Conversation

@Aegrah Aegrah commented Dec 23, 2025

PR 5511 Reviewer Summary

Why

This PR updates and refines a broad set of Linux privilege escalation detection rules. The changes aim to:

  • Improve detection accuracy and reduce false positives.
  • Enhance triage and investigation guidance for analysts.
  • Update risk scoring and severity to better reflect threat impact.
  • Expand or clarify exclusions and exceptions for legitimate system/admin activity.
  • Mark certain rules as deprecated where appropriate.

What Changed

General:

  • All rules updated with updated_date = "2025/12/23".
  • Many rules received expanded or newly added note sections with detailed triage, false positive, and response guidance.
  • Several rules had their risk_score and severity adjusted to better reflect risk.
  • Exclusion logic and exception lists were expanded in many queries to reduce noise.

Notable Rule-Specific Changes:

  • privilege_escalation_chown_chmod_unauthorized_file_read

    • risk_score increased from 21 → 47, severity from low → medium.
  • privilege_escalation_container_util_misconfiguration

    • risk_score increased from 47 → 73, severity from medium → high.
    • Investigation guide (note) expanded and improved.
  • privilege_escalation_cve_2025_32463_nsswitch_file_creation

    • Expanded file path exclusions in the query to reduce false positives.
  • privilege_escalation_cve_2025_41244_vmtoolsd_lpe

    • risk_score decreased from 47 → 21, severity from medium → low.
    • Query expanded with additional exclusions for benign process activity.
  • privilege_escalation_dac_permissions

    • risk_score decreased from 47 → 21, severity from medium → low.
    • Investigation guide (note) added.
    • Query exclusions expanded for parent processes and executables.
  • privilege_escalation_docker_escape_via_nsenter

    • Rule renamed to "Potential Docker Escape via Nsenter".
    • Query now excludes parent process /opt/teleport/system/bin/teleport.
    • Investigation guide (note) improved.
  • privilege_escalation_docker_release_file_creation

    • Query now excludes benign executables (e.g., /usr/bin/podman, /usr/bin/git).
  • privilege_escalation_ld_preload_shared_object_modif

    • Investigation guide (note) added.
    • new_terms field changed from ["host.id", "user.id", "process.executable"] to ["agent.id"].
    • history_window_start reduced from 10d → 5d.
  • privilege_escalation_linux_uid_int_max_bug

    • Rule marked as "Deprecated".
    • Investigation guide (note) added.
  • privilege_escalation_load_and_unload_of_kernel_via_kexec

    • Query expanded to exclude more benign parent processes and arguments.
  • privilege_escalation_mount_launched_inside_container

    • Investigation guide (note) added.
    • Query expanded to exclude more benign parent processes and arguments.
  • privilege_escalation_netcon_via_sudo_binary

    • Rule marked as "Deprecated".
    • Investigation guide (note) added.
  • privilege_escalation_potential_suid_sgid_exploitation

    • Query expanded to include more process names and arguments, and to exclude more benign parent processes.
  • privilege_escalation_potential_suid_sgid_proxy_execution

    • risk_score increased from 21 → 47, severity from low → medium.
    • Query expanded to exclude more benign parent executables.
  • privilege_escalation_potential_wildcard_shell_spawn

    • Query expanded to exclude more working directories associated with Steam.
  • privilege_escalation_shadow_file_read

    • Investigation guide (note) added.
    • Query expanded to exclude more benign executables and parent names.
    • history_window_start reduced from 10d → 5d.
  • privilege_escalation_sudo_cve_2019_14287

    • risk_score increased from 47 → 73, severity from medium → high.
  • privilege_escalation_sudo_hijacking

    • Investigation guide (note) added.
    • Query expanded to exclude more benign process names and executables.
  • privilege_escalation_suspicious_cap_setuid_python_execution

    • risk_score increased from 47 → 73, severity from medium → high.
    • Investigation guide (note) added.
  • privilege_escalation_suspicious_uid_guid_elevation

    • Investigation guide (note) added.
    • Query expanded to exclude more benign parent executables, command lines, and working directories.
  • privilege_escalation_uid_change_post_compilation

    • risk_score increased from 47 → 73, severity from medium → high.
    • Investigation guide (note) added.
  • privilege_escalation_uid_elevation_from_unknown_executable

    • risk_score increased from 47 → 73, severity from medium → high.
    • Investigation guide (note) added.
    • Query expanded to exclude more benign process names.
  • privilege_escalation_unshare_namespace_manipulation

    • Query expanded to exclude more benign parent arguments and executables.

Behavioral Impact

  • Improved Detection Quality: Higher risk and severity for critical rules will prioritize the most dangerous threats.
  • Reduced False Positives: Expanded exclusions and more precise queries will reduce alert fatigue for analysts.
  • Better Triage: New and improved investigation guides provide actionable steps for analysts, improving response quality and speed.
  • Deprecation: Some rules are now marked as deprecated, signaling to users that they should be replaced or are no longer recommended.

Risks / Edge Cases

  • Potential Missed Detections: Aggressive exclusions may inadvertently suppress some true positives if legitimate attack techniques mimic benign activity.
  • Rule Deprecation: Deprecated rules may still be in use in some environments; ensure migration to newer rules where possible.
  • Operational Overhead: Analysts may need to review and update their own exception lists and playbooks to align with new guidance and exclusions.

Rollout Notes

  • Review and Test: Carefully review the updated rules and test in a staging environment before full production rollout.
  • Update Playbooks: Update SOC/IR playbooks to leverage the new triage and response guidance.
  • Monitor for Gaps: After deployment, monitor for any missed detections or unexpected alert suppression due to new exclusions.
  • Deprecation Handling: Identify and replace any deprecated rules in your environment.

@Aegrah Aegrah self-assigned this Dec 23, 2025
@Aegrah Aegrah added labels Dec 23, 2025: OS: Linux; Rule: Tuning (tweaking or tuning an existing rule); Team: TRADE
@github-actions

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving the quality and integrity of the data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Results
  • ❌ Potential Shell via Wildcard Injection Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential CVE-2025-32463 Nsswitch File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Recently Compiled Executable (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privilege Escalation via SUID/SGID (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Network Connection via Sudo Binary (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via SUID/SGID Proxy Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Unauthorized Access via Wildcard Injection Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Load or Unload via Kexec Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Docker Release File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Docker Escape via Nsenter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Modification of Dynamic Linker Preload Shared Object (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UID Elevation from Previously Unknown Executable (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Sudo Hijacking (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Sudo Privilege Escalation via CVE-2019-14287 (eql)
  • ❌ Potential Shadow File Read via Command Line Utilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privilege Escalation via CAP_SETUID/SETGID Capabilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Python cap_setuid (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Container Misconfiguration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Mount Launched Inside a Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Namespace Manipulation Using Unshare (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Linux DAC permissions (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
