diff --git a/data_sources/linux_auditd_syscall.yml b/data_sources/linux_auditd_syscall.yml index 838787f1fe..5445708d04 100644 --- a/data_sources/linux_auditd_syscall.yml +++ b/data_sources/linux_auditd_syscall.yml @@ -59,6 +59,14 @@ fields: - EGID - SGID - FSGID +output_fields: +- comm +- exe +- syscall +- uid +- ppid +- pid +- dest example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59 success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml index 9219b3653b..f840941991 100644 --- a/detections/endpoint/linux_auditd_at_application_execution.yml +++ b/detections/endpoint/linux_auditd_at_application_execution.yml 
@@ -16,10 +16,13 @@ description: The following analytic detects the execution of the "At" applicatio and mitigate potential risks. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") - AND NOT (UID IN("daemon")) | rename host as dest | stats count min(_time) as firstTime - max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `linux_auditd_at_application_execution_filter`' +search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") AND NOT (uid IN ("daemon")) + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_at_application_execution_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -75,6 +78,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_auditd_new_at.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml index ae912d4253..8eabc73a99 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml 
@@ -15,10 +15,13 @@ description: The following analytic detects suspicious data transfer activities from the network. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=split OR exe= "*/split" | rename host as - dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL - UID ppid pid success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`' +search: '`linux_auditd` type=SYSCALL comm=split OR exe= "*/split" + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid success dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -72,6 +75,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_new_split.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml index 33811e7267..6f72f46a1f 100644 --- a/detections/endpoint/linux_auditd_doas_tool_execution.yml +++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml 
@@ -14,10 +14,13 @@ description: The following analytic detects the execution of the 'doas' tool on the entire system. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=doas | rename host as dest | stats count - min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid - success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_doas_tool_execution_filter`' +search: '`linux_auditd` type=SYSCALL comm=doas + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid success dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_doas_tool_execution_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -71,6 +74,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_new_doas.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml index 0c78c283b2..bd43821817 100644 --- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml 
@@ -14,11 +14,13 @@ description: The following analytic detects the suspicious editing of cron jobs compromise. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL SYSCALL=rename (comm IN ("crontab") OR exe IN - ("*/crontab")) success=yes AND NOT (UID IN("daemon")) | rename host as dest | stats - count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid - pid dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_edit_cron_table_parameter_filter`' +search: '`linux_auditd` type=SYSCALL syscall IN ("rename", "execve") (comm IN ("crontab") OR exe IN ("*/crontab")) success=yes AND NOT (UID IN("daemon")) + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_edit_cron_table_parameter_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -73,6 +75,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_new_crontab.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml index c588b5d8a7..ca7b4b1b59 100644 --- a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml 
+++ b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml @@ -14,10 +14,13 @@ description: The following analytic detects the insertion of a Linux kernel modu execution, persistent access, and severe compromise of the affected system. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=insmod | rename host as dest | stats count - min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid - success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_insert_kernel_module_using_insmod_utility_filter`' +search: '`linux_auditd` type=SYSCALL comm=insmod + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid success dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_insert_kernel_module_using_insmod_utility_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should @@ -74,6 +77,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_new_insmod.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml index 335fcb0f35..1d70c9c585 100644 --- a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml 
+++ b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml @@ -14,10 +14,13 @@ description: The following analytic detects the installation of a Linux kernel m access to the system, compromising its integrity and security. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=modprobe | rename host as dest | stats count - min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid - success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `linux_auditd_install_kernel_module_using_modprobe_utility_filter`' +search: '`linux_auditd` type=SYSCALL comm=modprobe + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid success dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_install_kernel_module_using_modprobe_utility_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should @@ -73,6 +76,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_new_modprobe.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml index 8e0b9710ff..527fe37286 100644 --- a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml +++ b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml 
@@ -14,9 +14,12 @@ description: The following analytic identifies the use of the 'kmod' process to other malicious actions within the system. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=lsmod | rename host as dest | stats count - min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid - success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` +search: '`linux_auditd` type=SYSCALL comm=lsmod + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid success dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_auditd_kernel_module_enumeration_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures @@ -71,6 +74,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_new_lsmod.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml index d6c2dde6b3..5b972a1c54 100644 --- a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml +++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml 
@@ -15,10 +15,13 @@ description: The following analytic detects suspicious use of the `rmmod` utilit to protect system integrity and security. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=rmmod | rename host as dest | stats count - min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid - success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `linux_auditd_kernel_module_using_rmmod_utility_filter`' +search: '`linux_auditd` type=SYSCALL comm=rmmod + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid success dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_kernel_module_using_rmmod_utility_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -72,6 +75,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_new_rmmod.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml index 0875d6e3b8..3c4c97f9ae 100644 --- a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml +++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml 
@@ -15,12 +15,15 @@ description: The following analytic detects suspicious system network configurat reconnaissance operations, mitigating the risk of further compromise. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm IN ("arp", "ifconfig", "ip", "netstat", - "firewall-cmd", "ufw", "iptables", "ss", "route") | bucket _time span=15m | rename - host as dest | stats dc(comm) as unique_commands, values(comm) as comm, values(exe) - as exe, values(SYSCALL) as SYSCALL, values(UID) as UID, values(ppid) as ppid, values(pid) - as pid, count, min(_time) as firstTime, max(_time) as lastTime by success dest | - where unique_commands >= 4 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`linux_auditd` type=SYSCALL comm IN ("arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", "route") + | bucket _time span=15m + | rename host as dest + | stats dc(comm) as unique_commands, values(comm) as comm, values(exe) + as exe, values(syscall) as syscall, values(uid) as uid, values(ppid) as ppid, values(pid) + as pid, count, min(_time) as firstTime, max(_time) as lastTime by success dest + | where unique_commands >= 4 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_auditd_system_network_configuration_discovery_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line @@ -75,6 +78,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_bucket_new.log source: auditd sourcetype: auditd 
diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml index 0e9f7a60c9..5852854c88 100644 --- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml +++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml @@ -15,10 +15,13 @@ description: The following analytic detects the suspicious use of the whoami com further malicious operations. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=whoami OR exe= "*/whoami" | rename host - as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL - UID ppid pid dest success | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_whoami_user_discovery_filter`' +search: '`linux_auditd` type=SYSCALL comm=whoami OR exe= "*/whoami" + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid dest success + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_whoami_user_discovery_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -73,6 +76,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_new_whoami.log source: auditd sourcetype: auditd
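Review bot: in the `data_sources/linux_auditd_syscall.yml` hunk (`@@ -59,6 +59,14 @@`), the new `output_fields` entries are lowercase (`syscall`, `uid`) while the existing `fields` list directly above them is uppercase (`EGID`, `SGID`, `FSGID`). Splunk field names are case-sensitive, so the `fields` list should be normalized to the casing the sourcetype actually emits (the `example_log` shows `syscall=59 ... uid=0`, lowercase), which is also what the rewritten searches now group by (`by comm exe syscall uid ppid pid dest`). Two gaps in the list: `dest` is not a raw auditd field but is produced by `| rename host as dest` in every search, so that derivation belongs next to the entry, and `success` is missing even though eight of the updated searches group by it (`by comm exe syscall uid ppid pid success dest`).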
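Review bot: in the `linux_auditd_at_application_execution.yml` hunk (`@@ -16,10 +16,13 @@`), the rewritten filter `comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") AND NOT (uid IN ("daemon"))` carries over the precedence problem of the old line: SPL binds AND tighter than OR, so the `daemon` exclusion only applies to the `exe` branch and a `comm=at` event from uid daemon is still returned. Suggest `(comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd")) AND NOT uid IN ("daemon")`. Separately, the data source `example_log` carries `uid=0` as a number, so `uid IN ("daemon")` only excludes anything if ingest resolves uids to names; if it does not, the clause is a no-op and should be a numeric uid or dropped. This `by` clause is also the only one besides the crontab search that omits `success`, which the sibling detections all include.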
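Review bot: in the `linux_auditd_edit_cron_table_parameter.yml` hunk (`@@ -14,11 +14,13 @@`), the filter keeps `AND NOT (UID IN("daemon"))` in uppercase while the same line now matches `syscall IN (...)` and the `stats ... by comm exe syscall uid ...` clause uses lowercase `uid`; if the field is emitted as `uid` (as the data source `example_log` and the new `output_fields` indicate), the uppercase `UID` never matches and the daemon exclusion silently stops working. Suggest `AND NOT uid IN ("daemon")`. Two further points: the search widens from `SYSCALL=rename` to `syscall IN ("rename", "execve")`, so any `crontab` execve now triggers, not only a write of the table, and the `description` ("suspicious editing of cron jobs") should say so; and the values are syscall names while the data source `example_log` shows `syscall=59` as a number, so confirm the pipeline resolves syscall numbers to names before this lands.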
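Review bot: the nine `tests:` hunks (`@@ -75,6 +78,6 @@` in the `at` file through `@@ -73,6 +76,6 @@` in the `whoami` file) all swap the `attack_data` URLs for `*_new` datasets (`linux_auditd_new_at.log`, `linux_auditd_new_split.log`, `linux_auditd_net_tool_bucket_new.log`, and so on) without stating what differs from the old logs. Given that the search changes are all about field casing (`SYSCALL`/`UID` to `syscall`/`uid`), a one-line note in the change description saying the new datasets were recaptured with lowercase field names would let a reviewer confirm the tests exercise the new paths rather than passing by accident, and would make clear whether the old datasets are meant to stay in attack_data.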