diff --git a/data_sources/linux_messages_syslog.yml b/data_sources/linux_messages_syslog.yml new file mode 100644 index 0000000000..fb2ac17175 --- /dev/null +++ b/data_sources/linux_messages_syslog.yml @@ -0,0 +1,55 @@ +name: Linux Messages Syslog +id: c9e3bbb5-e0a2-4bac-8457-227e71841bda +version: 2 +date: '2025-01-23' +author: Patrick Bareiss, Splunk +description: Logs kernel events on a Linux system, including + service starts/stops, hardware events, authentication notices, and other OS-level activity. +mitre_components: +- Service Modification +- Service Metadata +- OS API Execution +- Application Log Content +source: /var/log/kern +sourcetype: linux_messages_syslog +supported_TA: +- name: Splunk Add-on for Unix and Linux + url: https://splunkbase.splunk.com/app/833 + version: 10.2.0 +fields: +- _time +- action +- app +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- date_wday +- date_year +- date_zone +- dest +- dvc +- eventtype +- host +- index +- linecount +- pid +- process +- punct +- source +- sourcetype +- splunk_server +- src +- src_port +- sshd_protocol +- tag +- tag::action +- tag::eventtype +- timeendpos +- timestartpos +- user +- user_name +- vendor_action +- vendor_product +example_log: 'May 6 17:24:00 ubuntu kernel: [ 801.664268] NET: Registered PF_ALG protocol family' \ No newline at end of file diff --git a/detections/endpoint/linux_malformed_auth_entry.yml b/detections/endpoint/linux_malformed_auth_entry.yml new file mode 100644 index 0000000000..09cc4c5949 --- /dev/null +++ b/detections/endpoint/linux_malformed_auth_entry.yml @@ -0,0 +1,63 @@ +name: Linux Malformed Auth Entry +id: 962602e9-08ae-47ff-af89-a1e83f461a26 +version: 1 +date: '2026-05-06' +author: Raven Tait, Splunk +status: production +type: TTP +description: The following analytic detects when su runs from a page-cache-corrupted binary. When this happens a partial corruption of its runtime state can prevent it from resolving the identity of the calling user. Under normal conditions, su logs both the target account and the invoking user. When exploitation has occurred via this path, the invoking username field is absent.. This activity is significant because it indicates a possible privilege escalation attempt, allowing a user to gain root access. If confirmed malicious, an attacker could achieve full control over the system, execute arbitrary commands, and compromise the entire environment. +data_source: + - Linux Secure +search: | + sourcetype=linux_secure process=su + | rex "su:\s+\(to\s+(?\S+)\)(?\s{2,})on\s+(?\S+)" + | where len(ltrim(source_user)) == 0 + | stats + count as total_attempts, + min(_time) as first_seen, + max(_time) as last_seen, + values(target_user) as target_users, + values(host) as dest + by process + | `linux_malformed_auth_entry_filter` +how_to_implement: To successfully implement this search, you need to have relevant authentication logs ingested with the Splunk Add-On for Unix and Linux (https://splunkbase.splunk.com/app/833). +known_false_positives: No known false positives. +references: + - https://xint.io/blog/copy-fail-linux-distributions + - https://github.com/theori-io/copy-fail-CVE-2026-31431 + - https://github.com/Neo23x0/auditd/blob/master/audit.rules +drilldown_searches: + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" +rba: + message: Malformed authentication entry on $dest$ indicating possible privilege escalation. + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: [] +tags: + analytic_story: + - Linux Privilege Escalation + asset_type: Endpoint + mitre_attack_id: + - T1068 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: + - CVE-2026-31431 +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/linux_auditd_copy_fail/auth.log + source: /var/log/secure + sourcetype: linux_secure diff --git a/detections/endpoint/linux_pf_alg_registration_outside_of_boot_window.yml b/detections/endpoint/linux_pf_alg_registration_outside_of_boot_window.yml new file mode 100644 index 0000000000..521f6e1ae4 --- /dev/null +++ b/detections/endpoint/linux_pf_alg_registration_outside_of_boot_window.yml @@ -0,0 +1,61 @@ +name: Linux PF_ALG Registration Outside of Boot Window +id: 8a9684ae-52e6-4a57-aea4-8a9f72942564 +version: 1 +date: '2026-05-11' +author: Raven Tait, Splunk +status: production +type: TTP +description: The following analytic detects when the AF_ALG kernel crypto socket interface being loaded more than 300 seconds after system boot, which is a primary kernel-level indicator of Copy Fail (CVE-2026-31431) exploitation activity on Debian and Ubuntu family systems. The AF_ALG interface is required by the exploit to access the vulnerable authencesn crypto code path, and on systems where it is not auto-loaded at boot, its on-demand registration by an unprivileged process is a strong indicator of exploitation in progress. +data_source: + - Linux Messages Syslog +search: | + sourcetype="linux_messages_syslog" "NET: Registered PF_ALG protocol family" + | rex field=_raw "kernel: \[\s*(?[\d\.]+)\]" + | eval uptime_seconds=tonumber(uptime_seconds) + | where uptime_seconds > 300 + | eval uptime_readable=tostring(round(uptime_seconds/60,1)) . " minutes after boot" + | rename host as dest + | table _time dest uptime_seconds uptime_readable _raw + | sort -uptime_seconds + | `linux_pf_alg_registration_outside_of_boot_window_filter` +how_to_implement: To successfully implement this search, you need to have relevant kernel logs ingested with the Splunk Add-On for Unix and Linux (https://splunkbase.splunk.com/app/833). +known_false_positives: AF_ALG can be legitimately loaded after boot by on-demand LUKS volume mounts, IPsec VPN clients establishing tunnels, or OpenSSL deployments with the afalg engine enabled, making this signal most reliable on dedicated server infrastructure where these operations are handled at boot time. +references: + - https://xint.io/blog/copy-fail-linux-distributions + - https://github.com/theori-io/copy-fail-CVE-2026-31431 + - https://github.com/Neo23x0/auditd/blob/master/audit.rules +drilldown_searches: + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" +rba: + message: AF_ALG instantiated after boot on $dest$ indicating possible privilege escalation. + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: [] +tags: + analytic_story: + - Linux Privilege Escalation + asset_type: Endpoint + mitre_attack_id: + - T1068 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: + - CVE-2026-31431 +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/linux_auditd_copy_fail/kern.log + source: /var/log/kern + sourcetype: linux_messages_syslog diff --git a/detections/endpoint/linux_su_launch_process_with_null_argv.yml b/detections/endpoint/linux_su_launch_process_with_null_argv.yml new file mode 100644 index 0000000000..77abd106aa --- /dev/null +++ b/detections/endpoint/linux_su_launch_process_with_null_argv.yml @@ -0,0 +1,67 @@ +name: Linux Su Launch Process with Null Argv +id: 0085652a-e682-45a2-a40c-5bb68b8f260e +version: 1 +date: '2026-05-12' +author: Raven Tait, Splunk +status: production +type: TTP +description: The following analytic detects kernel-level events where a setuid binary launches a shell or interpreter with a NULL argument vector, which occurs when a privilege escalation exploit gains root and executes a shell via execve() without constructing a legitimate argument array. +data_source: + - Linux Messages Syslog +search: | + sourcetype="linux_messages_syslog" "NULL argv" "empty string added" + | rex field=_raw "process '(?[^']+)' launched '(?[^']+)' with NULL argv" + | where isnotnull(launching_process) AND isnotnull(launched_process) + | stats + count AS occurrences, + min(_time) AS firstTime, + max(_time) AS lastTime, + values(_raw) AS message, + values(host) AS dest + by host, launching_process, launched_process + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | table dest, launching_process, launched_process, + firstTime, lastTime, occurrences, message + | `linux_su_launch_process_with_null_argv_filter` +how_to_implement: To successfully implement this search, you need to have relevant kernel logs ingested with the Splunk Add-On for Unix and Linux (https://splunkbase.splunk.com/app/833). +known_false_positives: Legitimate false positives are rare but can occur when custom or poorly written setuid binaries, PAM modules, or login frameworks invoke shells programmatically without constructing a proper argv array. However, mainstream setuid binaries like su, sudo, and pkexec on modern Linux distributions always pass arguments, so any hit involving those specific processes should be treated as high confidence. +references: + - https://www.elastic.co/security-labs/copy-fail-dirtyfrag-linux-page-bugs-in-the-wild + - https://www.elastic.co/security-labs/copy-fail-dirtyfrag-linux-page-bugs-in-the-wild +drilldown_searches: + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" +rba: + message: Su spawned process with NULL argv on $dest$ indicating possible privilege escalation. + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: [] +tags: + analytic_story: + - Linux Privilege Escalation + asset_type: Endpoint + mitre_attack_id: + - T1068 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: + - CVE-2026-43284 + - CVE-2026-43500 +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/linux_dirtyfrag/kern.log + source: /var/log/kern + sourcetype: linux_messages_syslog diff --git a/detections/endpoint/linux_suspicious_namespace_creation.yml b/detections/endpoint/linux_suspicious_namespace_creation.yml new file mode 100644 index 0000000000..510b36e494 --- /dev/null +++ b/detections/endpoint/linux_suspicious_namespace_creation.yml @@ -0,0 +1,113 @@ +name: Linux Suspicious Namespace Creation +id: 039dbee4-39d8-4ad0-a43a-df4db3a41990 +version: 1 +date: '2026-05-12' +author: Raven Tait, Splunk +status: production +type: TTP +description: The follow analytic detects an unprivileged user invoking the unshare syscall with user namespace flags followed within 120 seconds by a root-owned shell or interpreter spawning under the same parent process, correlating auditd syscall telemetry with Sysmon process creation events to identify the two-step sequence characteristic of user-namespace-based Linux kernel privilege escalation exploits such as DirtyFrag. +data_source: + - Linux Auditd Syscall + - Sysmon for Linux EventID 1 +search: | + type=SYSCALL SYSCALL=unshare + | where uid != "0" AND uid != "4294967295" + | where a0 IN ("10000000","50000000","70000000","10020000","50020000","70020000") + | eval unshare_time=_time, + unshare_pid=pid, + unshare_ppid=ppid, + trigger_uid=uid, + trigger_auid=auid, + trigger_exe=exe, + ns_flags=a0 + | table host, unshare_time, comm, syscall, unshare_pid, unshare_ppid, + trigger_uid, trigger_auid, trigger_exe, ns_flags + | join type=inner host unshare_ppid [ + search `sysmon` EventID=1 User=root + | where match(Image, "/(su|sudo|pkexec|passwd|chsh|newgrp|doas|run0|sg|dash|sh|bash|zsh|fish|ksh|csh|tcsh|ash|mksh|busybox|tmux|screen|node|python[^/]*|perl[^/]*|ruby[^/]*|php[^/]*|lua[^/]*)$") + | eval root_spawn_time=_time, root_pid=ProcessId, + root_exe=Image, root_cmdline=CommandLine, root_parent=ParentProcessId + | rename ParentProcessId AS unshare_ppid + | table host, unshare_ppid, root_spawn_time, root_pid, + root_exe, root_cmdline, root_parent, unshare_time, + action, original_file_name, parent_process, parent_process_exec, + parent_process_guid, parent_process_id, parent_process_name, + parent_process_path, process, process_exec, process_guid, + process_hash, process_id, process_integrity_level, + process_name, process_path, user, user_id, vendor_product + ] + | where (root_spawn_time - unshare_time) >= 0 + | where (root_spawn_time - unshare_time) <= 120 + | eval elapsed_sec=round(root_spawn_time - unshare_time, 2) + | eval ioc_match=case( + ns_flags="50000000", "dirtyfrag (CLONE_NEWUSER|CLONE_NEWNET)", + ns_flags="10000000", "CLONE_NEWUSER only", + ns_flags="70000000", "CLONE_NEWUSER|CLONE_NEWNET|CLONE_NEWPID", + 1=1, "namespace flags="+ns_flags + ) + | rename host as dest + | stats + count AS count, + min(unshare_time) AS firstTime, + max(unshare_time) AS lastTime, + values(trigger_uid) AS trigger_uid, + values(trigger_auid) AS trigger_auid, + values(trigger_exe) AS trigger_exe, + values(ns_flags) AS ns_flags, + values(ioc_match) AS ioc_match, + values(unshare_pid) AS unshare_pid, + values(unshare_ppid) AS unshare_ppid, + values(root_exe) AS root_exe, + values(root_cmdline) AS root_cmdline, + values(root_pid) AS root_pid, + values(elapsed_sec) AS elapsed_sec, + values(process_hash) AS process_hash, + values(vendor_product) AS vendor_product + by dest, comm, syscall + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_suspicious_namespace_creation_filter` +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed. +known_false_positives: No false positives have been identified at this time. +references: + - https://www.elastic.co/security-labs/copy-fail-dirtyfrag-linux-page-bugs-in-the-wild + - https://www.elastic.co/security-labs/copy-fail-dirtyfrag-linux-page-bugs-in-the-wild +drilldown_searches: + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" +rba: + message: Suspicious namespace created on $dest$ indicating possible privilege escalation via DirtyFrag. + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: [] +tags: + analytic_story: + - Linux Privilege Escalation + asset_type: Endpoint + mitre_attack_id: + - T1068 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: + - CVE-2026-43284 + - CVE-2026-43500 +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/linux_dirtyfrag/audit.log + source: auditd + sourcetype: auditd + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/linux_dirtyfrag/linux_sysmon.log + source: Syslog:Linux-Sysmon/Operational + sourcetype: sysmon:linux