[Rule Tuning] Timeline Templates For Windows and Linux #1892
Rule Tuning: While testing spawning shells with Python, I noticed the following event document. Data: {
"_index": ".ds-logs-endpoint.events.process-default-2022.03.28-000001",
"_id": "Te9B238BDxJNEmTs_fNq",
"_version": 1,
"_score": 1,
"_source": {
"agent": {
"id": "7bc5ce5c-de4a-4b79-81fa-45198c4d75b7",
"type": "endpoint",
"version": "8.2.0-SNAPSHOT"
},
"process": {
"Ext": {
"ancestry": [
"N2JjNWNlNWMtZGU0YS00Yjc5LTgxZmEtNDUxOThjNGQ3NWI3LTEwMjY0LTEzMjkzMTI0NDk5LjQwMDAwMDAw",
"N2JjNWNlNWMtZGU0YS00Yjc5LTgxZmEtNDUxOThjNGQ3NWI3LTEwMjYzLTEzMjkzMTI0NDk4Ljg5MDAwMDAwMA==",
"N2JjNWNlNWMtZGU0YS00Yjc5LTgxZmEtNDUxOThjNGQ3NWI3LTEwMTg5LTEzMjkzMTI0NDk2Ljk1MDAwMDAwMA==",
"N2JjNWNlNWMtZGU0YS00Yjc5LTgxZmEtNDUxOThjNGQ3NWI3LTg5Mi0xMzI5MzEyMTcyMS4w",
"N2JjNWNlNWMtZGU0YS00Yjc5LTgxZmEtNDUxOThjNGQ3NWI3LTEtMTMyOTMxMjE3MDAuMA=="
]
},
"args": [
"python3",
"-c",
"import pty; pty.spawn(\"/bin/sh\")"
],
"parent": {
"args": [
"-bash"
],
"name": "bash",
"pid": 10264,
"args_count": 0,
"entity_id": "N2JjNWNlNWMtZGU0YS00Yjc5LTgxZmEtNDUxOThjNGQ3NWI3LTEwMjY0LTEzMjkzMTI0NDk5LjQwMDAwMDAw",
"command_line": "-bash",
"executable": "/bin/bash"
},
"exit_code": 0,
"name": "python3",
"pid": 10285,
"args_count": 0,
"entity_id": "N2JjNWNlNWMtZGU0YS00Yjc5LTgxZmEtNDUxOThjNGQ3NWI3LTEwMjg1LTEzMjkzMTI0NTkxLjUwMDAwMDAwMA==",
"command_line": "python3 -c import pty; pty.spawn(\"/bin/sh\")",
"executable": "/usr/bin/python3",
"hash": {
"sha1": "9b6d3f9d2129510da043a88f23c1d7dafdf8d104",
"sha256": "2e833afd6114ff314d879486c01ec19d3d94ef6f8c808d193fb329c98c674097",
"md5": "9822d4931aea8fb83f794d2d54c3c992"
}
},
"message": "Endpoint process event",
"@timestamp": "2022-03-30T14:36:38.2671779Z",
"ecs": {
"version": "1.11.0"
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "endpoint.events.process"
},
"elastic": {
"agent": {
"id": "7bc5ce5c-de4a-4b79-81fa-45198c4d75b7"
}
},
"host": {
"hostname": "ubuntu-tdejesus",
"os": {
"Ext": {
"variant": "Ubuntu"
},
"kernel": "5.13.0-1019-gcp #23~20.04.1-Ubuntu SMP Mon Mar 7 13:39:50 UTC 2022",
"name": "Linux",
"family": "ubuntu",
"type": "linux",
"version": "20.04.4",
"platform": "ubuntu",
"full": "Ubuntu 20.04.4"
},
"ip": [
"127.0.0.1",
"::1",
"10.142.0.52",
"fe80::4001:aff:fe8e:34"
],
"name": "ubuntu-tdejesus",
"id": "c78e287bbb0a5328e28b435c97de1cd0",
"mac": [
"42:01:0a:8e:00:34"
],
"architecture": "x86_64"
},
"event": {
"agent_id_status": "verified",
"sequence": 62669,
"ingested": "2022-03-30T14:36:49Z",
"created": "2022-03-30T14:36:38.2671779Z",
"kind": "event",
"module": "endpoint",
"action": "end",
"id": "MYFVxCublyiVcrVQ++++01D+",
"category": [
"process"
],
"type": [
"end"
],
"dataset": "endpoint.events.process"
},
"user": {
"Ext": {
"real": {
"id": 1022
}
},
"id": 1022
},
"group": {
"Ext": {
"real": {
"id": 1023
}
},
"id": 1023
}
},
"fields": {
"process.hash.md5": [
"9822d4931aea8fb83f794d2d54c3c992"
],
"host.os.full.text": [
"Ubuntu 20.04.4"
],
"process.command_line.caseless": [
"python3 -c import pty; pty.spawn(\"/bin/sh\")"
],
"event.category": [
"process"
],
"process.name.text": [
"python3"
],
"host.os.name.text": [
"Linux"
],
"host.os.full": [
"Ubuntu 20.04.4"
],
"process.parent.command_line": [
"-bash"
],
"process.parent.name": [
"bash"
],
"process.parent.pid": [
10264
],
"process.hash.sha256": [
"2e833afd6114ff314d879486c01ec19d3d94ef6f8c808d193fb329c98c674097"
],
"host.hostname": [
"ubuntu-tdejesus"
],
"process.pid": [
10285
],
"host.mac": [
"42:01:0a:8e:00:34"
],
"elastic.agent.id": [
"7bc5ce5c-de4a-4b79-81fa-45198c4d75b7"
],
"process.parent.entity_id": [
"N2JjNWNlNWMtZGU0YS00Yjc5LTgxZmEtNDUxOThjNGQ3NWI3LTEwMjY0LTEzMjkzMTI0NDk5LjQwMDAwMDAw"
],
"host.os.version": [
"20.04.4"
],
"host.os.name": [
"Linux"
],
"host.name": [
"ubuntu-tdejesus"
],
"event.agent_id_status": [
"verified"
],
"event.kind": [
"event"
],
"user.id": [
"1022"
],
"host.os.type": [
"linux"
],
"process.Ext.ancestry": [
"N2JjNWNlNWMtZGU0YS00Yjc5LTgxZmEtNDUxOThjNGQ3NWI3LTEwMjY0LTEzMjkzMTI0NDk5LjQwMDAwMDAw",
"N2JjNWNlNWMtZGU0YS00Yjc5LTgxZmEtNDUxOThjNGQ3NWI3LTEwMjYzLTEzMjkzMTI0NDk4Ljg5MDAwMDAwMA==",
"N2JjNWNlNWMtZGU0YS00Yjc5LTgxZmEtNDUxOThjNGQ3NWI3LTEwMTg5LTEzMjkzMTI0NDk2Ljk1MDAwMDAwMA==",
"N2JjNWNlNWMtZGU0YS00Yjc5LTgxZmEtNDUxOThjNGQ3NWI3LTg5Mi0xMzI5MzEyMTcyMS4w",
"N2JjNWNlNWMtZGU0YS00Yjc5LTgxZmEtNDUxOThjNGQ3NWI3LTEtMTMyOTMxMjE3MDAuMA=="
],
"user.Ext.real.id": [
"1022"
],
"data_stream.type": [
"logs"
],
"process.parent.args_count": [
0
],
"host.architecture": [
"x86_64"
],
"process.name": [
"python3"
],
"agent.id": [
"7bc5ce5c-de4a-4b79-81fa-45198c4d75b7"
],
"process.parent.executable.text": [
"/bin/bash"
],
"ecs.version": [
"1.11.0"
],
"event.created": [
"2022-03-30T14:36:38.267Z"
],
"agent.version": [
"8.2.0-SNAPSHOT"
],
"host.os.family": [
"ubuntu"
],
"process.command_line.text": [
"python3 -c import pty; pty.spawn(\"/bin/sh\")"
],
"group.id": [
"1023"
],
"process.entity_id": [
"N2JjNWNlNWMtZGU0YS00Yjc5LTgxZmEtNDUxOThjNGQ3NWI3LTEwMjg1LTEzMjkzMTI0NTkxLjUwMDAwMDAwMA=="
],
"process.parent.name.text": [
"bash"
],
"host.ip": [
"127.0.0.1",
"::1",
"10.142.0.52",
"fe80::4001:aff:fe8e:34"
],
"event.sequence": [
62669
],
"process.executable.caseless": [
"/usr/bin/python3"
],
"agent.type": [
"endpoint"
],
"process.executable.text": [
"/usr/bin/python3"
],
"event.module": [
"endpoint"
],
"host.os.kernel": [
"5.13.0-1019-gcp #23~20.04.1-Ubuntu SMP Mon Mar 7 13:39:50 UTC 2022"
],
"host.os.full.caseless": [
"ubuntu 20.04.4"
],
"process.name.caseless": [
"python3"
],
"host.id": [
"c78e287bbb0a5328e28b435c97de1cd0"
],
"process.exit_code": [
0
],
"process.executable": [
"/usr/bin/python3"
],
"process.parent.name.caseless": [
"bash"
],
"process.parent.executable.caseless": [
"/bin/bash"
],
"process.parent.executable": [
"/bin/bash"
],
"process.parent.command_line.text": [
"-bash"
],
"process.args_count": [
0
],
"data_stream.namespace": [
"default"
],
"process.args": [
"python3",
"-c",
"import pty; pty.spawn(\"/bin/sh\")"
],
"message": [
"Endpoint process event"
],
"host.os.Ext.variant": [
"Ubuntu"
],
"process.parent.args": [
"-bash"
],
"group.Ext.real.id": [
"1023"
],
"event.action": [
"end"
],
"event.ingested": [
"2022-03-30T14:36:49.000Z"
],
"@timestamp": [
"2022-03-30T14:36:38.267Z"
],
"host.os.platform": [
"ubuntu"
],
"process.parent.command_line.caseless": [
"-bash"
],
"event.type": [
"end"
],
"data_stream.dataset": [
"endpoint.events.process"
],
"process.command_line": [
"python3 -c import pty; pty.spawn(\"/bin/sh\")"
],
"process.hash.sha1": [
"9b6d3f9d2129510da043a88f23c1d7dafdf8d104"
],
"event.id": [
"MYFVxCublyiVcrVQ++++01D+"
],
"host.os.name.caseless": [
"linux"
],
"event.dataset": [
"endpoint.events.process"
]
}
}
Findings/Notes/Questions
Build only checks for Generic
Looks like the builds fail if you try to use a comprehensive timeline template.
Missing Generic File and Registry Timeline Templates
Looks like we are missing a Generic File Timeline and a Generic Registry Timeline template — or maybe that was intentional?
How to check if a template fits the rule
The best way to verify this is to use Security > Timelines > Templates, select your template, and then add the additional parameters to the query to see whether the document shows up.
Automated Generation of the Template References on Build
If these templates are going to stay this generic, then we may be able to auto-generate the [sentence truncated in source]
Generic Threat Match Timeline Template
Not exactly sure where this data resides or how to check the list it is matching against. I assume this is a blacklist of IoCs that we match against.
Generic Network Timeline Template
Currently this is based on [sentence truncated in source]
Just update this with the new comprehensive template IDs and names and it will pass the tests: detection-rules/detection_rules/schemas/definitions.py, lines 40 to 45 in a3d7427
…ck comments and versions
Co-authored-by: Justin Ibarra <[email protected]>
LGTM once passing (and pip files removed)
Removing pipfile
deleting pipfile.lock
Issues
Resolves #1879
Summary
The following rules were chosen to test these timeline templates.
Process Tracking
All information regarding steps taken can be found in this gdoc