detection-rules icon indicating copy to clipboard operation
detection-rules copied to clipboard
verified publisher icon elastic

[Rule Tuning] File Deletion via Shred

Open Aegrah opened this issue 2 months ago • 2 comments

Summary

In the community Slack, an issue was raised where Shai-Hulud 2.0 used something like the shred -uvz command to shred files. Our current logic specifically looked for singular command-line flags; making evasion trivial. This FN tuning PR adds wildcarding to the process arguments to ensure that it will detect this behavior.

Thread: https://elasticstack.slack.com/archives/C016E72DWDS/p1764589273848359?thread_ts=1764345584.144749&cid=C016E72DWDS

Testing

I did not change capitalization, as the command line arguments are parsed case-sensitively. However, it is possible to add two flags to a single -.

ruben@ruben:~$ shred -uz test_file

ruben@ruben:~$ shred -Uz test_file
shred: invalid option -- 'U'
Try 'shred --help' for more information.
ruben@ruben:~$ shred --Remove
shred: unrecognized option '--Remove'
Try 'shred --help' for more information.

Aegrah avatar Dec 01 '25 12:12 Aegrah

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • [ ] Detailed description of the suggested changes.
  • [ ] Provide example JSON data or screenshots.
  • [ ] Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • [ ] Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • [ ] Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • [ ] Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • [ ] Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • [ ] Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • [ ] Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • [ ] Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • [ ] Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • [ ] Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • [ ] updated_date matches the date of tuning PR merged.
  • [ ] min_stack_version should support the widest stack versions.
  • [ ] name and description should be descriptive and not include typos.
  • [ ] query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • [ ] Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • [ ] Ensure that the tuned rule has a low false positive rate.

github-actions[bot] avatar Dec 01 '25 12:12 github-actions[bot]

⛔️ Test failed

Results
  • ❌ File Deletion via Shred (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

tradebot-elastic avatar Dec 01 '25 12:12 tradebot-elastic

⛔️ Test failed

Results
  • ❌ File Deletion via Shred (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

tradebot-elastic avatar Dec 02 '25 09:12 tradebot-elastic

⛔️ Test failed

Results
  • ❌ File Deletion via Shred (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

tradebot-elastic avatar Dec 02 '25 09:12 tradebot-elastic

Updated query

Changed the query based on @w0rk3r's comment; proof of working logic:

{CF4AA4DB-5D72-4327-8F9F-1AB2728F6BC3}

Aegrah avatar Dec 02 '25 09:12 Aegrah