
Conversation


@Aegrah Aegrah commented Dec 18, 2025

Pull Request Summary

Why

This PR updates and strengthens a wide range of Linux defense evasion detection rules. The focus is on improving detection accuracy, expanding data source coverage, increasing risk prioritization, and adding more robust filtering to reduce false positives and benign activity.


What changed

  • General Enhancements

    • Many rules have refreshed updated_date fields for traceability.
    • Several rules have increased risk scores and severity levels (e.g., from "low" to "medium"/"high", risk score from 21/47 to 47/73).
    • Additional event actions, process names, and parent-process filters were added to the detection logic for broader coverage and fewer false positives.
    • Index patterns expanded to cover more log sources (e.g., logs-auditd_manager.auditd-*, logs-crowdstrike.fdr*, logs-sentinel_one_cloud_funnel.*, endgame-*, auditbeat-*).
    • New exclusions for known benign processes, paths, and parent executables to reduce noise.
    • New terms rules now use agent.id instead of host.id and have shorter history windows (e.g., from 10d/14d to 5d).
  • Rule-Specific Notes

    • defense_evasion_rename_esxi_vmware_files.toml
      • Now also detects suspicious renaming of index.html in /usr/lib/vmware/.
      • Excludes more benign executables.
    • defense_evasion_rename_esxi_index_file.toml
      • Rule is now marked as Deprecated and renamed accordingly.
      • Investigation notes updated to clarify deprecation.
    • defense_evasion_root_certificate_installation.toml
      • Expanded parent process and working directory exclusions for more accurate detection.
    • defense_evasion_selinux_configuration_creation_or_renaming.toml
      • Excludes more benign process names and executables.
    • defense_evasion_ssl_certificate_deletion.toml
      • Excludes more benign process names and executables.
      • Now requires process.executable to be non-null.
    • defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
      • Severity increased from "low" to "medium", risk score from 21 to 47.
    • defense_evasion_suspicious_path_mounted.toml
      • Severity increased from "low" to "medium", risk score from 21 to 47.
      • Excludes more benign parent executables.
    • defense_evasion_symlink_binary_to_writable_dir.toml
      • New terms now use agent.id instead of host.id, history window shortened to 5d.
      • Excludes more benign parent executables and arguments.
    • defense_evasion_sysctl_kernel_feature_activity.toml
      • Severity increased from "low" to "medium", risk score from 21 to 47.
      • Excludes more benign parent executables and command lines.
    • defense_evasion_unsual_kill_signal.toml
      • Severity increased from "medium" to "high", risk score from 47 to 73.
    • defense_evasion_unusual_preload_env_vars.toml
      • New terms history window shortened from 14d to 5d.
      • Excludes more benign parent executables and names.
    • defense_evasion_var_log_file_creation_by_unsual_process.toml
      • Severity increased from "low" to "medium", risk score from 21 to 47.
      • Excludes more benign process executables.
      • New terms history window shortened to 5d.

Behavioral impact

  • Increased detection coverage for defense evasion techniques across more data sources and event types.
  • Higher severity and risk scores will prioritize these alerts in SOC workflows.
  • More robust filtering and exclusions should reduce false positives and alert fatigue.
  • Alerts will now include richer context for investigation.
  • Deprecated rules will no longer be maintained; users should migrate to newer alternatives.

Risks/edge cases

  • Expanding index patterns and integrations could introduce noise if new data sources are not properly filtered or normalized.
  • Broader event action and process name coverage could increase false positives if not carefully tuned.
  • More aggressive filtering may inadvertently exclude some true positives if not validated in production.
  • Deprecated rules may still be in use in some environments; ensure migration to supported rules.

Rollout notes

  • Ensure new data sources are ingested and mapped correctly before enabling updated rules.
  • Monitor for increased alert volume or false positives after deployment.
  • Communicate changes in detection logic, severity, and exclusions to SOC analysts.
  • Consider phased rollout or additional tuning if noise increases.
  • Review and update any playbooks or automations that reference these rules, especially deprecated ones.

@Aegrah Aegrah self-assigned this Dec 18, 2025
@Aegrah Aegrah added OS: Linux Rule: Tuning tweaking or tuning an existing rule Team: TRADE labels Dec 18, 2025
@github-actions

Rule: Tuning - Guidelines

These guidelines serve as a reminder of the considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving the quality and integrity of the data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.


tradebot-elastic commented Dec 18, 2025

⛔️ Test failed

Results
  • ❌ Multi-Base64 Decoding Attempt from Suspicious Location (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker (ld.so) Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Clear Logs via Journalctl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable Masquerading as Kernel Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Kubectl Masquerading via Unexpected Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kernel Feature Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Impersonation Attempt via Kubectl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Base64 Decoded Payload Piped to Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Defense Evasion via PRoot (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Path Mounted (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Root Certificate Installation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of Hidden Shared Object File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SSL Certificate Deletion (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SELinux Configuration Creation or Renaming (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Renaming of ESXI Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Interactive Shell Launched from System User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Preload Environment Variable Process Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Log File Deletion (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Hidden Directory Creation via Unusual Parent (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of Hidden Files and Directories via CommandLine (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Suspicious Renaming of ESXI index.html File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Kernel Module Removal (eql)
  • ❌ Unusual Kill Signal (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System Binary Symlink to Suspicious Location (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Hidden Process via Mount Hidepid (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Creation in /var/log via Suspicious Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potentially Suspicious Process Started via tmux or screen (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kill Command Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Process Name Stomping with Prctl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta


file where host.os.type == "linux" and event.type == "deletion" and file.path : "/etc/ssl/certs/*" and
file.extension in ("pem", "crt") and not process.name in ("dockerd", "pacman")
file where host.os.type == "linux" and event.type == "deletion" and process.executable != null and
file.path : "/etc/ssl/certs/*" and file.extension in ("pem", "crt") and
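Review bot: the added `process.executable != null` clause in the new query silently drops any certificate deletion event that arrives without that field, and the PR summary says index patterns across these rules were widened to sources such as logs-auditd_manager.auditd-* and logs-crowdstrike.fdr*; please confirm each added source populates `process.executable` on file deletion events, otherwise the change is a coverage loss for those sources rather than a false-positive reduction, and consider `not process.executable in (...)` without the null requirement if it is not guaranteed. The hunk also ends on a dangling `and`, so the exclusion list that replaces `not process.name in ("dockerd", "pacman")` is not visible here for review.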

Do we care about /etc/ssl/private/* as well or PKI directories such as /etc/pki/tls/certs/* and /etc/pki/tls/private/*?

Most web servers are not fixed as I recall and are set in a config somewhere. I don't believe we should account for those here, but just a thought about web server coverage.


4 participants