Potential Disabling of AppArmor

This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/08/28"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/08/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces 
13fine-grained access control policies to restrict the actions and resources that specific applications and processes can
14access. Adversaries may disable security tools to avoid possible detection of their tools and activities.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Disabling of AppArmor"
21risk_score = 21
22rule_id = "fac52c69-2646-4e79-89c0-fd7653461010"
23severity = "low"
24tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
25timestamp_override = "event.ingested"
26type = "eql"
27query = '''
28process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (
29  (process.name == "systemctl" and process.args == "disable" and process.args == "apparmor") or
30  (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args : "/etc/apparmor.d/disable/")
31)
32'''
33
34[[rule.threat]]
35framework = "MITRE ATT&CK"
36
37[[rule.threat.technique]]
38id = "T1562"
39name = "Impair Defenses"
40reference = "https://attack.mitre.org/techniques/T1562/"
41
42[[rule.threat.technique.subtechnique]]
43id = "T1562.001"
44name = "Disable or Modify Tools"
45reference = "https://attack.mitre.org/techniques/T1562/001/"
46
47[rule.threat.tactic]
48id = "TA0005"
49name = "Defense Evasion"
50reference = "https://attack.mitre.org/tactics/TA0005/"
