nldcsc-elastic-rules 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl

nldcsc_elastic_rules/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml

@@ -0,0 +1,250 @@
+[metadata]
+creation_date = "2025/11/23"
+integration = ["aws", "endpoint"]
+maturity = "production"
+updated_date = "2025/11/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of Living Off the Land Binaries (LOLBins) or GTFOBins on EC2 instances via AWS Systems Manager
+(SSM) `SendCommand` API. This detection correlates AWS CloudTrail `SendCommand` events with endpoint process execution
+by matching SSM command IDs. While AWS redacts command parameters in CloudTrail logs, this correlation technique reveals
+the actual commands executed on EC2 instances. Adversaries may abuse SSM to execute malicious commands remotely without
+requiring SSH or RDP access, using legitimate system utilities for data exfiltration, establishing reverse shells, or
+lateral movement.
+"""
+false_positives = [
+    """
+    Legitimate administrative tasks using SSM to run system utilities may trigger this rule. Review the command context,
+    user identity, and timing to determine if the activity is authorized.
+    """,
+    """
+    Automated configuration management or monitoring scripts that use LOLBins via SSM for legitimate purposes. Consider
+    excluding known automation accounts or specific command patterns.
+    """,
+]
+from = "now-9m"
+interval = "8m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS EC2 LOLBin Execution via SSM SendCommand"
+note = """## Triage and analysis
+
+### Investigating AWS EC2 LOLBin Execution via SSM SendCommand
+
+AWS Systems Manager (SSM) enables remote command execution on EC2 instances without SSH/RDP access. While legitimate for administration, adversaries exploit this by running LOLBins—system utilities abused for malicious purposes like data theft or backdoors. This detection correlates CloudTrail API logs with endpoint telemetry using SSM command IDs, bypassing AWS's parameter redaction to reveal actual executed commands and identify suspicious activity.
+
+This is an ESQL aggregation-based rule, thus all original event fields and detail may not be present in the alert. It is recommended to pivot into the raw events from both data sources for full context during investigation.
+
+### Possible investigation steps
+
+- Review the SSM command ID in the alert to track the full lifecycle of the command from initiation to execution across both CloudTrail and endpoint data
+- Examine the CloudTrail user identity, including the ARN and access key ID, to determine who initiated the SSM command and verify if the activity is authorized
+- Analyze the command lines of the executed LOLBins to understand what commands were run and assess their intent, looking for indicators of data exfiltration, reverse shells, or reconnaissance
+- Check the source IP address and user agent from the CloudTrail event to identify if the request came from an expected location or tool
+- Investigate the affected EC2 instances for other suspicious activities or signs of compromise during the same timeframe, including network connections and file modifications
+- Review the SSM shell process details to see the full context of what the SSM agent executed and identify the parent-child process relationships
+- Correlate the timing between the CloudTrail event and endpoint execution to ensure they occurred within the detection window and represent the same activity
+- Check if the same user identity or source IP has executed similar SSM commands on other EC2 instances in your environment
+
+### False positive analysis
+
+- Routine administrative scripts that use utilities like curl, wget, or python for legitimate configuration management should be documented and excluded by user identity or source IP
+- Automated monitoring tools that execute commands via SSM for health checks or data collection can be filtered by identifying their consistent patterns and access key IDs
+- DevOps CI/CD pipelines that deploy or test applications using SSM may trigger alerts; create exceptions based on known automation roles or specific command patterns
+- Security scanning tools that legitimately use SSM for vulnerability assessments should be allowlisted by their known IAM roles or source IPs
+- Scheduled maintenance tasks using LOLBins for backup, log rotation, or data synchronization can be excluded by command pattern matching or execution timing
+
+### Response and remediation
+
+- Immediately isolate the affected EC2 instance from the network to prevent further unauthorized command execution or lateral movement
+- Review AWS CloudTrail logs to identify the IAM user, role, or access key associated with the suspicious SSM command and revoke or rotate compromised credentials
+- Terminate any unauthorized processes identified on the endpoint that match the LOLBin execution patterns detected in the alert
+- Conduct a forensic analysis of the affected EC2 instance to identify any persistence mechanisms, backdoors, or data exfiltration indicators
+- Implement stricter IAM policies to limit SSM `SendCommand` permissions to only trusted users and roles, following the principle of least privilege
+- Enable multi-factor authentication (MFA) for IAM users with SSM execution privileges to reduce the risk of credential compromise
+- Review and update VPC security groups and network ACLs to restrict outbound traffic from EC2 instances to only necessary destinations, preventing data exfiltration
+- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional AWS resources or accounts have been compromised
+"""
+references = [
+    "https://www.mitiga.io/blog/abusing-the-amazon-web-services-ssm-agent-as-a-remote-access-trojan",
+    "https://www.kali.org/tools/pacu/",
+    "https://www.100daysofredteam.com/p/ghost-in-the-cloud-abusing-aws-ssm",
+    "https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/",
+    "https://gtfobins.github.io/",
+]
+risk_score = 47
+rule_id = "a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Domain: Endpoint",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Tactic: Command and Control",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS CloudTrail",
+    "Data Source: AWS EC2",
+    "Data Source: AWS SSM",
+    "Data Source: AWS Systems Manager",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-aws.cloudtrail*, logs-endpoint.events.process-* METADATA _id, _version, _index
+| WHERE
+  // CloudTrail SSM SendCommand with AWS-RunShellScript
+  (
+    event.dataset == "aws.cloudtrail"
+    AND event.action == "SendCommand"
+    AND aws.cloudtrail.request_parameters LIKE "*documentName=AWS-RunShellScript*"
+  )
+  // Linux endpoint process events, prefiltered to SSM shell runner OR LOLBins/GTFOBins
+  OR
+  (
+    event.dataset == "endpoint.events.process"
+    AND host.os.type == "linux"
+    AND (
+      // SSM shell (_script.sh) runner
+      process.command_line LIKE "%/document/orchestration/%/awsrunShellScript/%/_script.sh"
+      // LOLBins / GTFOBins
+      OR process.name IN (
+        "base64",
+        "curl",
+        "wget",
+        "openssl",
+        "nc", "ncat", "netcat",
+        "socat",
+        "python", "python3",
+        "perl",
+        "php",
+        "ruby",
+        "ssh",
+        "scp",
+        "sftp",
+        "rsync"
+      )
+    )
+  )
+
+// Endpoint leg: extract SSM command ID from parent command line
+| DISSECT process.parent.command_line
+    "%{}/document/orchestration/%{Esql.process_parent_command_line_ssm_command_id}/%{}"
+
+// CloudTrail leg: extract SSM command ID from response_elements
+| DISSECT aws.cloudtrail.response_elements
+    "%{}commandId=%{Esql.aws_cloudtrail_response_elements_ssm_command_id},%{}"
+
+// Coalesce SSM command ID from both data sources
+| EVAL Esql.aws_ssm_command_id = COALESCE(
+    Esql.aws_cloudtrail_response_elements_ssm_command_id,
+    Esql.process_parent_command_line_ssm_command_id
+)
+| WHERE Esql.aws_ssm_command_id IS NOT NULL
+
+// Role flags
+| EVAL Esql.is_cloud_event    = event.dataset == "aws.cloudtrail"
+| EVAL Esql.is_endpoint_event = event.dataset == "endpoint.events.process"
+
+// Identify the SSM shell processes (the _script.sh runners)
+| EVAL Esql.is_ssm_shell_process =
+    Esql.is_endpoint_event
+    AND process.command_line LIKE "%/document/orchestration/%/awsrunShellScript/%/_script.sh"
+
+// LOLBins / GTFOBins on Linux
+| EVAL Esql.is_lolbin_process =
+    Esql.is_endpoint_event AND NOT Esql.is_ssm_shell_process
+
+// Aggregate per SSM command ID
+| STATS
+    // Core correlation counts & timing
+    Esql.aws_cloudtrail_event_count                 = SUM(CASE(Esql.is_cloud_event, 1, 0)),
+    Esql.endpoint_events_process_lolbin_count       = SUM(CASE(Esql.is_lolbin_process, 1, 0)),
+    Esql.endpoint_events_process_ssm_shell_count    = SUM(CASE(Esql.is_ssm_shell_process, 1, 0)),
+    Esql.aws_cloudtrail_first_event_ts              = MIN(CASE(Esql.is_cloud_event, @timestamp, null)),
+    Esql.endpoint_events_process_first_lolbin_ts    = MIN(CASE(Esql.is_lolbin_process, @timestamp, null)),
+
+    // AWS / CloudTrail identity & request context
+    Esql_priv.aws_cloudtrail_user_identity_arn_values          =
+      VALUES(CASE(Esql.is_cloud_event, aws.cloudtrail.user_identity.arn, null)),
+    Esql_priv.aws_cloudtrail_user_identity_access_key_id_values =
+      VALUES(CASE(Esql.is_cloud_event, aws.cloudtrail.user_identity.access_key_id, null)),
+    Esql_priv.user_name_values                                 =
+      VALUES(CASE(Esql.is_cloud_event, user.name, null)),
+
+    // AWS environment / request metadata
+    Esql.cloud_region_values     = VALUES(CASE(Esql.is_cloud_event, cloud.region, null)),
+    Esql.source_ip_values        = VALUES(CASE(Esql.is_cloud_event, source.ip, null)),
+    Esql.user_agent_original_values =
+      VALUES(CASE(Esql.is_cloud_event, user_agent.original, null)),
+
+    // Endpoint host & user context
+    Esql.host_name_values        = VALUES(CASE(Esql.is_endpoint_event, host.name, null)),
+    Esql_priv.endpoint_user_name_values =
+      VALUES(CASE(Esql.is_endpoint_event, user.name, null)),
+
+    // SSM shell processes on endpoint
+    Esql.process_command_line_ssm_shell_values =
+      VALUES(CASE(Esql.is_ssm_shell_process, process.command_line, null)),
+    Esql.process_pid_ssm_shell_values =
+      VALUES(CASE(Esql.is_ssm_shell_process, process.pid, null)),
+
+    // LOLBin processes on endpoint
+    Esql.process_name_lolbin_values =
+      VALUES(CASE(Esql.is_lolbin_process, process.name, null)),
+    Esql.process_executable_lolbin_values =
+      VALUES(CASE(Esql.is_lolbin_process, process.executable, null)),
+    Esql.process_command_line_lolbin_values =
+      VALUES(CASE(Esql.is_lolbin_process, process.command_line, null)),
+    Esql.process_pid_lolbin_values =
+      VALUES(CASE(Esql.is_lolbin_process, process.pid, null)),
+    Esql.process_parent_command_line_lolbin_values =
+      VALUES(CASE(Esql.is_lolbin_process, process.parent.command_line, null)),
+
+    Esql.data_stream_namespace_values = VALUES(data_stream.namespace)
+  BY Esql.aws_ssm_command_id
+
+// Detection condition: SSM SendCommand + AWS-RunShellScript + LOLBin on endpoint
+| WHERE Esql.aws_cloudtrail_event_count > 0
+  AND Esql.endpoint_events_process_lolbin_count > 0
+  AND DATE_DIFF(
+        "minutes",
+        Esql.endpoint_events_process_first_lolbin_ts,
+        Esql.aws_cloudtrail_first_event_ts
+      ) <= 5
+| SORT Esql.aws_cloudtrail_first_event_ts ASC
+| KEEP Esql.*, Esql_priv.*
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1651"
+name = "Cloud Administration Command"
+reference = "https://attack.mitre.org/techniques/T1651/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+

nldcsc_elastic_rules/rules/{linux/persistence_nodejs_pre_or_post_install_script_execution.toml → cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml}

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/09/18"
-integration = ["endpoint", "crowdstrike"]
+integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/12/03"
 
 [rule]
 author = ["Elastic"]
@@ -13,11 +13,15 @@ this technique to execute arbitrary commands on the system and establish persist
 was observed in the wild as part of the Shai-Hulud worm.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
+index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Node.js Pre or Post-Install Script Execution"
-references = ["https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise"]
+references = [
+    "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
+    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
+    "https://www.elastic.co/blog/shai-hulud-worm-2-0-updated-response",
+]
 risk_score = 47
 rule_id = "0871a5d8-6b5f-4a12-a568-fd7bc05bd8db"
 setup = """## Setup
@@ -49,6 +53,7 @@ severity = "medium"
 tags = [
   "Domain: Endpoint",
   "OS: Linux",
+  "OS: macOS",
   "Use Case: Threat Detection",
   "Tactic: Persistence",
   "Tactic: Execution",
@@ -56,35 +61,18 @@ tags = [
   "Data Source: Elastic Defend",
   "Resources: Investigation Guide",
   "Data Source: Crowdstrike",
+  "Data Source: SentinelOne",
 ]
 type = "eql"
 query = '''
 sequence by host.id with maxspan=10s
-  [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.name == "node" and process.args == "install"] by process.entity_id
-  [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.parent.name == "node"] by process.parent.entity_id
+  [process where host.os.type in ("linux", "macos") and event.type == "start" and event.action in ("exec", "ProcessRollup2", "start") and process.name == "node" and process.args == "install"] by process.entity_id
+  [process where host.os.type in ("linux", "macos") and event.type == "start" and event.action in ("exec", "ProcessRollup2", "start") and process.parent.name == "node"] by process.parent.entity_id
 '''
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-
-[[rule.threat.technique]]
-id = "T1574"
-name = "Hijack Execution Flow"
-reference = "https://attack.mitre.org/techniques/T1574/"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -95,6 +83,16 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.005"
+name = "Malicious Library"
+reference = "https://attack.mitre.org/techniques/T1204/005/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -103,6 +101,24 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"

nldcsc_elastic_rules/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml

@@ -0,0 +1,146 @@
+[metadata]
+creation_date = "2025/11/27"
+integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
+maturity = "production"
+updated_date = "2025/11/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the creation of privileged containers that mount host directories into the container's filesystem.
+Such configurations can be exploited by attackers to escape the container isolation and gain access to the host system,
+potentially leading to privilege escalation and lateral movement within the environment.
+"""
+from = "now-9m"
+index = [
+    "auditbeat-*",
+    "endgame-*",
+    "logs-auditd_manager.auditd-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process*",
+    "logs-sentinel_one_cloud_funnel.*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Privileged Container Creation with Host Directory Mount"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Privileged Container Creation with Host Directory Mount
+
+This rule flags creation of a privileged container that bind-mounts host directories into the container filesystem, breaking isolation and granting direct access to host files and devices. An attacker on a compromised node starts a privileged container via the runtime, bind-mounts the host root (/:) inside it, then chroots and alters critical files or services to seize host control, persist, and pivot.
+
+### Possible investigation steps
+
+- Retrieve the full process tree and execution context (user, controlling TTY, parent, remote source IP) to identify who initiated the container and whether it aligns with a sanctioned change.
+- Run runtime introspection to confirm the container’s mounts and privileges (e.g., docker ps/inspect or CRI equivalents), capturing the container ID, exact hostPath mappings, image, entrypoint, and start time.
+- If orchestrated, correlate with Kubernetes events and kubelet logs at the same timestamp to find any Pod using privileged: true with hostPath volumes, recording the namespace, service account, controller, and requestor.
+- Review audit and file integrity telemetry after container start for host-impacting actions such as chroot into the mount, nsenter into host namespaces, or writes to critical paths (/etc/passwd, /etc/sudoers, /root/.ssh, /var/lib/kubelet, and systemd unit directories).
+- Assess image provenance and intent by resolving the image digest and registry, reviewing history/entrypoint for post-start tooling, and validating with service owners or allowlists whether this privileged host-mount is expected on this node.
+
+### False positive analysis
+
+- An administrator uses docker run --privileged with -v /:/host during a break-glass or troubleshooting session to edit host files or restart services, matching the pattern but aligned with an approved maintenance procedure.
+- Automated provisioning or upgrade workflows intentionally start a privileged container that bind-mounts / to apply system configuration, install packages, or manage kernel modules during node bootstrap, producing an expected event.
+
+### Response and remediation
+
+- Immediately stop and remove the privileged container by its ID using docker, cordon the node to prevent scheduling, and temporarily disable the Docker/CRI socket to block further privileged runs.
+- Preserve forensic artifacts (docker inspect output, container image and filesystem, bash history, /var/log) and remediate by diffing and restoring critical paths (/etc, /root/.ssh, /etc/systemd/system, /var/lib/kubelet), removing rogue users, SSH keys, and systemd units.
+- Rotate credentials potentially exposed by the host mount (SSH keys, kubelet certs, cloud tokens under /var/lib/kubelet or /root), patch the container runtime, and uncordon or rejoin the node only after verifying privileged runs and host-root mounts are blocked.
+- Escalate to incident response if the mount included "/" or if evidence shows chroot or nsenter into host namespaces or writes to /etc/passwd, /etc/sudoers, or systemd unit files, and initiate host reimage and broader fleet scoping.
+- Enforce controls that deny --privileged and hostPath of "/" via admission policy (Pod Security Standards, Kyverno, OPA Gatekeeper), drop CAP_SYS_ADMIN with seccomp/AppArmor, enable Docker userns-remap and no-new-privileges, and restrict membership in the docker group.
+- Establish a break-glass approval workflow and an allowlist for legitimate host mounts, enable file integrity monitoring on /etc and kubelet directories, and add runtime rules to alert and block future docker run -v /:/host attempts."""
+references = [
+    "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
+    "https://socket.dev/blog/shai-hulud-strikes-again-v2",
+    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
+    "https://unit42.paloaltonetworks.com/container-escape-techniques/",
+]
+risk_score = 73
+rule_id = "d1f310cb-5921-4d37-bbdf-cfdab7a6df9c"
+setup = """## Setup
+This rule requires data coming in from Elastic Defend.
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "Domain: Container",
+    "OS: Linux",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Data Source: Elastic Defend",
+    "Data Source: Elastic Endgame",
+    "Data Source: Auditd Manager",
+    "Data Source: Crowdstrike",
+    "Data Source: SentinelOne",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
+process.name == "docker" and process.args == "--privileged" and process.args == "run" and
+process.args == "-v" and process.args like "/:/*" and
+not (
+  (process.args == "aktosecurity/mirror-api-logging:k8s_ebpf" and process.args == "akto-api-security-traffic-collector") or
+  (process.args like "goharbor/prepare:*" and process.args in ("/:/hostfs", "/:/hostfs/"))
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"

nldcsc_elastic_rules/rules/cross-platform/execution_register_github_actions_runner.toml

@@ -0,0 +1,126 @@
+[metadata]
+creation_date = "2025/11/26"
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
+maturity = "production"
+updated_date = "2025/11/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary.
+When a machine is registered to a remote repository, its owner gains the ability to execute arbitrary workflow commands on that host.
+Unexpected or unauthorized runner registration may indicate adversarial activity aimed at establishing remote code execution
+via malicious GitHub workflows.
+"""
+false_positives = [
+    "Authorized github repository with no malicious workflow actions.",
+]
+from = "now-9m"
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-system.security*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+    "auditbeat-*",
+    "logs-auditd_manager.auditd-*"
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Remote GitHub Actions Runner Registration"
+note = """## Triage and analysis
+
+### Investigating Remote GitHub Actions Runner Registration
+
+Unexpected or unauthorized Github actions runner registration may indicate adversarial activity aimed at establishing remote code execution via malicious GitHub workflows.
+
+### Possible investigation steps
+
+- Review the remote repository details and reputation.
+- Examine the remote repository for any suspicious workflows run commands in the `.github/workflows` folder.
+- Examine the execution context like process tree, associated network and file activities.
+- Verify if there is adjascent any sensitive file access or collection.
+- Correlate with other alerts and investiguate if this activity is related to a supply chain attack.
+
+### False positive analysis
+
+- Authorized configuration changes.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.
+- Terminate any suspicious child processes that were initiated by the registered Github actions runner.
+- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise.
+- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.
+- Implement application whitelisting to prevent unauthorized execution.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
+references = [
+    "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
+    "https://socket.dev/blog/shai-hulud-strikes-again-v2",
+]
+risk_score = 47
+rule_id = "57e118c1-19eb-4c20-93a6-8a6c30a5b48b"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Tactic: Initial Access",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+    "Data Source: Auditd Manager",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
+ process.name in ("Runner.Listener", "Runner.Listener.exe") and
+ process.args == "configure" and process.args == "--url" and process.args == "--token"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+