splunk · patel-bhavin · Sep 4, 2024 · Aug 9, 2024 · Aug 9, 2024 · Aug 9, 2024
@@ -0,0 +1,66 @@
+name: Linux Auditd Add User Account
+id: aae66dc0-74b4-4807-b480-b35f8027abb4
+version: 1
+date: '2024-09-04'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects the creation of new user accounts on Linux
+  systems using commands like "useradd" or "adduser." It leverages data from Endpoint
+  Detection and Response (EDR) agents, focusing on process names and command-line
+  executions. This activity is significant as adversaries often create new user accounts
+  to establish persistence on compromised hosts. If confirmed malicious, this could
+  allow attackers to maintain access, escalate privileges, and further compromise
+  the system, posing a severe security risk.
+data_source:
+- Linux Auditd Proctitle
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as
+  dest | where LIKE (process_exec, "%useradd%") OR LIKE (process_exec, "%adduser%")
+  | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle
+  dest  | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
+  `linux_auditd_add_user_account_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+  data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+  executions and process details on Unix/Linux systems. These logs should be ingested
+  and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+  which is essential for correctly parsing and categorizing the data. The next step
+  involves normalizing the field names  to match the field names set by the Splunk
+  Common Information Model (CIM) to ensure consistency across different data sources
+  and enhance the efficiency of data modeling. This approach enables effective monitoring
+  and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can execute this command.
+  Please update the filter macros to remove false positives.
+references:
+- https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/
+tags:
+  analytic_story:
+  - Linux Privilege Escalation
+  - Linux Persistence Techniques
+  - Compromised Linux Host
+  asset_type: Endpoint
+  confidence: 50
+  impact: 50
+  message: A [$process_exec$] event occurred on host - [$dest$] to add a user account.
+  mitre_attack_id:
+  - T1136.001
+  - T1136
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - proctitle
+  risk_score: 25
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log
+    source: /var/log/audit/audit.log
+    sourcetype: linux:audit
@@ -0,0 +1,70 @@
+name: Linux Auditd Add User Account Type
+id: f8c325ea-506e-4105-8ccf-da1492e90115
+version: 1
+date: '2024-09-04'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects the suspicious add user account type.
+  This behavior is critical for a SOC to monitor because it may indicate attempts
+  to gain unauthorized access or maintain control over a system. Such actions could
+  be signs of malicious activity. If confirmed, this could lead to serious consequences,
+  including a compromised system, unauthorized access to sensitive data, or even a
+  wider breach affecting the entire network. Detecting and responding to these signs
+  early is essential to prevent potential security incidents.
+data_source:
+- Linux Auditd Add User
+search: ' `linux_auditd` type=ADD_USER | rename hostname as dest| stats count min(_time)
+  as firstTime max(_time) as lastTime by exe pid dest res UID type | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`| `linux_auditd_add_user_account_type_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+  data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+  executions and process details on Unix/Linux systems. These logs should be ingested
+  and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+  which is essential for correctly parsing and categorizing the data. The next step
+  involves normalizing the field names  to match the field names set by the Splunk
+  Common Information Model (CIM) to ensure consistency across different data sources
+  and enhance the efficiency of data modeling. This approach enables effective monitoring
+  and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can use this application
+  for automation purposes. Please update the filter macros to remove false positives.
+references:
+- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
+tags:
+  analytic_story:
+  - Linux Living Off The Land
+  - Linux Privilege Escalation
+  - Linux Persistence Techniques
+  - Compromised Linux Host
+  asset_type: Endpoint
+  confidence: 50
+  impact: 50
+  message: New [$type$] event on host - [$dest$] to add a user account type.
+  mitre_attack_id:
+  - T1136
+  - T1136.001
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - exe
+  - pid
+  - hostname
+  - res
+  - UID
+  - type
+  risk_score: 25
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log
+    source: /var/log/audit/audit.log
+    sourcetype: linux:audit
@@ -0,0 +1,75 @@
+name: Linux Auditd At Application Execution
+id: 9f306e0a-1c36-469e-8892-968ca12470dd
+version: 1
+date: '2024-09-04'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects the execution of the "At" application
+  in Linux, which can be used by attackers to create persistence entries on a compromised
+  host. This detection leverages data from Endpoint Detection and Response (EDR) agents,
+  focusing on process names and parent process names associated with "at" or "atd".
+  This activity is significant because the "At" application can be exploited to maintain
+  unauthorized access or deliver additional malicious payloads. If confirmed malicious,
+  this behavior could lead to data theft, ransomware attacks, or other severe consequences.
+  Immediate investigation is required to determine the legitimacy of the execution
+  and mitigate potential risks.
+data_source:
+- Linux Auditd Syscall
+search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd")
+  AND NOT (UID IN("daemon")) | rename host as dest | stats count min(_time) as firstTime
+  max(_time) as lastTime by comm exe  SYSCALL UID ppid pid dest | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`| `linux_auditd_at_application_execution_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+  data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+  executions and process details on Unix/Linux systems. These logs should be ingested
+  and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+  which is essential for correctly parsing and categorizing the data. The next step
+  involves normalizing the field names  to match the field names set by the Splunk
+  Common Information Model (CIM) to ensure consistency across different data sources
+  and enhance the efficiency of data modeling. This approach enables effective monitoring
+  and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can use this application
+  for automation purposes. Please update the filter macros to remove false positives.
+references:
+- https://attack.mitre.org/techniques/T1053/001/
+- https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/
+tags:
+  analytic_story:
+  - Scheduled Tasks
+  - Linux Privilege Escalation
+  - Linux Persistence Techniques
+  - Linux Living Off The Land
+  - Compromised Linux Host
+  asset_type: Endpoint
+  confidence: 30
+  impact: 30
+  message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to execute the "at" application.
+  mitre_attack_id:
+  - T1053.002
+  - T1053
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - comm
+  - exe
+  - SYSCALL
+  - UID
+  - ppid
+  - pid
+  risk_score: 9
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log
+    source: /var/log/audit/audit.log
+    sourcetype: linux:audit
@@ -0,0 +1,69 @@
+name: Linux Auditd Auditd Service Stop
+id: 6cb9d0e1-eabe-41de-a11a-5efade354e9d
+version: 1
+date: '2024-09-04'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects the suspicious auditd service stop. This
+  behavior is critical for a SOC to monitor because it may indicate attempts to gain
+  unauthorized access or maintain control over a system. Such actions could be signs
+  of malicious activity. If confirmed, this could lead to serious consequences, including
+  a compromised system, unauthorized access to sensitive data, or even a wider breach
+  affecting the entire network. Detecting and responding to these signs early is essential
+  to prevent potential security incidents.
+data_source:
+- Linux Auditd Service Stop
+search: '`linux_auditd` type=SERVICE_STOP unit IN ("auditd") | rename host as dest
+  | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm
+  exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
+  `linux_auditd_auditd_service_stop_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+  data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+  executions and process details on Unix/Linux systems. These logs should be ingested
+  and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+  which is essential for correctly parsing and categorizing the data. The next step
+  involves normalizing the field names  to match the field names set by the Splunk
+  Common Information Model (CIM) to ensure consistency across different data sources
+  and enhance the efficiency of data modeling. This approach enables effective monitoring
+  and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can use this application
+  for automation purposes. Please update the filter macros to remove false positives.
+references:
+- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
+tags:
+  analytic_story:
+  - Linux Living Off The Land
+  - Linux Privilege Escalation
+  - Linux Persistence Techniques
+  - Compromised Linux Host
+  asset_type: Endpoint
+  confidence: 50
+  impact: 50
+  message: A service event - [$type$] event occured on host - [$dest$].
+  mitre_attack_id:
+  - T1489
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - type
+  - pid
+  - UID
+  - comm
+  - exe
+  risk_score: 49
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log
+    source: /var/log/audit/audit.log
+    sourcetype: linux:audit
@@ -0,0 +1,69 @@
+name: Linux Auditd Base64 Decode Files
+id: 5890ba10-4e48-4dc0-8a40-3e1ebe75e737
+version: 1
+date: '2024-09-04'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects suspicious Base64 decode operations that
+  may indicate malicious activity, such as data exfiltration or execution of encoded
+  commands. Base64 is commonly used to encode data for safe transmission, but attackers
+  may abuse it to conceal malicious payloads. This detection focuses on identifying
+  unusual or unexpected Base64 decoding processes, particularly when associated with
+  critical files or directories. By monitoring these activities, the analytic helps
+  uncover potential threats, enabling security teams to respond promptly and mitigate
+  risks associated with encoded malware or unauthorized data access.
+data_source:
+- Linux Auditd Execve
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as
+  dest | where LIKE(process_exec, "%base64%") AND (LIKE(process_exec, "%-d %") OR
+  LIKE(process_exec, "% --d%")) | stats count min(_time) as firstTime max(_time) as
+  lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
+  `linux_auditd_base64_decode_files_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+  data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+  executions and process details on Unix/Linux systems. These logs should be ingested
+  and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+  which is essential for correctly parsing and categorizing the data. The next step
+  involves normalizing the field names  to match the field names set by the Splunk
+  Common Information Model (CIM) to ensure consistency across different data sources
+  and enhance the efficiency of data modeling. This approach enables effective monitoring
+  and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can use this application
+  for automation purposes. Please update the filter macros to remove false positives.
+references:
+- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
+- https://gtfobins.github.io/gtfobins/dd/
+tags:
+  analytic_story:
+  - Linux Living Off The Land
+  - Linux Privilege Escalation
+  - Linux Persistence Techniques
+  - Compromised Linux Host
+  asset_type: Endpoint
+  confidence: 50
+  impact: 50
+  message: A [$process_exec$] event occurred on host - [$dest$] to decode a file using base64.
+  mitre_attack_id:
+  - T1140
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - argc
+  - process_exec
+  risk_score: 25
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.log
+    source: /var/log/audit/audit.log
+    sourcetype: linux:audit