Potential Buffer Overflow Attack Detected

Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short time interval could indicate application exploitation attempts.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/12/11"
 3maturity = "production"
 4min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 5min_stack_version = "8.3.0"
 6updated_date = "2023/12/11"
 7
 8[rule]
 9author = ["Elastic"]
10description = """
11Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a
12threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short
13time interval could indicate application exploitation attempts.
14"""
15from = "now-9m"
16index = [".alerts-security.*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Potential Buffer Overflow Attack Detected"
20risk_score = 21
21rule_id = "b7c05aaf-78c2-4558-b069-87fa25973489"
22setup = """
23
24This rule leverages alert data from other prebuilt detection rules to function correctly. 
25
26### Dependent Elastic Detection Rule Enablement
27As a higher-order rule (based on other detections), this rule also requires the following prerequisite Elastic detection rule to be installed and enabled:
28- Segfault Detected (5c81fc9d-1eae-437f-ba07-268472967013)
29
30"""
31severity = "low"
32tags = [
33        "Domain: Endpoint",
34        "OS: Linux",
35        "Use Case: Threat Detection",
36        "Tactic: Privilege Escalation",
37        "Tactic: Initial Access",
38        "Use Case: Vulnerability",
39        "Rule Type: Higher-Order Rule"
40        ]
41timestamp_override = "event.ingested"
42type = "threshold"
43query = '''
44kibana.alert.rule.rule_id:5c81fc9d-1eae-437f-ba07-268472967013 and event.kind:signal
45'''
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49
50[[rule.threat.technique]]
51id = "T1068"
52name = "Exploitation for Privilege Escalation"
53reference = "https://attack.mitre.org/techniques/T1068/"
54
55[rule.threat.tactic]
56id = "TA0004"
57name = "Privilege Escalation"
58reference = "https://attack.mitre.org/tactics/TA0004/"
59
60[[rule.threat]]
61framework = "MITRE ATT&CK"
62
63[[rule.threat.technique]]
64id = "T1190"
65name = "Exploit Public-Facing Application"
66reference = "https://attack.mitre.org/techniques/T1190/"
67
68[rule.threat.tactic]
69id = "TA0001"
70name = "Initial Access"
71reference = "https://attack.mitre.org/tactics/TA0001/"
72
73[rule.threshold]
74field = ["event.kind", "host.id"]
75value = 100

Related rules

to-top