Skip to content

[New Rules] LiteLLM & Trivy TeamPCP Compromise#5885

Merged
Mikaayenson merged 26 commits intomainfrom
litellm-coverage-new-rules
Mar 26, 2026
Merged

[New Rules] LiteLLM & Trivy TeamPCP Compromise#5885
Mikaayenson merged 26 commits intomainfrom
litellm-coverage-new-rules

Conversation

@Aegrah
Copy link
Copy Markdown
Contributor

@Aegrah Aegrah commented Mar 26, 2026

Summary

Several new rules related to the LiteLLM & Trivy Compromises by TeamPCP.

@Aegrah Aegrah self-assigned this Mar 26, 2026
@Aegrah Aegrah added Rule: New Proposal for new rule Team: TRADE labels Mar 26, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 26, 2026

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Samirbous
Samirbous reviewed Mar 26, 2026
View reviewed changes
Aegrah and others added 2 commits March 26, 2026 13:05
@Aegrah @Samirbous
Apply suggestion from @Samirbous
cf6b17d 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
@Aegrah @Samirbous
Apply suggestion from @Samirbous
d09a46c 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Aegrah and others added 2 commits March 26, 2026 15:35
@Aegrah @Samirbous
Update rules/cross-platform/collection_data_encrypted_via_openssl.toml
65368f4 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
@Aegrah @Samirbous
Update rules/cross-platform/collection_data_encrypted_via_openssl.toml
b0eec23 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Aegrah Aegrah requested a review from Mikaayenson March 26, 2026 15:08
Mikaayenson
Mikaayenson approved these changes Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Mikaayenson Mikaayenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixing tags should address the unit tests.

Aegrah and others added 3 commits March 26, 2026 16:21
@Aegrah @terrancedejesus
Update rules/cross-platform/execution_suspicious_python_command_execu…
f87c28f 
…tion.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
@Aegrah @terrancedejesus
Update rules/cross-platform/execution_suspicious_python_command_execu…
6470290 
…tion.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
@Aegrah @Mikaayenson
Update rules/cross-platform/defense_evasion_data_encrypted_via_openss…
94f157a 
…l.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Aegrah @Mikaayenson
Update rules/cross-platform/defense_evasion_data_encrypted_via_openss…
095521d 
…l.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Chroot Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Python Shell Command Execution (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Secret Access via Unusual User Agent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Data Encrypted via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Aegrah
Copy link
Copy Markdown
Contributor Author

Aegrah commented Mar 26, 2026

ESQL Validation

Showcasing that the query works:
{3112B634-1015-4593-9B62-92F0511F8032}

Did not show the results since there's sensitive info. Can always test on personal stacks!

@Mikaayenson Mikaayenson merged commit c6f843e into main Mar 26, 2026
10 of 14 checks passed
@Mikaayenson Mikaayenson deleted the litellm-coverage-new-rules branch March 26, 2026 16:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mikaayenson Mikaayenson Mikaayenson approved these changes

@terrancedejesus terrancedejesus terrancedejesus approved these changes

@DefSecSentinel DefSecSentinel Awaiting requested review from DefSecSentinel

@imays11 imays11 Awaiting requested review from imays11

@Samirbous Samirbous Awaiting requested review from Samirbous

Assignees

@Aegrah Aegrah

Labels

backport: auto Rule: New Proposal for new rule Team: TRADE

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Aegrah @tradebot-elastic @Mikaayenson @Samirbous @terrancedejesus