Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[New Rule] Potential Buffer Overflow Attack Detected #3312

Merged
merged 10 commits into from
Jan 22, 2024
Merged

[New Rule] Potential Buffer Overflow Attack Detected #3312

Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
f8e32a6
[New Rule] Potential Buffer Overflow Attack
Aegrah Dec 11, 2023
d87ac8d
Added timestamp_override
Aegrah Dec 11, 2023
d3fa394
Merge branch 'main' into new-rule-potential-bufferoverflow-detected
Aegrah Dec 12, 2023
9ecf2bf
Merge branch 'main' into new-rule-potential-bufferoverflow-detected
Aegrah Jan 4, 2024
65431d2
Update privilege_escalation_potential_bufferoverflow_attack.toml
Aegrah Jan 4, 2024
c0abad1
Merge branch 'main' into new-rule-potential-bufferoverflow-detected
Aegrah Jan 5, 2024
06899b4
Merge branch 'main' into new-rule-potential-bufferoverflow-detected
shashank-elastic Jan 22, 2024
1bfeee9
Update privilege_escalation_potential_bufferoverflow_attack.toml
Aegrah Jan 22, 2024
7c5c8cc
Update rules/linux/privilege_escalation_potential_bufferoverflow_atta…
Aegrah Jan 22, 2024
ab96dd3
Update rules/linux/privilege_escalation_potential_bufferoverflow_atta…
Aegrah Jan 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 76 additions & 0 deletions rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
[metadata]
creation_date = "2023/12/11"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/11"

[rule]
author = ["Elastic"]
description = """
Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a
threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short
time interval could indicate application exploitation attempts.
"""
from = "now-9m"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Buffer Overflow Attack Detected"
risk_score = 21
rule_id = "b7c05aaf-78c2-4558-b069-87fa25973489"
setup = """

This rule leverages alert data from other prebuilt detection rules to function correctly.

### Dependent Elastic Detection Rule Enablement
As a higher-order rule (based on other detections), this rule also requires the following prerequisite Elastic detection rule to be installed and enabled:
- Segfault Detected (5c81fc9d-1eae-437f-ba07-268472967013)

"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Tactic: Initial Access",
"Use Case: Vulnerability",
"Rule Type: Higher-Order Rule"
]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
kibana.alert.rule.rule_id:5c81fc9d-1eae-437f-ba07-268472967013 and event.kind:signal
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.threshold]
field = ["event.kind", "host.id"]
value = 100

Loading