Suspicious which Enumeration

This rule monitors for usage of the which command with an unusual number of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that can be used, after compromising a system, to escalate privileges or move laterally across the network.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/08/30"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/03/08"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage
13the which command to enumerate the system for useful installed utilities that may be used after compromising a system to
14escalate privileges or move latteraly across the network. 
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Suspicious which Enumeration"
21risk_score = 21
22rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde"
23severity = "low"
24tags = [
25        "Domain: Endpoint",
26        "OS: Linux",
27        "Use Case: Threat Detection",
28        "Tactic: Discovery",
29        "Data Source: Elastic Defend",
30        "Data Source: Elastic Endgame"
31        ]
32timestamp_override = "event.ingested"
33type = "eql"
34query = '''
35process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
36process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" and 
37not process.args == "--tty-only"
38
39/* potential tuning if rule would turn out to be noisy
40and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and 
41process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
42*/ 
43'''
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47
48[[rule.threat.technique]]
49id = "T1082"
50name = "System Information Discovery"
51reference = "https://attack.mitre.org/techniques/T1082/"
52
53[rule.threat.tactic]
54id = "TA0007"
55name = "Discovery"
56reference = "https://attack.mitre.org/tactics/TA0007/"
