[New Rules] User / Group Creation & Privileged Group Addition (#2546)

* [New Rules] user/group creation

* Update rules/linux/persistence_linux_group_creation.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/persistence_linux_user_account_creation.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml

Co-authored-by: Justin Ibarra <[email protected]>

* added backdoor user account

* added host.os.type == linux for unit testing fix

* unit testing fixes

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <[email protected]>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <[email protected]>

* Added OSQuery to Investigation Guides

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <[email protected]>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <[email protected]>

* removed investigation guides to add in future PR

* Fixed some issues with the rules

* fixed typo

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <[email protected]>

* Update rules/linux/persistence_linux_user_account_creation.toml

Co-authored-by: Jonhnathan <[email protected]>

* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml

Co-authored-by: Jonhnathan <[email protected]>

* Update rules/linux/persistence_linux_group_creation.toml

Co-authored-by: Jonhnathan <[email protected]>

---------

Co-authored-by: Justin Ibarra <[email protected]>
Co-authored-by: Jonhnathan <[email protected]>

Author: 3 people

rules/linux/persistence_linux_backdoor_user_creation.toml

@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2023/03/07"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 
+0 to establish persistence on a system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Linux Backdoor User Account Creation"
+risk_score = 47
+rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and
+event.action in ("exec", "exec_event") and process.name == "usermod" and
+process.args : "-u" and process.args : "0" and process.args : "-o"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1136.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1136/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"

rules/linux/persistence_linux_group_creation.toml

@@ -0,0 +1,46 @@
+[metadata]
+creation_date = "2023/02/13"
+integration = ["system"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.
+"""
+from = "now-9m"
+index = ["logs-system.auth-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Linux Group Creation"
+risk_score = 21
+rule_id = "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f"
+severity = "low"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and
+process.name in ("groupadd", "addgroup") and group.name != null
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1136.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1136/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"

rules/linux/persistence_linux_user_account_creation.toml

@@ -0,0 +1,46 @@
+[metadata]
+creation_date = "2023/02/13"
+integration = ["system"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.
+"""
+from = "now-9m"
+index = ["logs-system.auth-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Linux User Account Creation"
+risk_score = 21
+rule_id = "edfd5ca9-9d6c-44d9-b615-1e56b920219c"
+severity = "low"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and
+process.name in ("useradd", "adduser") and user.name != null
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1136.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1136/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"

rules/linux/persistence_linux_user_added_to_privileged_group.toml

@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2023/02/13"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to 
+establish persistence on a system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Linux User Added to Privileged Group"
+risk_score = 47
+rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and
+process.parent.name == "sudo" and
+process.args in ("root", "admin", "wheel", "staff", "sudo",
+                             "disk", "video", "shadow", "lxc", "lxd") and
+(
+  process.name in ("usermod", "adduser") or
+  process.name == "gpasswd" and 
+  process.args in ("-a", "--add", "-M", "--members") 
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1136.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1136/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"