⚠️ This version requires crowdsec version >= 1.5 ⚠️

A collection for laurel a post-processing plugin for auditd:

• laurel json log parser
• post exploitation behavior detection

• detect a process calling wget/curl and executing the download script/binary very quickly after

• detect invocation of obfuscated payloads (ie. base64 decode | interpreter)

• detect invocation of scripts/binaries from hidden directories

• detect backdoors trying to "kill competitors" :

  • repeated/fast invokation of rm
  • repeated/fast invokation of kill / pkill

• detect a root suid binary that crashes soon after startup with a SIGSEGV, SIGABRT, SIGBUS or SIGTRAP.

Example acquisition for this collection :

1filenames:
2  - /var/log/laurel/*.log
3labels:
4  type: laurel

The scenario's effectiveness relies on your auditd configuration logging EXECVE :

1auditctl -a exit,always -F arch=b64 -S execve
2auditctl -a exit,always -F arch=b32 -S execve

As an example, you canrestrict it to a specific uid (ie -F euid=33) if you want to monitor only your web server.

As an example, see Florian Roth's example auditd config.

To have nice-looking notifications on auditd alerts, you can use the following format template:

1format: |
2  {{ range . -}}
3  {{$alert := . }}
4  *{{$alert.Scenario}}*
5  {{ range .Events }}
6  `{{.GetMeta "exe"}}` invoked by parent process `{{.GetMeta "parent_progname"}}` (uid={{.GetMeta "uid"}})
7  {{ end -}}
8  {{- end }}

You shouldn't use an existing notification template, as it will not display the full information as it is tailored to IP base alerts.

Once you have setup your notification template, you MUST add a profile to either profiles.yaml or profiles.yaml.local

1name: pid_alert
2filters:
3 - Alert.GetScope() == "pid"
4decisions: []
5notifications:
6  - slack_default
7## Please edit the above line to match your notification name
8on_success: break
9---