Potential Disabling of AppArmor

  1[metadata]
  2creation_date = "2023/08/28"
  3integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces
 11fine-grained access control policies to restrict the actions and resources that specific applications and processes can
 12access. Adversaries may disable security tools to avoid possible detection of their tools and activities.
 13"""
 14from = "now-9m"
 15index = [
 16    "auditbeat-*",
 17    "endgame-*",
 18    "logs-auditd_manager.auditd-*",
 19    "logs-crowdstrike.fdr*",
 20    "logs-endpoint.events.process*",
 21    "logs-sentinel_one_cloud_funnel.*",
 22]
 23language = "eql"
 24license = "Elastic License v2"
 25name = "Potential Disabling of AppArmor"
 26note = """## Triage and analysis
 27
 28> **Disclaimer**:
 29> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 30
 31### Investigating Potential Disabling of AppArmor
 32
 33AppArmor is a Linux security module that enforces strict access controls, limiting what applications can do. Adversaries may attempt to disable AppArmor to evade detection and freely execute malicious activities. The detection rule identifies suspicious processes attempting to stop or disable AppArmor services, such as using commands like `systemctl` or `service` with specific arguments, indicating potential tampering with security defenses.
 34
 35### Possible investigation steps
 36
 37- Review the process details to confirm the command used, focusing on the process name and arguments, such as "systemctl", "service", "chkconfig", or "ln" with arguments related to AppArmor.
 38- Check the user account associated with the process execution to determine if it is a legitimate user or potentially compromised.
 39- Investigate the host's recent activity logs to identify any other suspicious behavior or anomalies around the time the alert was triggered.
 40- Examine the system's AppArmor status to verify if it has been disabled or tampered with, and assess any potential impact on system security.
 41- Correlate this event with other alerts or logs from the same host or user to identify patterns or a broader attack campaign.
 42- Consult threat intelligence sources to determine if there are known adversaries or malware that commonly attempt to disable AppArmor in similar ways.
 43
 44### False positive analysis
 45
 46- Routine system maintenance activities may trigger this rule, such as administrators stopping AppArmor for legitimate updates or configuration changes. To manage this, create exceptions for known maintenance windows or specific administrator accounts.
 47- Automated scripts or configuration management tools like Ansible or Puppet might stop or disable AppArmor as part of their deployment processes. Identify these scripts and whitelist their execution paths or associated user accounts.
 48- Testing environments where security modules are frequently enabled and disabled for testing purposes can generate false positives. Consider excluding these environments from the rule or adjusting the rule's sensitivity for these specific hosts.
 49- Some legitimate software installations may require temporarily disabling AppArmor. Monitor installation logs and correlate them with the rule triggers to identify and exclude these benign activities.
 50- In environments where AppArmor is not actively used or managed, the rule may trigger on default system actions. Evaluate the necessity of monitoring AppArmor in such environments and adjust the rule scope accordingly.
 51
 52### Response and remediation
 53
 54- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary.
 55- Terminate any suspicious processes identified by the detection rule, specifically those attempting to disable AppArmor, to halt any ongoing malicious activities.
 56- Conduct a thorough review of system logs and process execution history to identify any additional indicators of compromise or related malicious activities.
 57- Restore AppArmor to its intended operational state by re-enabling the service and ensuring all security policies are correctly applied.
 58- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected.
 59- Implement enhanced monitoring on the affected system and similar environments to detect any future attempts to disable AppArmor or other security controls.
 60- Review and update access controls and permissions to ensure that only authorized personnel can modify security settings, reducing the risk of similar incidents."""
 61risk_score = 21
 62rule_id = "fac52c69-2646-4e79-89c0-fd7653461010"
 63setup = """## Setup
 64
 65This rule requires data coming in from Elastic Defend.
 66
 67### Elastic Defend Integration Setup
 68Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 69
 70#### Prerequisite Requirements:
 71- Fleet is required for Elastic Defend.
 72- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 73
 74#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 75- Go to the Kibana home page and click "Add integrations".
 76- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 77- Click "Add Elastic Defend".
 78- Configure the integration name and optionally add a description.
 79- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 80- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 81- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 82- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 83For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 84- Click "Save and Continue".
 85- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 86For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 87"""
 88severity = "low"
 89tags = [
 90    "Domain: Endpoint",
 91    "OS: Linux",
 92    "Use Case: Threat Detection",
 93    "Tactic: Defense Evasion",
 94    "Data Source: Elastic Defend",
 95    "Data Source: Elastic Endgame",
 96    "Data Source: Auditd Manager",
 97    "Data Source: Crowdstrike",
 98    "Data Source: SentinelOne",
 99    "Resources: Investigation Guide",
100]
101timestamp_override = "event.ingested"
102type = "eql"
103
104query = '''
105process where host.os.type == "linux" and event.type == "start" and
106 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
107 (
108  (process.name == "systemctl" and process.args in ("stop", "disable", "kill") and process.args in ("apparmor", "apparmor.service")) or
109  (process.name == "service" and process.args == "apparmor" and process.args == "stop") or
110  (process.name == "chkconfig" and process.args == "apparmor" and process.args == "off") or
111  (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args == "/etc/apparmor.d/disable/")
112)
113'''
114
115
116[[rule.threat]]
117framework = "MITRE ATT&CK"
118[[rule.threat.technique]]
119id = "T1562"
120name = "Impair Defenses"
121reference = "https://attack.mitre.org/techniques/T1562/"
122[[rule.threat.technique.subtechnique]]
123id = "T1562.001"
124name = "Disable or Modify Tools"
125reference = "https://attack.mitre.org/techniques/T1562/001/"
126
127
128
129[rule.threat.tactic]
130id = "TA0005"
131name = "Defense Evasion"
132reference = "https://attack.mitre.org/tactics/TA0005/"