[New Rule] Abnormal Process ID File Creation (elastic#1964)

* adding rule detection

* changed Rule ID

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Adding reboot extension as well.

Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Adding reboot to description.

Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Added additional reference to similar threat.

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Co-authored-by: Justin Ibarra <[email protected]>

* added rule for a process starting where the executable's name represented a PID file

* Adjusted user.id value from integer to string

* Added simple investigation notes and osquery coverage

* TOML linting

* Updated date to reflect recent changes

Co-authored-by: Colson Wilhoit <[email protected]>
Co-authored-by: Justin Ibarra <[email protected]>

rules/linux/execution_abnormal_process_id_file_created.toml

@@ -0,0 +1,81 @@
+[metadata]
+creation_date = "2022/05/11"
+maturity = "production"
+updated_date = "2022/05/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs)
+directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage
+other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising
+itself or these files as legitimate PID files.
+"""
+false_positives = [
+    """
+    False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To
+    differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious.
+    """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Abnormal Process ID or Lock File Created"
+note = """## Triage and analysis
+
+### Investigating Abnormal Process ID or Lock File Created
+Detection alerts from this rule indicate that an unusual PID file was created and could potentially have alternate purposes during an intrusion.  Here are some possible avenues of investigation:
+- Run the following in Osquery to quickly identify unsual PID file size: "SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%pid';"
+- Examine the history of this file creation and from which process it was created by using the "lsof" command.
+- Examine the contents of the PID file itself, simply by running the "cat" command to determine if the expected process ID integer exists and if not, the PID file is not legitimate.
+- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation."""
+references = [
+    "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/",
+    "https://twitter.com/GossiTheDog/status/1522964028284411907",
+    "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
+]
+risk_score = 43
+rule_id = "cac91072-d165-11ec-a764-f661ea17fbce"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+/* add file size filters when data is available */
+file where event.type == "creation" and user.id == "0" and
+    file.path regex~ """/var/run/\w+\.(pid|lock|reboot)""" and file.extension in ("pid","lock","reboot") and
+
+    /* handle common legitimate files */
+
+    not file.name in (
+    "auditd.pid",
+    "python*",
+    "apport.pid",
+    "apport.lock",
+    "kworker*",
+    "gdm3.pid",
+    "sshd.pid",
+    "acpid.pid",
+    "unattended-upgrades.lock",
+    "unattended-upgrades.pid",
+    "cmd.pid",
+    "cron*.pid"
+    )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1106"
+name = "Native API"
+reference = "https://attack.mitre.org/techniques/T1106/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/linux/execution_process_started_from_process_id_file.toml

@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2022/05/11"
+maturity = "production"
+updated_date = "2022/05/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage
+paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous
+copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables
+and other tasks, disguising itself or these files as legitimate PID files.
+"""
+false_positives = [
+    """
+    False-Positives (FP) should be at a minimum with this detection as PID files are meant to hold process IDs, not
+    inherently be executables that spawn processes.
+    """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Process Started from Process ID (PID) File"
+note = """## Triage and analysis
+
+### Investigating Process Started from Process ID (PID) File
+Detection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. Here are some possible avenues of investigation:
+- Examine parent and child process relationships of the new process to determine if other processes are running.
+- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: "SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';"
+- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation."""
+references = [
+    "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/",
+    "https://twitter.com/GossiTheDog/status/1522964028284411907",
+    "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
+]
+risk_score = 73
+rule_id = "3688577a-d196-11ec-90b0-f661ea17fbce"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and user.id == "0" and process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)"""
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+