From 4e74bc9736069306882e7fae64d1700b124d4236 Mon Sep 17 00:00:00 2001 
From: paolo9921 Date: Fri, 4 Jul 2025 11:05:57 +0200 Subject: [PATCH 1/2] defense_evasion rules update --- ...tempt_to_disable_iptables_or_firewall.yaml | 51 ------------------ .../attempt_to_disable_syslog_service.yaml | 52 ------------------- ..._base32_encoding_or_decoding_activity.yaml | 36 ------------- .../clear_kernel_ring_buffer.yaml | 15 ------ .../disable_apparmor_attempt.yaml | 23 -------- .../disable_selinux_attempt.yaml | 15 ------ .../defense_evasion/hidden_file_dir_tmp.yaml | 20 ------- .../defense_evasion/hidden_shared_object.yaml | 16 ------ .../kernel_module_injection.yaml | 33 ++++++++++++ .../kernel_module_removal.yaml | 17 +++--- .../kernel_sysctl_tampering.yaml | 29 +++++++++++ rules/defense_evasion/kill_command_exec.yaml | 15 ++++++ rules/defense_evasion/log_files_deleted.yaml | 27 ++++++++-- .../potential_proot_exploits.yaml | 10 ++-- rules/defense_evasion/rename_esxi_files.yaml | 11 ++-- .../shell_history_deletion.yaml | 36 +++++++++++++ .../ssl_certificate_deletion.yaml | 23 ++++++++ .../var_log_file_by_unusual_process.yaml | 34 ++++++++++++ 18 files changed, 208 insertions(+), 255 deletions(-) delete mode 100644 rules/defense_evasion/attempt_to_disable_iptables_or_firewall.yaml delete mode 100644 rules/defense_evasion/attempt_to_disable_syslog_service.yaml delete mode 100644 rules/defense_evasion/base16_or_base32_encoding_or_decoding_activity.yaml delete mode 100644 rules/defense_evasion/clear_kernel_ring_buffer.yaml delete mode 100644 rules/defense_evasion/disable_apparmor_attempt.yaml delete mode 100644 rules/defense_evasion/disable_selinux_attempt.yaml delete mode 100644 rules/defense_evasion/hidden_file_dir_tmp.yaml delete mode 100644 rules/defense_evasion/hidden_shared_object.yaml create mode 100644 rules/defense_evasion/kernel_module_injection.yaml create mode 100644 rules/defense_evasion/kernel_sysctl_tampering.yaml create mode 100644 rules/defense_evasion/kill_command_exec.yaml create mode 100644 
rules/defense_evasion/shell_history_deletion.yaml create mode 100644 rules/defense_evasion/ssl_certificate_deletion.yaml create mode 100644 rules/defense_evasion/var_log_file_by_unusual_process.yaml diff --git a/rules/defense_evasion/attempt_to_disable_iptables_or_firewall.yaml b/rules/defense_evasion/attempt_to_disable_iptables_or_firewall.yaml deleted file mode 100644 index 0c2fe755..00000000 --- a/rules/defense_evasion/attempt_to_disable_iptables_or_firewall.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -# Title: Attempt To Disable Iptables Or Firewall - -# Creation date: 2023/02/22 - -# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ - -# MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/ - -- name: Disable firewall with ufw - type: Exec - category: defense_evasion - severity: low - description: Monitors for the execution of the ufw utility with the disable flag to disable the firewall. Attackers may attempt to disable - the firewall to affect how a host is allowed to receive or send network traffic and evade detection by security controls. - condition: payload.filename ENDS_WITH "/ufw" AND payload.argv CONTAINS "disable" - -- name: Flush iptables rules - type: Exec - category: defense_evasion - severity: low - description: Monitors for the execution of the iptables utility with the flush flag to flush iptables rules. Attackers may attempt to flush - iptables rules to affect how a host is allowed to receive or send network traffic and evade detection by security controls. - condition: payload.filename ENDS_WITH "/iptables" AND payload.argv CONTAINS "-F" AND payload.argc == 2 - -- name: Stop firewall service with service command - type: Exec - category: defense_evasion - severity: low - description: Monitors for the execution of the service utility with the stop flag to stop the firewall service. Attackers may attempt to stop - the firewall service to affect how a host is allowed to receive or send network traffic and evade detection by security controls. 
- condition: payload.filename ENDS_WITH "/service" AND payload.argv CONTAINS "stop" AND (payload.argv CONTAINS "firewalld" - OR payload.argv CONTAINS "ip6tables" OR payload.argv CONTAINS "iptables") - -- name: Turn off firewall service with chkconfig - type: Exec - category: defense_evasion - severity: low - description: Monitors for the execution of the chkconfig utility with the off flag to turn off the firewall service. Attackers may attempt to - turn off the firewall service to affect how a host is allowed to receive or send network traffic and evade detection by security controls. - condition: payload.filename ENDS_WITH "/sbin/chkconfig" AND payload.argv CONTAINS "off" AND (payload.argv CONTAINS "firewalld" - OR payload.argv CONTAINS "ip6tables" OR payload.argv CONTAINS "iptables") - -- name: Disable or stop firewall service with systemctl - type: Exec - category: defense_evasion - severity: low - description: Monitors for the execution of the systemctl utility with the disable, stop, or kill flag to disable or stop the firewall service. - Attackers may attempt to disable or stop the firewall service to affect how a host is allowed to receive or send network traffic and evade - detection by security controls. - condition: payload.filename ENDS_WITH "/bin/systemctl" AND (payload.argv CONTAINS "disable" OR payload.argv CONTAINS "stop" - OR payload.argv CONTAINS "kill") AND (payload.argv CONTAINS "firewalld" OR payload.argv CONTAINS "ip6tables" OR payload.argv CONTAINS "iptables") \ No newline at end of file diff --git a/rules/defense_evasion/attempt_to_disable_syslog_service.yaml b/rules/defense_evasion/attempt_to_disable_syslog_service.yaml deleted file mode 100644 index ab01a6d4..00000000 --- a/rules/defense_evasion/attempt_to_disable_syslog_service.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -# Title: Attempt To Disable Syslog Service - -# Creation date: 2020/04/27 - -# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ - -# MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/ - -- name: Service command to stop syslog-related services - type: Exec - category: defense_evasion - severity: medium - description: Monitors for the execution of the service utility with the stop flag to stop syslog-related services. Attackers may attempt - to stop syslog-related services to disrupt event logging and evade detection by security controls. - condition: payload.filename ENDS_WITH "service" AND payload.argv CONTAINS "stop" AND (payload.argv CONTAINS "syslog" - OR payload.argv CONTAINS "rsyslog" OR payload.argv CONTAINS "syslog-ng") - -- name: Chkconfig command to turn off syslog-related services - type: Exec - category: defense_evasion - severity: medium - description: Monitors for the execution of the chkconfig utility with the off flag to turn off syslog-related services. Attackers may - attempt to turn off syslog-related services to disrupt event logging and evade detection by security controls. - condition: payload.filename ENDS_WITH "chkconfig" AND payload.argv CONTAINS "off" AND (payload.argv CONTAINS "syslog" - OR payload.argv CONTAINS "rsyslog" OR payload.argv CONTAINS "syslog-ng") - -- name: Systemctl command to disable syslog-related services - type: Exec - category: defense_evasion - severity: medium - description: Monitors for the execution of the systemctl utility with the disable flag to disable syslog-related services. Attackers may - attempt to disable syslog-related services to disrupt event logging and evade detection by security controls. 
- condition: payload.filename ENDS_WITH "systemctl" AND payload.argv CONTAINS "disable" AND (payload.argv CONTAINS "syslog" - OR payload.argv CONTAINS "rsyslog" OR payload.argv CONTAINS "syslog-ng") - -- name: Systemctl command to stop syslog-related services - type: Exec - category: defense_evasion - severity: medium - description: Monitors for the execution of the systemctl utility with the stop flag to stop syslog-related services. Attackers may - attempt to stop syslog-related services to disrupt event logging and evade detection by security controls. - condition: payload.filename ENDS_WITH "systemctl" AND payload.argv CONTAINS "stop" AND (payload.argv CONTAINS "syslog" - OR payload.argv CONTAINS "rsyslog" OR payload.argv CONTAINS "syslog-ng") - -- name: Systemctl command to kill syslog-related services - type: Exec - category: defense_evasion - severity: medium - description: Monitors for the execution of the systemctl utility with the kill flag to kill syslog-related services. Attackers may - attempt to kill syslog-related services to disrupt event logging and evade detection by security controls. - condition: payload.filename ENDS_WITH "systemctl" AND payload.argv CONTAINS "kill" AND (payload.argv CONTAINS "syslog" - OR payload.argv CONTAINS "rsyslog" OR payload.argv CONTAINS "syslog-ng") \ No newline at end of file diff --git a/rules/defense_evasion/base16_or_base32_encoding_or_decoding_activity.yaml b/rules/defense_evasion/base16_or_base32_encoding_or_decoding_activity.yaml deleted file mode 100644 index a9408dc9..00000000 --- a/rules/defense_evasion/base16_or_base32_encoding_or_decoding_activity.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -# Title: Base16 Or Base32 Encoding Or Decoding Activity - -# Creation date: 2020/04/17 - -# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ - -# MITRE ATT&CK Technique: T1027 - Obfuscated Files or Information - https://attack.mitre.org/techniques/T1027/ - - -- name: Base16 execution - type: Exec - category: defense_evasion - severity: low - description: Monitors for the execution of utilities related to Base16 encoding or decoding. Attackers may attempt to encode or decode data - using Base16 to evade detection by host- or network-based security controls. - condition: payload.filename IN ["/usr/bin/base16", "/sbin/base16", "/usr/bin/base16-encode", "/usr/bin/base16-decode", - "/usr/bin/base16enc", "/usr/bin/base16dec", "/usr/bin/base16plain", "/usr/bin/base16hex"] - -- name: Base32 execution - type: Exec - category: defense_evasion - severity: low - description: Monitors for the execution of utilities related to Base32 encoding or decoding. Attackers may attempt to encode or decode data - using Base32 to evade detection by host- or network-based security controls. - condition: payload.filename IN ["/usr/bin/base32", "/sbin/base32", "/usr/bin/base32-encode", "/usr/bin/base32-decode", - "/usr/bin/base32enc", "/usr/bin/base32dec", "/usr/bin/base32plain", "/usr/bin/base32hex"] - -- name: Base64 execution - type: Exec - category: defense_evasion - severity: low - description: Monitors for the execution of utilities related to Base64 encoding or decoding. Attackers may attempt to encode or decode data - using Base64 to evade detection by host- or network-based security controls. - condition: payload.filename IN ["/usr/bin/base64", "/sbin/base64", "/usr/bin/base64-encode", "/usr/bin/base64-decode", - "/usr/bin/base64enc", "/usr/bin/base64dec", "/usr/bin/base64plain", "/usr/bin/base64hex"] - 
diff --git a/rules/defense_evasion/clear_kernel_ring_buffer.yaml b/rules/defense_evasion/clear_kernel_ring_buffer.yaml deleted file mode 100644 index fab0901b..00000000 --- a/rules/defense_evasion/clear_kernel_ring_buffer.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# Title: Clear Kernel Ring Buffer - -# Creation date: 2023/10/24 - -# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ - -# MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/ - -- name: Executing dmesg with clear flag - type: Exec - category: defense_evasion - severity: low - description: Monitors for the execution of the dmesg utility with the clear flag. Attackers may clear kernel ring buffer events to - evade detection after installing a Linux kernel module (LKM). - condition: header.image == "/usr/bin/dmesg" AND payload.argv CONTAINS "-c" \ No newline at end of file diff --git a/rules/defense_evasion/disable_apparmor_attempt.yaml b/rules/defense_evasion/disable_apparmor_attempt.yaml deleted file mode 100644 index 5d652f44..00000000 --- a/rules/defense_evasion/disable_apparmor_attempt.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -# Title: Disable Apparmor Attempt - -# Creation date: 2023/08/28 - -# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ - -# MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/ - -- name: Disable AppArmor service - type: Exec - category: defense_evasion - severity: low - description: Monitors for the execution of the systemctl utility with the disable flag to disable the AppArmor service. Attackers may - attempt to disable the AppArmor service to evade detection and avoid possible restrictions on their actions and resources. - condition: payload.filename == "/usr/bin/systemctl" AND payload.argv CONTAINS "disable" AND payload.argv CONTAINS "apparmor" - -- name: Create symlink to disable AppArmor - type: Exec - category: defense_evasion - severity: low - description: Monitors for the execution of the ln utility to create a symlink to disable AppArmor. Attackers may attempt to create a - symlink to disable AppArmor to evade detection and avoid possible restrictions on their actions and resources. - condition: payload.filename == "/usr/bin/ln" AND payload.argv CONTAINS "/etc/apparmor.d/" AND payload.argv CONTAINS "/etc/apparmor.d/disable/" \ No newline at end of file diff --git a/rules/defense_evasion/disable_selinux_attempt.yaml b/rules/defense_evasion/disable_selinux_attempt.yaml deleted file mode 100644 index aefe435f..00000000 --- a/rules/defense_evasion/disable_selinux_attempt.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -# Title: Disable Selinux Attempt - -# Creation date: 2020/04/22 - -# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ - -# MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/ - -- name: Set enforce mode to permissive - type: Exec - category: defense_evasion - severity: medium - description: Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to - support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. - condition: payload.filename == "/usr/sbin/setenforce" AND payload.argv CONTAINS "0" \ No newline at end of file diff --git a/rules/defense_evasion/hidden_file_dir_tmp.yaml b/rules/defense_evasion/hidden_file_dir_tmp.yaml deleted file mode 100644 index af469ce0..00000000 --- a/rules/defense_evasion/hidden_file_dir_tmp.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -# Title: Hidden File Dir Tmp - -# Creation date: 2020/04/29 - -# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ - -# MITRE ATT&CK Technique: T1564 - Hide Artifacts - https://attack.mitre.org/techniques/T1564/ - -- name: Rename with suspicious pattern - type: FileRename - category: defense_evasion - severity: medium - description: Detects the renaming of files or directories with a suspicious pattern that may indicate an attempt to hide files or - directories. Adversaries may use this technique to hide files or directories on the system for persistence and defense evasion. - condition: NOT header.image IN ["/usr/bin/ls", "/usr/bin/find", "/usr/bin/grep", "/usr/bin/git", "/usr/bin/jq", "/usr/bin/basename"] - AND - (payload.source STARTS_WITH "/tmp" OR payload.source STARTS_WITH "/var/tmp" OR payload.source STARTS_WITH "/dev/shm") - AND - (payload.destination STARTS_WITH "/tmp/." OR payload.destination STARTS_WITH "/var/tmp/." OR payload.destination STARTS_WITH "/dev/shm/.") - \ No newline at end of file diff --git a/rules/defense_evasion/hidden_shared_object.yaml b/rules/defense_evasion/hidden_shared_object.yaml deleted file mode 100644 index 7db38a73..00000000 --- a/rules/defense_evasion/hidden_shared_object.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -# Title: Hidden Shared Object - -# Creation date: 2022/07/20 - -# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/ - -# MITRE ATT&CK Technique: T1564 - Hide Artifacts - https://attack.mitre.org/techniques/T1564/ - -- name: Creation of shared object files - type: FileCreated - category: defense_evasion - severity: medium - description: Detects the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a "." - as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system - for persistence and defense evasion. - condition: payload.filename ENDS_WITH ".so" AND payload.filename STARTS_WITH "." \ No newline at end of file diff --git a/rules/defense_evasion/kernel_module_injection.yaml b/rules/defense_evasion/kernel_module_injection.yaml new file mode 100644 index 00000000..faa9bede --- /dev/null +++ b/rules/defense_evasion/kernel_module_injection.yaml 
@@ -0,0 +1,33 @@
+# Title: Kernel Module Injection via Utility Execution
+
+# Creation date: 2022/10/21
+
+# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/
+
+# MITRE ATT&CK Technique: T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions - https://attack.mitre.org/techniques/T1547/006/
+
+- name: Linux Kernel Module Injection via insmod
+ type: Exec
+ category: defense_evasion
+ severity: high
+ description: Detects the execution of the insmod utility to inject a Linux kernel module. Adversaries may inject a kernel module to gain access
+ to information or to escalate privileges.
+ condition: payload.filename ENDS_WITH "/insmod"
+ AND NOT ( payload.argv CONTAINS "rfkill" OR payload.argv CONTAINS "cryptd")
+
+- name: Linux Kernel Module Injection via modprobe
+ type: Exec
+ category: defense_evasion
+ severity: high
+ description: Detects the execution of the modprobe utility to inject a Linux kernel module. Adversaries may inject a kernel module to gain access
+ to information or to escalate privileges.
+ condition: payload.filename ENDS_WITH "/modprobe"
+ AND NOT payload.argv CONTAINS "-r"
+
+- name: Linux Kernel Module Injection via kmod
+ type: Exec
+ category: defense_evasion
+ severity: high
+ description: Detects the execution of kmod to directly load a Linux kernel module.
+ condition: payload.filename ENDS_WITH "/kmod" AND payload.argv CONTAINS "insert"
+ AND NOT (payload.argv CONTAINS "rfkill" OR payload.argv CONTAINS "cryptd")
diff --git a/rules/defense_evasion/kernel_module_removal.yaml b/rules/defense_evasion/kernel_module_removal.yaml
index 7d5f2c43..e6176110 100644
--- a/rules/defense_evasion/kernel_module_removal.yaml
+++ b/rules/defense_evasion/kernel_module_removal.yaml
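Review bot: The modprobe rule's exclusion on its last condition line only recognises the short `-r` flag, while the sibling rule in kernel_module_removal.yaml treats both `--remove` and `-r` as an unload, so a `modprobe --remove` invocation fires this high-severity "injection" rule as well as the removal rule; suggest `AND NOT (payload.argv CONTAINS "-r" OR payload.argv CONTAINS "--remove")`. The kernel also execs modprobe itself for on-demand module loading, so without a parent-process or argument allowlist this rule will fire on routine activity — worth stating in the description or the severity choice. The `rfkill`/`cryptd` exclusions in the insmod and kmod rules carry no explanation; a one-line comment such as `# rfkill and cryptd are excluded as commonly auto-loaded modules — confirm reason` would help the next maintainer.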
@@ -6,18 +6,13 @@
 # MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/
-- name: Remove Linux Kernel Module with rmmod
+- name: Remove Linux Kernel Module
 type: Exec
 category: defense_evasion
 severity: medium
- description: Detects the execution of the rmmod utility to remove a Linux kernel module. Attackers may attempt to remove a kernel
- module to evade detection and avoid possible restrictions on their actions and resources.
- condition: header.image == "/usr/sbin/rmmod"
-
-- name: Remove Linux Kernel Module with modprobe
- type: Exec
- category: defense_evasion
- severity: medium
- description: Detects the execution of the modprobe utility with the remove flag to remove a Linux kernel module. Attackers may attempt
+ description: Detects the execution of utility to remove a Linux kernel module. Attackers may attempt
 to remove a kernel module to evade detection and avoid possible restrictions on their actions and resources.
- condition: payload.filename == "/usr/sbin/modprobe" AND (payload.argv CONTAINS "--remove" OR payload.argv CONTAINS "-r")
+ condition: (
+ payload.filename ENDS_WITH "/rmmod" OR
+ (payload.filename ENDS_WITH "/modprobe" AND (payload.argv CONTAINS "--remove" OR payload.argv CONTAINS "-r"))
+ )
diff --git a/rules/defense_evasion/kernel_sysctl_tampering.yaml b/rules/defense_evasion/kernel_sysctl_tampering.yaml
new file mode 100644
index 00000000..3372e9ea
--- /dev/null
+++ b/rules/defense_evasion/kernel_sysctl_tampering.yaml
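Review bot: The merged description line `Detects the execution of utility to remove a Linux kernel module` lost its article and no longer says which utilities are covered; suggest `description: Detects the execution of rmmod, or of modprobe with the remove flag, to unload a Linux kernel module. Attackers may attempt` so the first line matches the new two-way condition. The condition itself is consistent with the `-r`/`--remove` handling expected by the new kernel_module_injection.yaml rule.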
@@ -0,0 +1,29 @@
+# Title: Kernel Logging Evasion via sysctl
+
+# Creation date: 2025/04/11
+
+# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/
+
+# MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/
+
+- name: Detecting direct kernel printk modification
+ type: FileOpened
+ category: defense_evasion
+ severity: low
+ description: Detects direct write operations to the /proc/sys/kernel/printk file. This is how the sysctl utility, and other programs, modify the kernel.printk parameter under the hood to control console logging levels.
+ Adversaries may use this to silence kernel logs and impair defenses.
+ condition: payload.filename ENDS_WITH "/proc/sys/kernel/printk"
+ AND (payload.flags CONTAINS "O_WRONLY" OR payload.flags CONTAINS "O_RDWR" OR payload.flags CONTAINS "O_TRUNC")
+
+- name: Detecting sysctl configuration file modification
+ type: FileOpened
+ category: defense_evasion
+ severity: medium
+ description: Monitors file events on sysctl configuration files. Attackers may tamper the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.
+ condition: (
+ payload.filename STARTS_WITH "/etc/sysctl.conf" OR payload.filename STARTS_WITH "/etc/sysctl.d" OR
+ payload.filename STARTS_WITH "/lib/sysctl.d" OR payload.filename STARTS_WITH "/usr/lib/sysctl.d" OR
+ payload.filename STARTS_WITH "/usr/local/lib/sysctl.d"
+ ) AND (payload.flags CONTAINS "O_WRONLY" OR payload.flags CONTAINS "O_RDWR" OR payload.flags CONTAINS "O_CREAT")
+ AND NOT (header.image ENDS_WITH "/dockerd")
+
diff --git a/rules/defense_evasion/kill_command_exec.yaml b/rules/defense_evasion/kill_command_exec.yaml
new file mode 100644
index 00000000..142491f9
--- /dev/null
+++ b/rules/defense_evasion/kill_command_exec.yaml
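Review bot: The second rule's description says it `Monitors file events on sysctl configuration files`, but the condition only matches FileOpened events with O_WRONLY/O_RDWR/O_CREAT, so renames or deletions of drop-in files are not covered by this file; either narrow the wording to `Detects sysctl configuration files being opened for writing or created.` or add FileDeleted/FileRename siblings. The `Detecting ...` rule names also differ in style from the noun-phrase names used by the other rules in this commit (e.g. `Kill command executed`, `Shell history deletion`), and the file ends with a trailing empty added line that the other new rule files do not carry.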
@@ -0,0 +1,15 @@
+# Title: Kill command executed
+
+# Creation Date: 2025/04/11
+
+# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/
+
+# MITRE ATT&CK Technique: T1562 - Impair defense - https://attack.mitre.org/techniques/T1562/
+
+- name: Kill command executed
+ type: Exec
+ category: defense_evasion
+ severity: low
+ description: Detects the execution of kill, pkill, and killall commands on Linux systems. Attackers may use these commands
+ to kill security tools or other processes to evade detection or disrupt system operations.
+ condition: payload.filename ENDS_WITH "kill" OR payload.filename ENDS_WITH "pkill" OR payload.filename ENDS_WITH "killall"
diff --git a/rules/defense_evasion/log_files_deleted.yaml b/rules/defense_evasion/log_files_deleted.yaml
index b40593f5..11536760 100644
--- a/rules/defense_evasion/log_files_deleted.yaml
+++ b/rules/defense_evasion/log_files_deleted.yaml
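Review bot: `payload.filename ENDS_WITH "kill"` on the condition line has no leading slash, unlike the `ENDS_WITH "/insmod"` form used elsewhere in this commit, so it matches any executable whose path merely ends in those letters and already subsumes the `pkill` clause; suggest `condition: payload.filename ENDS_WITH "/kill" OR payload.filename ENDS_WITH "/pkill" OR payload.filename ENDS_WITH "/killall"`. The description could also note that `kill` is normally a shell builtin, so only the external binary produces an Exec event — presumably part of why the rule is rated low; confirm. Minor header nits: `Impair defense` should read `Impair Defenses` as in the sibling files, and `Creation Date` is capitalised differently from the `Creation date` used by the older rules.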
@@ -12,6 +12,27 @@
 severity: medium
 description: Detects the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.
- condition: payload.filename IN ["/var/run/utmp", "/var/log/wtmp", "/var/log/btmp", "/var/log/lastlog", "/var/log/faillog",
- "/var/log/syslog", "/var/log/messages", "/var/log/secure", "/var/log/auth.log", "/var/log/boot.log", "/var/log/kern.log"]
- AND NOT header.image IN ["/usr/bin/gzip", "/usr/bin/executor", "/usr/bin/dockerd"]
\ No newline at end of file
+ condition: (
+ payload.filename ENDS_WITH "/var/run/utmp" OR
+ payload.filename ENDS_WITH "/var/log/wtmp" OR
+ payload.filename ENDS_WITH "/var/log/btmp" OR
+ payload.filename ENDS_WITH "/var/log/lastlog" OR
+ payload.filename ENDS_WITH "/var/log/faillog" OR
+ payload.filename ENDS_WITH "/var/log/syslog" OR
+ payload.filename ENDS_WITH "/var/log/messages" OR
+ payload.filename ENDS_WITH "/var/log/secure" OR
+ payload.filename ENDS_WITH "/var/log/auth.log" OR
+ payload.filename ENDS_WITH "/var/log/boot.log" OR
+ payload.filename ENDS_WITH "/var/log/kern.log"
+ )
+ AND NOT header.image IN [
+ "/usr/bin/gzip", "/bin/gzip", "/usr/bin/zip", "/usr/bin/bzip2", "/bin/xz", "/usr/bin/xz", "/usr/bin/zstd",
+ "/usr/bin/compress", "/usr/bin/journalctl", "/usr/bin/logrotate"
+ ]
+
+- name: Truncate log files
+ type: FileOpened
+ category: defense_evasion
+ severity: medium
+ description: Detects the truncation of log files. Adversaries may truncate log files to remove evidence of their activities on the system.
+ condition: payload.filename STARTS_WITH "/var/log" AND payload.flags CONTAINS "O_TRUNC"
diff --git a/rules/defense_evasion/potential_proot_exploits.yaml b/rules/defense_evasion/potential_proot_exploits.yaml
index 9bf40fc5..141efee2 100644
--- a/rules/defense_evasion/potential_proot_exploits.yaml
+++ b/rules/defense_evasion/potential_proot_exploits.yaml
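Review bot: The new "Truncate log files" rule at the end of the hunk has no process allowlist and uses `STARTS_WITH "/var/log"` without a trailing slash, so logrotate's copytruncate mode and any path merely beginning with /var/log (such as a /var/logs directory) will trigger it, while the deletion rule just above it carefully excludes logrotate and journalctl; suggest `condition: payload.filename STARTS_WITH "/var/log/" AND payload.flags CONTAINS "O_TRUNC"` followed by the same `AND NOT header.image IN [...]` list. In that list `/usr/bin/logrotate` may never match on distributions that install the binary under /usr/sbin — verify against the target hosts. The rewrite also drops `/usr/bin/executor` and `/usr/bin/dockerd` from the previous exclusion; if that is intentional it deserves a sentence in the commit message, otherwise those entries should be carried over.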
@@ -10,10 +10,6 @@
 type: Exec
 category: defense_evasion
 severity: medium
- description: Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot,
- mount --bind, and binfmt_misc. Adversaries can leverage PRoot to expand the scope of their operations to multiple Linux
- distributions and simplify their necessary efforts. PRoot also provides emulation capabilities that allow for malware built on other
- architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF),
- can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or
- orchestrate another attack on the environment.
- condition: header.image ENDS_WITH "/proot"
\ No newline at end of file
+ description: Detects execution of the PRoot utility. PRoot is a user-space tool that enables chroot-like environments, mount operations, and cross-architecture emulation.
+ Adversaries may use PRoot to bypass restrictions, run malware across architectures, or perform post-exploitation tasks like privilege escalation and network scanning.
+ condition: payload.filename ENDS_WITH "/proot"
diff --git a/rules/defense_evasion/rename_esxi_files.yaml b/rules/defense_evasion/rename_esxi_files.yaml
index 7dfc5781..03c1994f 100644
--- a/rules/defense_evasion/rename_esxi_files.yaml
+++ b/rules/defense_evasion/rename_esxi_files.yaml
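Review bot: The two new description lines run to roughly 170 columns while every other rule in this commit wraps descriptions at about 130, so re-wrapping them would keep the file consistent with its neighbours. The switch from `header.image` to `payload.filename` matches the other Exec rules touched here, so no objection there.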
@@ -10,9 +10,8 @@
 type: FileRename
 category: defense_evasion
 severity: medium
- description: Detects the renaming of VMware-related files, such as those with extensions like ".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn",
- ".vswp", ".vmss", ".nvram", and ".vmem", on a Linux system. Adversaries may use this technique to hide files on the system for persistence
- and defense evasion.
- condition: (payload.source ENDS_WITH ".vmdk" OR payload.source ENDS_WITH ".vmx" OR payload.source ENDS_WITH ".vmxf"
- OR payload.source ENDS_WITH ".vmsd" OR payload.source ENDS_WITH ".vmsn" OR payload.source ENDS_WITH ".vswp" OR payload.source ENDS_WITH ".vmss"
- OR payload.source ENDS_WITH ".nvram" OR payload.source ENDS_WITH ".vmem")
\ No newline at end of file
+ description: Detects the renaming of critical VMware virtual machine files. Adversaries may rename these files to disrupt virtual machine operations,
+ hide malicious components, or impede incident response efforts, achieving defense evasion and potentially denial of service.
+ condition: payload.source ENDS_WITH ".vmdk" OR payload.source ENDS_WITH ".vmx" OR payload.source ENDS_WITH ".vmxf"
+ OR payload.source ENDS_WITH ".vmsd" OR payload.source ENDS_WITH ".vmsn" OR payload.source ENDS_WITH ".vswp"
+ OR payload.source ENDS_WITH ".vmss" OR payload.source ENDS_WITH ".nvram" OR payload.source ENDS_WITH ".vmem"
diff --git a/rules/defense_evasion/shell_history_deletion.yaml b/rules/defense_evasion/shell_history_deletion.yaml
new file mode 100644
index 00000000..10b1b6e2
--- /dev/null
+++ b/rules/defense_evasion/shell_history_deletion.yaml
@@ -0,0 +1,36 @@
+# Title: Shell History Removal
+
+# Creation Date: 2022/10/21
+
+# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/
+
+# MITRE ATT&CK Technique: T1070 - Indicator Removal: Clear Command History - https://attack.mitre.org/techniques/T1070/003/
+
+- name: Shell history deletion
+ type: FileDeleted
+ category: defense_evasion
+ severity: medium
+ description: Detects the deletion of shell history files. Adversaries may delete shell history files to remove evidence of their activities on
+ the system.
+ condition: (payload.filename ENDS_WITH "ash_history" OR payload.filename ENDS_WITH "zsh_history" OR payload.filename ENDS_WITH "fish_history" OR payload.filename ENDS_WITH "fish_read_history" OR payload.filename ENDS_WITH "bash_history")
+ AND NOT (
+ header.image ENDS_WITH "/dockerd" OR
+ header.image ENDS_WITH "/podman" OR
+ header.image ENDS_WITH "/crio" OR
+ header.image ENDS_WITH "/conmon" OR
+ header.image ENDS_WITH "/containerd" OR
+ header.image ENDS_WITH "/containerd-shim" OR
+ header.image ENDS_WITH "/containerd-shim-runc-v2" OR
+ header.image ENDS_WITH "/runc" OR
+ header.image ENDS_WITH "/crun" OR
+ header.image ENDS_WITH "/kubelet"
+ )
+
+- name: Shell history truncation
+ type: FileOpened
+ category: defense_evasion
+ severity: medium
+ description: Detects the truncation of shell history files. Adversaries may truncate shell history files to remove evidence of their activities
+ on the system.
+ condition: (payload.filename ENDS_WITH "ash_history" OR payload.filename ENDS_WITH "zsh_history" OR payload.filename ENDS_WITH "fish_history" OR payload.filename ENDS_WITH "fish_read_history" OR payload.filename ENDS_WITH "bash_history")
+ AND payload.flags CONTAINS "O_TRUNC"
diff --git a/rules/defense_evasion/ssl_certificate_deletion.yaml b/rules/defense_evasion/ssl_certificate_deletion.yaml
new file mode 100644
index 00000000..b8cb6438
--- /dev/null
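Review bot: The technique header names `T1070` but links to the T1070/003 sub-technique; write `# MITRE ATT&CK Technique: T1070.003 - Indicator Removal: Clear Command History - https://attack.mitre.org/techniques/T1070/003/` so the identifier and the URL agree. In both conditions `ENDS_WITH "ash_history"` already matches `.bash_history`, so the trailing `bash_history` clause is redundant and can be dropped. The container-runtime exclusion on the deletion rule is absent from the truncation rule; if the same runtimes truncate history files while setting up containers the second rule will be noisy, so confirm whether the asymmetry is intended and add a one-line comment either way.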
+++ b/rules/defense_evasion/ssl_certificate_deletion.yaml
@@ -0,0 +1,23 @@
+# Title: SSL certificate deletion
+
+# Creation Date: 2025/04/11
+
+# MITRE ATT&CK Tactic: TA0005- Defense Evasion - https://attack.mitre.org/tactics/TA0005/
+
+# MITRE ATT&CK Technique: T1485 - Data Destruction - https://attack.mitre.org/techniques/T1485/
+
+- name: SSL Certificate deletion
+ type: FileDeleted
+ category: defense_evasion
+ severity: medium
+ description: Detects the deletion of SSL certificates on a Linux system. Adversaries may delete SSL certificates to subvert
+ trust controls and negatively impact the system.
+ condition: (
+ payload.filename STARTS_WITH "/etc/ssl/" OR payload.filename STARTS_WITH "/etc/pki/" OR
+ payload.filename STARTS_WITH "/usr/local/share/"
+ ) AND (
+ payload.filename ENDS_WITH ".pem" OR payload.filename ENDS_WITH ".crt" OR
+ payload.filename ENDS_WITH ".cer" OR payload.filename ENDS_WITH ".ca-bundle" OR
+ payload.filename ENDS_WITH ".p7b" OR payload.filename ENDS_WITH ".p7c" OR
+ payload.filename ENDS_WITH ".p7s"
+ )
diff --git a/rules/defense_evasion/var_log_file_by_unusual_process.yaml b/rules/defense_evasion/var_log_file_by_unusual_process.yaml
new file mode 100644
index 00000000..dc3633e9
--- /dev/null
+++ b/rules/defense_evasion/var_log_file_by_unusual_process.yaml
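Review bot: `payload.filename STARTS_WITH "/usr/local/share/"` is far broader than the two other prefixes and will match any .pem or .crt removed anywhere under /usr/local/share, not only the local CA store; `/usr/local/share/ca-certificates/` is presumably what was meant. On Debian-family hosts the update-ca-certificates tool rebuilds the /etc/ssl/certs symlink farm on every CA package update, which presumably unlinks stale .pem entries there, so an exclusion such as `AND NOT header.image ENDS_WITH "/update-ca-certificates"` (confirm the binary path on target hosts) would head off a routine false positive. Two header nits: `TA0005- Defense Evasion` is missing a space, and T1485 Data Destruction belongs to the Impact tactic in ATT&CK, so the tactic line and the technique line do not agree.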
@@ -0,0 +1,34 @@
+# Title: var log file creation by unusual process
+
+# Creation Date: 2025/04/11
+
+# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/
+
+# MITRE ATT&CK Technique: T1564 - Hide Artifacts - https://attack.mitre.org/techniques/T1564/
+
+
+
+
+# CHECK WHITELIST
+
+- name: File Creation in /var/log via Suspicious Process (No Extension)
+ type: FileCreated
+ category: defense_evasion
+ severity: low
+ description: Detects the creation of files in the /var/log/ directory via process executables located in
+ world-writeable locations or via hidden processes, and without common extension. Attackers may attempt to hide their activities by
+ creating files in the /var/log/ directory, which is commonly used for logging system events.
+ condition: payload.filename STARTS_WITH "/var/log/"
+ AND (
+ header.image STARTS_WITH "/tmp/" OR header.image STARTS_WITH "/var/tmp" OR
+ header.image STARTS_WITH "/dev/shm/" OR header.image STARTS_WITH "./"
+ )
+ AND NOT (
+ payload.filename ENDS_WITH ".log" OR
+ payload.filename ENDS_WITH ".gz" OR
+ payload.filename ENDS_WITH ".old" OR
+ payload.filename ENDS_WITH ".1" OR
+ payload.filename ENDS_WITH ".bak" OR
+ payload.filename ENDS_WITH ".xz" OR
+ payload.filename ENDS_WITH ".journal" OR
+ )
From 3827a50db673cd79b8da5da56ce5c918352ba42a Mon Sep 17 00:00:00 2001
From: paolo9921
Date: Fri, 4 Jul 2025 16:29:32 +0200
Subject: [PATCH 2/2] minor fix
---
 rules/defense_evasion/kernel_sysctl_tampering.yaml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/rules/defense_evasion/kernel_sysctl_tampering.yaml b/rules/defense_evasion/kernel_sysctl_tampering.yaml
index 3372e9ea..f241e8bd 100644
--- a/rules/defense_evasion/kernel_sysctl_tampering.yaml
+++ b/rules/defense_evasion/kernel_sysctl_tampering.yaml
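Review bot: The `# CHECK WHITELIST` comment and the three empty lines above it read as leftover TODO scaffolding and should be resolved or removed before this file is merged. In the condition, `header.image STARTS_WITH "/var/tmp"` lacks the trailing slash the other prefixes carry (`header.image STARTS_WITH "/var/tmp/"`), and `STARTS_WITH "./"` can only match if the sensor reports relative executable paths, which the other absolute prefixes suggest it does not — confirm how header.image is populated. The description also promises detection `via hidden processes`, but nothing in the condition checks for a dot-prefixed executable name, so either add that clause or drop the claim from the description.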
@@ -20,10 +20,7 @@
 category: defense_evasion
 severity: medium
 description: Monitors file events on sysctl configuration files. Attackers may tamper the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.
- condition: (
- payload.filename STARTS_WITH "/etc/sysctl.conf" OR payload.filename STARTS_WITH "/etc/sysctl.d" OR
- payload.filename STARTS_WITH "/lib/sysctl.d" OR payload.filename STARTS_WITH "/usr/lib/sysctl.d" OR
- payload.filename STARTS_WITH "/usr/local/lib/sysctl.d"
- ) AND (payload.flags CONTAINS "O_WRONLY" OR payload.flags CONTAINS "O_RDWR" OR payload.flags CONTAINS "O_CREAT")
+ condition: (payload.filename ENDS_WITH "/sysctl.conf" OR payload.filename ENDS_WITH "/sysctl.d" )
+ AND (payload.flags CONTAINS "O_WRONLY" OR payload.flags CONTAINS "O_RDWR" OR payload.flags CONTAINS "O_CREAT")
 AND NOT (header.image ENDS_WITH "/dockerd")
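Review bot: `payload.filename ENDS_WITH "/sysctl.d"` on the new condition line matches only the directory path itself and never a drop-in file inside it (a constructed example: /etc/sysctl.d/99-local.conf), so after this "minor fix" the rule stops firing on exactly the files sysctl reads, whereas the STARTS_WITH prefixes it replaces did match them. Suggest keeping `payload.filename ENDS_WITH "/sysctl.conf"` and restoring a directory-prefix match for the drop-in locations, e.g. `OR payload.filename STARTS_WITH "/etc/sysctl.d/" OR payload.filename STARTS_WITH "/usr/lib/sysctl.d/"` together with the /lib and /usr/local/lib variants the first commit listed. The stray space before the closing parenthesis in `"/sysctl.d" )` is a minor style nit in the same line.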