
Conversation

@tccontre tccontre commented Nov 27, 2025

Updated the detections to fix the weakness of the PATH record with regard to processes executed in a different working directory, using the CWD record.

    modified:   detections/endpoint/linux_auditd_doas_conf_file_creation.yml
    modified:   detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
    modified:   detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
    modified:   detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml
    modified:   detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
    modified:   detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
    modified:   detections/endpoint/linux_magic_sysrq_key_abuse.yml

search detection:

Screenshot 2025-11-27 at 15 33 03

Example Detected Event A:

Detected event where there is a CWD record but the access to doas.conf was attempted outside the "/etc" dir.

Screenshot 2025-11-27 at 15 33 42

Detected event where there is a CWD value and it contains the directory where the actual event process happened, in this case the "/etc" folder:

Screenshot 2025-11-27 at 15 34 23

Detected event where no CWD record is generated:

Screenshot 2025-11-27 at 15 35 22

msg value of an event that accesses doas.conf outside the /etc folder or without a CWD record.

What does this PR have in it? Screenshots are worth 1000 words 😄

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.
  • Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

  • If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
  • Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that are causing an issue. In some cases, it's also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
  • Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the date and version in the associated YAML file.

@tccontre tccontre self-assigned this Nov 27, 2025
@tccontre tccontre added the WIP DO NOT MERGE Work in Progress label Nov 27, 2025
@nasbench nasbench self-assigned this Dec 1, 2025
nasbench commented Dec 1, 2025

In Review

@nasbench nasbench added this to the v5.19.0 milestone Dec 1, 2025
@nasbench nasbench removed the WIP DO NOT MERGE Work in Progress label Dec 2, 2025
nasbench commented Dec 2, 2025

Updated the detections to include the following

  • Group by the actual auditd ID instead of the full msg. For this, an extraction into audit_id was added.
  • Added nametype filter where needed and to the output fields.
  • Improved descriptions and overall indentation as well as RBA message.
  • Added a new DS for type CWD

Most of the detection titles / types have to be updated in the future (something to consider for future releases) as they are not accurate. Also, because the detection only focuses on PATH-type auditd events, they are not super useful for giving context. An additional future improvement would be to include the related EXECVE or PROCTITLE records in order to exactly assess the level of suspiciousness.

Because this would lead to more research and future changes, I decided to push for this to get merged so that at least we avoid the bypass and can think of future improvements.

@t-contreras please do create a ticket for this internally so that we can track future enhancements.
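The two comments above describe the same correlation: a PATH record on its own can carry a relative `name` (a process running in /etc opening `doas.conf`, or one using `../../etc/doas.conf` from elsewhere), so the records of one syscall must be joined on the audit ID inside `msg=audit(ts:serial)`, the relative name resolved against the CWD record, and `nametype=PARENT` entries ignored. The following Python script is an added illustration of that logic, not the repository's SPL detections or any code from the PR; the auditd lines, the audit IDs and the list of sensitive files are constructed for the example.

```python
import posixpath
import re
from typing import Dict, List, Optional

# Field extractors for the raw auditd key=value format.
AUDIT_ID_RE = re.compile(r"msg=audit\((?P<id>\d+\.\d+:\d+)\)")
TYPE_RE = re.compile(r"^type=(?P<type>\w+)")
CWD_RE = re.compile(r'\bcwd="(?P<cwd>[^"]*)"')
NAME_RE = re.compile(r'\bname="(?P<name>[^"]*)"')
NAMETYPE_RE = re.compile(r"\bnametype=(?P<nametype>\w+)")

# Constructed watch list, modelled on the files the modified detections cover.
SENSITIVE_FILES = {"/etc/doas.conf", "/etc/sudoers", "/etc/ssh/sshd_config"}
SENSITIVE_BASENAMES = {posixpath.basename(p) for p in SENSITIVE_FILES}

# Constructed sample records (five syscalls, audit serials 5001-5005).
SAMPLE_LINES = """\
type=CWD msg=audit(1764254001.111:5001): cwd="/etc"
type=PATH msg=audit(1764254001.111:5001): item=0 name="doas.conf" inode=1201 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1764254001.111:5002): cwd="/tmp"
type=PATH msg=audit(1764254001.111:5002): item=0 name="doas.conf" inode=9901 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1764254001.111:5003): cwd="/home/alice"
type=PATH msg=audit(1764254001.111:5003): item=0 name="../../etc/doas.conf" inode=1201 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1764254001.111:5004): item=0 name="doas.conf" inode=1201 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1764254001.111:5005): cwd="/root"
type=PATH msg=audit(1764254001.111:5005): item=0 name="/etc" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1764254001.111:5005): item=1 name="/etc/sudoers" inode=1300 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
""".splitlines()


def audit_id(line: str) -> Optional[str]:
    """Return the 'timestamp:serial' ID that links all records of one syscall."""
    m = AUDIT_ID_RE.search(line)
    return m.group("id") if m else None


def correlate(lines: List[str]) -> Dict[str, dict]:
    """Group CWD and PATH records by audit ID: {id: {"cwd": str|None, "paths": [...]}}."""
    events: Dict[str, dict] = {}
    for line in lines:
        aid = audit_id(line)
        t = TYPE_RE.match(line)
        if not aid or not t:
            continue
        ev = events.setdefault(aid, {"cwd": None, "paths": []})
        if t.group("type") == "CWD":
            m = CWD_RE.search(line)
            if m:
                ev["cwd"] = m.group("cwd")
        elif t.group("type") == "PATH":
            n = NAME_RE.search(line)
            nt = NAMETYPE_RE.search(line)
            if n:
                ev["paths"].append({"name": n.group("name"),
                                    "nametype": nt.group("nametype") if nt else None})
    return events


def resolve(cwd: Optional[str], name: str) -> Optional[str]:
    """Absolute, normalised path of a PATH name; None when it is relative and no CWD exists."""
    if posixpath.isabs(name):
        return posixpath.normpath(name)
    if cwd is None:
        return None
    return posixpath.normpath(posixpath.join(cwd, name))


def evaluate(events: Dict[str, dict]) -> List[dict]:
    """One finding per non-PARENT PATH entry, classified on the resolved path."""
    findings = []
    for aid, ev in events.items():
        for p in ev["paths"]:
            if p["nametype"] == "PARENT":      # directory entry of the same open(), not the file
                continue
            resolved = resolve(ev["cwd"], p["name"])
            if resolved is None:
                verdict = "cwd_missing"         # cannot prove the directory; keep for review
            elif resolved in SENSITIVE_FILES:
                verdict = "sensitive_file_access"
            elif posixpath.basename(resolved) in SENSITIVE_BASENAMES:
                verdict = "same_basename_other_dir"   # e.g. /tmp/doas.conf
            else:
                verdict = "not_sensitive"
            findings.append({"audit_id": aid, "cwd": ev["cwd"], "name": p["name"],
                             "resolved": resolved, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in evaluate(correlate(SAMPLE_LINES)):
        print(f"{f['audit_id']}  cwd={f['cwd']!s:12} name={f['name']:22} -> {f['resolved']}  [{f['verdict']}]")
```

Serial 5001 is the case the old PATH-only match missed (relative name, CWD=/etc), 5003 shows the same file reached by traversal from a different directory, 5002 is the same basename outside /etc that the PR's first screenshot surfaces, and 5004 is the "no CWD generated" case, which is left as a separate verdict rather than silently dropped. Grouping on the audit ID rather than the whole `msg` text is what lets the PARENT and NORMAL entries of serial 5005 be told apart.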

@nasbench nasbench merged commit 731df60 into develop Dec 2, 2025
4 checks passed
@nasbench nasbench deleted the fix_cwd_path_detections branch December 2, 2025 23:41