Defense Evasion - Rules update - part 2

rules/defense_evasion/kernel_module_injection.yaml

@@ -0,0 +1,33 @@
+# Title: Kernel Module Injection via Utility Execution
+
+# Creation date: 2022/10/21
+
+# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/
+
+# MITRE ATT&CK Technique: T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions - https://attack.mitre.org/techniques/T1547/006/
+
+- name: Linux Kernel Module Injection via insmod
+  type: Exec
+  category: defense_evasion
+  severity: high
+  description: Detects the execution of the insmod utility to inject a Linux kernel module. Adversaries may inject a kernel module to gain access 
+    to information or to escalate privileges.
+  condition: payload.filename ENDS_WITH "/insmod" 
+    AND NOT ( payload.argv CONTAINS "rfkill" OR payload.argv CONTAINS "cryptd")
+
+- name: Linux Kernel Module Injection via modprobe
+  type: Exec
+  category: defense_evasion
+  severity: high
+  description: Detects the execution of the modprobe utility to inject a Linux kernel module. Adversaries may inject a kernel module to gain access 
+    to information or to escalate privileges.
+  condition: payload.filename ENDS_WITH "/modprobe" 
+    AND NOT payload.argv CONTAINS "-r"
+
+- name: Linux Kernel Module Injection via kmod
+  type: Exec
+  category: defense_evasion
+  severity: high
+  description: Detects the execution of kmod to directly load a Linux kernel module.
+  condition: payload.filename ENDS_WITH "/kmod" AND payload.argv CONTAINS "insert" 
+    AND NOT (payload.argv CONTAINS "rfkill" OR payload.argv CONTAINS "cryptd")

rules/defense_evasion/kernel_module_removal.yaml

@@ -6,18 +6,13 @@
 
 # MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/
 
-- name: Remove Linux Kernel Module with rmmod
+- name: Remove Linux Kernel Module
   type: Exec
   category: defense_evasion
   severity: medium
-  description: Detects the execution of the rmmod utility to remove a Linux kernel module. Attackers may attempt to remove a kernel 
-    module to evade detection and avoid possible restrictions on their actions and resources.
-  condition: header.image == "/usr/sbin/rmmod"
-
-- name: Remove Linux Kernel Module with modprobe
-  type: Exec
-  category: defense_evasion
-  severity: medium
-  description: Detects the execution of the modprobe utility with the remove flag to remove a Linux kernel module. Attackers may attempt 
+  description: Detects the execution of utility to remove a Linux kernel module. Attackers may attempt 
     to remove a kernel module to evade detection and avoid possible restrictions on their actions and resources.
-  condition: payload.filename == "/usr/sbin/modprobe" AND (payload.argv CONTAINS "--remove" OR payload.argv CONTAINS "-r")
+  condition: (
+      payload.filename ENDS_WITH "/rmmod" OR 
+      (payload.filename ENDS_WITH "/modprobe" AND (payload.argv CONTAINS "--remove" OR payload.argv CONTAINS "-r"))
+    )

rules/defense_evasion/kernel_sysctl_tampering.yaml

@@ -0,0 +1,26 @@
+# Title: Kernel Logging Evasion via sysctl
+
+# Creation date: 2025/04/11
+
+# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/
+
+# MITRE ATT&CK Technique: T1562 - Impair Defenses - https://attack.mitre.org/techniques/T1562/
+
+- name: Detecting direct kernel printk modification
+  type: FileOpened
+  category: defense_evasion
+  severity: low
+  description: Detects direct write operations to the /proc/sys/kernel/printk file. This is how the sysctl utility, and other programs, modify the kernel.printk parameter under the hood to control console logging levels. 
+    Adversaries may use this to silence kernel logs and impair defenses.  
+  condition: payload.filename ENDS_WITH "/proc/sys/kernel/printk" 
+    AND (payload.flags CONTAINS "O_WRONLY" OR payload.flags CONTAINS "O_RDWR" OR payload.flags CONTAINS "O_TRUNC")
+
+- name: Detecting sysctl configuration file modification
+  type: FileOpened
+  category: defense_evasion
+  severity: medium
+  description: Monitors file events on sysctl configuration files. Attackers may tamper the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.
+  condition: (payload.filename ENDS_WITH "/sysctl.conf" OR payload.filename ENDS_WITH "/sysctl.d" ) 
+    AND (payload.flags CONTAINS "O_WRONLY" OR payload.flags CONTAINS "O_RDWR" OR payload.flags CONTAINS "O_CREAT")
+    AND NOT (header.image ENDS_WITH "/dockerd")
+

rules/defense_evasion/kill_command_exec.yaml

@@ -0,0 +1,15 @@
+# Title: Kill command executed
+
+# Creation Date: 2025/04/11
+
+# MITRE ATT&CK Tactic: TA0005 - Defense Evasion - https://attack.mitre.org/tactics/TA0005/
+
+# MITRE ATT&CK Technique: T1562 - Impair defense - https://attack.mitre.org/techniques/T1562/
+
+- name: Kill command executed
+  type: Exec
+  category: defense_evasion
+  severity: low
+  description: Detects the execution of kill, pkill, and killall commands on Linux systems. Attackers may use these commands 
+    to kill security tools or other processes to evade detection or disrupt system operations.
+  condition: payload.filename ENDS_WITH "kill" OR payload.filename ENDS_WITH "pkill" OR payload.filename ENDS_WITH "killall"

rules/defense_evasion/log_files_deleted.yaml

@@ -12,6 +12,27 @@
   severity: medium
   description: Detects the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic 
     evidence on a system.
-  condition: payload.filename IN ["/var/run/utmp", "/var/log/wtmp", "/var/log/btmp", "/var/log/lastlog", "/var/log/faillog", 
-    "/var/log/syslog", "/var/log/messages", "/var/log/secure", "/var/log/auth.log", "/var/log/boot.log", "/var/log/kern.log"]
-    AND NOT header.image IN ["/usr/bin/gzip", "/usr/bin/executor", "/usr/bin/dockerd"]
+  condition: (
+      payload.filename ENDS_WITH "/var/run/utmp" OR
+      payload.filename ENDS_WITH "/var/log/wtmp" OR
+      payload.filename ENDS_WITH "/var/log/btmp" OR
+      payload.filename ENDS_WITH "/var/log/lastlog" OR
+      payload.filename ENDS_WITH "/var/log/faillog" OR
+      payload.filename ENDS_WITH "/var/log/syslog" OR
+      payload.filename ENDS_WITH "/var/log/messages" OR
+      payload.filename ENDS_WITH "/var/log/secure" OR
+      payload.filename ENDS_WITH "/var/log/auth.log" OR
+      payload.filename ENDS_WITH "/var/log/boot.log" OR
+      payload.filename ENDS_WITH "/var/log/kern.log"
+    )
+    AND NOT header.image IN [
+      "/usr/bin/gzip", "/bin/gzip", "/usr/bin/zip", "/usr/bin/bzip2", "/bin/xz", "/usr/bin/xz", "/usr/bin/zstd",
+      "/usr/bin/compress", "/usr/bin/journalctl", "/usr/bin/logrotate"
+    ]
+
+- name: Truncate log files
+  type: FileOpened
+  category: defense_evasion
+  severity: medium
+  description: Detects the truncation of log files. Adversaries may truncate log files to remove evidence of their activities on the system.
+  condition: payload.filename STARTS_WITH "/var/log" AND payload.flags CONTAINS "O_TRUNC"