitre.org/techniques/T1548/003/ +tags: + analytic_story: + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A [$process_exec$] event occurred on host - [$dest$] to execute the sudo or su command. + mitre_attack_id: + - T1548.003 + - T1548 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - proctitle + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_sysmon_service_stop.yml b/detections/endpoint/linux_auditd_sysmon_service_stop.yml new file mode 100644 index 0000000000..b441b1e23a --- /dev/null +++ b/detections/endpoint/linux_auditd_sysmon_service_stop.yml @@ -0,0 +1,69 @@ +name: Linux Auditd Sysmon Service Stop +id: 20901256-633a-40de-8753-7b88811a460f +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects the suspicious sysmon service stop. This + behavior is critical for a SOC to monitor because it may indicate attempts to gain + unauthorized access or maintain control over a system. Such actions could be signs + of malicious activity. If confirmed, this could lead to serious consequences, including + a compromised system, unauthorized access to sensitive data, or even a wider breach + affecting the entire network. Detecting and responding to these signs early is essential + to prevent potential security incidents. +data_source: +- Linux Auditd Service Stop +search: '`linux_auditd` type=SERVICE_STOP unit IN ("sysmon") | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm + exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_sysmon_service_stop_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A service event - [$type$] event occured on host - [$dest$] to stop or disable the sysmon service. + mitre_attack_id: + - T1489 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - type + - pid + - UID + - comm + - exe + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml new file mode 100644 index 0000000000..299ac8abec --- /dev/null +++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml @@ -0,0 +1,74 @@ +name: Linux Auditd System Network Configuration Discovery +id: 5db16825-81bd-4923-a8d6-d6a13a59832a +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects suspicious system network configuration + discovery activities, which may indicate an adversary's attempt to gather information + about the network environment. Such actions typically involve commands or tools + used to identify network interfaces, routing tables, and active connections. Detecting + these activities is crucial, as they often precede more targeted attacks like lateral + movement or data exfiltration. By identifying unusual or unauthorized network discovery + efforts, this analytic helps security teams to swiftly detect and respond to potential + reconnaissance operations, mitigating the risk of further compromise. +data_source: +- Linux Auditd Syscall +search: '`linux_auditd` type=SYSCALL comm IN ("arp", "ifconfig", "ip", "netstat", + "firewall-cmd", "ufw", "iptables", "ss", "route") | bucket _time span=15m | rename + host as dest | stats dc(comm) as unique_commands, values(comm) as comm, values(exe) + as exe, values(SYSCALL) as SYSCALL, values(UID) as UID, values(ppid) as ppid, values(pid) + as pid, count, min(_time) as firstTime, max(_time) as lastTime by success dest | + where unique_commands >= 4 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_auditd_system_network_configuration_discovery_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover system network configuration. + mitre_attack_id: + - T1016 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - comm + - exe + - SYSCALL + - UID + - ppid + - pid + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml new file mode 100644 index 0000000000..e1af798091 --- /dev/null +++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml @@ -0,0 +1,75 @@ +name: Linux Auditd Unix Shell Configuration Modification +id: 66f737c6-3f7f-46ed-8e9b-cc0e5bf01f04 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects suspicious modifications to Unix shell + configuration files, which may indicate an attempt to alter system behavior or gain + unauthorized access. Unix shell configuration files, such as `.bashrc` or `.profile`, + control user environment settings and command execution. Unauthorized changes to + these files can be used to execute malicious commands, escalate privileges, or hide + malicious activities. By monitoring for unusual or unauthorized modifications to + shell configuration files, this analytic helps identify potential security threats, + allowing security teams to respond quickly and mitigate risks. +data_source: +- Linux Auditd Path +search: '`linux_auditd` type=PATH name IN ("/etc/profile", "/etc/shells", "/etc/profile.d", + "/etc/bash.bashrc", "/etc/bashrc", "/etc/zsh/zprofile", "/etc/zsh/zshrc", "/etc/zsh/zlogin", + "/etc/zsh/zlogout", "/etc/csh.cshrc", "/etc/csh.login", "/root/.bashrc", "/root/.bash_profile", + "root/.profile", "/root/.zshrc", "/root/.zprofile", "/home/*/.bashrc", "/home/*/.zshrc", + "/home/*/.bash_profile", "/home/*/.zprofile", "/home/*/.profile", "/home/*/.bash_login", + "/home/*/.bash_logout", "/home/*/.zlogin", "/home/*/.zlogout") | rename host as + dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype + OGID dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_unix_shell_configuration_modification_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A [$type$] event occured on host - [$dest$] to modify the unix shell configuration file. + mitre_attack_id: + - T1546.004 + - T1546 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - name + - nametype + - OGID + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml new file mode 100644 index 0000000000..5fb708ae4e --- /dev/null +++ b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml @@ -0,0 +1,69 @@ +name: Linux Auditd Unload Module Via Modprobe +id: 90964d6a-4b5f-409a-85bd-95e261e03fe9 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects suspicious use of the `modprobe` command + to unload kernel modules, which may indicate an attempt to disable critical system + components or evade detection. The `modprobe` utility manages kernel modules, and + unauthorized unloading of modules can disrupt system security features, remove logging + capabilities, or conceal malicious activities. By monitoring for unusual or unauthorized + `modprobe` operations involving module unloading, this analytic helps identify potential + tampering with kernel functionality, enabling security teams to investigate and + address possible threats to system integrity. +data_source: +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where LIKE (process_exec, "%modprobe%") AND LIKE (process_exec, "%-r %") + | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec + dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_unload_module_via_modprobe_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 70 + impact: 70 + message: A [$process_exec$] event occurred on host - [$dest$] to unload a kernel module via the modprobe command. + mitre_attack_id: + - T1547.006 + - T1547 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 49 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml new file mode 100644 index 0000000000..abd5c53579 --- /dev/null +++ b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml @@ -0,0 +1,63 @@ +name: Linux Auditd Virtual Disk File And Directory Discovery +id: eec78cef-d4c8-4b35-8f5b-6922102a4a41 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: "The following analytic detects suspicious discovery of virtual disk files and directories, which may indicate an attacker's attempt to locate and access virtualized storage environments. Virtual disks can contain sensitive data or critical system configurations, and unauthorized discovery attempts could signify preparatory actions for data exfiltration or further compromise. By monitoring for unusual or unauthorized searches for virtual disk files and directories, this analytic helps identify potential reconnaissance activities, enabling security teams to respond promptly and safeguard against unauthorized access and data breaches." +data_source: +- Linux Auditd Execve +search: ' `linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND + (LIKE (process_exec, "%.vhd%") OR LIKE (process_exec, "%.vhdx%") OR LIKE (process_exec, + "%.vmdk%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc + process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_virtual_disk_file_and_directory_discovery_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A [$process_exec$] event occurred on host - [$dest$] to discover virtual disk files and directories. + mitre_attack_id: + - T1083 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - argc + - process_exec + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml new file mode 100644 index 0000000000..ae07759e24 --- /dev/null +++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml @@ -0,0 +1,72 @@ +name: Linux Auditd Whoami User Discovery +id: d1ff2e22-310d-446a-80b3-faedaa7b3b52 +version: 1 +date: '2024-09-04' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the suspicious use of the whoami command, + which may indicate an attacker trying to gather information about the current user + account on a compromised system. The whoami command is commonly used to verify user + privileges and identity, especially during initial stages of an attack to assess + the level of access. By monitoring for unusual or unauthorized executions of whoami, + this analytic helps in identifying potential reconnaissance activities, enabling + security teams to take action before the attacker escalates privileges or conducts + further malicious operations. +data_source: +- Linux Auditd Syscall +search: '`linux_auditd` type=SYSCALL comm=whoami OR exe= "*/whoami" | rename host + as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL + UID ppid pid dest success | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_whoami_user_discovery_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. +references: +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS +tags: + analytic_story: + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover virtual disk files and directories. + mitre_attack_id: + - T1033 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - comm + - exe + - SYSCALL + - UID + - ppid + - pid + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log + source: /var/log/audit/audit.log + sourcetype: linux:audit diff --git a/macros/linux_auditd.yml b/macros/linux_auditd.yml new file mode 100644 index 0000000000..70ce2b76cd --- /dev/null +++ b/macros/linux_auditd.yml @@ -0,0 +1,4 @@ +definition: sourcetype="linux:audit" +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environmnent. +name: linux_auditd \ No newline at end of file diff --git a/macros/linux_auditd_normalized_execve_process.yml b/macros/linux_auditd_normalized_execve_process.yml new file mode 100644 index 0000000000..83f885f803 --- /dev/null +++ b/macros/linux_auditd_normalized_execve_process.yml @@ -0,0 +1,4 @@ +definition: 'type=EXECVE | eval relevant_fields=if(type="EXECVE", "", relevant_fields) | foreach a* [eval relevant_fields=if(type="EXECVE", mvappend(relevant_fields, ''<>''), relevant_fields)] | eval process_exec=if(type="EXECVE", mvjoin(relevant_fields, " "), process_exec) | eval process_exec=if(type="EXECVE", trim(process_exec), process_exec)' +description: customer specific splunk configurations to normalized auditd PROCTITLE type to recover process commandline. + Replace the macro definition with configurations for your Splunk Environmnent. +name: linux_auditd_normalized_execve_process \ No newline at end of file diff --git a/macros/linux_auditd_normalized_proctitle_process.yml b/macros/linux_auditd_normalized_proctitle_process.yml new file mode 100644 index 0000000000..999b133614 --- /dev/null +++ b/macros/linux_auditd_normalized_proctitle_process.yml @@ -0,0 +1,6 @@ +definition: 'type=PROCTITLE | eval normalized_proctitle_delimiter = if(type=="PROCTITLE" AND isnotnull(proctitle), if(match(proctitle,"^[0-9A-F]+$"), replace(proctitle, "000", "020"),proctitle),null()) + | eval normalized_proctitle_delimiter = if(type=="PROCTITLE" AND isnotnull(proctitle), if(match(normalized_proctitle_delimiter,"^[0-9A-F]+$"), replace(normalized_proctitle_delimiter, "00", "20"),normalized_proctitle_delimiter),null()) + | eval process_exec = if(match(normalized_proctitle_delimiter,"^[0-9A-F]+$"),urldecode(replace(normalized_proctitle_delimiter,"([0-9A-F]{2})","%\1")),normalized_proctitle_delimiter)' +description: customer specific splunk configurations to normalized auditd PROCTITLE type to recover process commandline. + Replace the macro definition with configurations for your Splunk Environmnent. +name: linux_auditd_normalized_proctitle_process \ No newline at end of file diff --git a/stories/compromised_linux_host.yml b/stories/compromised_linux_host.yml new file mode 100644 index 0000000000..7e2902252e --- /dev/null +++ b/stories/compromised_linux_host.yml @@ -0,0 +1,25 @@ +name: Compromised Linux Host +id: d7ea2fc0-3710-4257-b64f-f3c2a6abebd3 +version: 1 +date: '2024-06-25' +author: Teoderick Contreras, Splunk +description: Monitor for activities and techniques associated with Compromised Linux Host attacks. + These include unauthorized access attempts, unusual network traffic patterns, and the presence of + unknown or suspicious processes. Look for unexpected changes in system files, modifications to configuration files, + and the installation of unrecognized software. Pay attention to abnormal resource usage, such as high CPU or memory + consumption. Regularly review logs for signs of privilege escalation or lateral movement, and ensure integrity checks + are in place to detect tampering with critical system components. +narrative: In a tale of digital intrusion, Imagine a system administrator noticing unexpected spikes in network traffic and CPU usage. + Delving deeper, they find unknown processes running and unfamiliar software installed. System files and configurations show + unauthorized modifications, hinting at privilege escalation. Log reviews reveal attempts at lateral movement across the network. + The administrator's vigilance, combined with regular integrity checks, helps uncover and mitigate the threat. This narrative + underscores the importance of monitoring and swift action in maintaining a secure Linux environment. +references: [] +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file