Closed Aegrah closed 1 week ago
These guidelines serve as a reminder set of considerations when proposing a new rule.
creation_date
matches the date of creation PR initially merged.min_stack_version
should support the widest stack versions.name
and description
should be descriptive and not include typos.query
should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json
if not available in an integration.min_stack_comments
and min_stack_version
should be included if the rule is only compatible starting from a specific stack version.index
pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).integration
should align with the index
. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml
template are updated.setup
should include the necessary steps to configure the integration.note
should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).tags
should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS
in the definitions.py file.threat
, techniques
, and subtechniques
should map to ATT&CK always if possible.building_block_type
should be included if the rule is a building block and the rule should be located in the rules_building_block
folder.bypass_bbr_timing
should be included if adding custom lookback timing to the rule.
Summary
A set of vulnerabilities in the CUPS printing system (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177) allows remote unauthenticated attackers to achieve remote code execution (RCE) by sending UDP packets to port 631 or through local network-based attacks, such as spoofing mDNS or DNS-SD advertisements. These flaws affect components like cups-browsed, libcupsfilters, libppd, and foomatic-rip, enabling attackers to replace or install malicious printer configurations, which could lead to arbitrary command execution when a print job is started. The detection rules aim to identify suspicious IPP requests and command execution attempts to mitigate the risk of exploitation from these vulnerabilities.
Detections
This PR adds 5 new detection rules, all focusing on different behaviors that are part of the attack chain:
Cupsd or Foomatic-rip Shell Execution
This rule detects shell executions from the foomatic-rip parent process. This detection rule detects all 33 attempts that we ran with the POC.
Printer User (lp) Shell Execution
This rule detects shell executions from the foomatic-rip parent process through the default printer user (lp). This query is broader, but will only work when your Cups/foomatic-rip processes run as the lp-user. You can alter this query to a different user.name if this is different in your environment.
Network Connection by Cups Foomatic-rip Child
This rule detects network connections initiated by a child processes of foomatic-rip. This should be suspicious. If these services do communicate in your environment, make sure to whitelist destination IP's.
File Creation by Cups Foomatic-rip Child
This rule detects suspicious file creation events executed by child processes of foomatic-rip. The default PoCs test by writing a file to /tmp/, which would be detected through this rule. Additionally, if the attacker were to download a stage and execute it manually afterwards, this rule would detect the file creation event.
This rule excludes
/tmp/gs_*
, because this is the default pattern. If you want to be more secure, remove the white listing. It will become noisier though.Suspicious Execution from Foomatic-rip or Cupsd Parent
This rule detects suspicious process command lines executed by child processes of foomatic-rip and cupsd. The command lines focus on persistence, file downloading, encoding/decoding activity, reverse shells, shared-object loading through GTFOBins and more.
References